Dell Client Manager, Part 4: Dell BIOS Profile

Updating the BIOS is great, but it is something that doesn't have to be done (unless it is a security update). Being able to actually control the settings in the BIOS is where the rubber meets the road. Using the Dell Client Manager you can control every little setting in your computer's BIOS. You can configure your laptop, your desktop, and even your server. It is a great tool.

In this article I will talk about the two methods you can use to create a BIOS profile, some of the common settings I use. In the next article I will talk about how to apply a policy to a collection of computers.

Resources:

There are some great resources on how to setup, configure, and use the Dell Client Manager. Here are some useful links:

• Dell Client Manager, a Great Opening Act
• Dell Client Manager 2.0 FAQ
• Dell Client Manager Quickstart Video
• Inventorying, Updating, and Monitoring Your Dell Client Machines
• Dell Client Manager 2.2 Reference Guide
• THE place to go for all Dell Client Manager resources

Dell BIOS Profiles

Dell BIOS Profiles extend desktop management down to a granular level. System admins are using to being able to control software and operating systems. Managing the computer itself was something that had to be either ignored or done by hand. Both are very bad options. Creating profiles is pretty straightforward. Simply applying the a well thought out profile will make your endpoints, and eventually your entire environment, more secure. There are two ways to create a profile. The first is "Import" and the second is "By Hand".

Let's get started:

• Open the Altiris 6.5 Console
• Go to View >> Solutions >> Dell Client Manager
• Now, go to Dell Client Manager >> Dell BIOS Profiles

Import

This method allows you to import BIOS settings from a computer in your environment. This will require a few things before you can setup the profile:

• The target computer needs to have the Dell Client Manager Agent and the Dell OMCI drivers
• The Dell Client Monitoring, Dell Client BIOS Inventory Policy, and Dell Client Hardware Inventory Policy need to be enabled (make sure the target computer is in the collections for the policies and tasks)
• The computer should have reported in to the Notification Server at least once

It is important to meet the requirements above. When you import the BIOS settings into your profile, you are importing information from the Notification Server database, not the target computer. Once you have met all of the prereqs, it is time to create a profile:

• Right-click on the "Dell BIOS" Profiles folder
• Go to New >> Dell BIOS Profile
  
  

  Click to view.

  Click on "Dell BIOS Profile"

• A new window titled "New Dell BIOS Profile..." will appear
  
  

  Click to view.

• At the top of the screen, click on the "Import" button
• A new screen titled "Find Resource" will appear
  
  

  Click to view.

• Use the "Domain" and "Product line" drop-down menus to help you find your target computer
• You can also enter in a name or partial name in the "Name like:" field
• Once you have filled out all the necessary information, click on find
  
  

  Click to view.

  You will be able to see the computers that match your results below the search criteria you entered

• Select the target computer and click the "OK" button
• The "Find Recourse" screen will disappear, and all of the settings from the target computer will be loaded into the profile
  
  

  Click to view.

• Look through the settings in the profile to make sure they meet your needs
• When you are done, click on the "Save" button. A new window will appear, in that window you can name the profile
  
  

  Click to view.

As an aside, when I first started creating BIOS profiles I did not know about this method. The entire time I thought to myself: "Why can't I just import the settings from one of my computers?" It wasn't until I started writing this article that I noticed this option. This would have saved me a ton of time. I am used to the Dell BIOS GUI, and through trial and error I have been able to configure the computers that I manage. This is a great feature, but it is still useful to plunge into the "Hands On" method. I have found that sometimes not all of the settings show up in the BIOS, but they can be configured as part of the profile.

By Hand

Instead of importing the profile into your profile you can simply go through each selection and build your own profile. To do this method you will use the first two bullet points from the "Import" directions. In the next section I will talk about some of the settings I use when configuring a BIOS.

My Common Settings:

To enable the setting, you will need to check the box next to the setting. Once the box is checked you will be able to enter something into the text box, or use the drop down.

• Auto on: This enables the computer to turn itself on every day. The default time in the BIOS is midnight. I try to avoid using this (I let Deployment Solution turn the computers on via wake-on-line). There are some computers in my environment that I have to have turn on no matter what. On those computers I turn this option on.
• Auto on hour: Set the hour you want the computer to turn on. You will need to use military time.
• Auto on minute: Set the minute you want your computer to turn on.
• Boot Device: When you enable this policy and click on the link found under the "Value" column you get two different areas you can configure:
  • Device Status:
    
    

    Click to view.

    The "Device" tab lets you decide what boot devices are enabled. I usually disable the USB Floppy, CDROM, and USB Devices. Basically I don't want anyone to boot off their own device. You can still boot off of disabled devices, you will need to enter the BIOS admin password.

  • Device Priority:
    
    

    Click to view.

    Under the "Device Priority" tab you can set the order of the approved boot devices. In the "Bootable devices types:" column you can select a device and to add it to the "Boot Order" column you simply click the "Add" button. You can change the order of the boot devices by clicking on the device in the "Boot order" column and then click the "Up" or "Down" buttons. As you can see I only have the network card and hard drive selected.

• Chassis intrusion: This setting alerts you to when the case is opened. I set this to "Silent Enabled". I want to know that the case is opened, not the entire world. I have tested this option and it takes about 3 minutes on average to get an email from our Notification Server.
• Chassis intrusion status: Every time you open your computer a log is kept. Once you install the Dell Client Manager Agent it starts to tell you that the case has been opened (the only way to get rid of the message is to clear the log in the BIOS). I set this option to "Clear" so the log is clear once the policy is applied. Now that you have a policy in place all future reporting will go through the Notification Server.
• Integrated network adapter: I set this to "Enabled w/ Boot to PXE". This lets me push images out to my computers through Deployment Console using PXE. You can also set it to "Disable", "Enabled w/ Boot to RPL", "Enabled w/ BOot to iSCSI", "Enabled w/ Boot to ImageServer", and of course "Enabled"
• Integrated network adapter: I was having problems getting my computers to turn on when I sent Wake-on-LAN packets. It didn't work until I set this setting to "Disable"
• Password: I decided after a few incidents in my environment that every computer BIOS needed to have a password. If you are setting a new password, leave the "Old Password" text box empty.
• Post F12 key: When you turn the computer on you will see the BIOS splash screen. If you look in the top right corner you will see "F12 = Boot Menu". If you set this option to "Disable" it removes that option. I don't want people to know how to get to the boot menu, so I disable this option.
• Post F2 key: This is the same deal as above. In the top right corner it says "F2 = Setup" I set this option to "Disabled" to remove that text from the BIOS splash screen.
• Post MEBx Key Setting: If you have an Intel vPro chip and you set this to disable people won't know how to get to the vPro menu
  
  Note: If people already know the keyboard shortcuts they can still get to the menu. That is why setting the admin password is so important.
• USB Ports: I set this to "No Boot". In some environments and on some computers it may make sense to se this to "Disabled"
• Wakeup on LAN: I want Wake on LAN packets to turn my computers on. I set this to "Enabled for all NICs"

There are a few others that I have not tried yet, but could be useful:

• Asset tag: It would be great to use a policy to set all asset tags, but I am not sure how to do it. If you know, drop me a line. This setting would be great to remove the asset tag (enable the setting and leave it blank) from the BIOS when the asset is retired.

• Speaker volume:

  This would be great to set the internal speaker volume to 0%. I have not tested this, so I am not sure what it will do.

When you are all done make sure you press the "Apply" button. Your profile is saved.

There are a few things to keep in mind while configuring a BIOS profile. The first is that you may need to create a profile for each computer model that you support. Why? Dell is constantly improving their computers, so as you get newer models they will have more settings you can configure. If you use a profile for your newest computer on your oldest your reporting will be thrown off (we will talk about reporting later). Second, each BIOS comes with default settings. Unless you disable a default setting the policy will ignore it. Finally, the profile screen displays all
possible BIOS settings for tons of Dell models. Carefully select what settings you want to apply.

Stay tuned for the next article. In it I will discuss how to apply this policy to a computer collection in Notification Server. In the interim, have fun configuring your BIOS profiles.