Dell OpenManage Integration with Microsoft Windows Admin Center Version 3.0 User’s Guide

Secure your cluster with Secured-core

Protect your system BIOS from being tampered by malicious hackers.

To enable BIOS security features:

1. Log in to Windows Admin Center and launch OpenManage Integration extension.
2. Select View > Security. Another menu with drop-down appears. Select Secured Core. Alternatively, go to the Action menu, under SECURTY, select Secured Core.
3. Specify "Manage as" credentials if prompted.
   The OpenManage Integration validates if the following prerequisites are fulfilled on the target or cluster nodes.

   • The supported platform and processor types
   • The supported OS version
   • The supported BIOS version
   • The OMIWAC Premium License installed

   See prerequisites for more information.

4. If one or more prerequisites are not fulfilled, OpenManage Integration displays the list of prerequisites and its overall status and recommendation. Review the recommendations with the status showing or and resolve the prerequisites. To see the prerequisites to be fulfilled for each cluster node, switch Show Node Level Details.
   After resolving the perquisites, go to Security > Secured-core again to display the overall status. If all the perquisites are met, OMIMSWAC displays the overall secured-core status for both BIOS and OS. The overall BIOS/OS status is the summary of all BIOS/OS feature configuration statuses for the entire cluster.

   Table 1. Overall BIOS/OS status

   Overall hardware configuration (BIOS) status	Description
   Enabled	All BIOS features are enabled on all nodes
   Partially Enabled	One or more nodes do not have all BIOS features enabled.
   Disabled	No node has all BIOS features enabled.

5. If infrastructure lock is enabled, click Disable. You must disable the infrastructure lock before enabling the BIOS configurations.
6. Review all the BIOS feature status and the corresponding OS feature status. A consolidated view of all BIOS/OS feature configuration status displayed in the 'Cluster level BIOS Features and Status' and 'Cluster level OS Features and Status' sections.

   Table 2. BIOS and corresponding OS features with security functionalities

   BIOS Features	Security Functions	Corresponding OS Features	Other Information
   Virtualization Technology	Helps BIOS to enable processor virtualization features (such as protecting against exploits in user-mode drivers and applications) and provide virtualization support to the Operating System (OS) through the DMAR table.	Hypervisor-Protected Code Integrity (HVCI) Virtualization Based Security (VBS)
   Kernel DMA Protection	When enabled, both BIOS and OS protects devices from Direct Memory Access attacks in early boot by leveraging the Input/Output Memory Management Unit (IOMMU).	Boot DMA Protection
   Secure Boot	Secure Boot ensures that the device boots with trusted, Dell Technologies signed software.	Secure Boot
   Trusted Platform Module (TPM) 2.0	Trusted Platform Module (TPM) is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices. Software can use a TPM to authenticate hardware devices.	Trusted Platform Module (TPM) 2.0 System Guard NOTE: To ensure proper functioning of the "System Guard" operating system feature, ensure that the TPM Hierarchy under System Security section is enabled in the BIOS settings.	NOTE: If TPM firmware version is less than 7.2.2.0, Enable BIOS Configuration button is disabled. You must replace with a hardware having TPM firmware version 7.2.2.0 or above. Enabling TPM will enable TPM Security, TPM Bypass Provision, TPM Bypass Clear, TPM Algorithm Selection, and TPM Module firmware security attributes. If secured-core fails because TPM is partially enabled, check whether TPM has failed due to TPM Bypass Provision and TPM Bypass Clear attributes. If yes, then you can ignore this failure because TPM Bypass Provision and TPM Bypass Clear attributes are not directly related to the secured-core but these are considered for overall infrastructure security and system resilience.
   [AMD] Dynamic Root of Trust Measurement	Enables AMD Dynamic Root of Trust Measurement (DRTM). Also enables AMD secure encryption features such as Secure Memory Encryption (SME) and Transparent Secure Memory Encryption (SME).		This feature is available for AMD based processor.
   [Intel] Trusted Execution Technology	Enhances platform security by using Virtualization Technology, TPM Security, and TPM2 Algorithm (must be SHA256). Intel TXT provides security against hypervisor, BIOS, firmware and other pre -launch software based attacks by establishing a 'root of trust' during the boot process.		This feature is available for Intel based processor.

   • To see BIOS and OS feature status about each cluster node, switch the Show Node Level Details on. A summary of BIOS and OS feature configuration for each cluster node displayed. Use the toggle switch to turn on or off the node specific details.

   Table 3. BIOS and OS configuration summary for each node

   Overall hardware configuration (BIOS)/OS status	Description
   	Enabled: All BIOS/OS features are enabled on this node.
   	Partially Enabled: One or more BIOS/OS features disabled on this node.
   	All BIOS/OS features are disabled on this node.
7. To configure secured core for all BIOS attributes, click Enable BIOS Configuration.
   BIOS Configuration window appears.
8. To apply the BIOS configuration, perform one of the following actions:
   • Apply and Reboot Now: Applies the BIOS configuration changes in all cluster nodes and reboot the cluster using cluster aware updating method (without impacting the workload).

     If Kernel Soft Reboot is enabled for the cluster, the OpenManage Integration extension ignores this settings and performs a full reboot to apply all the BIOS related settings.

   • Apply at Next Reboot: Saves the changes and applies the BIOS configuration in all cluster nodes at the next reboot. If you choose this option, make sure to exit the OpenManage Integration extension and restart the cluster using the Windows Admin Center before performing any cluster management operations.
9. When finished, click Apply.
   The operation will enable the CredSSP. To improve the security, disable the CredSSP after the operation is complete.
10. OpenManage Integration extension checks the necessary prerequisites required to complete the operation. If all prerequisites are compliant, the extension will proceed to update the BIOS configurations.
    If any of the prerequisite fails, a banner message appears. Click View Details to see the non-compliant prerequisites, and ways you can resolve them.
    1. Resolve the non-compliant prerequisites, and try the operation again (go to step 7). For more information about prerequisites check, see Prerequisites check details.
11. Click View Details to see the BIOS configuration changes status at node level.