The State of BIOS Management: A Comprehensive Overview

Like most companies, the ones I’ve worked with have a diverse mix of laptop vendors. Love-hate relationships with these manufacturers are pretty common, often tied to various quirks and idiosyncrasies. For me, one of the most important factors is how well they handle BIOS/UEFI management. After all, the manufacturer should know their hardware best, right? 🤔

image-20241220131027634

Determining the level of control and configuration possible on hardware can be tricky and depends on specific organizational needs. For simplicity’s sake, let’s focus on a straightforward security measure: setting a BIOS/UEFI password. Throughout this blog, I’ll use ‘BIOS’ and ‘UEFI’ interchangeably, as the underlying concept remains the same.

Why Bother with a BIOS Password?

So, why lock down your BIOS with a password? Well, there are a few good reasons:

  1. The obvious, unauthorized access prevention
  2. Prevent network/USB boots
  3. Stop end user from fiddling with settings, prevent accidental (or intentional) misconfigurations

A locked-down BIOS is less likely to suffer from accidental changes or malicious tampering, significantly increasing your device’s Security Posture.

Your BIOS Management Toolkit

Traditionally, configuring BIOS settings has been a manual affair. There were no fancy tools or automated scripts to streamline the process. Operating systems generally didn’t interact with the underlying BIOS, leaving the burden on IT professionals.

To achieve consistent and efficient BIOS configuration, automated approaches are now preferred. Here are some popular solutions from leading vendors,

Microsoft - Surface Devices

Microsoft has leaned heavily on DFCI (Device Firmware Configuration Interface) integrated into Intune for managing Surface devices. While this is a solid solution, it’s primarily designed for remote management and lacks a standalone tool for local configuration. One can also setup UEFI password using plain password, certificate and use configuration package. Plus, PowerShell scripting enthusiasts might find themselves a bit limited as there are no modules or APIs to query/set configuration using PowerShell for custom scenarios.

Dell

Dell takes the crown for offering a diverse range of BIOS management tools. The Dell Client Configuration Utility DCCU provides a user-friendly web interface for easy configuration. For those who prefer a more hands-on approach, the Dell Command PowerShell Provider offers extensive scripting capabilities. This provider is incredibly versatile, working seamlessly in local, remote, and even WinPE environments, evidently it has raked half a billion downloads on [PowerShell Gallery][https://www.powershellgallery.com/packages/DellBIOSProvider/2.7.0]

HP

HP offers a variety of tools to cater to different needs. The HP BIOS Configuration Utility BCU is a simple and effective tool for local configuration. HP connect is the cloud based solution for managing BIOS remotely. HP Manageability Integration Kit HP MIK that integrates with SCCM for simplified bios managment. There is also HP Image Assistant HPIA and Client Management Script Library (HP CMSL) for niche scenarios.

Lenovo

Lenovo provides Think BIOS Config solution that can be used for both local and remote configuration. It integrates seamlessly with various management tools like SCCM, Intune, and works in WinPE. While WMI can be used to query and set some BIOS configurations, it’s not as comprehensive as the PowerShell provider offered by Dell.

Most of the vendors provides imaging assistant that can lay bios configurations during imaging. While imaging tools can be handy for initial deployments, they often fall short when it comes to managing BIOS configurations in large-scale, distributed environments. Once devices are dispersed across various locations, reimaging them to apply BIOS changes becomes impractical and time-consuming. This is where automated, remote BIOS management solutions truly shine.

Wrapping It Up

t’s unfortunate that a unified framework for BIOS management doesn’t exist. Given the increasing sophistication of cyberattacks, securing the BIOS is crucial. While DFCI was a promising step, its adoption has been limited to Microsoft’s ecosystem.

It’s worth noting that vendors have financial incentives to configure BIOS settings at the factory level, as there are offerings to configure BIOS for a small fee.

Despite the lack of a universal tool, organizations can leverage the available tools and techniques to secure their BIOS configurations. I hope this blog has shed some light on the various options and considerations involved in BIOS management.