At some point, while reviewing our endpoint security posture, we realized that BIOS protection was one of those areas we tend to take for granted rather than actually verify.
This was the situation we encountered:
• No BIOS password configured
• Unrestricted access to BIOS settings
• External boot still enabled
This meant that anyone with physical access could potentially bypass multiple layers of protection.
However, there was a second issue… A BIOS password that never changes eventually becomes a risk rather than a control.
That’s why we decided to extend the solution with automatic password rotation every 90 days.
The goal was to build a solution that is:
The implementation relies on standard tools:
The logic is intentionally simple:
To minimize risks:
The Task Sequence is deployed with a recurring schedule: Every 90 days
Each execution:
Day 0 → Initial password is applied
Day 90 → Password is rotated
Day 180 → Password is rotated again
Day 270 → …
To properly manage the lifecycle of BIOS passwords, we integrated the solution with Active Directory.
After each execution, the Task Sequence updates the computer object with:
Password rotation date – stored in attribute X (e.g. ‘extensionAttribute2’)
Current BIOS password – stored in attribute Y (e.g. ‘extensionAttribute3’)
This provides:
Important note: By default, all attributes of computer objects are visible (READ permission) to all users. It is therefore necessary to block read access via the security settings of the OU containing the computers.
As a final step, we implemented centralized logging to ensure traceability.
After each execution, the Task Sequence copies the execution log to a network share hosted on SCCM server
Example
\\sccmserver.local\BIOSPWDLogs$
What gets logged
Why this is important
This enables:
Logging best practices
This solution turned out to be effective because it combines:
But most importantly, it introduces two key improvements:
Password rotation every 90 days
Centralized tracking (AD + logging)
Together, they transform BIOS password management into a controlled, auditable, and enterprise-ready security process.
Once a BIOS password is configured, Dell systems require that password to:
However, the end user:
As a result BIOS updates either fail silently or prompt for a password the user cannot provide
This creates a gap between security enforcement and operational usability.