Configure Dell UEFI Settings using Intune Configuration Profiles

Today I want to show you that you can now configure Dell UEFI Settings directly in Intune, using the new “BIOS configurations and other settings” template. Dell provides a really good guide for this: https://www.dell.com/support/kbdoc/en-us/000214308/dell-command-endpoint-configure-for-microsoft-intune

Dell Command Configure

Before we can deploy the desired setting changes to our clients, we have to prepare the UEFI Settings using the Dell Command Configure tool.
Once it is installed, we can configure the settings we need:

As soon as we are finished with our settings, we simply export the configuration to a .cctk file that we can use in Intune.

Intune

Deploy Dell Command Endpoint Configure for Microsoft Intune

Before we can deploy our settings, we need to deploy the Dell Command | Endpoint Configure for Microsoft Intune tool to all Dell endpoints where we want to modify UEFI Settings. Dell again provides really helpful documentation on how to deploy the app: https://dl.dell.com/content/manual52371649-dell-command-endpoint-configure-for-microsoft-intune-installation-guide.pdf?language=en-us

Once we have created the App in Intune as described by Dell, we can assign it to our Dell endpoints:

Intune Configuration Profile

Once we have deployed the needed provider to our client, we can create a new Configuration Profile in Intune using the new “BIOS configurations and other settings” template.

As usual, we start the new Profile by giving it a useful name:

On the next page, we can select Dell, currently the only supported manufacturer, and upload our previously created config export file.

Next, we can apply Scope Tags to our Profile if needed.

Then, we can assign our UEFI Settings Profile to a group of applicable devices.

On the Review page, we can check our selected options and create the Policy:

Troubleshooting

Now that we have deployed our settings, I want to show you how you can troubleshoot this process. The Dell Command Endpoint Configure Agent writes its log files to C:\ProgramData\Dell\EndpointConfigure.
If the device already has a BIOS password set, the procedure will fail with an Error 65 from the cctk in the EndpointConfigure.log, and the DellCommandConfigure.log will also show the issue in cleartext:

Once we have removed the password, either manually or via a custom Dell Command Configure package, the process will work just fine, and you will see the success in the EndpointConfigure.log and the individual configured settings in the DellCommandConfigure.log:

Password Management

If you enabled the per-device BIOS password protection option, Intune will assign an individual password to each device. If you need to manually set an option in the UEFI of such a managed device, you can view the password using the Graph API:

https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo
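
As an added example (not part of the original post and not Dell's or Microsoft's own code), the lookup can be scripted with the Microsoft Graph PowerShell SDK so that only the record of the one device you are servicing is displayed, instead of the whole tenant's password list. The property names `serialNumber`, `currentPassword` and `previousPasswords`, the scope `DeviceManagementConfiguration.Read.All`, and the function name `Get-DeviceBiosPassword` are assumptions; the serial number is a constructed placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Authentication

# Hypothetical helper: returns the per-device BIOS password record for ONE serial number.
function Get-DeviceBiosPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SerialNumber
    )

    # Endpoint taken from the article (beta API, may change without notice).
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo'

    while ($uri) {
        # Invoke-MgGraphRequest returns a hashtable for JSON responses by default.
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri

        foreach ($entry in $page['value']) {
            # Property names are assumptions about the beta resource.
            if ($entry['serialNumber'] -eq $SerialNumber) {
                return [pscustomobject]@{
                    SerialNumber          = $entry['serialNumber']
                    CurrentPassword       = $entry['currentPassword']
                    # Only the count is shown; older passwords stay out of the console.
                    PreviousPasswordCount = @($entry['previousPasswords'] | Where-Object { $_ }).Count
                }
            }
        }

        # Follow server-side paging until the device is found or the list ends.
        $uri = $page['@odata.nextLink']
    }

    Write-Warning "No hardwarePasswordInfo entry found for serial number '$SerialNumber'."
}

# Read-only delegated scope (assumption); sign in with an account allowed to read device configuration.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'

# 'ABC1234' is a constructed placeholder for the Dell service tag of the device.
Get-DeviceBiosPassword -SerialNumber 'ABC1234'

# Drop the cached token once the password has been read.
Disconnect-MgGraph
```

The result is only written to the console, so the password does not end up in a file or transcript unless you redirect it yourself.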

Conclusion

In my opinion, this new integration has the potential to make the life of hardware support guys so much easier, since they no longer need to build custom packages for each hardware model or setting that needs to be modified. The per-device password protection also has the potential to massively increase the security level of our devices, since we no longer have to rely on a single password that is used on multiple thousand devices, which compromises the security of all devices if you have to reveal the password for manual troubleshooting.


Comments

7 responses to “Configure Dell UEFI Settings using Intune Configuration Profiles”

  1. Rachid el Moussaoui

    Hi,

    I tried your method and created a multiplatform cctk file using the Dell Command Configure wizard and used it in the configuration file in Intune. The main goal was to set up a BIOS password on the devices, but in the log files I get this failure log line:
    Option : SetupPwd

    2024/04/03 15:06:35 cctk – Password is not Installed. Please try again without providing –ValSetupPwd

  2. Andrew

    How can I enable per-device BIOS password protection option? And if enabled, does Intune use such password automatically when deploying the cctk configs?

  3. Andrew

    Or it is enabled by default by “Disable per-device BIOS password protection” set to NO? But in such case, I have to leave it as NO for every package I create? Feels weird..

  4. […] Configure Dell UEFI Settings using Intune Configuration Profiles […]

  5. AlphaSeb

    Great, and how do you update the BIOS itself when each device has a separate password? Manually?!

    1. If you update the UEFI using e.g. Windows Update for Business, it will use the “Windows UEFI firmware update platform” to update the BIOS, which will not need a password during the update process: https://learn.microsoft.com/windows-hardware/drivers/bringup/windows-uefi-firmware-update-platform?WT.mc_id=MVP_317638
