BIOS Compliance with SCCM

Today’s blog post explains how to manage BIOS settings with SCCM compliance settings. We will create a configuration item to enable LAN / WLAN switching in BIOS on HP EliteBook G2 and G3 computers. I will also show how you can list every BIOS setting in PowerShell so you can create a BIOS configuration baseline that works for your environment.

Deploying BIOS configuration used to be a pain. We used to create a BIOS / UEFI answer file and deploy it to our computers together with a tool that wrote those settings to the computer’s BIOS. That was the old stone-age way to configure BIOS / UEFI. And honestly, we only deployed BIOS settings to computers during an OSD task sequence, as we had no way to detect whether settings changed in a later deployment were actually applied to all computers.

Compliance Settings in SCCM solve all our problems regarding BIOS management. We know exactly which computers are compliant with all our settings, and we can auto-correct the ones that are not.


Manage BIOS Settings with SCCM

Configuration items support PowerShell code to discover settings, and they support PowerShell to correct those settings if they’re wrong. PowerShell has full access to WMI, and every serious hardware vendor with respect for themselves has published WMI methods to read and set BIOS settings. So we can create a configuration baseline for BIOS that configures every setting we want, and it will correct those BIOS settings on every computer that is not compliant.

This guide will focus on Hewlett Packard. We will create one configuration item that enables LAN/WLAN Switching, and then we add that configuration item to a configuration baseline named HP BIOS that we deploy to our HP computers.


Finding the WMI Methods to Manage BIOS

I recommend using WMI Explorer to find the WMI namespace and class where the correct methods are stored. WMI Explorer must run as administrator to get access to the correct classes on HP computers.

WMI Explorer

From WMI Explorer we see that the WMI class we want is HP_BIOSSetting, and it’s located in the ROOT\HP\InstrumentedBIOS namespace. There is one instance per BIOS setting, and I’m interested in the Name, PossibleValues and Value fields.

  • Name: The name of the BIOS setting
  • PossibleValues: List the value type, and the values it accepts
  • Value: Shows the currently set value, as well as any other accepted values.

Use WMI Explorer to find the values you want to set and follow my guide. My PowerShell discovery and remediation scripts make it easy to discover and set any HP BIOS setting.


Creating our Configuration Items to manage BIOS

We will create a configuration item to discover and set the setting LAN / WLAN switching in BIOS. From WMI Explorer I see that this setting is named “LAN/WLAN Switching” on G2 computers, and is named “LAN WLAN Auto Switching” on G3 computers. I do not know what it is named on G4 computers as I don’t have access to any at this time. In WMI Explorer we see that the possible values are Disabled and Enabled, and it’s a string type. The Value field also shows “*Disabled,Enabled”, which means it is currently disabled, as the star marks the active value.


Powershell Discovery Script – BIOS LAN / WLAN switching

This PowerShell discovery script works on any HP EliteBook G2 or G3. It returns true if LAN / WLAN Switching is enabled, and false if disabled.
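The discovery script itself is not reproduced on this page, so the following is an added example (not the author’s original script) that implements what the text describes: it reads HP_BIOSSetting from ROOT\HP\InstrumentedBIOS, accepts both the G2 and G3 setting names, treats the asterisk in the Value field as the marker of the active value, and writes only a single Boolean to stdout, which is what the compliance rule compares against. The Get-HpBiosInventory helper is an extra for building your own baseline and is not called during discovery.

```powershell
# Added example discovery script (not the author's original). Outputs $true or $false only.
$Namespace    = 'ROOT\HP\InstrumentedBIOS'
# Setting name differs per generation (G2 vs G3, names taken from the text above).
$SettingNames = @('LAN/WLAN Switching', 'LAN WLAN Auto Switching')

# Returns the active value of the first matching HP BIOS setting, or $null if none exists.
# The Value field lists every accepted value with an asterisk in front of the active one,
# e.g. "*Disabled,Enabled" means Disabled is active.
function Get-HpBiosCurrentValue {
    param([string[]]$Names)
    $settings = Get-WmiObject -Namespace $Namespace -Class HP_BIOSSetting -ErrorAction SilentlyContinue
    foreach ($s in $settings) {
        # Normalise whitespace so a name with doubled spaces still matches
        $name = ($s.Name -replace '\s+', ' ').Trim()
        if ($Names -contains $name) {
            $active = ($s.Value -split ',') | Where-Object { $_.StartsWith('*') } | Select-Object -First 1
            if ($active) { return $active.TrimStart('*') }
        }
    }
    return $null
}

# Lists every BIOS setting with its active value and accepted values; run this
# interactively (as administrator) to decide which settings belong in your baseline.
function Get-HpBiosInventory {
    Get-WmiObject -Namespace $Namespace -Class HP_BIOSSetting |
        Select-Object Name,
            @{ n = 'Current'; e = { (($_.Value -split ',') | Where-Object { $_.StartsWith('*') } | Select-Object -First 1) -replace '^\*', '' } },
            PossibleValues
}

$current = Get-HpBiosCurrentValue -Names $SettingNames
# Anything other than Enabled, including a setting that is missing on this model, is non-compliant.
Write-Output ($current -eq 'Enabled')
```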


Powershell Remediation Script – BIOS LAN / WLAN switching

This PowerShell remediation script can set any setting to the value you want. Just specify the setting and value you want to set. Unfortunately, the BIOS password has to be in plain text. Please let me know if you know a good way to secure this.
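The remediation script is likewise not reproduced on the page; this is an added example (not the author’s original) that sets one HP BIOS setting through the SetBIOSSetting method of the HP_BIOSSettingInterface class in the same namespace, and checks the method’s return code instead of assuming success. It assumes the “<utf-16/>” prefix HP expects on the password string and uses a placeholder password you must replace; the setting names come from the text above.

```powershell
# Added example remediation script (not the author's original).
$Namespace    = 'ROOT\HP\InstrumentedBIOS'
$SettingNames = @('LAN/WLAN Switching', 'LAN WLAN Auto Switching')  # G2 / G3 names from the text
$DesiredValue = 'Enabled'
$BiosPassword = 'CHANGE-ME'   # placeholder; as the text notes, this has to be plain text here

# Finds which of the candidate names exists on this machine (whitespace-insensitive)
# and returns the exact name the BIOS uses, or $null if none is present.
function Resolve-HpBiosSettingName {
    param([string[]]$Candidates)
    $all = Get-WmiObject -Namespace $Namespace -Class HP_BIOSSetting -ErrorAction SilentlyContinue
    foreach ($s in $all) {
        $n = ($s.Name -replace '\s+', ' ').Trim()
        if ($Candidates -contains $n) { return $s.Name }
    }
    return $null
}

# Applies the value and returns $true on success. SetBIOSSetting reports a numeric
# Return code: 0 is success; anything else (wrong password, unknown setting,
# value not accepted) is a failure that should be surfaced, not silently ignored.
function Set-HpBiosSetting {
    param([string]$Name, [string]$Value, [string]$Password)
    $iface = Get-WmiObject -Namespace $Namespace -Class HP_BIOSSettingInterface
    # HP expects the keyboard-encoding prefix; pass an empty string if no BIOS password is set
    $pw = if ($Password) { "<utf-16/>$Password" } else { '' }
    $result = $iface.SetBIOSSetting($Name, $Value, $pw)
    if ($result.Return -ne 0) {
        Write-Error "SetBIOSSetting '$Name' = '$Value' failed with return code $($result.Return)"
        return $false
    }
    return $true
}

$name = Resolve-HpBiosSettingName -Candidates $SettingNames
if (-not $name) {
    Write-Error "None of the expected setting names were found in $Namespace"
    exit 1
}
if (Set-HpBiosSetting -Name $name -Value $DesiredValue -Password $BiosPassword) {
    Write-Output "$name set to $DesiredValue"
} else {
    exit 1
}
```

A non-zero exit code makes a failed remediation visible in the client’s compliance evaluation rather than leaving the computer silently non-compliant until the next evaluation cycle.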


Creating the BIOS Configuration Item in SCCM

Assets and Compliance -> Compliance Settings -> Configuration Items.

Right click and create a new configuration item.

Manage BIOS Settings with SCCM Compliance Settings


Select the operating systems you want to support with this configuration item. I only select client operating systems.

Manage BIOS Settings with SCCM Compliance Settings -2


Go to Settings and click New to create a new setting. Make sure the setting type is Script and the data type is Boolean, as our discovery script returns either true if LAN / WLAN switching is enabled, or false if disabled.

Manage BIOS Settings with SCCM Compliance Settings -3


Copy and paste the discovery script, and click OK.

Manage BIOS Settings with SCCM Compliance Settings -4


Copy and paste the remediation script. Click OK.

Manage BIOS Settings with SCCM Compliance Settings -5


Create a new compliance rule. This is how it looks when it’s done.

Manage BIOS Settings with SCCM Compliance Settings -7


Set the rule type to Value, and require that the value returned by the script equals True. We also want to run our remediation script on computers that are not compliant, to auto-correct them.

Manage BIOS Settings with SCCM Compliance Settings -6


Click next on the summary screen and we are done.

Manage BIOS Settings with SCCM Compliance Settings -8


We now have a configuration item that detects whether LAN / WLAN switching is enabled in BIOS, and enables it on computers where it is disabled. You can follow this guide to create your own configuration items for additional BIOS settings as well.


Creating the BIOS Configuration Baseline in SCCM

Assets and Compliance -> Compliance Settings -> Configuration Baselines

Create a new configuration baseline and add the configuration item we created. If you created more than one CI, add the extra ones as well.


Deploy the configuration baseline to the collection of computers on which you want to enforce these BIOS settings. I have a collection of all HP G2 and G3 laptops. Make sure to select “Remediate noncompliant rules when supported”, and set a schedule for how often clients will evaluate this baseline.

HP BIOS Configuration Baseline - Deploy

All done.