Configure Dell UEFI Settings using Intune Configuration Profiles

Today I want to show you, that you can now configure Dell UEFI Settings directly in Intune, using the new “BIOS configurations and other settings” Template. Dell provides a really good guide for this:

Dell Command Configure

Before we can deploy the wanted setting changes to our clients, we have to prepare the UEFI Settings using the Dell Command Configure Tool.
Once installed, we can configure our needed settings:

As soon as we are finished with our settings, we simply export the configuration to a .cctk file, that we can use in Intune.


Deploy Dell Command Endpoint Configure for Microsoft Intune

Before we can deploy our settings, we need to deploy the Dell Command | Endpoint Configure for Microsoft Intune Tool to all Dell endpoints where we want to modify UEFI Settings. Dell again provides a really helpful documentation on how to deploy the App:

Once we have created the App in Intune as described by Dell, we can assign it to our Dell endpoints:

Intune Configuration Profile

Once we have deployed the needed provider to our client, we then can create a new Configuration Profile in Intune. using the new “BIOS configurations and other settings” Template.

As usual we start with the new Profile by giving it a useful name:

In the next page, we can select the currently only supported manufacturer Dell and upload our previously created config export file.

Next, we can apply Scope Tags to our Profile if needed.

Then, we can assign our UEFI Settings Profile to a group of applicable devices.

In the Review page, we can check our selected options and create the Policy:


Now that we have deployed our settings, I want to show you how you can troubleshoot this process. The Dell Command Endpoint Configure Agent writes it’s logfiles to C:\ProgramData\Dell\EndpointConfigure.
If the device already has a bios password set, the procedure will fail with an Error 65 from the cctk in the EndpointConfigure.log and the DellCommandConfigure.log will also show the issue in cleartext:

Once we removed the password manually / or via custom Dell Command Configure package, the process will work just fine, and you will see the success in the EndpointConfigure.log and the individual configured settings in the DellCmmandConfigure.log:

Password Management

If you enabled the per-device BIOS password protection option, Intune will assign an individual password for each device. If you need to manually set an option in the UEFI of such a managed device, you can view the password using Graph API


In my opinion, this new integration has the potential to make the life of hardware support guys so much easier, no longer need to build custom packages for each hardware model / setting that needs to be modified. Also the per-device password protection has the potential to massively increase the security level of our devices, since we do not have to rely on a password that is used on multiple thousand devices, which compromises the security of all devices if you have to reveal the password to do a manual troubleshooting.






7 responses to “Configure Dell UEFI Settings using Intune Configuration Profiles”

  1. Rachid el Moussaoui


    I tried your method and created a multiplatform cctk file using dell command configure wizard and used it in the configuration file in Intune. The main goal was to set up a bios password on the devices, but in the logfiles i get this faillure log line :
    Option : SetupPwd

    2024/04/03 15:06:35 cctk – Password is not Installed. Please try again without providing –ValSetupPwd

  2. Andrew

    How can I enable per-device BIOS password protection option? And if enabled, does Intune use such password automatically when deploying the cctk configs?

  3. Andrew

    Or it is enabled by default by “Disable per-device BIOS password protection” set to NO? But in such case, I have to leave it as NO for every package I create? Feels weird..

  4. […] Configure Dell UEFI Settings using Intune Configuration Profiles […]

  5. AlphaSeb

    Great, and how do you update the BIOS itself when each device has a seperate password? Manually?!

    1. If you update the UEFI using e.g. Windows Update for Business, it will use the “Windows UEFI firmware update platform” to update the BIOS, which will not need an password during the update process:

Leave a Reply

Your email address will not be published. Required fields are marked *