My Dell, HP, and Lenovo BIOS password and settings scripts have been around for years, and over time they drifted away from the modules, operating systems, and hardware they run against. I’ve now finished a top-to-bottom modernization of the whole set (the v2 generation), which is currently at version 2.3.0. This post summarizes what changed across all of the scripts and links to the individual posts where each one is covered in detail.
The scripts can be downloaded from my GitHub: https://github.com/ConfigJon/Firmware-Management
The big changes
CIM cmdlets and PowerShell 7 support. Every script that talked to WMI through the deprecated Get-WmiObject now uses the CIM cmdlets (Get-CimInstance and Invoke-CimMethod) on a single code path. The result is that the scripts now run on both Windows PowerShell 5.1 and PowerShell 7 without changes. All the WMI teaching examples in the individual posts were updated to match.
More script variants. Dell already shipped both a WMI and a DellBIOSProvider variant. HP now matches that model. The original WMI scripts were renamed with a -WMI suffix, and a new pair of HPCMSL variants has been added for compatibility with the HP Client Management Script Library. Lenovo stays a single WMI variant, since there’s no low-level Lenovo PowerShell provider to build a second script against.
Consistency and parity. The scripts were audited against each other and brought in line: shared helper functions standardized, consistent parameters and output (including a PossibleValue column in the settings output), SetDefaults added everywhere the platform supports it, standardized old-password handling, and a number of bugs fixed along the way.
Modern BIOS authentication. Newer commercial hardware has moved past the simple BIOS password, and the scripts now handle that gracefully:
- Lenovo complex passwords - on 2020+ ThinkPad and 2017+ ThinkCentre/ThinkStation systems, the scripts use the modern Lenovo_WmiOpcodeInterface, which handles complex and special-character passwords (including commas) that the legacy method couldn’t. Older systems automatically fall back to the legacy method.
- HP Sure Admin and Lenovo BIOS certificate authentication - on devices where the password has been replaced by HP Sure Admin or Lenovo’s BIOS certificate authentication, the scripts now detect it, log a clear message, and exit cleanly instead of failing in a confusing way. (These devices require signed-payload tooling rather than a password, which these scripts don’t perform.)
Secure password sourcing. As of version 2.3.0, every password parameter has a matching -…CmsFile parameter that reads the password from a CMS-encrypted file and decrypts it in memory at runtime, so the password never appears on a command line or in a log. The existing plain-text parameters are unchanged. The full walkthrough is in its own post: Securing BIOS Passwords.
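The CMS round trip described above, as an added example that is not code from the scripts themselves: it encrypts a password to a document-encryption certificate with Protect-CmsMessage, confirms the file on disk holds no plaintext, and decrypts it in memory with Unprotect-CmsMessage. The helper name Read-CmsPassword, the certificate subject, the file path and the password are all constructed for illustration, and the demo assumes a Windows machine where a self-signed certificate in the current user's store is acceptable.

```powershell
# Added example. Subject name, file path and password are constructed values.
# Windows only: New-SelfSignedCertificate ships with the PKI module.

function Read-CmsPassword {   # hypothetical helper, not taken from the scripts
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "CMS file not found: $Path"
    }
    try {
        # Decrypts with the recipient's private key; plaintext exists only in memory.
        $plain = Unprotect-CmsMessage -Path $Path -ErrorAction Stop
    }
    catch {
        throw "Cannot decrypt '$Path' (is the recipient private key installed?): $($_.Exception.Message)"
    }
    if ([string]::IsNullOrEmpty($plain)) { throw "Decrypted content of '$Path' is empty" }
    return $plain
}

# 1. One-time setup: a document-encryption certificate (self-signed for the demo).
$cert = New-SelfSignedCertificate -Subject 'CN=BIOS Password Demo (constructed)' `
    -Type DocumentEncryptionCert -KeyUsage KeyEncipherment, DataEncipherment `
    -CertStoreLocation 'Cert:\CurrentUser\My'

$samplePassword = 'Constructed,P@ss!word'   # constructed sample value
$cmsFile = Join-Path $env:TEMP 'bios-password-demo.cms'
try {
    # 2. Encrypt to the certificate. Only the public key is needed for this step.
    Protect-CmsMessage -To $cert.Thumbprint -Content $samplePassword -OutFile $cmsFile

    # 3. The file on disk is an ASCII-armoured CMS blob, not the password.
    $onDisk = Get-Content -LiteralPath $cmsFile -Raw
    if ($onDisk.Contains($samplePassword)) { throw 'Plaintext leaked into the CMS file' }
    if (-not $onDisk.Contains('-----BEGIN CMS-----')) { throw 'Unexpected file format' }

    # 4. At run time: decrypt in memory and hand the value on.
    $password = Read-CmsPassword -Path $cmsFile
    "Decrypted password length: $($password.Length)"   # log the length, never the value
}
finally {
    # Remove the demo file and the demo certificate together with its private key.
    Remove-Item -LiteralPath $cmsFile -ErrorAction SilentlyContinue
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey -ErrorAction SilentlyContinue
}
```

In a real deployment the encryption step runs once on an administrator's machine using only the public certificate, while the private key is installed only on the devices that need to decrypt.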
What changed per manufacturer
Dell - both the WMI and DellBIOSProvider variants were modernized. The WMI variants moved fully to the CIM cmdlets. The DellBIOSProvider settings script gained boot-order management (-SetBootOrder/-BootMode) through the DellBIOSProvider to match the WMI variant.
- Dell BIOS Password Management (WMI)
- Dell BIOS Password Management (DellBIOSProvider)
- Dell BIOS Settings Management (WMI)
- Dell BIOS Settings Management (DellBIOSProvider)
HP - the original scripts were renamed to -WMI and modernized, and new HPCMSL variants were added. The settings scripts now report possible values, the HPCMSL settings script can reset settings to defaults, the power-on password handling was corrected to use the setup password as HP firmware requires, and HP Sure Admin is detected.
- HP BIOS Password Management (WMI)
- HP BIOS Password Management (HPCMSL)
- HP BIOS Settings Management (WMI)
- HP BIOS Settings Management (HPCMSL)
Lenovo - both scripts were modernized, gained the opcode interface for complex passwords, and detect certificate-based authentication. The settings script now reports possible values in its output.
Also worth a look
- Securing BIOS Passwords - how to deliver the BIOS password to these scripts safely in unattended deployments.