Dell Trusted Device Installation and Administrator Guide v3.6 September 2021 Rev.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2019 - 2021 Dell Inc. All rights reserved.
1 Introduction
The Dell Trusted Device agent is part of the Dell SafeBIOS product portfolio. The Trusted Device agent includes the following:
● BIOS Verification
● BIOS Events & Indicators of Attack
● Image Capture
● Intel ME Verification
● Security Risk Protection Score
● Dell Event Repository and SIEM integration
BIOS Verification provides customers with affirmation that devices are secured below the operating system, a place where IT administrator visibility is lacking.
2 Requirements
● See the table below for a list of supported platforms.
NOTE: If the Trusted Device agent is installed on non-Dell platforms, the following error displays.
NOTE: If the Trusted Device agent is run on an unsupported platform, the following error displays.
Exclusions
Exclusions may be required for compatibility with third-party software, anti-virus, or scripts. Exclude the following.
Folders
● C:\ProgramData\Dell\BiosVerification
● C:\Program Files\Dell\BIOSVerification
● C:\Program Files\DE
● C:\Windows\System32\drivers\DellBV.sys
● C:\Windows\System32\drivers\dtdsel.sys
File Types
● .bv
● .rcv
● .sha256
Prerequisites
● Microsoft .NET Framework 4.7.2 (or later) is required for the installer. The installer does not install the Microsoft .NET Framework component. All computers that are shipped from the Dell factory are preinstalled with the full version of Microsoft .NET Framework 4.8 (or later). To verify the version of Microsoft .
Dell Computer Models
○ Latitude 5320
○ Latitude 5580
○ Latitude 5590
○ Latitude 5591
○ Latitude 7200 2-in-1*
○ Latitude 7210 2-in-1*
○ Latitude 7220 Rugged Tablet*
○ Latitude 7220 Rugged Extreme Tablet*
○ Latitude 7280
○ Latitude 7285
○ Latitude 7290
○ Latitude 7290 2-in-1
○ Latitude 7300*
○ Latitude 7310*
○ Latitude 7310 2-in-1*
○ Latitude 73
Ports
● Trusted Device uses certificate pinning, so the agent's connections must be allowed to pass through SSL/TLS inspection and deep packet inspection without their server certificates being replaced by an inspection proxy. Ensure the Trusted Device agent can communicate with the Dell Cloud by allowlisting port 443. See the following table for more information:
Destination | Protocol | Port
api.delltrusteddevicesecurity.com | HTTPS | 443
bas.solution.delltrusteddevicesecurity.com | HTTPS | 443
service.delltrusteddevicesecurity.com | HTTPS | 443
solution.delltrusteddevicesecurity.
3 Download the software
This section details obtaining the software from dell.com/support. If you already have the software, you can skip this section. Go to dell.com/support to begin.
1. On the Dell Support webpage, select Browse all products.
2. Select Security from the list of products.
3. Select Trusted Device Security. After this selection has been made once, the website remembers it.
4. Select the product, Trusted Device.
5. Select Drivers & downloads.
6. Select the wanted client operating system type.
7. Select Trusted Device Agent.
8. Select Download.
4 Verify the installation package
The Trusted Device installation package is Authenticode signed with a Dell owned certificate. To verify the installation package, do the following:
1. Right-click TrustedDevice-xxbit.msi
2. Select Properties
3. Select the Digital Signatures tab
4. In Signature list, verify Dell Inc displays and select it
5. Select Details
6.
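The same check can be scripted for a deployment pipeline. The following is an added example, not Dell's own tooling: it uses PowerShell's Get-AuthenticodeSignature on the 64-bit installer named in the Installation chapter and assumes the signer subject contains "CN=Dell Inc" (the guide only states that "Dell Inc" appears in the Signature list).

```powershell
# Added example (not from the Dell guide): verify the installer's Authenticode
# signature and signer before deploying it, instead of using the Properties dialog.
param([string]$MsiPath = ".\TrustedDeviceSetup-64bit.msi")

$sig = Get-AuthenticodeSignature -FilePath $MsiPath

# Status is 'Valid' only when the hash matches AND the chain is trusted on this host.
# 'NotSigned', 'HashMismatch' or 'UnknownError' all mean: do not deploy this file.
if ($sig.Status -ne 'Valid') {
    throw "Signature status for $MsiPath is $($sig.Status): $($sig.StatusMessage)"
}

# Signer check. The exact subject string is an assumption; a valid chain alone is
# not enough, since any validly signed MSI would pass the status test above.
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch 'CN=Dell Inc\b') {
    throw "Unexpected signer for $MsiPath : $subject"
}

# Record what was verified so the deployment log carries the evidence.
[pscustomobject]@{
    File        = (Resolve-Path $MsiPath).Path
    Signer      = $subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    Timestamped = [bool]$sig.TimeStamperCertificate
}
```

Run it from the folder containing the MSI, or pass -MsiPath; a thrown error stops a calling deployment script.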
5 Installation
Use one of the following methods to install the Trusted Device agent:
● Interactive Installation
● Command-Line Installation
Interactive installation
The Trusted Device agent installer requires administrative rights. The bitness (32-bit or 64-bit) of the installer must match the architecture of the host computer operating system. Choose one of the following:
● TrustedDeviceSetup.msi - 32-bit installer
● TrustedDeviceSetup-64bit.msi - 64-bit installer
1. Copy TrustedDeviceSetup-64bit.msi to the local computer.
7. By default, the Trusted Device installer does not install shortcuts. To install shortcuts, click the Dell Trusted Device Shortcuts feature tree menu and select This feature will be installed on the local hard drive. Click Next to continue.
8. Click Install to begin the installation.
9. A status window displays; the installation may take several minutes.
10. Click Finish.
After installation, a browser launches and displays results. See Results, Troubleshooting, and Remediation for more information. Restart the computer to complete installation if prompted.
Check installed version interactively
To see the installed version of the Trusted Device Agent interactively, use the following method:
1. In Type here to search on the taskbar, type Apps & features.
2. Left-click Dell Trusted Device Agent and the version displays below the product name.
● Specify display options at the end of the argument that is passed to the /v switch to achieve the expected behavior. Do not use both /q and /qn in the same command line. Only use ! and - after /qb.
Switch | Meaning
/s | Silent mode
/l | Writes logging information into a logfile at the specified or existing path
Option | Meaning
/q | No Progress dialog - restarts itself after process completion
/qb | Progress dialog with Cancel button, prompts for restart.
msiexec /i TrustedDeviceSetup-64bit.msi /qn
● The following example adds shortcuts to an existing 64-bit Trusted Device agent installation silently, with no progress bar, and logs to C:\Dell.
msiexec.exe /i TrustedDeviceSetup-64bit.msi /qn ADDLOCAL="Shortcuts" /l*v C:\DELL\AddShortcuts.log
● The following example removes shortcuts from an existing 64-bit Trusted Device agent installation silently, with no progress bar, and logs to C:\Dell.
msiexec.exe /i TrustedDeviceSetup-64bit.msi /qn REMOVE="Shortcuts" /l*v C:\D
6 Uninstall Trusted Device
The user uninstalling must be a local administrator. If uninstalling by command line, domain credentials are required. Use one of the following methods to uninstall the utility:
● Uninstall from Apps & features
● Uninstall from the Command-Line
Uninstall from Apps & features
1. In Type here to search on the taskbar, type Apps & features.
2. Left-click Dell Trusted Device Agent then left-click Uninstall.
7 BIOS Verification BIOS Verification provides customers with affirmation that devices are secured below the operating system, a place where IT administrator visibility is lacking. It enables customers to verify BIOS integrity using an off-host process without interrupting the boot process.
8 Image Capture Administrators can capture images of corrupted or tampered BIOS for analysis and remediation. When run, Trusted Device queries the EFI (Extensible Firmware Interface) partition for a corrupt or tampered image. If an image is detected, it is copied from the EFI partition to %PROGRAMDATA%\Dell\TrustedDevice\ImageCapture. If off-host verification fails, Trusted Device copies corrupt or tampered images from memory to %PROGRAMDATA%\Dell\TrustedDevice\ImageCapture.
9 BIOS Events & Indicators of Attack
BIOS Events & Indicators of Attack enables administrators to analyze events in the Windows Event Viewer that may indicate bad actors targeting BIOS on enterprise endpoints. Bad actors change BIOS attributes to gain access to enterprise computers locally or remotely. These attack vectors can be monitored and then mitigated through the BIOS Events & Indicators of Attack feature's ability to monitor BIOS attributes.
10 Security Risk Protection Score Security Risk Protection Score enables administrators to determine the security risk level of computers in their enterprise. Trusted Device scans and detects the below security solutions and assigns a score per overall risk assessment.
11 Intel ME Verification The Intel Management Engine (Intel ME) is an independent microcontroller that is built into Intel processor chipsets manufactured starting in 2008. Intel ME provides an interface between the operating system, hardware, and BIOS. Additionally, Intel ME is granted extensive system-level privilege and runs in every power state. The Trusted Device agent scans and verifies that Intel ME firmware is present and untampered after initial installation, startup, and every 24 hours.
12 Integration The Dell Trusted Device agent can be integrated with other products and services to ensure computers are secure at the BIOS level. SIEM Security Information Event Management (SIEM) solutions aggregate data from multiple sources in your enterprise. SIEM enables administrators to identify trends and unusual behavior or to perform real-time analysis of alerts that are generated by applications and hardware.
Download and install Docker The Event Repository requires Docker. Go to https://docs.docker.com/get-docker/ to download and install Docker. NOTE: If you are installing Docker on Windows, see this Microsoft article to configure Windows Subsystem for Linux (WSL). Create the persistent directory The Event Repository requires persistent storage that is shared between the Docker host and the Event Repository Docker container to stage Trusted Device and certificate data.
Tenant
The Tenant element configures the Event Repository with tenant information. Tenant information details the configuration necessary to control which computers can register with this Event Repository instance. The following table details the elements of the Tenant object:
Name | Required | Description
TenantName | Yes | The name of the tenant. This is typically based on the company name or division. The TenantName should be unique in an organization.
Name | Required | Description
... for longer than the time specified, it is closed, and a new log file is opened.
MaxFileAge | Yes | The time log files persist in the output folder. Files older than this time period, specified in days, are deleted.
The Kestrel element details the TLS connection. The following table details the Kestrel components:
Name | Required | Description
Endpoints | Yes | Details for the container listening ports.
Http / Https | Yes | Protocol definitions for the docker listening ports.
} } } } }
"Certificate": {
  "Path": "/app/certs/test.pfx",
  "Password": "Password@123"
}
Move the appsettings.json file to the persistent directory after modifying the above values.
Configure the Trusted Device agent
The Trusted Device agent requires custom registry values to deliver data to the Event Repository. Create or modify the following registry values to configure the Trusted Device agent for use with the Event Repository:
● HKLM\Software\Dell\DellTrustedDevice\Overrides
NOTE: This registry k
NOTE: The server example.server.com must be trusted. The hostname must match, the Trust Chain must be trusted, and the date must be valid. "RootCertificate"="ExampleCertificate" Configure to forward data to a SIEM solution SIEM solutions often require a utility to consume data sources. The Splunk universal forwarder is a lightweight forwarding solution that can be configured for use with the Event Repository during or after installation.
Variable | Meaning
-v | Enables the creation of a volume shared between the Docker host and the Docker container.
● The following example starts the Event Repository container, maps C:\eventrepository\Data on the host computer to /app/appsettings.json in the container, and configures the host to listen on port 31235 while using port 5001 in the container.
NOTE: This example retrieves the latest Docker image if it is not present on the target computer.
docker run -it --rm -d -p31235:5001 -v c:\eventreposit
Live Query Live Query enables security teams to query and report the state of the BIOS to determine if it is compromised. The Live Query integration with Trusted Device is available with the Carbon Black Audit and Remediation service (formerly LiveOps). Carbon Black now recommends the Dell SafeBIOS Verification Status query which reports on the BIOS verification status for each endpoint per Sensor Group. For specific information about how to access this query, see the Carbon Black documentation.
13 Run the BIOS Verification Agent
Use one of the following methods to run the agent:
● Interactively
● Command Line
NOTE: If you attempt to run the BIOS Verification agent on an unsupported platform, Platform Not Supported displays.
NOTE: Trusted Device determines Dell platform support at runtime.
NOTE: If Trusted Device is installed with shortcuts, go to Start > Dell and click Dell Trusted Device Agent to run the agent.
NOTE: If Trusted Device is installed without shortcuts, go to C:\Program Files\Dell\Bi
3. A browser launches automatically and displays BIOS results.
NOTE: If the utility is unable to determine BIOS state, browser-based results do not display. See Results, Troubleshooting, and Remediation for error codes. Run the BIOS Verification Agent with Command Line The following table details optional command-line arguments.
Parameters | Meaning
-noncestring | The parameter is a base64 encoded nonce. The string is base64 decoded, and the result becomes the nonce. If the decoded nonce is larger than 1024 bytes, an ArgumentException error is thrown.
1. Open Command Prompt with administrative privileges.
2. Go to the directory containing the utility.
3. Type Dell.TrustedDevice.Service.Console.exe then press Enter.
4. A browser launches automatically and displays BIOS results.
14 Results, troubleshooting, and remediation This chapter details reviewing results, troubleshooting, and remediating a corrupt or tampered BIOS image. Results After running the BIOS Verification agent, results are written to C:\ProgramData\Dell\TrustedDevice\, the %ERRORLEVEL% environment, the Event Viewer, and the registry. %PROGRAMDATA% The Trusted Device agent writes logs and JSON formatted results to C:\ProgramData\Dell\TrustedDevice\.
Location | Source | Type
Application and Service Logs > Dell Trusted Device | Intel ME Verification |
Find Security Risk Protection Score notifications in Event Viewer at:
Location | Source | Type
Application and Service Logs > Dell Trusted Device | Security Assessment |
Details pertaining to the events are listed in the General tab of Event Viewer. The following tables detail the BIOS Verification, BIOS Events & Indicators of Attack, Intel ME Verification, and Security Risk Protection Score in Event Viewer.
Security Risk Protection Score
Action | Level | Event ID | Task Category
Pass | Informational | 13 | 4
Pass with warnings | Warning | 14 | 4
Fail | Error | 15 | 4
Registry
The Trusted Device agent's results are written to the registry each time the BIOS Verification agent is run. All BIOS Verification, Image Capture, and BIOS Events & Indicators of Attack registry keys are located at HKLM\Software\Dell\TrustedDevice.
Maximum value = 172800 (48 hours)
Default = every 12 hours
Value (in decimal) = 3600 - sweeps occur every hour
Value (in decimal) = 172800 - sweeps occur every 48 hours
● This entry changes the delay in milliseconds between each individual BIOS attribute retrieval.
HKLM\SOFTWARE\Dell\TrustedDevice\ DWORD=MSBetweenAttributeReads
Minimum value in milliseconds = 500
Maximum value in milliseconds = 2000
Default = every 500 milliseconds
Value (in decimal) = 500 - reads a different BIOS attribute every 500 millis
Error Code | Meaning | Additional Information
6 | An internal error has occurred | An error on the local device occurred preventing the Dell Trusted Device agent from properly running. Run Trusted Device again. If this error persists, contact Dell Support.
7 | The server responded with an error or is unavailable | The Dell Trusted Device agent's server is unavailable. Validate network connectivity and that the web-based locations are accessible from the device.
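The command-line run with -noncestring (chapter 13) and the result channels in this chapter (%ERRORLEVEL%, Event Viewer, registry) can be tied together in one collection script. The following is an added example, not Dell's own code: it assumes the console utility is installed at C:\Program Files\Dell\BIOSVerification and that the Event Viewer log is named "Dell Trusted Device"; the error-code meanings are the ones tabulated above, and the guide does not state what exit code 0 means.

```powershell
# Added example (not from the Dell guide): run the BIOS Verification agent with a
# fresh random nonce, interpret %ERRORLEVEL%, then read the Security Risk Protection
# Score events and the result registry key for a fleet-monitoring log line.
# Assumed install path (the guide shows only the folder root C:\Program Files\Dell\...).
$agent = 'C:\Program Files\Dell\BIOSVerification\Dell.TrustedDevice.Service.Console.exe'

# -noncestring takes base64; the decoded nonce must be at most 1024 bytes.
# 32 random bytes from the OS CSPRNG is well inside that limit.
$nonceBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonceBytes)
$nonce = [Convert]::ToBase64String($nonceBytes)

$proc = Start-Process -FilePath $agent -ArgumentList "-noncestring $nonce" `
                      -Wait -PassThru -NoNewWindow
$code = $proc.ExitCode

# Codes 6 and 7 are the ones documented in this chapter; anything else is reported raw.
$meaning = switch ($code) {
    6       { 'Internal error on the local device; rerun, then contact Dell Support if it persists' }
    7       { 'Server error or unavailable; check reachability of the delltrusteddevicesecurity.com hosts on 443' }
    default { "Exit code $code (see the error code table)" }
}
Write-Output "Agent exit code $code : $meaning"

# Security Risk Protection Score events: ID 13 = Pass, 14 = Pass with warnings, 15 = Fail.
# Log name is an assumption based on 'Application and Service Logs > Dell Trusted Device'.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Dell Trusted Device'; Id = 13, 14, 15 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $score = switch ($e.Id) { 13 { 'Pass' } 14 { 'Pass with warnings' } 15 { 'Fail' } }
    Write-Output ('{0:u}  {1,-20} source={2}' -f $e.TimeCreated, $score, $e.ProviderName)
}

# Results are also written under this key on every run; dump whatever values exist
# (value names are not enumerated in this excerpt, so nothing is hard-coded here).
$key = 'HKLM:\SOFTWARE\Dell\TrustedDevice'
if (Test-Path $key) {
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
}
```

Run from an elevated PowerShell session, as the agent itself requires administrative privileges.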