I’ve been meaning to start posting some tutorials for a while and I’ve finally gotten around to my first. So here goes…

Intel VT is a requirement of any VM solution (Hyper-V, VMware, VirtualBox etc.) as well as a number of emerging security products such as McAfee Deep Defender. By default, Lenovo hardware ships with Intel VT disabled in the BIOS. If you’re a large enough enterprise, you can probably agree to have this enabled in the BIOS from the outset, but for smaller companies this can be costly. Luckily, you can access Lenovo BIOS settings using WMI. It’s fairly simple to put together a VBScript to enable this as part of your OSD process. But what if you already have your machines deployed and need to make the change post-deployment?

Well, a nice way of handling this is to use an SCCM Configuration Baseline to enforce the setting. And I’m going to walk you through how to do it…

First, we’re going to open SCCM > Assets & Compliance > Compliance Settings > Configuration Items and create a new Configuration Item:

Image1

You’ll only want this running on client OSes so deselect anything server:

Image2

Create a new Setting and populate as follows:

  • Name: Intel Virtualization Technology Configuration
  • Setting Type: Script
  • Data Type: String
  • Discovery Script – Type: PowerShell:

# Return the CurrentSetting entry whose name is VirtualizationTechnology
gwmi -class Lenovo_BiosSetting -namespace root\wmi | Where-Object {$_.CurrentSetting.split(",",[StringSplitOptions]::RemoveEmptyEntries) -eq "VirtualizationTechnology"} | Format-List CurrentSetting

  • Remediation Script – Type: PowerShell:

# Stage the new value, then commit the staged change to the BIOS
(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("VirtualizationTechnology,Enable")
(gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi).SaveBiosSettings()

Image3

Create a new Compliance rule for this Setting as follows:

  • Name: Intel Virtualization Technology Compliance Rule
  • Value: VirtualizationTechnology,Enable
  • Check “Run the specified remediation script when this setting is non-compliant”

Image5

Now create a second Setting and populate as follows:

  • Name: Intel VTdFeature Configuration
  • Setting Type: Script
  • Data Type: String
  • Discovery Script – Type: PowerShell:

# Return the CurrentSetting entry whose name is VTdFeature
gwmi -class Lenovo_BiosSetting -namespace root\wmi | Where-Object {$_.CurrentSetting.split(",",[StringSplitOptions]::RemoveEmptyEntries) -eq "VTdFeature"} | Format-List CurrentSetting

  • Remediation Script – Type: PowerShell:

# Stage the new value, then commit the staged change to the BIOS
(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("VTdFeature,Enable")
(gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi).SaveBiosSettings()

Create a new Compliance rule for this Setting as follows:

  • Name: Intel VTdFeature Compliance Rule
  • Value: VTdFeature,Enable
  • Check “Run the specified remediation script when this setting is non-compliant”

When finished, we should be left back in the original Wizard with two Settings and two Compliance items as follows:

Image6Image7

Now that our Configuration Item is created, we need to Create a new Configuration Baseline for deployment. Navigate to Assets & Compliance > Compliance Settings > Configuration Baselines and create a new one as follows:

Image8

Once this is created, you can Deploy to any collection in either Monitor or Remediation mode. I would suggest Monitor first to get a handle on how many machines will be affected, and maybe start off in Remediation on a handful of machines to ensure it works as expected. Changes to the BIOS take effect when the machine is next restarted.
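A variant of the discovery and remediation scripts above, as an added example that is not part of the original post: discovery emits a bare "Name,Value" string for the compliance rule to compare, and remediation fails loudly if the BIOS rejects the change. The function names are hypothetical, the sample settings are constructed, and the `return` status text `Success` and the `;[Optional:...]` suffix handling are assumptions about Lenovo's WMI interface.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Constructed sample of Lenovo_BiosSetting.CurrentSetting values, used only when
# the Lenovo WMI classes are unavailable (e.g. testing on non-Lenovo hardware).
$sample = @('WakeOnLAN,ACOnly', 'VirtualizationTechnology,Disable', 'VTdFeature,Enable', '')

function Get-BiosSettingString {
    param([string[]]$CurrentSettings, [string]$Name)
    foreach ($entry in $CurrentSettings) {
        if ([string]::IsNullOrEmpty($entry)) { continue }   # unused slots are empty
        # Assumption: some firmware appends ";[Optional:...]"; keep only "Name,Value".
        $pair = $entry.Split(';')[0].Split(',', [StringSplitOptions]::RemoveEmptyEntries)
        if ($pair.Count -ge 2 -and $pair[0] -eq $Name) { return "$($pair[0]),$($pair[1])" }
    }
    return "$Name,NotFound"   # never equals the compliance rule value
}

function Get-CurrentSettings {
    try {
        (Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi -ErrorAction Stop).CurrentSetting
    } catch {
        $sample   # fall back to the constructed sample above
    }
}

function Set-BiosSettingChecked {
    param([string]$Name, [string]$Value)
    # Stage the change and check the status string the method hands back.
    $set = (Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi).SetBiosSetting("$Name,$Value")
    if ($set.return -ne 'Success') { throw "SetBiosSetting($Name) returned '$($set.return)'" }
    # Commit the staged change; it takes effect at the next restart.
    $save = (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings()
    if ($save.return -ne 'Success') { throw "SaveBiosSettings returned '$($save.return)'" }
}

# Discovery: emit exactly one line to compare against the compliance rule value.
Get-BiosSettingString -CurrentSettings (Get-CurrentSettings) -Name 'VirtualizationTechnology'

# Remediation (run separately, on Lenovo hardware only):
# Set-BiosSettingChecked -Name 'VirtualizationTechnology' -Value 'Enable'
```

A thrown error in remediation leaves the setting non-compliant, so failures surface in the baseline's compliance report.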