Configuring WoL with CM for Dell Desktops – Part 3

4/26/2020

[Download exported Configuration Baseline and Configuration Items here. This includes the CIs from Part 2 and Part 3.]

In Configuring WoL with Configuration Manager – Part 1, I covered the settings that are required to enable Wake-On-LAN that are not hardware manufacturer specific. In Part 2 I cover the BIOS (UEFI) specific settings for current HP desktops and in Part 3, I am going to go over the BIOS (UEFI) specific settings for current model Dell desktops. There are multiple ways to configure BIOS settings on Dell desktops and laptops. Dell provides Dell Command | Configure, which is a command line utility that can be used to get and set BIOS settings and can even be used to set multiple settings using an answer file. Dell also provides the Dell Command | PowerShell Provider, which is a module that makes BIOS configuration manageable through PowerShell. Another method for managing Dell systems is by using the Dell Command | Integration Suite for System Center. The Dell Command | Integration Suite for System Center is a console extension for Microsoft Endpoint Manager Configuration Manager (MEMCM – previously called System Center Configuration Manager) that integrates the other Dell Command Suite components. Dell is also starting to provide direct WMI access (without any required dependencies), but it is only supported on Gen 10 systems and Gen 9 systems running a current BIOS (any generation below is out of luck). Lastly, Dell also provides Dell Command | Monitor. Dell Command | Monitor not only enables administrators to inventory and monitor Dell systems (see my blogs How to Inventory Dell BIOS and UEFI Settings with ConfigMgr Part 1 and Part 2), it enables BIOS settings to be modified using WMI. The downside is that it needs to be running in the full OS and cannot be used in WinPE. However, since I like collecting Dell specific inventory with MEMCM and I will be enforcing/monitoring WoL BIOS settings in the full OS, I will be using the WMI methods that Dell Command | Monitor enables in this blog.

For configuring the Dell desktop WoL settings, I will be using Configuration Manager Configuration Items (CIs) that are deployed via a Configuration Baseline. CIs can not only be used to report on settings, they can also be used to enforce settings and manage drift. Unlike GPOs, reporting is natively built in to Configuration Manager, which makes compliance reporting really easy.

The current Dell desktop models have two BIOS settings that need to be configured in order to perform successful WoL – “Wake-On-LAN” and “Deep Sleep Control“. If power utilization is not a concern and you want to add a little more redundancy to systems that should always stay up, there are a few other settings that are of interest. The first one is what the system should do in the event of a power loss and is called “AC Power Recovery Mode“. The other settings have to do with the capability of enabling a power on event and can power on a system at a pre-determined hour, minute and day. These settings are: “Auto On“, “Auto On Hour“, and “Auto On Minute“.

The following chart summarizes the settings, the values that I am going configure, and the possible values. These settings will enable WoL, disable Deep Sleep Control (which if enabled will prevent WoL from being successful), always turn the system back on after a power loss, and enable the system to power up every day at 4:44 AM:

Setting Value Possible Values
Wake-On-LAN 4 1-Disable, 4-LAN, 5-LAN or WLAN, 6-WLAN only
Deep Sleep Control 2 1-S4andS5, 2-Disable, 3-S5Only
AC Power Recovery Mode 3 1-Off, 2-Last, 3-On
Auto On 2 1-Disable, 2-Everyday, 3-Weekdays, 4-Select days
Auto On Hour 4 0-23
Auto On Minute 44 0-59

As mentioned above, I like configuring BIOS settings using CIs. When creating a CI that may or may not be applicable to other systems, it is a good idea to create an Application type CI (instead of an Operating System type CI). This way detection logic can be applied to see if the CI should or should not be evaluated on a system. For BIOS settings, I like to limit my CIs to the hardware models that I have certified and tested that it actually works. For Dell models, I use the Win32_ComputerSystem Model identifier. The custom script for the Dell desktop detection logic is the following:

$ErrorActionPreference = 'SilentlyContinue'
$SupportedModels = @("OptiPlex 5050","OptiPlex 5060","OptiPlex 5070","OptiPlex 7040","OptiPlex 7050")
#-------------------------------------
$CS = gwmi -Class Win32_ComputerSystem
If ($SupportedModels -Contains $CS.Model) {
    Write-Output $CS.Model
    }

This corresponds to the following Dell desktop models: Dell OptiPlex 5050, 5060, 5070, 7040, 7050. NOTE: Add your own models here in each of the CI Detection Methods.

For the CI Name and CI Setting Name, I like to use the following naming structure for easy identification and purpose:

{Manufacturer} BIOS – {Laptop/Desktop/All} – {BIOS Setting Name}

So for the Dell Desktop WoL setting would look like the following:

Dell BIOS – Desktop – Wake On LAN

For the CI Description, I like to include the desired setting value and the models that are supported. For the Dell Desktop WoL setting I have the following:

4(LAN):Dell OptiPlex 5050, 5060, 5070, 7040, 7050

I also like to use categories for easy searching/filtering and use “BIOS Settings” and “WoL” for this CI. The CI General tab looks like the following:

CI Setting Name is the same:

I also like to keep the Discovery Script modular so that it is easy to re-use for multiple BIOS settings. By keeping the Setting name at the top of the script, that is the only thing that needs to be changed for creating Discovery Scripts for other BIOS settings. For the Dell Desktop WoL the discovery script would be the following:

#Discovery Script:
$SettingName = 'Wake-On-LAN'
#-------------------------------------
$BIOSSetting = Get-CimInstance -Namespace root\dcim\sysman -ClassName DCIM_BIOSEnumeration | Where-Object { $_.AttributeName -eq $SettingName}
Write-Output $BIOSSetting.CurrentValue

The Compliance Rule will be a string value that should be compared to the desired setting. In this case, I want this setting to be equal to “4” and I want to run the remediation script when the setting is non-compliant. NOTE: In order for the “Run the specified remediation script when this setting is noncompliant” to be visible, there needs to be a remediation script defined which is below.

Like the modular Discovery Script, I also like to keep the Remediation Script modular so that it is easy to re-use for multiple BIOS settings. By keeping the Setting name, setting value and BIOS password at the top of the script, that is the only thing that needs to be changed for creating Remediation Scripts for other BIOS settings. For the Dell Desktop WoL, the remediation script would be the following:

#Remediation Script:
$SettingName = 'Wake-On-LAN'
$Value = '4' #1-Disable,4-LAN,5-LAN or WLAN,6-WLAN only
$BIOSPW = 'Password1'
#-------------------------------------
$BIOS = Get-CimInstance -Namespace root\dcim\sysman -ClassName DCIM_BIOSService
$BIOSPWSetting = Get-CimInstance -Namespace root\dcim\sysman -classname dcim_biospassword
If (($BIOSPWSetting | ?{$_.AttributeName -eq 'AdminPwd' }).IsSet -eq $false)
{
    $Result = Invoke-CimMethod -InputObject $BIOS -MethodName SetBIOSAttributes -Arguments @{AttributeName=@($SettingName);AttributeValue=@($Value)}
}
elseif (($BIOSPWSetting | ?{$_.AttributeName -eq 'AdminPwd' }).IsSet -eq $true)
{
    $Result = Invoke-CimMethod -InputObject $BIOS -MethodName SetBIOSAttributes -Arguments @{AttributeName=@($SettingName);AttributeValue=@($Value);AuthorizationToken=$BIOSPW}
}
 
Exit $Result.ReturnValue

In order to change a BIOS setting, a BIOS password is required if one is set. Above is one method for a single static BIOS password. If you have multiple static BIOS passwords or dynamic BIOS Passwords, then more would need to be done in order to determine the correct BIOS password to use. This approach is more secure than using the Dell Command | Configure Utility and passing the password on a command line. If CM is secured properly (which it should be, otherwise you have more important things to worry about), then only the CM admin (or admins) that are scoped to manage CIs will be able to read these directly in the console. Getting the password from the Management Point is probably not impossible, but it would require a bit of work and some luck. As for the client, I have yet been able to find it. However, if there is a way to easily grab this information, please reach out to me and let me know via the comments below or a DM on Twitter.

The other settings, Deep Sleep Control and AC Power Recovery Mode, follow the same approach. For the daily Power-On, I combine each setting in the same CI and it will look like the following:

Lastly, we need to create a Configuration Baseline. I like to use a similar naming structure for easy identification and purpose:

BIOS Settings – {Purpose} – {Intended Platform} {Prod/Pre-Prod}

So for these WoL settings I use the following:

BIOS Settings – WoL – Desktop Pre-Prod

I like to duplicate Baselines (and even some CIs) into a production and pre-production. That way it is easy to test and make changes once it is already rolled out to production.

For the Baseline Description, I like to include a brief description for the Baseline. For this Baseline, I use the following:

Enabled WoL Settings and daily Power On settings on select desktops

Just like the CI, I also like to use categories for easy searching/filtering and use “BIOS Settings” and “WoL” for this Baseline. The Baseline General tab looks like the following:

Since all Settings might not apply to all targeted systems, it is very important to change the “Purpose” from “Required” (default) to “Optional”. Otherwise, systems that are not applicable will show up as non-compliant. Here I have combined the Dell CIs to same Baseline that contains the HP CIs.

This Configuration Baseline can now be deployed to a target collection like All Desktops and only the settings will only be applied to the applicable systems based on the detection methods.. Be sure to enable “Remediate noncompliant rules when supported” (and “Allow remediation outside of maintenance window” if desired).

Once again, if you have made it all the way to the bottom of this post, thanks for reading and congratulations! Hopefully this helps you to configure your systems for Wake-On-LAN so that they can be woken up and/or kept powered on during this time when there is a push to get more people to work from home. It will also help with other deployments, upgrades and patching as well. Now scroll back up to the top and download the provided Configuration Baseline and Configuration Items, modify them for your Dell models and test it out in your environment.

Originally posted on https://miketerrill.net/

2 thoughts on “Configuring WoL with CM for Dell Desktops – Part 3

  1. Pingback: Configuring WoL with Configuration Manager – Part 1 | Mike's Tech Blog

  2. Pingback: Configuring WoL with CM for HP Desktops – Part 2 | Mike's Tech Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.