November 2nd, 2017 07:00

Remote Lock Down BIOS

I have been charged with finding a solution to remotely lock down (no access or add password) the BIOS of multiple Dell Latitude 5285 Windows 10 Azure-joined laptops. The Dell Command Configure software doesn't work, and further investigation shows it is not compatible with this model and OS.

In terms of deploying a solution, that's fine, we have SCCM/Intune, but I need to get a .exe or a script that works so we can either deploy via SCCM etc. or set a GPO and attach the batch file to it.

However, I need that file in order to test and push out.

Any help will be much appreciated. Thank you.

4 Operator

14K Posts

November 2nd, 2017 07:00

What's in the BIOS that you would care about in a scenario like this?  Why not just make sure the hard drive is encrypted and be done with it?

6 Posts

November 2nd, 2017 08:00

We could lose the device from our systems, firstly, and it could go missing. A user could rebuild the device with their own Windows 10 image. Just after a viable file to push out remotely to over 200 machines?

4 Operator

14K Posts

November 2nd, 2017 10:00

Oh wait, I see your use case now.  You just want to add an ADMIN password to the BIOS proactively to prevent even the legitimate users of those laptops from doing unapproved things.  In that case I see your use case, but Dell Command is the only tool I'm aware of that can be used to set a BIOS password (and change other BIOS settings) from Windows.  PowerEdge servers have another tool, but that isn't available for laptops.  If you can find some other mechanism, then I'd probably implement it myself in your scenario, but if you CAN'T find anything, I would argue that if a user rebuilding their work system with their own image is a concern, that's a problem with the user, not an IT problem.  And do you even allow regular users to join your Azure AD domain?  If not, then they'd be blocked from doing pretty much anything as soon as they did that, in which case they'd have to come to you to rebuild their system properly, and maybe that would be the time to discipline them appropriately.

4 Operator

14K Posts

November 2nd, 2017 10:00

I don't think you've considered your threat model properly here.  Consider:

- This remote BIOS lockdown assumes that the system has already been stolen.  In that case, the only real concern is the data on the hard drive.  As long as that is protected by proper encryption, then why do you even care what the thief does with that system?  It's already gone, and unless you have a service like CompuTrace, there's no reasonable expectation you'll even see it again.  Even if you DO use CompuTrace, that isn't a guarantee.

- Suppose you got this batch file and pushed it out via SCCM?  How would a stolen system receive that signal?  The first thing a thief is likely to do is erase the hard drive, at which point your system will never receive that signal.  CompuTrace works differently because it's embedded into the BIOS.  But even if the thief DOESN'T wipe the system, do you have a VPN solution that connects to your internal network even before any users log in?  If not, then unless the owner set an incredibly stupid password and the thief bothered to try to crack it, then the stolen laptop will never connect to your network to receive that SCCM command.  But once again, chances are that the system would be wiped immediately.

If you want remote lockdown/wipe capabilities, you'd need something like CompuTrace, which would allow you to maintain visibility and control of your system even after the drive has been formatted or replaced, but that's more expensive.

6 Posts

November 3rd, 2017 04:00

Yes, that's right, thought you were a bit off the mark at first, as this is more to do with ADMIN passwords etc., not focused on thieves! Have tried Dell Command Configure but it didn't work, and further investigation shows it isn't compatible with Latitude or W10. I have found a Dell Client Configuration Utility but that fails when importing the XML - looking into this...
