Introduction

In most organizations, the workstation configuration needs to conform to a specific standard.

If you are using HP’s workstations, you require a strategy on how to deploy the HP BIOS settings.

The tool used in this scenario is the HP BIOS Configuration Utility (BCU), and most of the test cases I’ve tried are for HP laptops.

In this blog post, I cover how to use the HP BIOS Configuration Utility (BCU) to deploy HP BIOS settings using SCCM.

How do you deploy HP BIOS settings using SCCM?

Enterprise OEMs such as Dell, HP, and Lenovo provide solutions for deploying BIOS settings, or UEFI firmware settings, as they are now called.

Below is a list of the solutions for each manufacturer:

The DELL and Lenovo solutions use executables or scripts which can be executed with different parameters, depending on what you want to Enable, Disable, or Configure in the BIOS.

The HP solution, the HP BIOS Configuration Utility (BCU), works a bit differently. It uses an Export/Import function where, for each model, you export the BIOS settings, make the required changes, and then re-import the settings.

I’m not too fond of the standard method in the HP BIOS Configuration Utility (BCU), as it requires you to go into each model and export the BIOS settings and then tweak them.

I would rather have a solution similar to DELL and Lenovo, where I can use a script with different parameters for each feature, instead of triggering it per model.

Because of this lack of functionality, I created the solution described in this blog post.

In my example, I had to set:

  • Configure WLAN Switching
  • Enable Virtualization
  • Enable TPM
  • Enable SecureBoot
  • Configure Video Memory

You can configure other BIOS settings, described later in this post. Now you won’t need to go into the BIOS and access the standard BIOS Setup Utility on each machine to make the changes :).

Glossary

BCU (BIOS Configuration Utility): HP's command line utility for systematic deployment of BIOS settings.

HP BIOS Configuration Utility and deployment of settings

As I mentioned in the Introduction, HP BIOS settings have traditionally been configured by exporting one configuration file, modifying it, and then re-importing it.

The common understanding was that a settings file with ALL HP BIOS settings had to be exported for each model. I have also seen strange behavior when reusing settings files between different models.

In reality, settings that are not available on a specific model or specific BIOS version are automatically skipped.

Sometimes settings can be named differently between different models. The solution is to add all the other variants into the settings file.

HP also provides a Script Library with some Powershell modules:
https://developers.hp.com/hp-client-management/doc/client-management-script-library

HP BIOS Configuration Utility and Powershell

Features

The template script as of now works for:

  • Use two different passwords
  • Enable TPM
  • Enable Virtualization
  • Enable WLAN switching
  • Configuring Video Memory

The script works just as well with any other settings that you might wish to apply. Later in this blog post, I describe how to customize the script to configure different settings.

Since the HP BIOS Configuration Utility does not handle blank BIOS passwords well, I have previously created a Powershell script.

Note that Enabling or Disabling of TPM requires the user to press F10 to bypass the Physical Presence Interface (PPI). At this point, it’s not possible to ignore this.

Assumptions and prerequisites

There are some assumptions and prerequisites that need to be in place for this solution to work.

These include:

  • HP BIOS Configuration Utility 4.0.25.1 or later. The commands have changed between the different versions. Starting with 4.0.21.1, the commands for configuring new passwords and input of the existing passwords have changed from /nspwdfile and /cspwdfile to /npwdfile and /cpwdfile.
  • A *.bin file containing the encrypted password in your organization.

How does the Powershell script work?

The script uses HP BIOS Configuration Utility, together with an encrypted password file. The script checks if there is a password configured. If not, it executes the HP BIOS Configuration Utility without a password. Otherwise, the Powershell script uses the password provided.

NOTE: In BCU versions before 3.0.3.1, it was possible to specify the password as clear text on the command line, which is not the case in later versions.

Instead of using one settings file with all the settings, we use one settings file per setting or group of settings.

The Powershell script

Below is the script used in the solution, called Set-HPConfiguration.ps1 :

<#
.DESCRIPTION
Sets HP UEFI configuration
    
.NOTES

Author: Daniel Classon
Version: 1.1
Date: 2018-10-31
    
.EXAMPLE
.\Set-HPConfiguration.ps1 -Enable TPM

.DISCLAIMER
All scripts and other powershell references are offered AS IS with no warranty.
These scripts and functions are tested in my environment and it is recommended that you test these scripts in a test environment before using in your production environment.
#>

Param(
    [Parameter(Mandatory=$False)]
    [string]$Enable,
    [Parameter(Mandatory=$False)]
    [string]$Disable,
    [Parameter(Mandatory=$False)]
    [string]$Configure,
    [Parameter(Mandatory=$False)]
    [string]$PasswordFile = "$PSScriptRoot\pwd.bin",
    [Parameter(Mandatory=$False)]
    [string]$PasswordFile2 = "$PSScriptRoot\pwd2.bin"

)

Begin {

    # Map the requested action and item to its settings file
    switch ($Configure)
    {
        'ThunderboltSecurity' {$ConfigFile="$PSScriptRoot\Configure_ThunderboltSecurity.txt"}
        'VideoMemory' {$ConfigFile="$PSScriptRoot\Configure_VideoMemory.txt"}
        Default {}
    }

    switch ($Enable)
    {
        'SecureBoot' {$ConfigFile="$PSScriptRoot\Enable_SecureBoot.txt"}
        'TPM' {$ConfigFile="$PSScriptRoot\Enable_TPM.txt"}
        'Virtualization' {$ConfigFile="$PSScriptRoot\Enable_Virtualization.txt"}
        'WLANSwitching' {$ConfigFile="$PSScriptRoot\Enable_WLANSwitching.txt"}
        Default {}
    }

    switch ($Disable)
    {
        'Virtualization' {$ConfigFile="$PSScriptRoot\Disable_Virtualization.txt"}
        Default {}
    }

}
Process {
    # First attempt: assume no BIOS password is set and set the one in $PasswordFile
    $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru

    #If a password is configured, enter it
    if ($process.ExitCode -eq 10) {
        $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru

        # Start-Process does not throw when BCU fails, so check the exit code
        # before falling back to the second password file
        if ($process.ExitCode -ne 0) {
            $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile2`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
        }
    }
}
End {
}

Implementation of the Powershell script

Download the source files

Download the source files here: https://danielengberg.com/wp-content/uploads/2019/10/Set-HPConfiguration-v2.1.zip

The list of components included in the solution:

  • HP BIOS Configuration Utility
    • Executable for handling the BIOS settings configurations
  • HPQPswd64.exe
    • Executable for creating the encrypted password file.
  • Settings files
    • One setting file per setting or group of settings.
  • Encrypted password file
    • Created using HPQPswd64.exe
  • Set-HPConfiguration.ps1
    • The script file that runs the logic for the HP BIOS settings configuration.

Once you have extracted the contents of the *.zip file, you should have the following structure:

Create an encrypted password file

The encrypted password file is created using HPQPswd64.exe, included in the HP BIOS Configuration Utility package.

Follow the below steps:

  1. Open HPQPswd64.exe
  2. Enter the password to be encrypted
  3. Enter the destination to the password file.
  4. Press OK to close HPQPswd64.exe

NOTE: Passwords for HP BIOS


HP passwords can contain the following characters:

  • Unicode
  • Numbers

Place the password file in the same folder as the solution.

Customize the Powershell script

Export HP BIOS settings

Open a command prompt as Administrator. Browse to the installation directory of the HP BIOS Configuration Utility, often at C:\Program Files (x86)\HP\BIOS Configuration Utility.

Use the following command to export all available settings for your model:

BiosConfigUtility64.exe /get:biosconfig.txt /cpwdfile:password.bin

The settings available may differ for each model. However, you need not worry as it does not apply the setting if the setting does not exist on the hardware.

Cut out the HP BIOS settings

Extract the settings you wish, for example:

Virtualization Technology for Directed I/O (VTd)
	Disable
	*Enable
Virtualization Technology (VTx)
	Disable
	*Enable

Add HP BIOS settings to the configuration file

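Create a new text file named after the action and the setting, following the pattern the script expects (for example, Enable_TPM.txt or Configure_VideoMemory.txt).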

Remember to include this at the top of the text file.

BIOSConfig 1.0
;
;
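
An added example (not part of the original post or of HP's tooling): because BCU skips settings a model does not have, and value names can differ between models, this PowerShell example parses a desired settings file and an exported one and reports, per setting, whether it is applied, not applied, missing on the model, or offered under a different value name. The function names and the sample settings are illustrative assumptions, and only enumerated settings (options listed under the name, the selected one marked with *) are handled.

```powershell
# Added example. Assumes enumerated settings only: name at column 0,
# indented options beneath it, the selected option prefixed with '*'.
function ConvertFrom-BcuConfig {
    param([string[]]$Lines)
    $settings = [ordered]@{}
    $name = $null
    foreach ($line in $Lines) {
        # Skip blank lines, ';' comments and the "BIOSConfig 1.0" header
        if ($line -match '^\s*(;|$)' -or $line -match '^BIOSConfig\s') { continue }
        if ($line -notmatch '^\s') {
            # Unindented line starts a new setting
            $name = $line.Trim()
            $settings[$name] = [pscustomobject]@{ Selected = $null; Options = @() }
            continue
        }
        if ($null -eq $name) { continue }
        $value = $line.Trim()
        if ($value.StartsWith('*')) {
            $value = $value.Substring(1)
            $settings[$name].Selected = $value
        }
        $settings[$name].Options += $value
    }
    $settings
}

function Compare-BcuConfig {
    param($Desired, $Actual)
    foreach ($name in $Desired.Keys) {
        $want = $Desired[$name].Selected
        $have = $null
        if (-not $Actual.Contains($name)) { $state = 'MissingOnModel' }
        else {
            $have = $Actual[$name].Selected
            if ($Actual[$name].Options -notcontains $want) { $state = 'ValueNameDiffers' }
            elseif ($have -eq $want) { $state = 'Compliant' }
            else { $state = 'NotApplied' }
        }
        [pscustomobject]@{ Setting = $name; Wanted = $want; Current = $have; State = $state }
    }
}

# Constructed sample data; in practice use Get-Content on the settings file
# and on the file written by: BiosConfigUtility64.exe /get:biosconfig.txt
$desired = ConvertFrom-BcuConfig -Lines @(
    'BIOSConfig 1.0', ';', ';',
    'Virtualization Technology (VTx)', "`tDisable", "`t*Enable",
    'Virtualization Technology for Directed I/O (VTd)', "`tDisable", "`t*Enable",
    'SecureBoot', "`tDisable", "`t*Enable")
$actual = ConvertFrom-BcuConfig -Lines @(
    'BIOSConfig 1.0', ';', ';',
    'Virtualization Technology (VTx)', "`t*Disable", "`tEnable",
    'SecureBoot', "`tDisabled", "`t*Enabled")
Compare-BcuConfig -Desired $desired -Actual $actual | Format-Table -AutoSize
```

Running the comparison after the restart step, against a fresh export, shows which hardening settings such as SecureBoot or TPM did not take effect on a given model.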

Update the Powershell script

If you want to add more settings than the ones I have configured, you need to create a new configuration file with the required setting and change the following switch statement:

    switch ($Configure)
    {
        'ThunderboltSecurity' {$ConfigFile="$PSScriptRoot\Configure_ThunderboltSecurity.txt"}
        'VideoMemory' {$ConfigFile="$PSScriptRoot\Configure_VideoMemory.txt"}
        Default {}
    }

    switch ($Enable)
    {
        'SecureBoot' {$ConfigFile="$PSScriptRoot\Enable_SecureBoot.txt"}
        'TPM' {$ConfigFile="$PSScriptRoot\Enable_TPM.txt"}
        'Virtualization' {$ConfigFile="$PSScriptRoot\Enable_Virtualization.txt"}
        'WLANSwitching' {$ConfigFile="$PSScriptRoot\Enable_WLANSwitching.txt"}
        Default {}
    }

    switch ($Disable)
    {
        'Virtualization' {$ConfigFile="$PSScriptRoot\Disable_Virtualization.txt"}
        Default {}
    }

Execute the Powershell script

Execute the script using this command:

.\Set-HPConfiguration.ps1 -<Enable/Disable/Configure> <Item>

Add the Powershell solution to SCCM

Create an SCCM package

Press Create Package.


Put the source files somewhere and start to create a package.


Select Do not create a program


Review the settings and press Next and Finish.


Add the steps to an SCCM Task Sequence.

Add one step for each setting.

Select HP and configure WMI query with the following queries in an If Any statement:

SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like "%HP%"
SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like "%Hewlett-Packard%"

For each step, configure an additional step, with no WMI query:

  • Enable TPM
  • Enable Virtualization
  • Configure Video Memory
  • Configure Thunderbolt
  • Enable WLAN Switching
  • Enable SecureBoot

Add a Restart Computer step to the end of the BIOS Configuration steps with no query.

The Task Sequence should now look like this:


You can also use these steps as a Task Sequence, which you can deploy to running clients, and not just during operating system deployment.

Other customizations available for the HP BIOS

Of course, you can also deploy other things such as boot options, boot order etc.

Make sure to modify the solution above to fit your requirements!

Conclusion

Using this method provides additional flexibility compared to the HP BIOS Configuration Utility (BCU) standard solution.

As always, there are many methods to accomplish the same thing, but I have found that the solution provided in this blog post is easy to follow.

As always, please leave comments below if you have any feedback or improvements to the solution.

Thanks!


28 COMMENTS

  1. Hey Daniel, great stuff. I just ran it and everything “worked” but the settings did not change. I re-read this article and saw this line:
    .\Set-HPConfiguration.ps1 –

    Is this the reason the settings were not applied?
    Where do I add?

    Thanks

    • Hey,
      How are you executing the Powershell script in the Task Sequence? You need to specify the settings that are to be Enabled and also make sure that you have a configuration file for each setting.

      • I executed it exactly as in your post.
        I used your WLANSwitching, virtualization and Video Memory files as a test.
        They are all in one folder along with the BiosConfigUtility64.exe and the password.bin file.

        The PS script is left as is.
        This is my TS: https://i.imgur.com/xiLaCpB.png

        When I run the TS, the CMD window pops up with a “successfully read password from file” message, so I assumed it works and all I’m missing was a “set” command somewhere.

          • I left everything as default, and implemented this exactly 3 weeks ago when I first sent the message. So latest version and default configurations.

  2. Hi Daniel
    In my environment, the script does not work. Strange, because the script executes without any error. But no changes happen. The bios is still unchanged, no config applied 🙁
    Do you have some info about that? It sounds like the same issue as daniel explained above.
    Thanks, raphael

  3. Hi Daniel,
    Thanks for this, once working this will be a great way to configure BIOS Settings!
    Can you confirm that the /npwdfile and /cpwdfile switches are correct?

    The below is from the HP Documentation?
    “Use the following sample command to create a setup password on a system with no existing password:
    BIOSConfigUtility.exe /nspwdfile:"new password.bin"
    Use the following sample command to modify the BIOS setup password use:
    BIOSConfigUtility.exe /nspwdfile:"new password.bin" /cspwdfile:"current password.bin"
    Use the following sample command to remove the BIOS setup password use:
    BIOSConfigUtility.exe /nspwdfile:"" /cspwdfile:"current password.bin"”

  4. Thanks for the nice write-up Daniel. In my environment, I maintain different models of HPs. I want to add some logic to what you’ve created that will allow me to put the various config files in model-specific subfolders. Can’t figure out how to write the logic in the PowerShell script. Can you help?

  5. Thank you so much for this very thorough solution. If no password is specified at all, is anything required to signal that no password on BIOS is set, or is to be set? Do I need to specify that a BIOS password is blank?

    • Hi,

      You should configure a BIOS password, as HP requires many of the executions to have a BIOS password set. If you have not already configured a BIOS password, the script will set the password set in your password file.

  6. Thank you so much for this solution. We have been trying powershell/wmi commands and the HP BCU, following this guide has proven successful. The only thing we can’t figure out is how to bypass the confirmation popup about Virtualization Technology after rebooting the machines.

    Daniel, is there a way to achieve this?

    • Hi Fredric,

      Thanks! It seems like this misconfiguration was only made for the WLAN Switching txt file. I have made the change and updated the links in the post.

      Did you see the error anywhere else?

      /Daniel

    • I have just run into this issue myself.. there is not one answer for all at least in my environment.. some of the older models have the verbiage “enabled” and some of the newer models have “enable”.. you have to unfortunately pull a config file from each model and then verify what it will and won’t accept.. I haven’t figured out if the SCCM plugin for HP MIK will solve this issue or not.

  7. This worked perfect! Thank you for taking the time to write this. One question:

    How can I run this hidden during OSD, the shell pops up and shows what it is doing.

    • Something weird, the BIOS exports are identical to HP 450 G5 and HP 450 G6. But on the G5 it won’t enable Lan / WLAN Auto and Power On when the lid is opened. Works great on the G6. All other settings do apply the same on both models.

      • Shell popups with PowerShell can be hidden by using -NoNewWindow
        e.g.
        $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru -NoNewWindow

  8. Great information. Thanks! Is it possible to set PowerRecovery after Power Loss Behaviour with this script?
