Omnia/Azure-Dell-BIOS-Password-Solution
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2487fcc969e458402e1f2ec297d033a1d245f50a
Azure-Dell-BIOS-Password-So…/readme.md
T
samsamfin 2487fcc969 Updates to requirements
2026-05-05 10:27:57 +00:00

63 lines
2.9 KiB
Markdown
Raw Blame History

# Dell BIOS Admin Password Management via Intune
Manages Dell BIOS Admin password across the fleet using Intune Remediation scripts and Azure Blob Storage. No third-party Dell software required.
## How it works
The solution uses Dell's native WMI security interface (`root\dcim\sysman\wmisecurity`), specifically the `PasswordObject` and `SecurityInterface` WMI classes. These are exposed directly by Dell UEFI firmware via Windows' built-in ACPI WMI bridge driver (`wmiacpi.sys`) — **no Dell Command | Monitor or Dell Command | Update installation is needed**.
> **Note:** The `root\dcim\sysman\wmisecurity` namespace will **not** be present on generic virtual machines (Hyper-V, Azure, VMware) that lack a real Dell UEFI firmware profile. The solution targets physical Dell endpoints only.
## Requirements
- Physical Dell endpoint with UEFI firmware (modern Dell business/consumer hardware)
- Windows 10/11 (wmiacpi.sys included by default)
- Network access to Azure Blob Storage from the endpoint
- Intune Remediation (requires Intune P1 license or Intune Suite)
~~Dell Command | Monitor or Dell Command | Update~~ *(not required)*
## Instructions
Create an Azure storage account and a new container inside it. Generate a SAS URL for it. Inside the container, upload two Base64-encoded `.txt` files:
- `current-content.txt` — the current BIOS Admin password (Base64 encoded)
- `old-content.txt` — all known previous passwords, one per line (Base64 encoded), plus one blank line to handle devices with no BIOS password currently set
As passwords change over the years, update both files in the storage account accordingly.
Intune handles the enforcement logic via a detection/remediation script pair.
## Azure configuration
Create a storage account and generate a SAS token scoped to the container with at least **read** (`sp=r`) permissions. Upload both password files and note the full blob URLs for each file (used directly in the scripts).
### Example SAS URL (container level)
```
https://stitbiosmgmt.blob.core.windows.net/mgmt?sp=r&st=2026-02-26T08:55:03Z&se=2036-02-26T17:10:03Z&spr=https&sv=2024-11-04&sr=c&sig=lBtObK2UmF3nzLvN4%2Biu1X9H6nC0Tc%2BRgvW0hM4eq9U%3D
```
## Intune configuration
### Remediation script pair
| Setting | Value |
|:--|:--|
| Name | Dell BIOS Admin Password |
| Detection script | `Dell-BIOSPassword-Detection.ps1` |
| Remediation script | `Dell-BIOSPassword-Remediation.ps1` |
| Run this script using the logged-on credentials | No (run as System) |
| Enforce script signature check | No (unless you sign your scripts) |
| Run script in 64-bit PowerShell | Yes |
| Schedule | Daily, or every 1 hour depending on urgency |
### Entra ID Group for deployment
`Intune - Azure Dell BIOS Password Solution`
This group should be scoped to Dell physical endpoints only. A dynamic device group rule filtering on manufacturer can be used:
```
(device.deviceManufacturer -eq "Dell Inc.")
```
Reference in New Issue View Git Blame Copy Permalink