Results
%PROGRAMDATA%
After running the BIOS Verification agent, results are written to C:\ProgramData\Dell\TrustedDevice\, the %ERRORLEVEL% environment, the Event Viewer, and the registry.
The Trusted Device agent writes logs and JSON formatted results to C:\ProgramData\Dell\TrustedDevice\.
The Trusted Device agent writes pass/fail results to the %ERRORLEVEL% environment. After running the agent, administrators can query %ERRORLEVEL% to return the status of specific devices. The %ERRORLEVEL% return value can be compared against the list of error codes in the table below.
Trusted Device writes all Windows Event logs to the Dell subfolder. Any log entry that is a Warning or Error is additionally written to the System folder.
The Dell Trusted Device agent writes a new notification to the Event Viewer each run and at regular intervals. Find BIOS Verification and Image Capture notifications in Event Viewer at:
| Location | Source Type |
|---|---|
| Windows Logs > System | Dell Trusted Device | BIOS Verification |
| Application and Service Logs > Dell | Trusted Device | BIOS Verification |
Find BIOS Events & Indicator of Attack notifications in Event Viewer at:
| Location | Source Type |
|---|---|
| Windows Logs > System | Dell Trusted Device | BIOS Events and IoA |
| Application and Service Logs > Dell | Trusted Device | BIOS Events and IoA |
Find Intel ME Verification notifications in Event Viewer at:
| Location | Source Type |
|---|---|
| Windows Logs > System | Dell Trusted Device | Intel ME Verification |
| Application and Service Logs > Dell | Trusted Device | Intel ME Verification |
Find Secured Component Verification (On Cloud) notifications in Event Viewer at:
| Location | Source Type |
|---|---|
| Windows Logs > System | Dell Trusted Device | Secured Component Verification |
| Application and Service Logs > Dell | Trusted Device | Secured Component Verification |
Find Security Risk Protection Score notifications in Event Viewer at:
| Location | Source Type |
|---|---|
| Application and Service Logs > Dell | Trusted Device | Security Assessment |
The Details of the events are listed in the General tab of Event Viewer. The following tables detail the BIOS Verification, BIOS Events & Indicators of Attack, Intel ME Verification, Secured Component Verification (On Cloud), and Security Risk Protection Score in Event Viewer.
BIOS Verification
| Action | Level | Event ID | Task Category |
|---|---|---|---|
| Verification Passed | Informational | 9 | 1 |
| Verification Failed | Error | 2 | 1 |
| Image Captured | Warning | 1 | 2 |
| Duplicate Image Capture | Warning | 2 | 2 |
| No Image Found | Informational | 3 | 2 |
| BIOS is out of date | Warning | 40 | 8 |
| BIOS Version Not Currently Supported | Error | 2 | 1 |
BIOS Events & Indicators of Attack
| Action | Level | Event ID | Task Category |
|---|---|---|---|
| Indicator of Attack Cleared | Informational | 10 | 3 |
| Partial Indicator of Attack | Warning | 11 | 3 |
| Indicator of Attack | Error | 12 | 3 |
Intel ME Verification
| Action | Level | Event ID | Task Category |
|---|---|---|---|
| Verification Passed | Informational | 18 | 5 |
| Verification Failed | Error | 20 | 5 |
| Drive Error | Error | 20 | 5 |
| Network Connection Error | Error | 20 | 5 |
| Platform Unsupported | Error | 20 | 5 |
| Internal Server Error | Error | 20 | 5 |
| Tampering Detected | Error | 20 | 5 |
| Unknown Error | Error | 20 | 5 |
| Invalid Parameter | Warning | 19 | 5 |
Secured Component Verification (On Cloud)
| Action | Level | Event ID | Task Category |
|---|---|---|---|
| Verification Success | Informational | 41 | 9 |
| Verification Failed | Informational | 41 | 9 |
| Server Internal Error Network Error | Error | 43 | 9 |
| Unsupported Platform | Warning | 42 | 9 |
Security Risk Protection Score
| Action | Level | Event ID | Task Category |
|---|---|---|---|
| Pass | Informational | 13 | 4 |
| Pass with warnings | Warning | 14 | 4 |
| Fail | Error | 15 | 4 |
The Trusted Device agent's results are written to the registry each time the BIOS Verification agent is run. All BIOS Verification, Image Capture, and BIOS Events & Indicators of Attack registry keys are located at HKLM\Software\Dell\TrustedDevice.
Off-host Verification
- This entry stores the pass and fail status of off-host verification in JSON format.
- HKLM\Software\Dell\BiosVerification
- Result.json
- "biosVerification":"True"=Pass
- "biosVerification":"False"=Fail
Image Capture
- This entry stores the location of the image store.
- HKLM\Software\Dell\TrustedDevice
- "ImagePathStore"=string
- Determine if an image was present on the last Image Capture run. This value will not exist if Image Capture has not run.
- HKLM\Software\Dell\TrustedDevice
- "ImagePresentOnLastRun"=DWORD
- DWORD=1 - Image was present on last run.
- DWORD=0 - Image was not present on last run.
- Image store path in which the last image was copied. This value will not exist if no images are captured.
- "LastImagePath"=string
- Timestamp of the last copied image.
- "LastCopyTimeStamp"=string
- This private key verifies the images in the store.
- "PrivateKeyBlob"=string
NOTE: End users should not modify this entry as it prevents the product from functioning properly.
- "PrivateKeyBlob"=string
- A public key used to verify the images in the store.
- "PublicKeyBlob"=string
NOTE: End users should not modify this entry as it prevents the product from functioning properly.
- "PublicKeyBlob"=string
BIOS Attributes Polling Interval
-
This entry configures the time period in seconds between BIOS attribute sweeps.
- HKLM\SOFTWARE\Dell\TrustedDevice\
- DWORD=SecondsBetweenAttributeSweeps
- Minimum value in seconds = 3600 (1 hour)
- Maximum value = 172800 (48 hours)
- Default = every 12 hours
- Value (in decimal) = 3600 - sweeps occur every hour
- Value (in decimal) = 172800 - sweeps occur every 48 hours
- This entry changes the delay in milliseconds between each individual BIOS attribute retrieval.
- HKLM\SOFTWARE\Dell\TrustedDevice\
- DWORD=MSBetweenAttributeReads
- Minimum value in milliseconds = 500
- Maximum value in milliseconds = 2000
- Default = every 500 milliseconds
- Value (in decimal) = 500 - reads a different BIOS attribute every 500 milliseconds
- Value (in decimal) = 2000 - reads a different BIOS attribute every 2000 milliseconds
Security Risk Protection Score
- This entry disables Security Risk Protection Score.
- HKLM\SOFTWARE\Dell\TrustedDevice\
- DWORD=SecurityScore
- Default = 1 (enabled)
- Value = 1 - enabled
- Value = 0 - disabled
NOTE: If Security Risk Protection Score is disabled in the Registry, component assessments are not run and no score is generated.