How To Deploy HP BIOS Settings Using SCCM and HP BIOS Configuration Utility

Introduction

In most organizations, the workstation configuration needs to conform to a specific standard, and the settings need to be deployed at scale. The alternative is to enter BIOS on all machines and configuring the settings manually. I don’t think anyone wants to manually open the BIOS and configure the settings, as it is a very time-consuming task and will likely have a low-quality result.

If you are using HP’s workstations, you require a strategy to deploy the HP BIOS settings.

The tool used in this scenario is the HP setup utility HP BIOS Configuration Utility (BCU), and most of the test cases I’ve tried are for HP laptops.

This blog post covers how to use the HP BIOS Configuration Utility (BCU) to deploy HP BIOS settings using SCCM.

What is the BIOS?

BIOS stands for Basic Input Output System and is where all the system configuration is contained.

Nowadays, UEFI has replaced Legacy BIOS, but UEFI is still commonly referred to as BIOS.

How do you deploy HP BIOS settings using SCCM?

Enterprise OEMs such as Dell, HP, and Lenovo provide solutions for deploying BIOS settings, or UEFI firmware settings, as it’s now called.

Below is a list of the solutions for each manufacturer:

• HP  – HP BIOS Configuration Utility (BCU)
• DELL –  DELL Command Configure Toolkit (CCTK)
• Lenovo – Lenovo WMI scripts

The DELL and Lenovo solutions use executables or scripts which can be executed with different parameters, depending on what you want to Enable, Disable, or Configure in the BIOS.

The HP Setup Utility, which is called HP BIOS Configuration Utility (BCU), works differently. The HP BIOS Configuration Utility (BCU) uses an Export/Import function, where for each model, export the BIOS settings, make the changes required, and then re-import the required settings.

I’m not too fond of the standard method in the HP BIOS Configuration Utility (BCU), as it requires you to go into each model and export the BIOS settings and then tweak them.

I would rather have a solution similar to DELL and Lenovo, where I can use a script with different parameters for each feature instead of triggering it per model.

Because of this lack of functionality, I created the solution described in this blog post.

In my example, I had to set:

• Configure WLAN Switching
• Enable Virtualization
• Enable TPM
• Enable SecureBoot
• Configure Video Memory

You can configure other BIOS settings, described later in this post. Now you won’t need to go into the BIOS and access the standard BIOS Setup Utility on each machine to make the changes :). The solution works for both HP Laptops and HP Desktops.

Glossary

HP BIOS Configuration Utility and deployment of settings

As I mentioned in the Introduction, HP BIOS settings have traditionally been configured using one exported configuration file, modified, and then re-imported.

The common understanding was that a setting file with ALL HP BIOS settings required exporting for each model. I also have seen strange behavior when reusing settings files between different models.

In reality, settings that are not available on a specific model or specific BIOS version are automatically skipped.

HP can name settings differently between different models. The solution is to add all the other variants into the settings file.

HP also provides a Script Library with some Powershell modules:
https://developers.hp.com/hp-client-management/doc/client-management-script-library

HP BIOS Configuration Utility and Powershell

Features

The template script as of now works for:

• Use two different passwords
• Enable TPM
• Enable Virtualization
• Enable WLAN switching
• Configuring Video Memory

The script works just as well with any other settings you might wish to apply, such as configuring the boot device.

Later in this blog post, I describe how to customize the script to add different settings configurations.

Since the HP BIOS Configuration Utility does not handle blank BIOS passwords well, I have previously created a Powershell script.

Note that Enabling or Disabling of TPM requires the user to press F10 to bypass the Physical Presence Interface (PPI). At this point, it’s not possible to ignore this.

Assumptions and prerequisites

There are some assumptions and prerequisites that need to be in place for this solution to work.

These include:

• HP BIOS Configuration Utility
  4.0.25.1 or later. The commands have changed between the different versions. Starting with 4.0.21.1, the commands for configuring new passwords and input of the existing passwords has changed from /nspwdfile and /cspwdfile to /npwdfile and /cpwdfile.
• A *.bin file containing the encrypted password in your organization.

Download the HP BIOS Configuration Utility

The HP BIOS Configuration Utility can be found here: https://ftp.hp.com/pub/caps-softpaq/cmit/HP_BCU.html.

How does the Powershell script work?

The script uses HP BIOS Configuration Utility, together with an encrypted password file. The script checks if there is a password configured. If not, it executes the HP BIOS Configuration Utility without a password. Otherwise, the Powershell script uses the password provided. The logic is based on the HP BIOS Configuration Utility gives a return code of 10 if a password has been configured.

NOTE: In BCU versions before 3.0.3.1, it was possible to specify the password as a clear text in the command line, which is not the case in later versions.

Instead of using one settings file with all the settings, we use one settings file per setting or group of settings.

The Powershell script

Below is the script used in the solution, called Set-HPConfiguration.ps1 :

<#
.DESCRIPTION
Sets HP UEFI configuration
    
.NOTES
Author: Daniel Classon
Version: 1.1
Date: 2018-10-31
    
.EXAMPLE
.\Set-HPConfiguration.ps1 -Enable TPM
.DISCLAIMER
All scripts and other powershell references are offered AS IS with no warranty.
These script and functions are tested in my environment and it is recommended that you test these scripts in a test environment before using in your production environment.
#>
Param(
    [Parameter(Mandatory=$False)]
    [string]$Enable,
    [Parameter(Mandatory=$False)]
    [string]$Disable,
    [Parameter(Mandatory=$False)]
    [string]$Configure,
    [Parameter(Mandatory=$False)]
    [string]$PasswordFile = "$PSScriptRootpwd.bin",
    [Parameter(Mandatory=$False)]
    [string]$PasswordFile2 = "$PSScriptRootpwd2.bin"
)
Begin {
    switch ($Configure)
    {
        'ThunderboltSecurity' {$ConfigFile="$PSScriptRootConfigure_ThunderboltSecurity.txt"}
        'VideoMemory' {$ConfigFile="$PSScriptRootConfigure_VideoMemory.txt"}
        Default {}
    }
    switch ($Enable)
    {
        'SecureBoot' {$ConfigFile="$PSScriptRootEnable_SecureBoot.txt"}
        'TPM' {$ConfigFile="$PSScriptRootEnable_TPM.txt"}
        'Virtualization' {$ConfigFile="$PSScriptRootEnable_Virtualization.txt"}
        'WLANSwitching' {$ConfigFile="$PSScriptRootEnable_WLANSwitching.txt"}
        Default {}
    }
        switch ($Disable)
    {
        'Virtualization' {$ConfigFile="$PSScriptRootDisable_Virtualization.txt"}
        Default {}
    }
}
Process {
    $process = Start-Process -FilePath "$PSScriptRootBiosConfigUtility64.exe" -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
    #If a password is configured, enter it
    if ($process.ExitCode -eq 10) {
        try {
            $process = Start-Process -FilePath "$PSScriptRootBiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -wait -PassThru
        }
        catch {
            $process = Start-Process -FilePath "$PSScriptRootBiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile2`"", "`"/set:$ConfigFile`"", "/log" -wait -PassThru
        }
    }
}  
End {
}           

Implementation of the Powershell script

Download the source files

Download the source files here: https://danielengberg.com/wp-content/uploads/2019/10/Set-HPConfiguration-v2.1.zip

The list of components included in the solution:

• HP BIOS Configuration Utility
  • Executable for handling the BIOS settings configurations
• HPQPswd64.exe
  • Executable for creating the encrypted password file.
• Settings files
  • One setting file per setting or group of settings.
• Encrypted password file
  • Created using HPQPswd64.exe
• Set-HPConfiguration.ps1
  • The script file that runs the logic for the HP BIOS settings configuration.

Once you have extracted the contents of the *.zip file, you should have the following structure:

Create an encrypted password file

The encrypted password file is created using HPQPswd64.exe, included in the HP BIOS Configuration Utility package.

Follow the below steps:

1. Open HPQPswd64.exe
2. Enter the password to be encrypted
3. Enter the destination to the password file.
4. Press OK to close HPQPswd64.exe

NOTE: Passwords for HP BIOS

HP passwords can contain the following characters:

• Unicode
• Numbers

Place the password file in the same folder as the solution.

Customize the Powershell script

Export HP BIOS settings

Open a command prompt as Administrator. Browse to the installation directory of the HP BIOS Configuration Utility, often at C:\Program Files (x86)\HPBIOS Configuration Utility.

Use the following command to access the BIOS and export all available settings for your model:

BiosConfigUtility64.exe /get:biosconfig.txt /cpwdfile:password.bin

The settings available may differ for each model. However, you need not worry as it does not apply the setting if the setting does not exist on the hardware.

Cut out the HP BIOS settings

Extract the settings you wish, for example:

Virtualization Technology for Directed I/O (VTd) Disable *Enable Virtualization Technology (VTx) Disable *Enable 

Add HP BIOS settings to the configuration file

Create a new file with <Enable/Configure setting>.

Remember to include this at the top of the text file.

BIOSConfig 1.0 ; ; 

Update the Powershell script

Update BIOS settings

If you want to add more settings than the ones I have configured, you need to create a new configuration file with the required setting and change the following switch statement:

    switch ($Configure)
    {
        'ThunderboltSecurity' {$ConfigFile="$PSScriptRootConfigure_ThunderboltSecurity.txt"}
        'VideoMemory' {$ConfigFile="$PSScriptRootConfigure_VideoMemory.txt"}
        Default {}
    }
    switch ($Enable)
    {
        'SecureBoot' {$ConfigFile="$PSScriptRootEnable_SecureBoot.txt"}
        'TPM' {$ConfigFile="$PSScriptRootEnable_TPM.txt"}
        'Virtualization' {$ConfigFile="$PSScriptRootEnable_Virtualization.txt"}
        'WLANSwitching' {$ConfigFile="$PSScriptRootEnable_WLANSwitching.txt"}
        Default {}
    }
        switch ($Disable)
    {
        'Virtualization' {$ConfigFile="$PSScriptRootDisable_Virtualization.txt"}
        Default {}
    

Update password file and configuration

The example script will try to configure a new password with the /npwdfile parameter. If a BIOS password is already configured, the HP BIOS Configuration Utility should deliver an exit code of 10, and it will attempt to use that password with /cpwdfile paramter.

This example will also test two different passwords for a match. This is useful if your environment contains clients which at some point were configured with another password. Feel free to add or remove passwords here.

    $process = Start-Process -FilePath "$PSScriptRootBiosConfigUtility64.exe" -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
    #If a password is configured, enter it
    if ($process.ExitCode -eq 10) {
        try {
            $process = Start-Process -FilePath "$PSScriptRootBiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -wait -PassThru
        }
        catch {
            $process = Start-Process -FilePath "$PSScriptRootBiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile2`"", "`"/set:$ConfigFile`"", "/log" -wait -PassThru

Execute the Powershell script

Execute the script using this command:

.\Set-HPConfiguration.ps1 -<Enable/Disable/Configure> <Item>

Add the Powershell solution to SCCM

Create an SCCM package

Press Create Package.

Put the source files somewhere and start to create a package.

Select Do not create a program

Review the settings and press Next and Finish.

Add the steps to an SCCM Task Sequence.

Add one step for each setting.

Select HP and configure WMI query with the following queries in an If Any statement:

SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like "%HP%"

SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like "%Hewlett-Packard%"

For each step, configure an additional step, with no WMI query:

Enable TPM

Enable Virtualization

Configure Video Memory

Configure Thunderbolt

Enable WLAN Switching

 Enable SecureBoot

 Add a Restart Computer step to the end of the BIOS Configuration steps with no query:

The Task Sequence should now look like this:

You can also use these steps as a Task Sequence to deploy to running clients, not just during operating system deployment.

Note: You don’t need to have the same setting for all HP models, but could configure the settings on a per model base. One setting could be configured for HP Elitebooks, one for HP ZBooks etc.

Other customizations available for the HP BIOS

Of course, you can also deploy other things such as boot options, boot order, etc.

Make sure to modify the solution above to fit your requirements! You can also configure this granularly for each computer model.

Conclusion

Using this method provides additional flexibility compared to the HP BIOS Configuration Utility (BCU) standard solution.

There are many methods to accomplish the same thing, but I have found that the solution provided in this blog post is easy to follow.

As always, please leave comments below if you have any feedback or improvements to the solution.

Thanks!

Related posts:

• Downgrade HP TPM firmware from 2.0 to 1.2.
• Configure the collection update schedule in SCCM using Powershell
• 4 best practices for collection updates in SCCM
• How to configure maintenance windows using SCCM with a Patch Tuesday offset