Update & Configure BIOS through Intune: is that possible?

Microsoft Intune offers the ability to manage BIOS configuration on managed devices via the Enterprise Portal. This feature enables IT administrators to define specific BIOS settings on devices to ensure compliance with corporate security and compliance policies.

Some key points on BIOS configuration with Intune:

  • Support for leading device manufacturers: Intune enables BIOS configuration on devices from leading manufacturers: Dell, HP, Microsoft Surface (other brands will be integrated later).
  • Definition of customized BIOS settings: Administrators can create customized BIOS profiles and deploy them on managed devices. This includes settings such as BIOS password, secure boot, security options, etc.
  • Compliance and reporting: Intune provides detailed reports on device compliance with defined BIOS settings. This ensures that all devices are configured securely.
  • Targeted deployment: BIOS settings can be deployed to specific groups of devices or users according to business needs.
  • Automatic update: When new BIOS settings become available, Intune can automatically deploy them to managed devices to maintain a high level of security.

In this article we will create 3 policies:

  • BIOS Password Policy: we will set one BIOS password for all devices
  • Enable Secure Boot: for more security
  • Enable Automatic BIOS updates: automatically install critical updates

1 – Benefits and considerations

This feature offers several advantages:

  • Centralized management of BIOS settings for a fleet of devices
  • Improved security thanks to consistent configurations
  • Reduced time and effort needed to manage BIOS settings manually

2 – Requirements and compatibility

To use this feature, several conditions must be met:

  • Devices must be running Windows 10 version 1809 or later.
  • Only certain manufacturers and models are currently supported: Dell, HP, Lenovo, Microsoft Surface.
  • The manufacturer's agent must be installed on the device (for example: HP Connect for HP, DCECMI for Dell); it is installed by default on most laptops.
  • An account with the “Policy and Profile Manager” or Global Admin role in Intune is required.

Be careful: I recommend planning and testing all policies on a small group of users before large-scale deployment.

3 – Accessing Intune partner portals

  1. Go to the Intune center
  2. Select Devices
  3. Select “Manage devices”
  4. Select “Partner Portals”
  5. Select the device manufacturer (I will select HP in my case)

After clicking on HP you will be redirected to HP Connect.

Select Sign in to log in with your M365 account.

  • Accept Entra ID application Authorization
  • Here is the BIOS admin portal for HP Connect.

4 – Create BIOS Policies

A – BIOS Password Policy

Before creating the policy, we must create a secret (the BIOS password).

  • Go to Secret
  • Select “New Secret”
  • Define the secret name, type (Password) and value.
  • The secret is now created

Let's start creating the password policy.

  • Go to Policies
  • Select “New Policy”
  • Add a name to your policy and select “BIOS Authentication” as the type
  • Click Next
  • Select “BIOS Password” then select the created secret
  • Click Save
  • Select Apply
  • Select a small group of users to test your policy before applying it at large (in my case I’m using all Users after testing the policy)
  • Select Publish
  • Our first policy is successfully created

B – Enable Secure Boot

Before enabling the Secure Boot policy, make sure BitLocker is not enabled. If it is, disable BitLocker, enable Secure Boot, then re-enable BitLocker.

  • Select “New Policy”
  • Give a name to your policy then select “BIOS Settings” as the type
  • Select Global Policy, then search for secure boot and enable it.
  • Click “Next”
  • Click “Save”
  • Click Apply
  • Select a small group of users to test your policy before applying it at large (in my case I’m using all Users after testing the policy)
  • Select Publish
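
A read-only pre-flight check for pilot devices, covering the Windows build requirement from section 2 and the BitLocker / Secure Boot ordering described above. This is an added example, not part of the original article or of HP Connect; the function name Get-BiosPolicyReadiness and its output property names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): read-only pre-flight check
# for a pilot device. Nothing here changes firmware or BitLocker state.

function Get-BiosPolicyReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Windows 10 version 1809 corresponds to build 17763.
    $build = [int]$os.BuildNumber

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and
    # throws on legacy BIOS, which is reported here as 'NotSupported'.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        $secureBoot = 'NotSupported'
    }

    # Protection status of the OS volume; 'Unknown' if the BitLocker
    # module is missing or the query fails.
    try {
        $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $bitLocker = [string]$blv.ProtectionStatus   # 'On' or 'Off'
    } catch {
        $bitLocker = 'Unknown'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Manufacturer        = $cs.Manufacturer
        Model               = $cs.Model
        OsBuild             = $build
        MeetsOsMinimum      = ($build -ge 17763)
        SecureBoot          = $secureBoot
        BitLocker           = $bitLocker
        # Per the article: if BitLocker is on and Secure Boot still has to be
        # enabled, BitLocker must be disabled first and re-enabled afterwards.
        BitLockerStepNeeded = ($secureBoot -ne 'Enabled' -and $bitLocker -eq 'On')
    }
}

Get-BiosPolicyReadiness | Format-List
```

Run it on each device in the test group before publishing the Secure Boot policy; any device reporting BitLockerStepNeeded = True needs the BitLocker sequence above handled first.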

C – Enable Automatic BIOS updates

  • Select New Policy
  • Give a name to your policy then select “BIOS Update” as the type
  • Select Global Policy then select the update setting that fits your company's needs; in my case I’ll install only critical updates.
  • Click Save
  • Select a small group of users to test your policy before applying it at large (in my case I’m using all Users after testing the policy)
  • Select Publish

Conclusion

Controlling BIOS options via the Intune enterprise portal represents a significant step forward in enterprise device management. By enabling secure, centralized configuration of BIOS settings, this feature helps organizations maintain a high level of security and compliance across their Windows device fleets.

Thanks

Aymen EL JAZIRI (Microsoft MVP)