Reporting BIOS Password States on Think Products with ConfigMgr Current Branch

There may be a need to run a report on your Think products to check which BIOS settings are enabled or disabled, or if there is even a BIOS supervisor password set.

This post will walk through creating a simple custom report in ConfigMgr that will display the following:
  • All Lenovo Think products
  • Model (Friendly Names)
  • Computer Name
  • BIOS Version
  • Is TPM Enabled?
  • Is TPM Activated?
  • Secure Boot Status
  • UEFI Enabled?
  • BIOS Password(s) Set
 
Extending Hardware Inventory


First, you'll need to extend hardware inventory to collect these two Lenovo WMI classes.

Lenovo_BiosSetting
Lenovo_BiosPasswordSettings

To make this a bit easier, there's a zip at the bottom of the page you can download that contains a MOF file you can import into your Default Client Settings that will add these classes.


Open the Default Client Settings, select Hardware Inventory, and click the Set Classes button.

On the Hardware Inventory Class window, click Import.  Select the MOF file containing the Lenovo WMI Classes.

 
Leave the default radio button selected to import both the inventory classes and settings, then click Import. Click OK to complete. Once the clients receive the updated Client Settings, the two Lenovo classes will be inventoried and can be reviewed in Resource Explorer. If you have a mixed environment of different vendors, it may be a good idea to create Custom Client Settings and deploy them only to a Collection containing Lenovo hardware.

Creating the Custom Report

Also at the bottom of the page is a sample report you can import into SSRS. Assuming you have the Reporting Services Point role installed and configured, find the URL of your Report Manager. This can be found in the Console under the Monitoring Workspace / Reporting Node.


Open Internet Explorer, navigate to the Report Manager URL and choose a path to upload the report to.  Once uploaded, edit the report in Report Builder.  You'll need to replace the Data Source and make any other customizations to fit your environment.


Here's an example of what will be displayed

You'll notice different values under the BIOS Password(s) column in the example. These correspond to the integer returned in the PasswordState property when querying the Lenovo_BiosPasswordSettings class. Below is a matrix that explains what these integers translate to:


| PasswordState | Meaning |
|---|---|
| 0 | No BIOS Passwords Set |
| 1 | Only Power On Password |
| 2 | Only Supervisor Password |
| 3 | Supervisor + Power On Password |
| 4 | User HDD or User HDD and Master Password |
| 5 | Power On Password + User HDD or User HDD and Master Password |
| 6 | Supervisor Password + User HDD or User HDD and Master Password |
| 7 | Supervisor Password + Power On Password + User HDD or User HDD and Master Password |
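
The matrix above reads as a three-bit mask (1 = Power On, 2 = Supervisor, 4 = hard disk), so a value can be decoded and checked for a missing supervisor password on a single machine before relying on the inventory data. The following is an added example, not part of the original post or Lenovo's tooling; the helper name ConvertTo-BiosPasswordSummary and the sample computer name are hypothetical, and the live query assumes the class is exposed in the root\wmi namespace.

```powershell
# Added example: decode Lenovo_BiosPasswordSettings.PasswordState per the matrix above.
# ConvertTo-BiosPasswordSummary is a hypothetical helper name, not a Lenovo cmdlet.
function ConvertTo-BiosPasswordSummary {
    param(
        [Parameter(Mandatory)][int]$PasswordState,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Values outside the documented 0-7 matrix are reported as unknown, not guessed at.
    if ($PasswordState -lt 0 -or $PasswordState -gt 7) {
        return [pscustomobject]@{
            ComputerName  = $ComputerName
            PasswordState = $PasswordState
            PowerOn       = $null
            Supervisor    = $null
            HardDisk      = $null
            Finding       = 'Unknown PasswordState value'
        }
    }

    $supervisor = [bool]($PasswordState -band 2)
    [pscustomobject]@{
        ComputerName  = $ComputerName
        PasswordState = $PasswordState
        PowerOn       = [bool]($PasswordState -band 1)   # 1, 3, 5, 7
        Supervisor    = $supervisor                      # 2, 3, 6, 7
        HardDisk      = [bool]($PasswordState -band 4)   # 4, 5, 6, 7
        Finding       = if ($supervisor) { 'OK' } else { 'No supervisor password' }
    }
}

# Constructed sample values: the whole matrix plus one out-of-range value.
(0..7) + 64 |
    ForEach-Object { ConvertTo-BiosPasswordSummary -PasswordState $_ -ComputerName 'SAMPLE-PC' } |
    Format-Table -AutoSize

# On a Think product, read the live value from the class the MOF file inventories.
$live = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosPasswordSettings -ErrorAction SilentlyContinue
if ($live) {
    ConvertTo-BiosPasswordSummary -PasswordState $live.PasswordState
} else {
    Write-Warning 'Lenovo_BiosPasswordSettings was not found in root\wmi on this machine.'
}
```

Unlike the ELSE branch of the report query below, which labels every value other than 1 to 7 as 'No BIOS Passwords Set', this helper reports out-of-range values as unknown so they are not mistaken for a confirmed state.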

I'm by no means a SQL expert, but below is the query used to pull this data:

SELECT ALL
  SMS_G_System_COMPUTER_SYSTEM.Manufacturer00 AS 'Manufacturer',
  __em_COMPUTER_SYSTEM_PRODUCT0.Version00 AS 'Model',
  SMS_G_System_COMPUTER_SYSTEM.Name00 AS 'Computer Name',
  SMS_G_System_PC_BIOS.SMBIOSBIOSVersion00 AS 'BIOS Version',
  CASE
    WHEN SMS_G_System_TPM.IsEnabled_InitialValue00 = 1 THEN 'Yes'
    ELSE 'No'
  END AS 'TPM Enabled',
  CASE
    WHEN SMS_G_System_TPM.IsActivated_InitialValue00 = 1 THEN 'Yes'
    ELSE 'No'
  END AS 'TPM Activated',
  CASE
    WHEN SMS_G_System_FIRMWARE.SecureBoot00 = 1 THEN 'Enabled'
    ELSE 'Disabled'
  END AS 'Secure Boot',
  CASE
    WHEN SMS_G_System_FIRMWARE.UEFI00 = 1 THEN 'Enabled'
    ELSE 'Disabled'
  END AS 'UEFI',
  CASE
    WHEN __ENOVO_BIOSPASSWORDSETTINGS1.PasswordState00 = 1 THEN 'Only Power On Password'
    WHEN __ENOVO_BIOSPASSWORDSETTINGS1.PasswordState00 = 2 THEN 'Only Supervisor Password'
    WHEN __ENOVO_BIOSPASSWORDSETTINGS1.PasswordState00 = 3 THEN 'Supervisor + Power On Password'
    WHEN __ENOVO_BIOSPASSWORDSETTINGS1.PasswordState00 = 4 THEN 'User HDD or User HDD and Master Password'
    WHEN __ENOVO_BIOSPASSWORDSETTINGS1.PasswordState00 = 5 THEN 'Power On Password + User HDD or User HDD and Master Password'
    WHEN __ENOVO_BIOSPASSWORDSETTINGS1.PasswordState00 = 6 THEN 'Supervisor Password + User HDD or User HDD and Master Password'
    WHEN __ENOVO_BIOSPASSWORDSETTINGS1.PasswordState00 = 7 THEN 'Supervisor Password + Power On Password + User HDD or User HDD and Master Password'
    ELSE 'No BIOS Passwords Set'
  END AS 'BIOS Password(s)'

FROM vSMS_R_System AS SMS_R_System
INNER JOIN COMPUTER_SYSTEM_PRODUCT_DATA AS __em_COMPUTER_SYSTEM_PRODUCT0
  ON __em_COMPUTER_SYSTEM_PRODUCT0.MachineID = SMS_R_System.ItemKey
INNER JOIN Computer_System_DATA AS SMS_G_System_COMPUTER_SYSTEM
  ON SMS_G_System_COMPUTER_SYSTEM.MachineID = SMS_R_System.ItemKey
INNER JOIN PC_BIOS_DATA AS SMS_G_System_PC_BIOS 
  ON SMS_G_System_PC_BIOS.MachineID = SMS_R_System.ItemKey
INNER JOIN TPM_DATA AS SMS_G_System_TPM
  ON SMS_G_System_TPM.MachineID = SMS_R_System.ItemKey
INNER JOIN LENOVO_BIOSPASSWORDSETTINGS_DATA AS __ENOVO_BIOSPASSWORDSETTINGS1
  ON __ENOVO_BIOSPASSWORDSETTINGS1.MachineID = SMS_R_System.ItemKey
INNER JOIN Firmware_DATA AS SMS_G_System_FIRMWARE
  ON SMS_G_System_FIRMWARE.MachineID = SMS_R_System.ItemKey
WHERE (SMS_G_System_COMPUTER_SYSTEM.Manufacturer00 = N'LENOVO'
AND __em_COMPUTER_SYSTEM_PRODUCT0.Version00 LIKE N'Think%')
ORDER BY 'Model'

Downloads:

MOF File: https://download.lenovo.com/cdrt/blog/Lenovo-WMIClasses.zip

Sample Report (CDRT logo has been removed): https://download.lenovo.com/cdrt/blog/Lenovo-TPM_BiosPassword_SecureBoot_Status-Report.zip


Further Reading:

Extending Hardware Inventory: https://docs.microsoft.com/en-us/sccm/core/clients/manage/inventory/extend-hardware-inventory

Creating Custom Reports: https://docs.microsoft.com/en-us/sccm/core/servers/manage/creating-custom-report-models-in-sql-server-reporting-services

