Introduction
In most organizations, the workstation configuration needs to conform to a specific standard, and the settings need to be deployed at scale. The alternative is to enter the BIOS on every machine and configure the settings manually. I don’t think anyone wants to manually open the BIOS and configure the settings, as it is a very time-consuming task and will likely have a low-quality result.
If you are using HP’s workstations, you require a strategy to deploy the HP BIOS settings.
The tool used in this scenario is HP’s setup utility, the HP BIOS Configuration Utility (BCU), and most of the test cases I’ve tried are for HP laptops.
This blog post covers how to use the HP BIOS Configuration Utility (BCU) to deploy HP BIOS settings using SCCM.
What is the BIOS?
BIOS stands for Basic Input Output System and is where all the system configuration is contained.
Nowadays, UEFI has replaced Legacy BIOS, but UEFI is still commonly referred to as BIOS.
How do you deploy HP BIOS settings using SCCM?
Enterprise OEMs such as Dell, HP, and Lenovo provide solutions for deploying BIOS settings, or UEFI firmware settings, as it’s now called.
Below is a list of the solutions for each manufacturer:
- HP – HP BIOS Configuration Utility (BCU)
- DELL – DELL Command Configure Toolkit (CCTK)
- Lenovo – Lenovo WMI scripts
The DELL and Lenovo solutions use executables or scripts which can be executed with different parameters, depending on what you want to Enable, Disable, or Configure in the BIOS.
The HP Setup Utility, which is called HP BIOS Configuration Utility (BCU), works differently. It uses an Export/Import function: for each model, you export the BIOS settings, make the required changes, and then re-import the settings.
I’m not too fond of the standard method in the HP BIOS Configuration Utility (BCU), as it requires you to go into each model and export the BIOS settings and then tweak them.
I would rather have a solution similar to DELL and Lenovo, where I can use a script with different parameters for each feature instead of triggering it per model.
Because of this lack of functionality, I created the solution described in this blog post.
In my example, I had to set:
- Configure WLAN Switching
- Enable Virtualization
- Enable TPM
- Enable SecureBoot
- Configure Video Memory
You can configure other BIOS settings, described later in this post. Now you won’t need to go into the BIOS and access the standard BIOS Setup Utility on each machine to make the changes :). The solution works for both HP Laptops and HP Desktops.
Glossary
BCU | BIOS Configuration Utility | HP's command-line utility for systematic deployment of BIOS settings. |
HP BIOS Configuration Utility and deployment of settings
As I mentioned in the Introduction, HP BIOS settings have traditionally been configured by exporting one configuration file, modifying it, and then re-importing it.
The common understanding was that a setting file with ALL HP BIOS settings required exporting for each model. I also have seen strange behavior when reusing settings files between different models.
In reality, settings that are not available on a specific model or specific BIOS version are automatically skipped.
HP can name settings differently between different models. The solution is to add all the other variants into the settings file.
HP also provides a Script Library with some Powershell modules:
https://developers.hp.com/hp-client-management/doc/client-management-script-library
HP BIOS Configuration Utility and Powershell
Features
The template script currently supports:
- Using two different passwords
- Enabling TPM
- Enabling Virtualization
- Enabling WLAN switching
- Configuring Video Memory
The script works just as well with any other settings you might wish to apply, such as configuring the boot device.
Later in this blog post, I describe how to customize the script to add different settings configurations.
Since the HP BIOS Configuration Utility does not handle blank BIOS passwords well, I have previously created a Powershell script.
Note that enabling or disabling TPM requires the user to press F10 to bypass the Physical Presence Interface (PPI). At this point, it’s not possible to ignore this.
Assumptions and prerequisites
There are some assumptions and prerequisites that need to be in place for this solution to work.
These include:
- HP BIOS Configuration Utility 4.0.25.1 or later. The commands have changed between versions: starting with 4.0.21.1, the parameters for configuring a new password and supplying the existing password changed from /nspwdfile and /cspwdfile to /npwdfile and /cpwdfile.
- A *.bin file containing the encrypted password used in your organization.
Download the HP BIOS Configuration Utility
The HP BIOS Configuration Utility can be found here: https://ftp.hp.com/pub/caps-softpaq/cmit/HP_BCU.html.
How does the Powershell script work?
The script uses the HP BIOS Configuration Utility together with an encrypted password file. The script checks if there is a password configured. If not, it executes the HP BIOS Configuration Utility without a current password. Otherwise, the Powershell script uses the password provided. The logic relies on the HP BIOS Configuration Utility returning exit code 10 if a password has been configured.
NOTE: In BCU versions before 3.0.3.1, it was possible to specify the password in clear text on the command line, which is not the case in later versions.
Instead of using one settings file with all the settings, we use one settings file per setting or group of settings.
The Powershell script
Below is the script used in the solution, called Set-HPConfiguration.ps1 :
<#
.DESCRIPTION
Sets HP UEFI configuration
.NOTES
Author: Daniel Classon
Version: 1.1
Date: 2018-10-31
.EXAMPLE
.\Set-HPConfiguration.ps1 -Enable TPM
.DISCLAIMER
All scripts and other powershell references are offered AS IS with no warranty.
These scripts and functions are tested in my environment and it is recommended that you test these scripts in a test environment before using in your production environment.
#>
Param(
    [Parameter(Mandatory=$False)]
    [string]$Enable,
    [Parameter(Mandatory=$False)]
    [string]$Disable,
    [Parameter(Mandatory=$False)]
    [string]$Configure,
    [Parameter(Mandatory=$False)]
    [string]$PasswordFile = "$PSScriptRoot\pwd.bin",
    [Parameter(Mandatory=$False)]
    [string]$PasswordFile2 = "$PSScriptRoot\pwd2.bin"
)
Begin {
    # Map the requested action and item to its settings file
    switch ($Configure)
    {
        'ThunderboltSecurity' {$ConfigFile="$PSScriptRoot\Configure_ThunderboltSecurity.txt"}
        'VideoMemory' {$ConfigFile="$PSScriptRoot\Configure_VideoMemory.txt"}
        Default {}
    }
    switch ($Enable)
    {
        'SecureBoot' {$ConfigFile="$PSScriptRoot\Enable_SecureBoot.txt"}
        'TPM' {$ConfigFile="$PSScriptRoot\Enable_TPM.txt"}
        'Virtualization' {$ConfigFile="$PSScriptRoot\Enable_Virtualization.txt"}
        'WLANSwitching' {$ConfigFile="$PSScriptRoot\Enable_WLANSwitching.txt"}
        Default {}
    }
    switch ($Disable)
    {
        'Virtualization' {$ConfigFile="$PSScriptRoot\Disable_Virtualization.txt"}
        Default {}
    }
    # Without a matching -Enable/-Disable/-Configure item there is nothing to apply
    if (-not $ConfigFile) {
        throw "No settings file matches the given -Enable/-Disable/-Configure value."
    }
}
Process {
    # First attempt: no BIOS password is set yet, so set one from $PasswordFile
    $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
    #If a password is configured, enter it
    if ($process.ExitCode -eq 10) {
        $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
        # Start-Process does not throw on a non-zero exit code, so the fallback to the
        # second password is driven by the exit code instead of try/catch
        if ($process.ExitCode -eq 10) {
            $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile2`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
        }
    }
}
End {
}
Implementation of the Powershell script
Download the source files
Download the source files here: https://danielengberg.com/wp-content/uploads/2019/10/Set-HPConfiguration-v2.1.zip
The list of components included in the solution:
- HP BIOS Configuration Utility
- Executable for handling the BIOS settings configurations
- HPQPswd64.exe
- Executable for creating the encrypted password file.
- Settings files
- One setting file per setting or group of settings.
- Encrypted password file
- Created using HPQPswd64.exe
- Set-HPConfiguration.ps1
- The script file that runs the logic for the HP BIOS settings configuration.
Once you have extracted the contents of the *.zip file, you should have the following structure:

Create an encrypted password file
The encrypted password file is created using HPQPswd64.exe, included in the HP BIOS Configuration Utility package.
Follow the below steps:
- Open HPQPswd64.exe
- Enter the password to be encrypted
- Enter the destination to the password file.
- Press OK to close HPQPswd64.exe
NOTE: Passwords for HP BIOS

HP passwords can contain the following characters:
- Unicode
- Numbers
Place the password file in the same folder as the solution.
Customize the Powershell script
Export HP BIOS settings
Open a command prompt as Administrator. Browse to the installation directory of the HP BIOS Configuration Utility, often at C:\Program Files (x86)\HP\BIOS Configuration Utility.
Use the following command to access the BIOS and export all available settings for your model:
BiosConfigUtility64.exe /get:biosconfig.txt /cpwdfile:password.bin
The settings available may differ for each model. However, you need not worry as it does not apply the setting if the setting does not exist on the hardware.
Cut out the HP BIOS settings
Extract the settings you wish, for example:
Virtualization Technology for Directed I/O (VTd)
	Disable
	*Enable
Virtualization Technology (VTx)
	Disable
	*Enable
Add HP BIOS settings to the configuration file
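Create a new text file named <Enable/Disable/Configure>_<Setting>.txt, for example Enable_Virtualization.txt, and paste the extracted settings into it.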
Remember to include this at the top of the text file.
BIOSConfig 1.0
;
;
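The check below is an added example, not part of the original post or of HP's tooling: it parses a deployed settings file and a fresh /get export and reports, per setting, whether the machine has the setting, offers the desired value, and has it selected. The function names, status labels and sample data are constructed for illustration, and the assumed file layout is stated in the first comment.

```powershell
# Added example. Assumed layout: "BIOSConfig 1.0" header, ';' comment lines, an
# unindented setting name, then indented values with '*' marking the selected one.
function ConvertFrom-BcuConfig {
    param([string[]]$Line)   # not Mandatory, so blank lines from Get-Content bind
    $settings = [ordered]@{}
    $name = $null
    foreach ($raw in $Line) {
        if ($raw -match '^\s*(;.*)?$' -or $raw -match '^BIOSConfig\s') { continue }
        if ($raw -match '^\S') {
            $name = $raw.Trim()
            $settings[$name] = [pscustomobject]@{ Selected = $null; Values = @() }
        }
        elseif ($name) {
            $value = $raw.Trim()
            if ($value.StartsWith('*')) {
                $value = $value.Substring(1)
                $settings[$name].Selected = $value
            }
            $settings[$name].Values += $value
        }
    }
    $settings
}

function Compare-BcuSetting {
    param([string[]]$Desired, [string[]]$Exported)
    $want = ConvertFrom-BcuConfig -Line $Desired
    $have = ConvertFrom-BcuConfig -Line $Exported
    foreach ($name in $want.Keys) {
        $target = $want[$name].Selected
        $actual = $null
        $offered = @()
        if ($have.Contains($name)) {
            $actual = $have[$name].Selected
            $offered = $have[$name].Values
        }
        if (-not $have.Contains($name)) { $status = 'NotOnThisModel' }     # BCU skips it
        elseif ($offered -notcontains $target) { $status = 'ValueNotOffered' } # Enable vs Enabled
        elseif ($actual -ne $target) { $status = 'Mismatch' }              # not applied
        else { $status = 'Compliant' }
        [pscustomobject]@{
            Setting = $name; Desired = $target; Actual = $actual
            Offered = $offered -join ', '; Status = $status
        }
    }
}

# Constructed sample data; the last two setting names are placeholders.
$desired = @'
BIOSConfig 1.0
;
Virtualization Technology (VTx)
    Disable
    *Enable
LAN/WLAN Switching
    Disable
    *Enabled
Video Memory Size
    *512 MB
'@ -split '\r?\n'
$exported = @'
BIOSConfig 1.0
Virtualization Technology (VTx)
    *Disable
    Enable
LAN/WLAN Switching
    *Disable
    Enable
'@ -split '\r?\n'
Compare-BcuSetting -Desired $desired -Exported $exported | Format-Table -AutoSize
```

On a real machine, pass the output of Get-Content for the deployed settings file and for the biosconfig.txt export instead of the sample strings.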
Update the Powershell script
Update BIOS settings
If you want to add more settings than the ones I have configured, you need to create a new configuration file with the required setting and change the following switch statement:
switch ($Configure)
{
    'ThunderboltSecurity' {$ConfigFile="$PSScriptRoot\Configure_ThunderboltSecurity.txt"}
    'VideoMemory' {$ConfigFile="$PSScriptRoot\Configure_VideoMemory.txt"}
    Default {}
}
switch ($Enable)
{
    'SecureBoot' {$ConfigFile="$PSScriptRoot\Enable_SecureBoot.txt"}
    'TPM' {$ConfigFile="$PSScriptRoot\Enable_TPM.txt"}
    'Virtualization' {$ConfigFile="$PSScriptRoot\Enable_Virtualization.txt"}
    'WLANSwitching' {$ConfigFile="$PSScriptRoot\Enable_WLANSwitching.txt"}
    Default {}
}
switch ($Disable)
{
    'Virtualization' {$ConfigFile="$PSScriptRoot\Disable_Virtualization.txt"}
    Default {}
}
Update password file and configuration
The example script will try to configure a new password with the /npwdfile parameter. If a BIOS password is already configured, the HP BIOS Configuration Utility should deliver an exit code of 10, and the script will attempt to use that password with the /cpwdfile parameter.
This example will also test two different passwords for a match. This is useful if your environment contains clients which at some point were configured with another password. Feel free to add or remove passwords here.
$process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
#If a password is configured, enter it
if ($process.ExitCode -eq 10) {
    $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
    # Start-Process does not throw on a non-zero exit code, so the fallback to the
    # second password is driven by the exit code instead of try/catch
    if ($process.ExitCode -eq 10) {
        $process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/cpwdfile:$PasswordFile2`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
    }
}
Execute the Powershell script
Execute the script using this command:
.\Set-HPConfiguration.ps1 -<Enable/Disable/Configure> <Item>
Add the Powershell solution to SCCM
Create an SCCM package
Press Create Package.

Put the source files somewhere and start to create a package.


Select Do not create a program

Review the settings and press Next and Finish.

Add the steps to an SCCM Task Sequence.
Add one step for each setting.
Select HP and configure WMI query with the following queries in an If Any statement:
SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like "%HP%"
SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like "%Hewlett-Packard%"

For each step, configure an additional step, with no WMI query:
Enable TPM

Enable Virtualization

Configure Video Memory

Configure Thunderbolt

Enable WLAN Switching

Enable SecureBoot

Add a Restart Computer step to the end of the BIOS Configuration steps with no query:

The Task Sequence should now look like this:

You can also use these steps as a Task Sequence to deploy to running clients, not just during operating system deployment.
Note: You don’t need to have the same setting for all HP models, but could configure the settings on a per-model basis. One setting could be configured for HP Elitebooks, one for HP ZBooks etc.
Other customizations available for the HP BIOS
Of course, you can also deploy other things such as boot options, boot order, etc.
Make sure to modify the solution above to fit your requirements! You can also configure this granularly for each computer model.
Conclusion
Using this method provides additional flexibility compared to the HP BIOS Configuration Utility (BCU) standard solution.
There are many methods to accomplish the same thing, but I have found that the solution provided in this blog post is easy to follow.
As always, please leave comments below if you have any feedback or improvements to the solution.
Thanks!
Hey Daniel, great stuff. I just ran it and everything “worked” but the settings did not change. I re-read this article and saw this line:
.\Set-HPConfiguration.ps1 –
Is this the reason the settings were not applied?
Where do I add?
Thanks
Hey,
How are you executing the Powershell script in the Task Sequence? You need to specify the settings that are to be Enabled and also make sure that you have a configuration file for each setting.
I executed it exactly as in your post.
I used your WLANSwitching, virtualization and Video Memory files as a test.
They are all in one folder along with the BiosConfigUtility64.exe and the password.bin file.
The PS script is left as is.
This is my TS: https://i.imgur.com/xiLaCpB.png
When I run the TS, the CMD window pops up with a “successfully read password from file” message, so I assumed it works and all I’m missing was a “set” command somewhere.
Sorry for the late reply. It seems correct according to your screenshot. Can you send your version of the script as well as the configuration files used?
/Daniel
I left everything as default, and implemented this exactly 3 weeks ago when I first sent the message. So latest version and default configurations.
I have the same issue, bios password is working but none of the switches is applied.
Hi Daniel
In my environment, the script does not work. Strange, because the script executes without any error. But no changes happen. The bios is still unchanged, no config applied 🙁
Do you have some infos about that? It sounds like the same issue as daniel explained above.
Thanks, raphael
Hi Raphael,
Can you share the script and settings files that you are using?
/Daniel
Hi Daniel,
Thanks for this, once working this will be a great way to configure BIOS Settings!
Can you confirm that the /npwdfile and /cpwdfile switches are correct?
The below is from the HP Documentation?
“Use the following sample command to create a setup password on a system with no existing password:
BIOSConfigUtility.exe /nspwdfile:"new password.bin"
Use the following sample command to modify the BIOS setup password use:
BIOSConfigUtility.exe /nspwdfile:"new password.bin" /cspwdfile:"current password.bin"
Use the following sample command to remove the BIOS setup password use:
BIOSConfigUtility.exe /nspwdfile:"" /cspwdfile:"current password.bin"”
I can confirm that since changing to cspwdfile and nspwdfile the script is now working
Hi Lee,
Thanks for your comment. Which version of HP BCU are you using? It seems like the current password file command has changed between the versions.
http://ftp.hp.com/pub/caps-softpaq/cmit/HP_BCU.html
In 4.0.2.1 it seems to have changed to /cpwdfile:
“Changes commands from /cspwdfile and /nspwdfile to /cpwdfile and /npwdfile to match HP SSM.”
http://whp-hou4.cold.extweb.hp.com/pub/caps-softpaq/cmit/whitepapers/HP_BCU_FAQ.pdf
I am using 4.0.25.1 in my example…
/Daniel
Thanks for the nice write-up Daniel. In my environment, I maintain different models of HPs. I want to add some logic to what you’ve created that will allow me to put the various config files in model-specific subfolders. Can’t figure out how to write the logic in the PowerShell script. Can you help?
Thank you so much for this very thorough solution. If no password is specified at all, is anything required to signal that no password on BIOS is set, or is to be set? Do I need to specify that a BIOS password is blank?
Hi,
You should configure a BIOS password, as HP requires many of the executions to have a BIOS password set. If you have not already configured a BIOS password, the script will set the password set in your password file.
Thank you so much for this solution. We have been trying powershell/wmi commands and the HP BCU, following this guide has proven successful. The only thing we can’t figure out is how to bypass the confirmation popup about Virtualization Technology after rebooting the machines.
Daniel, is there a way to achieve this?
Hi Jonathan,
Are you referring to the Physical Presence Interface (PPI) confirmation?
/Daniel
I found the issues regarding the switches.
Error:
https://imgur.com/lppGDLB
Looks like the switches in the txt files should be set to Enable (not Enabled).
Hi Fredric,
Thanks! It seems like this misconfiguration was only made for the WLAN Switching txt file. I have made the change and updated the links in the post.
Did you see the error anywhere else?
/Daniel
I have just run into this issue myself.. there is not one answer for all at least in my environment.. some of the older models have the verbiage “enabled” and some of the newer models have “enable”.. you have to unfortunately pull a config file from each model and then verify what it will and won’t accept.. I haven’t figured out if the SCCM plugin for HP MIK will solve this issue or not.
This worked perfect! Thank you for taking the time to write this. One question:
How can I run this hidden during OSD, the shell pops up and shows what it is doing.
Something weird, the BIOS exports are identical to HP 450 G5 and HP 450 G6. But on the G5 it won’t enable Lan / WLAN Auto and Power On when the lid is opened. Works great on the G6. All other settings do apply the same on both models.
Strange, I haven’t tested configuration on that model yet 🙂
I’d like to know that too. The shell popups are not really ‘nice’.
Shell popups with PowerShell can be hidden by using -NoNewWindow
e.g
$process = Start-Process -FilePath "$PSScriptRoot\BiosConfigUtility64.exe" -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru -NoNewWindow
Great information. Thanks! Is it possible to set PowerRecovery after Power Loss Behaviour with this script?
Hi Rodrigo,
If the setting can be extracted with the HP BCU, it is possible 🙂
/Daniel
Hi Daniel
Thanks for the great information. Do you have instruction for Intune instead of the SCCM?
Hi Ramy,
Sorry, I have not tested this scenario for Intune, but I might in the future :).
/Daniel
I’ve run HP’s BCU and have the config output but I’m looking for (and not finding) a resource that defines each of the settings available. Items like those below are a bit cryptic and could use some ‘splainin. I imagine I could spend much time testing and/or pulling details from many different sources, and I have some pretty reasonable guesses, but it sure would be great to have a HP “dictionary” for all of the available settings. Anyone got such a resource?
Power Control
*Disable
Enable
Boost Converter
*Disable
Enable
Several others…
please can you make a video for us ? I’m stuck at “Cut out the HP BIOS settings”
I don’t know the password for the bios and the Virtualization is turned off.
Hi Bob,
Sorry about the late reply. I will see if I can get some time to create a video 🙂
/Daniel
Hi Daniel, Thanks for the steps to reset BIOS password. This really helps us. I am stuck at Cut off BIOS setting. I have forgotten my BIOS password and wanted to enable virtualisation service. Please upload youtube video and share link with us.
Daniel, Thank you very much for all your help and support! I wish you and your family a lot of health in these difficult times ! 🙂
Thank you, Rodolfo. I wish the same to you!
Hi, Does this set the bios password? We have a project running where it is a requirement to have a bios password set.
Hi Ryan,
Yes, the solution sets a password if none is configured. If a password is configured, it will be used. The solution also supports multiple passwords.
I added a new section, “Update password file and configuration,” to clarify this.
Thanks for your comment!
Hi Daniel I have issues with a HP workstation notebook the specs say that that memory used has to be the same configuration as each for DIM to work. I have two of the same workstations, I can not get one of them to upgrade to a mere 4gb while the other upgraded just fine to a 8GB using two four Sodimm’s the workstations are HP 8440p I want to try and see if it might be a corrupt BIOS I set the defaults and they both have the latest and final bios
What settings do you use in the Configure_ThunderboltSecurity.txt file?
I need to Change the Thunderbolt Security Level option to PCIe and DisplayPort – User Authentication
Is it possible to get information about a Post System Password (authentication) is set on HP Notebooks? Is it also possible to change the settings via powershell or HP BCU?
Thanks for the clear explanation !
However, on a HP G6 Minitower, with Win10-1909 and the most recent HP-BCU I keep getting issues with “unable to decrypt the password file” and if I try to create a new one, it always ends up with 0 bytes :-(.
On a HP-Deskpro-G5 (and earlier) with the same Windows installation, it works fine !.. Any thoughts ?
Great Tuto
My question is rather non-expert level … but you mentioned that one “can also deploy other things such as boot options”!
I wish my HP X2 allows me to boot from USB with bootable Linux OS, which it doesn’t allow by default … IS THAT POSSIBLE or included in the scripts
thanks
Kinda old post, but still very useful today.
I have one question though…
At our company we want to add a post power-on password for added security. So the computer can’t start without this pw.
Is this an available option to set, like you can with the BIOS setup password? can’t seem to find any information about that. We would hate to set it on each machine individually. Thanks.
Deployed Secure boot by TS on running device. It shows compliant but the SQL report shows secure boot 0.
Hello Daniel, how are you? I’m testing this component and I can’t change the actions in the BIOS, I’ve already downloaded the latest version from HP and I’m using the scripts provided, but nothing is changed in the BIOS.
Hi,
How do you set a Bios password on the remote device? I copied the password file and the BIOSConfigUtility64.exe to a remote device and I tried with PSSession and Invoke-Command -ComputerName $PC -scriptblock but can’t make it to work.