
How To Deploy HP BIOS Settings Using SCCM and HP BIOS Configuration Utility


Introduction

In most organizations, the workstation configuration needs to conform to a specific standard, and the settings need to be deployed at scale. The alternative is to enter the BIOS on every machine and configure the settings manually. I don’t think anyone wants to manually open the BIOS and configure the settings, as it is a very time-consuming task and will likely have a low-quality result.

If you are using HP’s workstations, you require a strategy to deploy the HP BIOS settings.

The tool used in this scenario is the HP setup utility HP BIOS Configuration Utility (BCU), and most of the test cases I’ve tried are for HP laptops.

This blog post covers how to use the HP BIOS Configuration Utility (BCU) to deploy HP BIOS settings using SCCM.

What is the BIOS?

BIOS stands for Basic Input Output System and is where all the system configuration is contained.

Nowadays, UEFI has replaced Legacy BIOS, but UEFI is still commonly referred to as BIOS.

How do you deploy HP BIOS settings using SCCM?

Enterprise OEMs such as Dell, HP, and Lenovo provide solutions for deploying BIOS settings, or UEFI firmware settings, as it’s now called.

Below is a list of the solutions for each manufacturer:

The DELL and Lenovo solutions use executables or scripts which can be executed with different parameters, depending on what you want to Enable, Disable, or Configure in the BIOS.

The HP Setup Utility, which is called HP BIOS Configuration Utility (BCU), works differently. It uses an Export/Import function: for each model, you export the BIOS settings, make the changes required, and then re-import the required settings.

I’m not too fond of the standard method in the HP BIOS Configuration Utility (BCU), as it requires you to go into each model and export the BIOS settings and then tweak them.

I would rather have a solution similar to DELL and Lenovo, where I can use a script with different parameters for each feature instead of triggering it per model.

Because of this lack of functionality, I created the solution described in this blog post.

In my example, I had to set:

  • Configure WLAN Switching
  • Enable Virtualization
  • Enable TPM
  • Enable SecureBoot
  • Configure Video Memory

You can configure other BIOS settings, described later in this post. Now you won’t need to go into the BIOS and access the standard BIOS Setup Utility on each machine to make the changes :). The solution works for both HP Laptops and HP Desktops.

Glossary

BCU (BIOS Configuration Utility): HP's command-line utility for systematic deployment of BIOS settings.

HP BIOS Configuration Utility and deployment of settings

As I mentioned in the Introduction, HP BIOS settings have traditionally been configured using one exported configuration file, modified, and then re-imported.

The common understanding was that a setting file with ALL HP BIOS settings required exporting for each model. I also have seen strange behavior when reusing settings files between different models.

In reality, settings that are not available on a specific model or specific BIOS version are automatically skipped.

HP can name settings differently between different models. The solution is to add all the other variants into the settings file.

HP also provides a Script Library with some Powershell modules:
https://developers.hp.com/hp-client-management/doc/client-management-script-library

HP BIOS Configuration Utility and Powershell

Features

The template script as of now works for:

  • Use two different passwords
  • Enable TPM
  • Enable Virtualization
  • Enable WLAN switching
  • Configuring Video Memory

The script works just as well with any other settings you might wish to apply, such as configuring the boot device.

Later in this blog post, I describe how to customize the script to add different settings configurations.

Since the HP BIOS Configuration Utility does not handle blank BIOS passwords well, I have previously created a Powershell script.

Note that Enabling or Disabling of TPM requires the user to press F10 to bypass the Physical Presence Interface (PPI). At this point, it’s not possible to ignore this.

Assumptions and prerequisites

There are some assumptions and prerequisites that need to be in place for this solution to work.

These include:

  • HP BIOS Configuration Utility 4.0.25.1 or later. The commands have changed between the different versions. Starting with 4.0.21.1, the parameters for configuring new passwords and for supplying existing passwords have changed from /nspwdfile and /cspwdfile to /npwdfile and /cpwdfile.
  • A *.bin file containing the encrypted password in your organization.

Download the HP BIOS Configuration Utility

The HP BIOS Configuration Utility can be found here: https://ftp.hp.com/pub/caps-softpaq/cmit/HP_BCU.html.

How does the Powershell script work?

The script uses the HP BIOS Configuration Utility together with an encrypted password file. The script checks if there is a password configured. If not, it executes the HP BIOS Configuration Utility without a password. Otherwise, the PowerShell script uses the password provided. The logic relies on the HP BIOS Configuration Utility returning exit code 10 if a password has been configured.

NOTE: In BCU versions before 3.0.3.1, it was possible to specify the password as a clear text in the command line, which is not the case in later versions.

Instead of using one settings file with all the settings, we use one settings file per setting or group of settings.

The Powershell script

Below is the script used in the solution, called Set-HPConfiguration.ps1 :

<#
.DESCRIPTION
Sets HP UEFI configuration

.NOTES
Author: Daniel Classon
Version: 1.1
Date: 2018-10-31

.EXAMPLE
.\Set-HPConfiguration.ps1 -Enable TPM
.DISCLAIMER
All scripts and other powershell references are offered AS IS with no warranty.
These script and functions are tested in my environment and it is recommended that you test these scripts in a test environment before using in your production environment.
#>
Param(
    [Parameter(Mandatory=$False)]
    [string]$Enable,
    [Parameter(Mandatory=$False)]
    [string]$Disable,
    [Parameter(Mandatory=$False)]
    [string]$Configure,
    [Parameter(Mandatory=$False)]
    [string]$PasswordFile = "$PSScriptRoot\pwd.bin",
    [Parameter(Mandatory=$False)]
    [string]$PasswordFile2 = "$PSScriptRoot\pwd2.bin"
)
Begin {
    # Map the requested item to its settings file, stored next to the script
    switch ($Configure)
    {
        'ThunderboltSecurity' {$ConfigFile="$PSScriptRoot\Configure_ThunderboltSecurity.txt"}
        'VideoMemory' {$ConfigFile="$PSScriptRoot\Configure_VideoMemory.txt"}
        Default {}
    }
    switch ($Enable)
    {
        'SecureBoot' {$ConfigFile="$PSScriptRoot\Enable_SecureBoot.txt"}
        'TPM' {$ConfigFile="$PSScriptRoot\Enable_TPM.txt"}
        'Virtualization' {$ConfigFile="$PSScriptRoot\Enable_Virtualization.txt"}
        'WLANSwitching' {$ConfigFile="$PSScriptRoot\Enable_WLANSwitching.txt"}
        Default {}
    }
    switch ($Disable)
    {
        'Virtualization' {$ConfigFile="$PSScriptRoot\Disable_Virtualization.txt"}
        Default {}
    }
}
Process {
    # First attempt: no BIOS password is set yet, so configure one and apply the settings
    $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
    # If a password is configured (exit code 10), enter it
    if ($process.ExitCode -eq 10) {
        $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
        # Start-Process does not throw on a non-zero exit code, so a try/catch never
        # reaches the second password; test the exit code again instead
        if ($process.ExitCode -eq 10) {
            $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile2`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
        }
    }
}
End {
}

Implementation of the Powershell script

Download the source files

Download the source files here: https://danielengberg.com/wp-content/uploads/2019/10/Set-HPConfiguration-v2.1.zip

The list of components included in the solution:

  • HP BIOS Configuration Utility
    • Executable for handling the BIOS settings configurations
  • HPQPswd64.exe
    • Executable for creating the encrypted password file.
  • Settings files
    • One setting file per setting or group of settings.
  • Encrypted password file
    • Created using HPQPswd64.exe
  • Set-HPConfiguration.ps1
    • The script file that runs the logic for the HP BIOS settings configuration.

Once you have extracted the contents of the *.zip file, you should have the following structure:

Create an encrypted password file

The encrypted password file is created using HPQPswd64.exe, included in the HP BIOS Configuration Utility package.

Follow the below steps:

  1. Open HPQPswd64.exe
  2. Enter the password to be encrypted
  3. Enter the destination to the password file.
  4. Press OK to close HPQPswd64.exe

NOTE: Passwords for HP BIOS


HP passwords can contain the following characters:

  • Unicode
  • Numbers

Place the password file in the same folder as the solution.

Customize the Powershell script

Export HP BIOS settings

Open a command prompt as Administrator. Browse to the installation directory of the HP BIOS Configuration Utility, often at C:\Program Files (x86)\HP\BIOS Configuration Utility.

Use the following command to access the BIOS and export all available settings for your model:

BiosConfigUtility64.exe /get:biosconfig.txt /cpwdfile:password.bin

The settings available may differ for each model. However, you need not worry as it does not apply the setting if the setting does not exist on the hardware.

Cut out the HP BIOS settings

Extract the settings you wish, for example:

Virtualization Technology for Directed I/O (VTd)
	Disable
	*Enable
Virtualization Technology (VTx)
	Disable
	*Enable

Add HP BIOS settings to the configuration file

Create a new file with <Enable/Configure setting>.

Remember to include this at the top of the text file.

BIOSConfig 1.0
;
;
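The export, cut-out and settings-file steps above can be scripted, and the same parser can confirm after a reboot that a setting really took effect. This is an added example, not part of Set-HPConfiguration.ps1 or HP's tooling: the function names, the sample export, the Enable_VTd.txt file name and the 'Enabled' spelling are constructed for illustration, and it assumes the export layout shown above (setting name on one line, indented values below it, `*` marking the selected value).

```powershell
# Added example. The export below is constructed; on a real machine run
# BiosConfigUtility64.exe /get:biosconfig.txt /cpwdfile:password.bin and use Get-Content.
$lines = @'
BIOSConfig 1.0
;
;     constructed sample export
;
Virtualization Technology (VTx)
	Disable
	*Enable
Virtualization Technology for Directed I/O (VTd)
	*Disable
	Enable
'@ -split '\r?\n'

function ConvertFrom-BcuExport {
    # Returns an ordered map: setting name -> object with Values and Current
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $settings = [ordered]@{}
    $name = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(;|$)' -or $line -match '^BIOSConfig\s') { continue }
        if ($line -match '^\s+(\*?)(.*\S)\s*$') {   # indented line: a value
            if ($null -eq $name) { continue }
            $settings[$name].Values.Add($Matches[2])
            if ($Matches[1]) { $settings[$name].Current = $Matches[2] }
        } else {                                     # unindented line: a setting name
            $name = $line.Trim()
            $settings[$name] = [pscustomobject]@{
                Values  = [System.Collections.Generic.List[string]]::new()
                Current = $null                      # stays $null if no value is starred
            }
        }
    }
    $settings
}

function New-BcuSettingText {
    # Lines of a one-setting file; rejects names or values this model does not list
    param([Parameter(Mandatory)]$Parsed, [Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Value)
    if (-not $Parsed.Contains($Name)) { throw "Setting '$Name' is not in this export" }
    $offered = $Parsed[$Name].Values
    if ($offered -notcontains $Value) { throw "'$Value' is not offered for '$Name'" }
    $out = @('BIOSConfig 1.0', ';', ';', $Name)
    foreach ($v in $offered) {
        $mark = ''
        if ($v -eq $Value) { $mark = '*' }
        $out += "`t$mark$v"
    }
    $out
}

function Test-BcuSetting {
    # Compares the starred value in an export with the accepted spellings
    param([Parameter(Mandatory)]$Parsed, [Parameter(Mandatory)][string[]]$Names,
          [Parameter(Mandatory)][string[]]$Values)
    $found = $Names | Where-Object { $Parsed.Contains($_) } | Select-Object -First 1
    if (-not $found) { return [pscustomobject]@{ Setting = $Names[0]; State = 'NotPresent'; Current = $null } }
    $current = $Parsed[$found].Current
    $state = 'Mismatch'
    if ($Values -contains $current) { $state = 'Compliant' }
    [pscustomobject]@{ Setting = $found; State = $state; Current = $current }
}

$parsed = ConvertFrom-BcuExport -Lines $lines
$vtd = 'Virtualization Technology for Directed I/O (VTd)'
New-BcuSettingText -Parsed $parsed -Name $vtd -Value 'Enable' | Set-Content "$env:TEMP\Enable_VTd.txt"
Test-BcuSetting -Parsed $parsed -Names $vtd -Values 'Enable', 'Enabled'
```

Running Test-BcuSetting against a fresh /get export after the restart step shows whether a setting such as SecureBoot or TPM was actually applied, rather than relying on the script finishing without an error.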

Update the Powershell script

Update BIOS settings

If you want to add more settings than the ones I have configured, you need to create a new configuration file with the required setting and change the following switch statement:

    switch ($Configure)
    {
        'ThunderboltSecurity' {$ConfigFile="$PSScriptRoot\Configure_ThunderboltSecurity.txt"}
        'VideoMemory' {$ConfigFile="$PSScriptRoot\Configure_VideoMemory.txt"}
        Default {}
    }
    switch ($Enable)
    {
        'SecureBoot' {$ConfigFile="$PSScriptRoot\Enable_SecureBoot.txt"}
        'TPM' {$ConfigFile="$PSScriptRoot\Enable_TPM.txt"}
        'Virtualization' {$ConfigFile="$PSScriptRoot\Enable_Virtualization.txt"}
        'WLANSwitching' {$ConfigFile="$PSScriptRoot\Enable_WLANSwitching.txt"}
        Default {}
    }
    switch ($Disable)
    {
        'Virtualization' {$ConfigFile="$PSScriptRoot\Disable_Virtualization.txt"}
        Default {}
    }
Update password file and configuration

The example script will try to configure a new password with the /npwdfile parameter. If a BIOS password is already configured, the HP BIOS Configuration Utility should deliver an exit code of 10, and the script will attempt to use that password with the /cpwdfile parameter.

This example will also test two different passwords for a match. This is useful if your environment contains clients which at some point were configured with another password. Feel free to add or remove passwords here.

    $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
    # If a password is configured (exit code 10), enter it
    if ($process.ExitCode -eq 10) {
        $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
        # Start-Process does not throw on a non-zero exit code, so test it to reach the second password
        if ($process.ExitCode -eq 10) {
            $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile2`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
        }
    }

Execute the Powershell script

Execute the script using this command:

.\Set-HPConfiguration.ps1 -<Enable/Disable/Configure> <Item>

Add the Powershell solution to SCCM

Create an SCCM package

Press Create Package.


Put the source files somewhere and start to create a package.


Select Do not create a program


Review the settings and press Next and Finish.


Add the steps to an SCCM Task Sequence.

Add one step for each setting.

Select HP and configure WMI query with the following queries in an If Any statement:

SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like "%HP%"
SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like "%Hewlett-Packard%"

For each step, configure an additional step, with no WMI query:

  • Enable TPM
  • Enable Virtualization
  • Configure Video Memory
  • Configure Thunderbolt
  • Enable WLAN Switching
  • Enable SecureBoot

Add a Restart Computer step to the end of the BIOS Configuration steps with no query.

The Task Sequence should now look like this:

Configure HP BIOS Configuration in Task Sequence in SCCM

You can also use these steps as a Task Sequence to deploy to running clients, not just during operating system deployment.

Note: You don’t need to have the same setting for all HP models, but could configure the settings on a per-model basis. One setting could be configured for HP EliteBooks, one for HP ZBooks, etc.

Other customizations available for the HP BIOS

Of course, you can also deploy other things such as boot options, boot order, etc.

Make sure to modify the solution above to fit your requirements! You can also configure this granularly for each computer model.

Conclusion

Using this method provides additional flexibility compared to the HP BIOS Configuration Utility (BCU) standard solution.

There are many methods to accomplish the same thing, but I have found that the solution provided in this blog post is easy to follow.

As always, please leave comments below if you have any feedback or improvements to the solution.

Thanks!


45 COMMENTS

  1. Hey Daniel, great stuff. I just ran it and everything “worked” but the settings did not change. I re-read this article and saw this line:
    .\Set-HPConfiguration.ps1 –

    Is this the reason the settings were not applied?
    Where do I add?

    Thanks

    • Hey,
      How are you executing the Powershell script in the Task Sequence? You need to specify the settings that are to be Enabled and also make sure that you have a configuration file for each setting.

      • I executed it exactly as in your post.
        I used your WLANSwitching, virtualization and Video Memory files as a test.
        They are all in one folder along with the BiosConfigUtility64.exe and the password.bin file.

        The PS script is left as is.
        This is my TS: https://i.imgur.com/xiLaCpB.png

        When I run the TS, the CMD windows pops up with a “successfully read password from file” message, so I assumed it works and all I’m missing was a “set” command somewhere.

          • I left everything as default, and implemented this exactly 3 weeks ago when I first sent the message. So latest version and default configurations.

  2. Hi Daniel
    In my environment, the script does not work. Strange, because the script executes without any error. But no changes happen. The bios is still unchanged, no config applied 🙁
    Do you have some infos about that? It sounds like the same issue as daniel explained above.
    Thanks, raphael

  3. Hi Daniel,
    Thanks for this, once working this will be a great way to configure BIOS Settings!
    Can you confirm that the /npwdfile and /cpwdfile switches are correct?

    The below is from the HP Documentation?
    “Use the following sample command to create a setup password on a system with no existing password:
    BIOSConfigUtility.exe /nspwdfile:”new password.bin”
    Use the following sample command to modify the BIOS setup password use:
    BIOSConfigUtility.exe /nspwdfile:”new password.bin” /cspwdfile:”current
    password.bin”
    Use the following sample command to remove the BIOS setup password use:
    BIOSConfigUtility.exe /nspwdfile:”” /cspwdfile:”current password.bin””

  4. Thanks for the nice write-up Daniel. In my environment, I maintain different models of HPs. I want to add some logic to what you’ve created that will allow me to put the various config files in model-specific subfolders. Can’t figure out how to write the logic in the PowerShell script. Can you help?

  5. Thank you so much for this very thorough solution. If no password is specified at all, is anything required to signal that no password on BIOS is set, or is to be set? Do I need to specify that a BIOS password is blank?

    • Hi,

      You should configure a BIOS password, as HP requires many of the executions to have a BIOS password set. If you have not already configured a BIOS password, the script will set the password set in your password file.

  6. Thank you so much for this solution. We have been trying powershell/wmi commands and the HP BCU, following this guide has proven successful. The only thing we can’t figure out is how to bypass the confirmation popup about Virtualization Technology after rebooting the machines.

    Daniel, is there a way to achieve this?

    • Hi Fredric,

      Thanks! It seems like this misconfiguration was only made for the WLAN Switching txt file. I have made the change and updated the links in the post.

      Did you see the error anywhere else?

      /Daniel

    • I have just run into this issue myself.. there is not one answer for all at least in my environment.. some of the older models have the verbiage “enabled” and some of the newer models have “enable”.. you have to unfortunately pull a config file from each model and then verify what it will and won’t accept.. I haven’t figured out if the SCCM plugin for HP MIK will solve this issue or not.

  7. This worked perfect! Thank you for taking the time to write this. One question:

    How can I run this hidden during OSD, the shell pops up and shows what it is doing.

    • Something weird, the BIOS exports are identical to HP 450 G5 and HP 450 G6. But on the G5 it won’t enable Lan / WLAN Auto and Power On when the lid is opened. Works great on the G6. All other settings do apply the same on both models.

      • Shell popups with PowerShell can be hidden by using -NoNewWindow
        e.g
        $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru -NoNewWindow

  8. Great information. Thanks! Is it possible to set PowerRecovery after Power Loss Behaviour with this script?

  9. I’ve run HP’s BCU and have the config output but I’m looking for (and not finding) a resource that defines each of the settings available. Items like those below are a bit cryptic and could use some ‘splainin. I imagine I could spend much time testing and/or pulling details from many different sources, and I have some pretty reasonable guesses, but it sure would be great to have a HP “dictionary” for all of the available settings. Anyone got such a resource?

    Power Control
    *Disable
    Enable
    Boost Converter
    *Disable
    Enable
    Several others…

  10. Please can you make a video for us? I’m stuck at “Cut out the HP BIOS settings”
    I don’t know the password for the BIOS and the Virtualization is turned off.

      • Hi Daniel, Thanks for the steps to reset BIOS password. This really helps us. I am stuck at Cut off BIOS setting. I have forgotten my BIOS password and wanted to enable virtualisation service. Please upload a YouTube video and share the link with us.

  11. Daniel, Thank you very much for all your help and support! I wish you and your family a lot of health in these difficult times! 🙂

  12. Hi, Does this set the bios password? We have a project running where it is a requirement to have a bios password set.

    • Hi Ryan,

      Yes, the solution sets a password if none is configured. If a password is configured, it will be used. The solution also supports multiple passwords.

      I added a new section, “Update password file and configuration,” to clarify this.

      Thanks for your comment!

  13. Hi Daniel I have issues with a HP workstation notebook the specs say that that memory used has to be the same configuration as each for DIM to work. I have two of the same workstations, I can not get one of them to upgrade to a mere 4gb while the other upgraded just fine to a 8GB using two four Sodimm’s the workstations are HP 8440p I want to try and see if it might be a corrupt BIOS I set the defaults and they both have the latest and final bios

  14. What settings do you use in the Configure_ThunderboltSecurity.txt file?
    I need to Change the Thunderbolt Security Level option to PCIe and DisplayPort – User Authentication

  15. Is it possible to get information about whether a Post System Password (authentication) is set on HP Notebooks? Is it also possible to change the settings via PowerShell or HP BCU?

  16. Thanks for the clear explanation !
    However, on a HP G6 Minitower, with Win10-1909 and the most recent HP-BCU I keep getting issues with “unable to decrypt the password file” and if I try to create a new one, it always ends up with 0 bytes :-(.
    On a HP-Deskpro-G5 (and earlier) with the same Windows installation, it works fine! Any thoughts?

  17. Great Tuto
    My question is rather non-expert level … but you mentioned that one “can also deploy other things such as boot options”!
    I wish my HP X2 allows me to boot from USB with bootable Linux OS, which it doesn’t allow by default … IS THAT POSSIBLE or included in the scripts
    thanks

  18. Kinda old post, but still very useful today.
    I have one question though…
    At our company we want to add a post power-on password for added security. So the computer can’t start without this pw.
    Is this an available option to set, like you can with the BIOS setup password? can’t seem to find any information about that. We would hate to set it on each machine individually. Thanks.

  19. Hello Daniel, how are you? I’m testing this component and I can’t change the actions in the BIOS, I’ve already downloaded the latest version from HP and I’m using the scripts provided, but nothing is changed in the BIOS.

  20. Hi,

    How do you set a BIOS password on the remote device? I copied the password file and the BIOSConfigUtility64.exe to a remote device and I tried with PSSession and Invoke-Command -ComputerName $PC -scriptblock but can’t make it work.
