1 Rookie • 9 Posts • July 7th, 2025 09:40

[Feature request] Compliance Policy -> UEFI setup password

At the moment it's not possible to set a UEFI setup password with the help of compliance policies. Is it on purpose (security requirement, etc.)? Otherwise it would be a nice feature to get all my devices 'compliant'.

Moderator • 4.4K Posts • July 7th, 2025 17:07

I brought it up to a Systems Management engineer.

I can't say if or when it may be adopted for OME.

You can monitor future releases to see if it is.

Moderator • 4.4K Posts • July 7th, 2025 14:16

Hello,

UEFI setup passwords are not part of OME Compliance Policies

In Dell OpenManage Enterprise 4.4, UEFI setup passwords and other secure attributes are intentionally excluded from Compliance Policies. This is by design and aligns with Dell’s security model.

Key Reasons:

  1. Secure Attributes Are Write-Only
    OME has no way to perform a GET operation to retrieve or verify the current UEFI password from the iDRAC or BIOS. These values are write-only for security reasons — they cannot be read back or compared.
  2. Compliance Requires Comparison
    Compliance policies work by comparing the current system state to a desired configuration. Since the UEFI password cannot be retrieved, it cannot be validated — making it unsuitable for compliance enforcement.
  3. Security Risk Mitigation
    Including passwords in compliance templates would introduce risks:
    • Potential exposure of credentials in exported templates
    • Accidental overwrites or lockouts
    • Inconsistent enforcement across systems
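
The comparison problem described in the answer above, as an added example that is not part of the original post and is not OME code: a plain equality check reports a write-only attribute as drift on every run and would queue it for rewrite each time, while a check that knows the attribute is write-only reports it as unverifiable. The attribute names, values and read-back dictionary are constructed for illustration.

```python
from enum import Enum


class Status(Enum):
    COMPLIANT = "compliant"
    DRIFT = "drift"
    UNVERIFIABLE = "unverifiable"


# Constructed baseline: attribute -> (desired value, write_only flag).
BASELINE = {
    "BootMode": ("Uefi", False),
    "SecureBoot": ("Enabled", False),
    "SetupPassword": ("example-only-secret", True),
}

# Constructed device read-back: a write-only attribute is never returned.
DEVICE_READBACK = {"BootMode": "Uefi", "SecureBoot": "Disabled"}


def naive_check(baseline, readback):
    """Plain equality: a value that cannot be read always looks like drift."""
    return {
        name: Status.COMPLIANT if readback.get(name) == want else Status.DRIFT
        for name, (want, _write_only) in baseline.items()
    }


def aware_check(baseline, readback):
    """Compare readable attributes only; report write-only ones separately."""
    result = {}
    for name, (want, write_only) in baseline.items():
        if write_only:
            result[name] = Status.UNVERIFIABLE
        elif readback.get(name) == want:
            result[name] = Status.COMPLIANT
        else:
            result[name] = Status.DRIFT
    return result


def remediation_plan(statuses):
    """Attributes a remediation job would rewrite: only proven drift."""
    return sorted(n for n, s in statuses.items() if s is Status.DRIFT)


if __name__ == "__main__":
    for check in (naive_check, aware_check):
        print(check.__name__, remediation_plan(check(BASELINE, DEVICE_READBACK)))
```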

1 Rookie • 9 Posts • July 7th, 2025 16:56

Ah okay, got it. I just thought there might be a possibility to get (compare) and set a hash value.

I mean, it is possible to export the server configuration from within iDRAC to an XML file (including UEFI password hash); and it's possible to set the password (hash) directly in iDRAC, by uploading a config XML or via server profile.

Doing it with a compliance policy would be quite handy, let's say. Imagine you have multiple servers in branch locations and your ITSec rules want you to change the password(s) regularly or on request. Setting the password by server profile or PowerShell/REST doesn't really provide you a control mechanism.
