Hey everyone! I'm looking for some advice on implementing BIOS passwords for the Dell computers at my workplace. The main goal is to restrict access to settings and prevent booting from USB or network sources to reduce unnecessary support tickets. More importantly, I aim to deter theft since a BIOS-locked computer tends to be less valuable and usable for thieves. However, I want to make sure that users can't just remove an SSD, install a new OS elsewhere, and then pop it back in to boot normally, even with secure boot enabled. I understand there's a NVMe password option, but I'm not sure if that's effective in preventing other drives from booting. Any recommendations on how to achieve this?
5 Answers
Sounds like you’re solving an issue that might not be as big as it seems. If tracking stolen laptops is the main concern, investing in Absolute is probably your safest bet.
You could create your own secure boot keys and enroll them into the BIOS manually. Configure Windows to accept only that key, which would involve resigning the Windows boot manager EFI as part of your setup. Also, ensure USB booting is blocked and BIOS has a password set. It’s a bit of a task, but could be effective.
Here are a few technologies to consider:
- For theft protection: Bitlocker and Intune Autopilot registration, plus inventory management and surveillance cameras.
- For firmware settings: A firmware password (you may already have this), and you can centrally manage it using Dell DCCU that applies relevant restrictions.
- For boot protection: Limit to PXE booting and use 802.1X authentication.
Your work computers should ideally have a Mobile Device Management (MDM) check in place before they can connect to company resources. If someone swaps the HDDs, that computer won’t be able to access anything company-related. Keep in mind, though, that there’s no foolproof way to stop someone from doing this, especially since BIOS passwords can be reset.
Absolutely! Using Absolute or another integrated security solution might help, but it's still possible for them to boot a different OS until they connect to the internet.
You might want to consider a service like Absolute, which is integrated with Dell systems. It functions like a lo-jack for laptops, allowing you to remotely disable or "brick" a device, even if they switch the hard drives around.
I’ve heard of Absolute before. Thanks for the tip!
"LoJack for Laptops" is the name used back in the day for this kind of service. Definitely worth looking into!
That sounds interesting! But couldn’t someone just boot with a fresh Windows install that has default secure boot keys?