07. 07. 2026 Antonio Cerullo Automation, Microsoft

Automating BIOS Password Management on Dell Laptops via SCCM (with 90-Day Rotation)

Why we decided to address this

At some point, while reviewing our endpoint security posture, we realized that BIOS protection was one of those areas we tend to take for granted rather than actually verify.

This was the situation we encountered:

• No BIOS password configured
• Unrestricted access to BIOS settings
• External boot still enabled

This meant that anyone with physical access could potentially bypass multiple layers of protection.

However, there was a second issue… A BIOS password that never changes eventually becomes a risk rather than a control.
That’s why we decided to extend the solution with automatic password rotation every 90 days.

Objective

The goal was to build a solution that is:

  • Fully automated
  • Easy to maintain
  • Integrated into SCCM
  • Secure from an operational standpoint

Tools Used

The implementation relies on standard tools:

  • Microsoft SCCM (Configuration Manager)
  • Dell Command Configure / Monitor (CCTK)
  • Task Sequence / Task Sequence variables
  • Active Directory (for secure storage)

How the Solution Works

The logic is intentionally simple:

  1. SCCM deploys a Task Sequence
  2. Dell Command Configure and Monitor are installed if not present
  3. CCTK is executed
  4. The BIOS password is set or rotated
  5. Metadata and logs are stored centrally in Active Directory

Password Handling

To minimize risks:

  • No hardcoded passwords
  • No plain-text logging
  • Sensitive values handled via Task Sequence variables

Automatic Password Rotation (Every 90 Days)

The Task Sequence is deployed with a recurring schedule: Every 90 days

Each execution:

  • Reads the current password
  • Applies a new one
  • Updates the BIOS

Day 0   → Initial password is applied
Day 90  → Password is rotated
Day 180 → Password is rotated again
Day 270 → …

Active Directory Integration (Password & Rotation Tracking)

To properly manage the lifecycle of BIOS passwords, we integrated the solution with Active Directory.

After each execution, the Task Sequence updates the computer object with:

Password rotation date – stored in attribute X (e.g. ‘extensionAttribute2’)
Current BIOS password – stored in attribute Y (e.g. ‘extensionAttribute3’)

This provides:

  • Centralized visibility
  • Easy recovery of credentials
  • Auditability and compliance tracking

Important note: By default, all attributes of computer objects are visible (READ permission) to all users. It is therefore necessary to block read access via the security settings of the OU containing the computers.

Centralized Logging (SCCM Server Share)

As a final step, we implemented centralized logging to ensure traceability.

After each execution, the Task Sequence copies the execution log to a network share hosted on SCCM server

Example

\\sccmserver.local\BIOSPWDLogs$

What gets logged

  • Device name
  • Timestamp
  • Execution result (success / failure)
  • Error codes (if any)
  • Password age check

Why this is important

This enables:

  • Centralized troubleshooting
  • Audit trail for security operations
  • Easy monitoring of deployments
  • Historical tracking per device

Logging best practices

  • Do NOT include passwords in logs
  • Restrict share access (write-only for clients if possible)
  • Use naming conventions per device
  • Monitor storage growth

Final Thoughts

This solution turned out to be effective because it combines:

  • Simplicity
  • Automation
  • Scalability

But most importantly, it introduces two key improvements:

Password rotation every 90 days
Centralized tracking (AD + logging)

Together, they transform BIOS password management into a controlled, auditable, and enterprise-ready security process.

End-User Impact Issues

Once a BIOS password is configured, Dell systems require that password to:

  • Apply BIOS updates
  • Modify firmware settings
  • Execute certain low-level operations

However, the end user:

  • Does not know the BIOS password
  • Has no visibility into how it is managed
  • Cannot provide the required authentication
  • Are unable to keep their devices up to date

As a result BIOS updates either fail silently or prompt for a password the user cannot provide

This creates a gap between security enforcement and operational usability.

Antonio Cerullo

Antonio Cerullo

Site Reliability Engineer at Wuerth IT Italy

Author

Antonio Cerullo

Leave a Reply

Your email address will not be published. Required fields are marked *

Archive