[Dell] HOW TO INSTALL AND CONFIGURE BIOS PASSWORDS USING INTUNE
In this blog post we're going to talk about installing and configuring BIOS passwords on Dell endpoints using Microsoft Intune, and about reading these passwords using MS Graph.

REQUIREMENTS
First you need to download the "Dell Command Center" software from the Dell website (link provided above).
Next, run the installer and install the program on your Dell device. In this example I will use a laptop.
Start the application and configure all settings that you want to enable on your endpoint (e.g. secure boot options, TPM).
Note:
If you want a random password per device instead of one shared password, don't set the "set password" option. In this blog post we use random passwords.

When you have configured your options, you need to export these settings. The export gives you a .cctk file.
Note:
Be sure to have the following in your CCTK file:
[CCTK]
CapsuleFirmwareUpdate=Enabled
TrustExecution=Enabled
CapsuleFirmwareUpdate=Enabled allows Intune to still be able to update your firmware.
TrustExecution=Enabled enables trusted execution (https://www.intel.com/content/www/us/en/support/articles/000025873/processors.html).
We are now going to create a BIOS configuration policy using Intune. To do this follow these steps:
+ go to intune.microsoft.com
+ sign in with an account that has enough rights to create and configure a configuration profile
+ browse to Devices -> Windows -> Configuration

+ select Create -> New Policy
+ a new screen will appear. Select Windows 10 and later, followed by Templates, and select BIOS configurations and other settings

+ name the policy
+ in the following screen Hardware will be automatically set to Dell, because Intune only supports Dell at this moment. If you want to have random BIOS passwords, make sure you select No for Disable per-device BIOS password protection
+ select your .cctk file that we've created above.

+ my advice is to first test this with a couple of devices. Create an Entra group and add some test machines/endpoints to this group as members
Note:
Do not modify the profile/policy while it is on "pending". Wait for the profile to be either "succeeded" or "failed".
REMOVE BIOS CONFIG
To remove the BIOS config we're going to create another BIOS configuration policy. Follow the steps above to create another config policy, but select Yes on Disable per-device BIOS password protection. Selecting Yes will allow the configuration to remove your BIOS password.
+ select your .cctk file.
+ select your "test" group and save the policy
DEPLOY SOFTWARE
When you want to manage BIOS configurations, you also need to deploy the Microsoft Intune Dell BIOS Configuration Management software. You can easily download this app from the Dell website and deploy it using Intune. You also need to download and deploy DOTNET 8.0:
Dell BIOS Configuration Management
DOTNET 8.0
Create a .wim file using IntuneWinAppUtil and create a new Windows app using Intune to deploy the software to your test device(s).

READ PASSWORDS (MS GRAPH)
Now that we have successfully deployed all the needed software, we can get the BIOS passwords using MS Graph.
You will need the following permissions and must consent to them:
- DeviceManagementConfiguration.Read.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementManagedDevices.PrivilegedOperations.All
+ browse to Graph Explorer (Try Microsoft Graph APIs - Microsoft Graph)
+ sign in to your environment
+ use https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo to retrieve all saved BIOS passwords. If you want one specific device use https://graph.microsoft.com/beta/deviceManagement/{hardwarePasswordInfoId}
When you try the above for the first time you will get an error regarding insufficient rights. To configure these access rights you can add the following to your query:
https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo -scope <Permission>
Select the Modify permissions tab. From there you can open the permissions panel.

Search for the permissions listed above and consent to these permissions for your user profile.
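The same read can be done from PowerShell instead of Graph Explorer. This is an added example, not code from the original post: it assumes the Microsoft.Graph.Authentication module is installed, that the beta hardwarePasswordInfo records expose serialNumber and currentPassword properties, and it uses a placeholder serial number.

```powershell
# Added example (not from the original post).
# Assumes the Microsoft.Graph.Authentication module is installed.
# Scopes are the permissions listed in this post; consent happens at sign-in.
$scopes = @(
    'DeviceManagementConfiguration.Read.All'
    'DeviceManagementConfiguration.ReadWrite.All'
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
)
Connect-MgGraph -Scopes $scopes | Out-Null

function Get-HardwarePasswordInfo {
    # Return every hardwarePasswordInfo record, following @odata.nextLink paging.
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/hardwarePasswordInfo'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $page.value                      # emit this page's records
        $uri = $page.'@odata.nextLink'   # $null on the last page ends the loop
    }
}

try {
    $records = @(Get-HardwarePasswordInfo)

    # Inventory without secrets: which serial numbers have a stored password.
    # serialNumber / currentPassword are assumed from the beta resource schema.
    $records |
        Select-Object id, serialNumber,
            @{ Name = 'HasPassword'; Expression = { [bool]$_.currentPassword } } |
        Format-Table -AutoSize

    # Look up one device only when its password is actually needed.
    $serial = 'SERIAL-PLACEHOLDER'       # hypothetical value, replace with yours
    $match  = $records | Where-Object { $_.serialNumber -eq $serial }
    if ($match) {
        # Clipboard instead of console, so the value does not end up in
        # transcripts or scrollback; clear the clipboard after use.
        $match.currentPassword | Set-Clipboard
        Write-Host "Password for $serial copied to clipboard."
    } else {
        Write-Warning "No hardwarePasswordInfo record for $serial."
    }
}
finally {
    Disconnect-MgGraph | Out-Null        # drop the delegated session
}
```

Because the endpoint is under /beta, the property names and paging behaviour can change; check the first returned record before relying on the field names.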
