BIOS - Remote Management
Posted by TheNewGuy6789@reddit | sysadmin | 62 comments
I was asked by my manager to review this topic and I wanted to see what others' best methods were. Curious to know how (if at all) people are remotely managing BIOS settings?
Dell has a solution, but our security team shot it down as it involved downloading an agent. We have 3000 computers active and this was not something that was considered before, so there is nothing that was part of the image that can be leveraged, and ideally we are looking for something we can do that would basically allow for on-the-fly changes.
FirmGuardFreddie@reddit
Hey! Full disclosure that we are a vendor offering remote BIOS management services that work across Dell, Lenovo, HP, etc. Our solution has several features that allow you to make BIOS changes remotely (such as SecureConfig, referenced earlier: https://firmguard.com/secureconfig), as well as other unique use cases like updating the BIOS, wiping drives, and even reimaging endpoints—all of which can be done remotely. Could be a solid fit depending on your setup.
Happy to answer any questions you have about the tool, and if you’re interested in learning more, we do offer a free trial :)
Stonewalled9999@reddit
Dell? No worries Windows Update will flash the BIOS even if you don't want it to. MS is big brother and will shove it down your throat.
demonseed-elite@reddit
Just curious. Why would you even need something like this? I've never had a case for it. I would think needing to go into a BIOS setting on a machine to be a rare enough event that the cost of any solution would far exceed just a tech going to the machine and changing it, and I can't see a reason to push a BIOS change en masse. I work for a very large company with multiple thousands of endpoints and aside from setting the asset tag on provisioning, I don't think I've had to go into the BIOS once.
narcissisadmin@reddit
Say Dell adds a new charging option in the BIOS and you need to push it to hundreds of machines.
demonseed-elite@reddit
I can see that as an extreme, fringe "maybe" case.
Has it ever happened in my experience? No.
Would my company care if a new charging option was added that would extend battery life another year or two? No, laptops are replaced every 3-5 years anyways. Any battery issues prior to that are covered by Pro Support. Any after that are the problem of the e-waste company.
CornucopiaDM1@reddit
Consistency
demonseed-elite@reddit
What needs to be consistent in the BIOS of an end user's PC?
I don't see any of the settings in an OEM vendor's BIOS worth the headache of some massive remote service system and feel there are more important things on the average corporate network to bellyache over and throw resources at.
I guess it's why I'm having such a hard time wrapping my head around this question as a senior systems architect. It's something I've never even heard a use-case for.
narcissisadmin@reddit
That sentence conflicts itself.
demonseed-elite@reddit
No, it means in 20 years of IT, I never even encountered a use case for something like this. Everybody seems to act like they're diving into the BIOS of users workstations daily. Aside from a new machine being provisioned, I think the last time I had to enter a BIOS to edit something that was causing an actual issue was 8-9 years ago.
brispower@reddit
Securing the boot process is the first one that comes to mind; there are several others and you'd do well to look into it. The pre-boot is vulnerable using out-of-the-box configuration, as a malicious actor with physical access can do all kinds of things with USB devices.
demonseed-elite@reddit
Still not a use case for a system like this. I am not arguing needing to enter the BIOS ever. As I said, we do this one time, at provisioning. New machine comes in, we enter BIOS, it's done. That BIOS never gets visited again for the life of the machine.
My question was why anyone would need a way to do this globally, across potentially 1000's of already deployed PCs, many potentially remote, after they have been provisioned?
narcissisadmin@reddit
Surely you aren't saying that you manually dick with the BIOS on each device that comes in, right?
demonseed-elite@reddit
If by that you mean set the asset tag and put in an admin password, yes. It usually happens shortly after I attach the serialized asset sticker to the chassis.
Then we plug it into the network and let Intune Autopilot do its thing with minimal intervention.
brispower@reddit
What if someone inherited a fleet?
demonseed-elite@reddit
If the fleet is consistent enough to do it in the first place and not a mix of 3 different OEMs with totally different BIOSes, and management saw "boot protection" worth spending the thousands of dollars in IT time and software to create that infrastructure rather than use something simpler like enabling drive encryption? Sure, go for it. I think there's a statement about that involving fools and money. I can think of a dozen better places to spend it.
Thanks, but I'll just write into policy that any machines we get across our desks have the options set, be patient for a couple of years, and watch this fringe attack vector slowly close like the hole in the ozone layer.
brispower@reddit
You do you mate
sryan2k1@reddit
We set asset tag, boot splash screen name, and set the battery to "primary AC use"
demonseed-elite@reddit
That's fair, I can see that. I'd expect Wake on Lan also being enabled is a common one, but we do similar at machine provisioning and set an admin password on the BIOS to prevent tampering.
I guess I'm more wondering why the need for infrastructure to make gross BIOS changes afterward across an organization? Just set a provisioning policy and within a couple years, your machines are all standardized.
It's not like BIOSes are even consistent! The OEMs churn out new models every 9 months, it seems.
Hotshot55@reddit
We're going through a project to modify power profiles on servers and doing it in an automated fashion is way better than logging into the iDRAC of 1000s of servers.
demonseed-elite@reddit
Ok, now this, I can totally see. Thank you for a solid use case for something like this.
Squanchy2112@reddit
Amt through mesh central?
narcissisadmin@reddit
Mesh Central is the shit.
Squanchy2112@reddit
Wow, I just realized I got downvoted. Sad times.
Squanchy2112@reddit
That's right it is
420GB@reddit
Dell, Lenovo and HP can all have their BIOS settings retrieved and managed via WMI/PowerShell without any extra software needed.
yepperoniP@reddit
I needed to mass-adjust a BIOS setting on a fleet of laptops a few months back and also wanted to keep things agent-free. Apparently Dell supports modifying BIOS settings directly via WMI, which you can access via PowerShell without having to install any additional software. This meant no installing the Dell BIOS provider for PowerShell, and I could also skip the CCTK/Dell Command Control exe stuff as well.
I asked r/PowerShell for help and managed to get a pretty decent working solution.
https://www.reddit.com/r/PowerShell/comments/1is2la9/issues_with_using_invokecimmethod_instead_of/
This blog post from 2020 was a big help in figuring this out: https://www.configjon.com/dell-bios-settings-management-wmi/
You don't need the full GitHub scripts linked there, most things can be handled with two lines:
I used Invoke-CimMethod, but the WmiMethod commands are apparently still supported and easier to get working. The first command basically connects to the BIOS via WMI, and the second one sets the value of the BIOS setting you want to change. For example, you can specify "Camera" and set the value to "Disabled" and the webcam will be silently disabled in BIOS on next reboot.
There's also a command to get a list of all the possible options that you can change but I don't have that on me at the moment.
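The agent-free Dell flow described in the post above (connect to the BIOS interface over WMI, then set an attribute such as Camera to Disabled), written out as an added example; this is not the poster's script or Dell's own code. It assumes the namespaces, class names and SetAttribute parameters from the linked configjon post (root/dcim/sysman/biosattributes, root/dcim/sysman/wmisecurity, BIOSAttributeInterface, the Status return field), a Dell client BIOS that exposes that WMI provider, an elevated PowerShell session, and WinRM reachable on the target for remote use. It adds the checks a practitioner wants before touching firmware: confirm the attribute exists, confirm the requested value is one the BIOS actually allows, check the method's return status rather than assuming success, and read the value back.

```powershell
# Added example (not from the thread): read and set one Dell BIOS attribute over
# WMI/CIM from PowerShell, with no Dell provider module or CCTK installed.
# Namespaces, classes and SetAttribute parameters are taken from the configjon post
# linked above; verify them against your own models before fleet-wide use.
# Assumptions: Dell client BIOS with the WMI provider exposed, elevated session,
# and (for a remote target) WinRM reachable on $ComputerName.

param(
    [string]$ComputerName  = $env:COMPUTERNAME,
    [string]$AttributeName = 'Camera',      # attribute named in the thread
    [string]$DesiredValue  = 'Disabled',
    [string]$BiosPassword  = ''             # BIOS admin password, if one is set
)

$SettingsNs = 'root/dcim/sysman/biosattributes'
$SecurityNs = 'root/dcim/sysman/wmisecurity'

# A CIM session makes the same code work locally and remotely.
$session = New-CimSession -ComputerName $ComputerName

try {
    # 1. Find the attribute and its legal values. Dell splits attributes into
    #    EnumerationAttribute, IntegerAttribute and StringAttribute classes;
    #    Camera is an enumeration attribute, which is what this example handles.
    $attr = Get-CimInstance -CimSession $session -Namespace $SettingsNs `
        -ClassName EnumerationAttribute -Filter "AttributeName='$AttributeName'"
    if (-not $attr) { throw "Attribute '$AttributeName' not found on $ComputerName" }

    Write-Host ("{0}: current value '{1}', allowed values: {2}" -f
        $attr.AttributeName, $attr.CurrentValue, ($attr.PossibleValue -join ', '))

    if ($attr.CurrentValue -eq $DesiredValue) {
        Write-Host "Already set; nothing to do."
        return
    }
    if ($attr.PossibleValue -notcontains $DesiredValue) {
        throw "'$DesiredValue' is not a legal value for $AttributeName"
    }

    # 2. Build the SetAttribute arguments. SecType 0 = no password, 1 = BIOS
    #    admin password; the password is passed as a byte array in SecHandle.
    $setArgs = @{
        AttributeName  = [string[]]@($AttributeName)
        AttributeValue = [string[]]@($DesiredValue)
        SecType        = [uint32]0
        SecHndCount    = [uint32]0
        SecHandle      = [byte[]]@()
    }
    if ($BiosPassword) {
        $pw = [System.Text.Encoding]::ASCII.GetBytes($BiosPassword)
        $setArgs.SecType     = [uint32]1
        $setArgs.SecHndCount = [uint32]$pw.Length
        $setArgs.SecHandle   = $pw
    }

    # 3. Call SetAttribute on the security interface and check its Status
    #    (0 = success; anything else usually means a wrong password or a
    #    setting the BIOS will not let you change).
    $iface  = Get-CimInstance -CimSession $session -Namespace $SecurityNs `
        -ClassName BIOSAttributeInterface
    $result = Invoke-CimMethod -CimSession $session -InputObject $iface `
        -MethodName SetAttribute -Arguments $setArgs
    if ($result.Status -ne 0) {
        throw "SetAttribute returned status $($result.Status) for $AttributeName"
    }

    # 4. Read the value back. WMI reflects the change immediately; the hardware
    #    change itself takes effect on the next reboot.
    $after = Get-CimInstance -CimSession $session -Namespace $SettingsNs `
        -ClassName EnumerationAttribute -Filter "AttributeName='$AttributeName'"
    Write-Host ("{0} is now '{1}' (effective after reboot)" -f
        $after.AttributeName, $after.CurrentValue)
}
finally {
    Remove-CimSession $session
}
```

Run it as `.\Set-DellBiosAttribute.ps1 -ComputerName LAPTOP01 -AttributeName Camera -DesiredValue Disabled -BiosPassword '<bios admin password>'` (file name and host name are placeholders). Dropping the first Get-CimInstance against EnumerationAttribute with no filter lists every enumeration attribute and its PossibleValue list, which is the "list of all the possible options" command the post mentions but does not quote.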
SpotlessCheetah@reddit
WMI is ripped out of W11 24h2.
420GB@reddit
Not at all, only the deprecated and limited wmic command was removed.
yepperoniP@reddit
At least from what I understand, the old wmic cmd program has been deprecated for a while and is now removed by default, but the actual WMI subsystem is still actively supported even in the latest Windows 11. It's why I was looking at doing everything with CIM cmdlets. I think things like Get-WmiObject should still work, but a similar wmic command won't. I don't have a fresh install of 24H2 to test, but my home PC that was upgraded from 22H2 still has the WMI cmdlets (not sure if wmic remains after the upgrade though).
https://techcommunity.microsoft.com/blog/windows-itpro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/4039242
Valdularo@reddit
Brilliant post! Thank you very much for this!
PabloSmash1989@reddit
Saving this. That's amazing
Acceptable-Okra4782@reddit
I saved this, precious info
HanSolo71@reddit
Bro this is amazing. Passing this along to a few other people.
brispower@reddit
Is anyone here doing any of this from intune? Our org has DCC for just updating bios and docks and some PowerShell scripting already but there's a desire to put it into intune, probably leveraging DCC with cctk still to push settings that way.
Icedman81@reddit
WMIC (since this is going to die sooner or later, powershit).
You can control BIOS settings via WMIC. Most manufacturers have documentation on how to control settings (well, most of them) via WMI, like enabling Secureboot and so on.
How do I know this? I had a customer of a customer that had imaging software install every computer in CSM mode with MBR partitioning, instead of doing it actually correctly. Bunch of Lenovos and HPs. Created a conversion script for both manufacturers that converted from MBR to GPT and enabled secureboot (Lenovo had some headaches, but I can't be arsed to remember what it was, because you're not paying me for it).
Here's a couple of references:
user_none@reddit
WMIC is dead. Had a coworker message me about it yesterday on a Win 11 machine.
yepperoniP@reddit
Yeah, you’ll need to make an equivalent script in PowerShell using WMI/CIM commands for this to work, but it does work pretty well.
cats_are_the_devil@reddit
If your dell machines have vpro, you can leverage that.
Unable-Entrance3110@reddit
We use Dells, which have a nice PowerShell module for updating the BIOS on their computers. It's great.
PositiveBubbles@reddit
Yep, I sent it to the MOE team just after I moved from there to Systems (I set up the HP equivalent with HPCLSM via intune deployment)
Tsusai@reddit
I've used Dell Command Configure to make the payload, and batchpatch to deploy it.
ZAFJB@reddit
You need to shoot your 'security team'.
MFKDGAF@reddit
Right?!? What kind of fucktards are they.
ScoobyGDSTi@reddit
Dell Command Powershell module.
Win
mercurygreen@reddit
Other than Dell, I'm not aware of a BIOS that really does this. (Also, if you're not going to trust an agent from Dell, you'd better find out what manufacturer they DO trust, because they're just going to limit your options when you find another one.)
Google lists "Impero Intel vPro Active Management Technology" and "Firmguard SecureConfig" but I've never dealt with either and don't know their price point.
Angelworks42@reddit
Most every laptop has support for various methods via wmi: https://woshub.com/powershell-view-change-bios-settings/
We're a Dell shop but back in the day we setup Lenovo stuff too.
There are some catches like the need to set a BIOS password before setting up tpm, secure boot etc - but these days that should be default now.
Pisnaz@reddit
Hp uses wmi also, there is decent data on their support page, or was last I looked. Dell can work with a powershell module, but I also avoid it over security currently till I can find time to test etc.
Ummgh23@reddit
https://www.configjon.com/bios-management-example-task-sequences/
We've been using this
pawwoll@reddit
Well, one of the choices, if we exclude dell, is to drop the idea and manage bios by hand.
BWMerlin@reddit
Workspace ONE has native BIOS control for Dell.
DeadOnToilet@reddit
We use various powershell and scripting tools provided by desktop and laptop manufacturers and push those changes out via MDM.
Entegy@reddit
For HP I used to just package a customization file with their BIOS Customization Tool. Does Dell offer something similar?
zk13669@reddit
HP has a few pretty good solutions for this. Native WMI, HP CMSL powershell module, and HP connect which hooks into Intune to deploy BIOS settings. BCU is technically deprecated (I think) but that also still works well.
HellzillaQ@reddit
You can interact with the BIOS with PS module
sryan2k1@reddit
Dell's CCTK is literally designed for this. Tell the security team to eat it.
anonymousITCoward@reddit
I use Dells Command | Configure to set the BIOS at the time of setup, once set you can remove it... you only really need it for the initial configuration, unless your BIOS configs are a moving target...
kyleisrighthere@reddit
Have you looked at dell command control? You can create packages (exe) that run in the os to update bios. I use it for one off pcs that I need wake on lan enabled. Not sure how scalable it is or isn't.
AlphabetAlphabets@reddit
Cctk works very well. I've also used it to enable the tpm module on PCs that need to upgrade to Windows 21
IronJagexLul@reddit
I manage 4000 endpoints in a billion dollar industry with dell command configure. It's about your only real option for bios management remotely. I'm unaware of other vendors having something comparable.
Your security team needs to re-eval and actually vet it.
Like another poster said if you can't trust dells software you're gonna be hard pressed finding some random 3rd party you'll be happy with.
ElectroSpore@reddit
That is a total failure of being able to update and deploy software from the sound of it.
AND how will you deploy that something if your team is unable to deploy and download an agent after imaging?
BlackV@reddit
You have 3000 computers, so do you not have an RMM system already?
Why not use that?
Krigen89@reddit