Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Dell OpenManage Integration with Microsoft Windows Admin Center Version 3.0 User’s Guide

Secure your cluster with Secured-core

Protect your system BIOS from being tampered by malicious hackers.

Prerequisites

Secured-core feature is supported on below configurations:

  • Cluster types:
    • Microsoft Failover clusters and HCI clusters created from Dell PowerEdge YX5X series nodes or newer generations.
  • For YX5X PowerEdge servers with AMD processors:
    • AMD Milan with cluster nodes BIOS version must be 2.3.6 or above.
  • For YX5X PowerEdge servers with Intel processors:
    • Cluster nodes BIOS version must be 1.3.8 or above.
    NOTE: Below Intel processor types are not supported for Secured-core feature:
    • E-23 series and Pentium SKUs such as G6605, G6505, G6505T, G6405, and G6405T.
  • For PowerEdge servers above YX5X, all BIOS models are supported for secured core.
  • OS versions:
    • Azure stack HCI and Windows Server 2022 or higher
  • TPM V2.0 module must be installed with firmware 7.2.2.0 or above.
  • OMIWAC Premium License must be installed on each cluster node.
NOTE: To ensure proper functioning of the "System Guard" operating system feature, ensure that the TPM Hierarchy under System Security section is enabled in the BIOS settings.

About this task

A malicious hacker who has physical access to a system can tamper with the BIOS. A tampered BIOS code poses a high security threat and makes the system vulnerable to further attacks. With the Secured-core feature, OpenManage Integration extension ensures that your cluster boots only using the software that is trusted by Dell.

Secured -core feature includes enabling BIOS and OS security features. Both Dell Technologies and Microsoft recommend to enable BIOS and OS security features respectively to protect infrastructure from external threats. In the Windows Admin Center, use the OpenManage Integration extension to enable BIOS security features, and use the Security extension to enable OS security features. For more information about OS security features, see Microsoft guidelines.

Steps

To enable BIOS security features:

  1. Log in to Windows Admin Center and launch OpenManage Integration extension.
  2. Select View > Security. Another menu with drop-down appears. Select Secured Core. Alternatively, go to the Action menu, under SECURTY, select Secured Core.
  3. Specify "Manage as" credentials if prompted.
    The OpenManage Integration validates if the following prerequisites are fulfilled on the target or cluster nodes.
    • The supported platform and processor types
    • The supported OS version
    • The supported BIOS version
    • The OMIWAC Premium License installed

    See prerequisites for more information.

  4. If one or more prerequisites are not fulfilled, OpenManage Integration displays the list of prerequisites and its overall status and recommendation. Review the recommendations with the status showing or and resolve the prerequisites. To see the prerequisites to be fulfilled for each cluster node, switch Show Node Level Details.
    After resolving the perquisites, go to Security > Secured-core again to display the overall status. If all the perquisites are met, OMIMSWAC displays the overall secured-core status for both BIOS and OS. The overall BIOS/OS status is the summary of all BIOS/OS feature configuration statuses for the entire cluster.
    Table 1. Overall BIOS/OS status
    Overall hardware configuration (BIOS) statusDescription
    Enabled All BIOS features are enabled on all nodes
    Partially Enabled One or more nodes do not have all BIOS features enabled.
    Disabled No node has all BIOS features enabled.
  5. If infrastructure lock is enabled, click Disable. You must disable the infrastructure lock before enabling the BIOS configurations.
  6. Review all the BIOS feature status and the corresponding OS feature status. A consolidated view of all BIOS/OS feature configuration status displayed in the 'Cluster level BIOS Features and Status' and 'Cluster level OS Features and Status' sections.
    Table 2. BIOS and corresponding OS features with security functionalities
    BIOS FeaturesSecurity FunctionsCorresponding OS FeaturesOther Information
    Virtualization Technology Helps BIOS to enable processor virtualization features (such as protecting against exploits in user-mode drivers and applications) and provide virtualization support to the Operating System (OS) through the DMAR table.
    • Hypervisor-Protected Code Integrity (HVCI)
    • Virtualization Based Security (VBS)
    Kernel DMA Protection When enabled, both BIOS and OS protects devices from Direct Memory Access attacks in early boot by leveraging the Input/Output Memory Management Unit (IOMMU). Boot DMA Protection
    Secure Boot Secure Boot ensures that the device boots with trusted, Dell Technologies signed software. Secure Boot
    Trusted Platform Module (TPM) 2.0 Trusted Platform Module (TPM) is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices. Software can use a TPM to authenticate hardware devices.
    • Trusted Platform Module (TPM) 2.0
    • System Guard
      NOTE: To ensure proper functioning of the "System Guard" operating system feature, ensure that the TPM Hierarchy under System Security section is enabled in the BIOS settings.
    NOTE:
    • If TPM firmware version is less than 7.2.2.0, Enable BIOS Configuration button is disabled. You must replace with a hardware having TPM firmware version 7.2.2.0 or above.
    • Enabling TPM will enable TPM Security, TPM Bypass Provision, TPM Bypass Clear, TPM Algorithm Selection, and TPM Module firmware security attributes.
      • If secured-core fails because TPM is partially enabled, check whether TPM has failed due to TPM Bypass Provision and TPM Bypass Clear attributes.
      • If yes, then you can ignore this failure because TPM Bypass Provision and TPM Bypass Clear attributes are not directly related to the secured-core but these are considered for overall infrastructure security and system resilience.
    [AMD] Dynamic Root of Trust Measurement Enables AMD Dynamic Root of Trust Measurement (DRTM). Also enables AMD secure encryption features such as Secure Memory Encryption (SME) and Transparent Secure Memory Encryption (SME). This feature is available for AMD based processor.
    [Intel] Trusted Execution Technology Enhances platform security by using Virtualization Technology, TPM Security, and TPM2 Algorithm (must be SHA256). Intel TXT provides security against hypervisor, BIOS, firmware and other pre -launch software based attacks by establishing a 'root of trust' during the boot process. This feature is available for Intel based processor.
    • To see BIOS and OS feature status about each cluster node, switch the Show Node Level Details on. A summary of BIOS and OS feature configuration for each cluster node displayed. Use the toggle switch to turn on or off the node specific details.
    Table 3. BIOS and OS configuration summary for each node
    Overall hardware configuration (BIOS)/OS statusDescription
    Enabled: All BIOS/OS features are enabled on this node.
    Partially Enabled: One or more BIOS/OS features disabled on this node.
    All BIOS/OS features are disabled on this node.
  7. To configure secured core for all BIOS attributes, click Enable BIOS Configuration.
    BIOS Configuration window appears.
  8. To apply the BIOS configuration, perform one of the following actions:
    • Apply and Reboot Now: Applies the BIOS configuration changes in all cluster nodes and reboot the cluster using cluster aware updating method (without impacting the workload).

      If Kernel Soft Reboot is enabled for the cluster, the OpenManage Integration extension ignores this settings and performs a full reboot to apply all the BIOS related settings.

    • Apply at Next Reboot: Saves the changes and applies the BIOS configuration in all cluster nodes at the next reboot. If you choose this option, make sure to exit the OpenManage Integration extension and restart the cluster using the Windows Admin Center before performing any cluster management operations.
  9. When finished, click Apply.
    The operation will enable the CredSSP. To improve the security, disable the CredSSP after the operation is complete.
  10. OpenManage Integration extension checks the necessary prerequisites required to complete the operation. If all prerequisites are compliant, the extension will proceed to update the BIOS configurations.
    If any of the prerequisite fails, a banner message appears. Click View Details to see the non-compliant prerequisites, and ways you can resolve them.
    1. Resolve the non-compliant prerequisites, and try the operation again (go to step 7). For more information about prerequisites check, see Prerequisites check details.
  11. Click View Details to see the BIOS configuration changes status at node level.

Results

Dell Technologies and Microsoft recommend to enable Secured Core for Azure Stack HCI and Windows Server 2022 to protect the infrastructure from external threats. For more information, see:

Rate this content

Accurate
Useful
Easy to understand
Was this article helpful?
0/3000 characters
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please select whether the article was helpful or not.
  Comments cannot contain these special characters: <>()\