Configure BIOS with SCCM

    Question

  • Hi

    We have seen that some of our employees use CDs to boot and change the password of the local administrator. The question is whether there is a procedure that can be launched from Windows to change the PCs' boot order and secure access to the BIOS with a password. The conventional method would be to visit each PC, but this will take us a long time.

    Regards

    Thursday, June 03, 2010 3:52 PM

Answers

  • Even if you change the boot order they can press F12 to get to a boot selection screen. Once users have figured out how to change the local admin password using something like a Linux boot disk or MDOP they own the boxes; there's not much you can do to stop them short of firing a few of them for breaking the company security policies.

    I was going to suggest the same as Eirik as far as setting the admin password with a GPO, but that has two distinct drawbacks. If your users are smart enough to figure out how to set the admin password, then they are likely smart enough to figure out that they can unplug from the network on the reboot afterwards to prevent the GPO from changing it back for long enough for them to do what they desire. Or they can simply browse to the sysvol directory and open the script that's being run to set the password and see what you are setting it to, assuming you are setting it with a machine startup script.

    John Marcum | http://myitforum.com/cs2/blogs/jmarcum |
    Tuesday, June 08, 2010 12:42 PM
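
A defender-side check for the second drawback described in the answer above (a machine startup script in SYSVOL exposing the password it sets), as an added example that is not part of the original thread. It assumes the script sets the password with `net user` or the ADSI `SetPassword` method; the sample script contents, the demo folder and the function name `Find-ClearTextPasswordSet` are constructed for illustration.

```powershell
# Audit sketch: flag scripts that set a local account password in clear text.
# The sample files and $root are constructed for the demo; in a domain, point
# -Path at your own SYSVOL share instead of this temporary folder.
$root = Join-Path ([IO.Path]::GetTempPath()) 'sysvol-audit-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Constructed sample: line 2 carries a literal password, line 3 has none.
$bat = @(
    '@echo off'
    'net user Administrator Examp1e-Passw0rd'
    'net user Administrator /active:yes'
)
Set-Content -Path (Join-Path $root 'startup.bat') -Value $bat

# Constructed sample: VBScript setting the password through ADSI.
$vbs = @(
    'Set objUser = GetObject("WinNT://./Administrator,user")'
    'objUser.SetPassword "Examp1e-Passw0rd"'
)
Set-Content -Path (Join-Path $root 'setpw.vbs') -Value $vbs

# net user <account> <password>: the token after the account is a password
# unless it is a /switch or * (interactive prompt).
$netUser = '\bnet(?:\.exe)?\s+user\s+(?:"[^"]+"|\S+)\s+(?<secret>[^/*\s]\S*)'
# ADSI: <object>.SetPassword "<password>"
$adsi    = '\.SetPassword\s*\(?\s*"(?<secret>[^"]+)"'

function Find-ClearTextPasswordSet {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.bat, *.cmd, *.vbs, *.ps1 |
        Select-String -Pattern $netUser, $adsi |
        ForEach-Object {
            $secret = $_.Matches[0].Groups['secret'].Value
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                # Report the finding without copying the password into the output
                Text = $_.Line.Replace($secret, '<redacted>')
            }
        }
}

Find-ClearTextPasswordSet -Path $root | Format-Table -AutoSize
Remove-Item -Path $root -Recurse -Force
```

Any hit means every account that can read the share can read that password, so the finding is a reason to rotate it and stop distributing it in a script.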

All replies

  • There is no universal fix for this. You'll have to check with your hardware vendor to see if they have a solution.

    Another approach could be to set the local administrator password with a group policy. That way it would be changed back every time the computer starts. Since the tools used to change passwords (at least the ones I have seen) boot from CD and run from RAM, the computer needs a reboot afterwards, and the password will be reset if the computer is connected to the corporate network.


    Thursday, June 03, 2010 4:40 PM
  • Intel VPro is an Intel-specific technology that does let you control BIOS and other hardware-related items. VPro integrates into ConfigMgr via its out-of-band management capabilities, so this is one possible solution.
    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
    Thursday, June 03, 2010 5:17 PM
  • I can't speak to other manufacturers since we use primarily Dell equipment, but Dell has a utility that can turn specific BIOS settings into an .exe.

    You download the utility and configure the settings you want to include, i.e. boot order, BIOS password, PXE on or off, almost every conceivable option in the BIOS. Then the application will compile an .exe that, when run on a PC, will change the BIOS settings that you select. It can then be deployed via management software.

    We've used this utility to PXE boot a PC one time when there was no one around in order to re-image a PC; it has worked pretty well. Again, I can only speak to the Dell utility, which is called DCCU, Dell Client Configuration Utility.

    I have to imagine that most major manufacturers have something similar.

    Friday, June 11, 2010 7:01 PM
  • Well, another thing you can do is disable the CD-ROM for those users who are creating problems for you.
    Zulqarnain Ali MCTS, MCSA
    Friday, November 12, 2010 11:16 AM
  • Have you considered disabling the built-in administrator account by using a group policy?

    Friday, November 12, 2010 1:47 PM
  • Disabling the account doesn't help. The same CD that lets you change the password also lets you enable the account. ;-)

    John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|
    • Proposed as answer by Zulqarnain Ali Saturday, November 13, 2010 4:40 AM
    Friday, November 12, 2010 2:14 PM