Dell BIOS Password Management – WMI

Earlier this year, I wrote about how to manage Dell BIOS passwords using PowerShell. The method described in that post uses the DellBIOSProvider PowerShell module. This method works, but I was not completely satisfied with it, as the PowerShell module needs to be downloaded and installed on every system the script runs on.

Thankfully, Dell recently released a technical whitepaper documenting WMI classes that can be used to directly modify BIOS settings without needing an outside program or PowerShell module. This allowed me to create a new version of the Dell BIOS Settings Management script that does not require any additional content to function.

One caveat for this new method is that the WMI classes are only supported on Dell hardware released to market after calendar year 2018. Because of this, older Dell hardware will still require the use of the DellBIOSProvider PowerShell module.

The script can be downloaded from my GitHub: https://github.com/ConfigJon/Firmware-Management/blob/master/Dell/Manage-DellBiosPasswords-WMI.ps1

Dell, WMI, and PowerShell

Dell provides a WMI interface that can be used for querying and modifying BIOS settings on their hardware models (only applies to models released after calendar year 2018). This means that we can use PowerShell to directly view and edit BIOS settings without the need for a vendor-specific program. This script uses two of the Dell-provided WMI classes.

The first WMI class is PasswordObject. It is located in the root\dcim\sysman\wmisecurity namespace. This class is used to return the current BIOS password status.

#Connect to the PasswordObject WMI class
$Password = Get-CimInstance -Namespace root\dcim\sysman\wmisecurity -ClassName PasswordObject

#Check the status of the admin password
$Password | Where-Object NameId -EQ "Admin" | Select-Object -ExpandProperty IsPasswordSet

#Check the status of the system password
$Password | Where-Object NameId -EQ "System" | Select-Object -ExpandProperty IsPasswordSet

The second WMI class is SecurityInterface. It is located in the root\dcim\sysman\wmisecurity namespace. This class contains a method called SetNewPassword which is used to set and modify BIOS passwords.

#Connect to the SecurityInterface WMI class
$SecurityInterface = Get-WmiObject -Namespace root\dcim\sysman\wmisecurity -Class SecurityInterface

#Set the admin password when no password is currently set
$SecurityInterface.SetNewPassword(0,0,0,"Admin","","NewPassword")

#Set the system password when no password is currently set
$SecurityInterface.SetNewPassword(0,0,0,"System","","NewPassword")

#Change an existing admin password
#($Bytes is the UTF-8 encoded current password; see BIOS Password Encoding below)
$SecurityInterface.SetNewPassword(1,$Bytes.Length,$Bytes,"Admin","CurrentPassword","NewPassword")

#Clear an existing admin password (an empty new password clears it)
$SecurityInterface.SetNewPassword(1,$Bytes.Length,$Bytes,"Admin","CurrentPassword","")

BIOS Password Encoding

The examples above show calls made with and without an existing BIOS password. When a BIOS password is set, it must first be encoded as a byte array before it can be passed to a method.

$Password = "ExamplePass"
$Encoder = New-Object System.Text.UTF8Encoding
$Bytes = $Encoder.GetBytes($Password)

Each of the methods used to modify BIOS settings starts with 3 arguments. The 3 arguments are:

  • The type of text
  • The length of the byte array
  • The byte array containing the encoded password

When no password is set, these arguments are set to 0,0,0. The type of text is 0 (None), the length of the byte array is 0, and the byte array itself is 0.

When a password is set, these arguments are set to 1,$Bytes.Length,$Bytes. The type of text is 1 (plain text), the length of the byte array is set to $Bytes.Length, and the byte array is $Bytes.

Status Codes

For reference, when calling the SetNewPassword method, the possible status codes are:

  • 0 – Success
  • 1 – Failed
  • 2 – Invalid Parameter
  • 3 – Access Denied
  • 4 – Not Supported
  • 5 – Memory Error
  • 6 – Protocol Error

For more detailed information on the Dell WMI interface, refer to the official documentation. http://downloads.dell.com/manuals/common/dell-agentless-client-manageability.pdf
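
The following is an added example, not part of the original post or of Manage-DellBiosPasswords-WMI.ps1. It wraps a single SetNewPassword call so that the status code is translated using the list above and the result is confirmed by re-reading PasswordObject. The function and variable names are hypothetical, the passwords are placeholders, and it assumes the method's return object exposes the code in a property named Status.

```powershell
# Added example for Windows PowerShell 5.1 on supported Dell hardware (names are hypothetical)
$DellStatus = @{
    0 = 'Success'; 1 = 'Failed'; 2 = 'Invalid Parameter'; 3 = 'Access Denied'
    4 = 'Not Supported'; 5 = 'Memory Error'; 6 = 'Protocol Error'
}

function Set-DellBiosPasswordChecked {
    param(
        [Parameter(Mandatory)][ValidateSet('Admin','System')][string]$Type,
        [string]$CurrentPassword = '',   # empty when no password is set yet
        [string]$NewPassword = ''        # empty clears the existing password
    )
    $Namespace = 'root\dcim\sysman\wmisecurity'
    $Interface = Get-WmiObject -Namespace $Namespace -Class SecurityInterface -ErrorAction Stop

    # Build the three leading arguments described under "BIOS Password Encoding"
    if ($CurrentPassword) {
        $Bytes = (New-Object System.Text.UTF8Encoding).GetBytes($CurrentPassword)
        $Result = $Interface.SetNewPassword(1, $Bytes.Length, $Bytes, $Type, $CurrentPassword, $NewPassword)
    }
    else {
        $Result = $Interface.SetNewPassword(0, 0, 0, $Type, '', $NewPassword)
    }

    # Assumption: the numeric status code is returned in a property named Status
    $Code = [int]$Result.Status
    $Text = $DellStatus[$Code]
    if (-not $Text) { $Text = 'Unknown' }

    # Re-read PasswordObject so the reported state comes from the BIOS, not only the return code
    $IsSet = Get-CimInstance -Namespace $Namespace -ClassName PasswordObject |
        Where-Object NameId -EQ $Type | Select-Object -ExpandProperty IsPasswordSet

    [pscustomobject]@{
        Type          = $Type
        StatusCode    = $Code
        StatusText    = $Text
        IsPasswordSet = $IsSet
        # Verified only if the call succeeded and the set/cleared state matches the request
        Verified      = ($Code -eq 0) -and ([bool]$IsSet -eq [bool]$NewPassword)
    }
}

# Usage with placeholder values: change the admin password and stop on any mismatch
$Outcome = Set-DellBiosPasswordChecked -Type Admin -CurrentPassword 'CurrentPassword' -NewPassword 'NewPassword'
if (-not $Outcome.Verified) { throw "Admin password change failed: $($Outcome.StatusText)" }
```

The function covers only the cases shown in the snippets above, where the current password of the same type authorizes the change.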

Manage-DellBiosPasswords-WMI.ps1

This script takes the basic commands we just looked at and adds logic to allow for a more automated password management process. The script accepts parameters that tell it which actions to perform.

  • AdminSet – Set a new admin password or change an existing admin password
  • AdminClear – Clear an existing admin password
  • SystemSet – Set a new system password or change an existing system password
  • SystemClear – Clear an existing system password

There are also parameters that are used to specify the new and old BIOS passwords.

  • AdminPassword – The current admin password or password to be set
  • OldAdminPassword – The old admin password(s) to be changed. Multiple old passwords can be specified (separated by a comma).
  • SystemPassword – The current system password or password to be set
  • OldSystemPassword – The old system password(s) to be changed. Multiple old passwords can be specified (separated by a comma).

By default, if the script fails to perform any of these actions, it will display a message box on the screen and exit with an error code. This can be useful in a task sequence scenario where you may not want a system to continue with the task sequence if the BIOS password is not set correctly. However, if you want the script to be completely silent, there are a few parameters that can be set.

  • NoUserPrompt – Suppress all user prompts
  • ContinueOnError – Ignore any errors caused by changing or clearing passwords

When the script runs, it will write to a log file. By default, this log file will be named Manage-DellBiosPasswords-WMI.Log. If the script is being run during a task sequence, the log file will be located in the _SMSTSLogPath. Otherwise, the log file will be located in ProgramData\ConfigJonScripts\Dell. The log file name and path can be changed using the LogFile parameter. Note that the log file path will always be set to _SMSTSLogPath when run during a task sequence.

Examples

The script can be run as a standalone script in Windows, or as a part of a Configuration Manager task sequence. It can also be run in the full Windows OS or in WinPE.

Here are a few examples of calling the script from a PowerShell prompt in Windows.

#Set a new admin password
Manage-DellBiosPasswords-WMI.ps1 -AdminSet -AdminPassword <String>
 
#Set or change an admin password
Manage-DellBiosPasswords-WMI.ps1 -AdminSet -AdminPassword <String> -OldAdminPassword <String1>,<String2>,<String3>
 
#Set a new admin password and set a new system password
Manage-DellBiosPasswords-WMI.ps1 -AdminSet -SystemSet -AdminPassword <String> -SystemPassword <String>
 
#Clear an existing admin password
Manage-DellBiosPasswords-WMI.ps1 -AdminClear -OldAdminPassword <String1>,<String2>,<String3>

Here is a basic example of calling the script during a task sequence. This is likely one of the most common ways the script would be called in a task sequence. In this example the admin password will be set if it doesn’t exist, and it will be changed if it does already exist.

-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword1%,%OldPassword2%,%OldPassword3%

Password Lockout

If you have read my posts on managing HP and Lenovo BIOS passwords, then you will know that those scripts have logic built-in to handle system reboots. This is because on HP and Lenovo systems, after a set number of failed password attempts, the system locks and needs to be rebooted before any additional password attempts can be made.

In my testing on Dell hardware, it seems that there is not a BIOS password lockout (or it is set to a very high number) when using the Dell PowerShell Provider. This means that there isn’t a need for multiple passes of the script when there are many potential old passwords to change. The OldAdminPassword and OldSystemPassword parameters could accept many values in a single pass of the script.

Having said that, I have only tested this on a limited number of Dell hardware models, so I am not sure if it is universal. Dell could also choose to add a lockout in the future. For these reasons, I have still included the reboot logic in the script, even if it isn’t needed right now.

If multiple passes of the script are required, it would function just like the HP and Lenovo scripts.

First, in the Set Password Values step, create variables for each password.

The First Pass folder has no conditions on it, as it should run for any Dell system. To set a new admin password or change an existing admin password, the AdminSet parameter is specified along with the AdminPassword and OldAdminPassword parameters.

Because the script will need to run multiple times, there is one additional parameter that needs to be specified. The SMSTSPasswordRetry parameter instructs the script to not display prompts to the screen until all attempts have completed. In this scenario, the script needs to be run 3 times, so the SMSTSPasswordRetry parameter is specified on the first 2 passes of the script and not on the final pass. When the password(s) are successfully changed or cleared, the SMSTSPasswordRetry variable will be set to false. This means that if the first pass of the script is successful, the second and third passes of the script will be skipped.

-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword1%,%OldPassword2% -SMSTSPasswordRetry

When the script runs during a task sequence, it will create task sequence variables to track the success or failure of each different script action. If any one of the password actions fails, the associated task sequence variable will be set to Failed.

  • DellSetAdmin
  • DellClearAdmin
  • DellSetSystem
  • DellClearSystem

As I mentioned before, the first run of the script in the task sequence does not have any conditions, but each successive run of the script should have these conditions.

The second pass of the script. Notice the SMSTSPasswordRetry parameter is specified because there is still another potential pass of the script yet to run.

-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword3%,%OldPassword4% -SMSTSPasswordRetry

The third pass of the script. Notice the SMSTSPasswordRetry parameter is not set because this is the final pass of the script.

-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword5%,%OldPassword6%

User Prompts

If at the end of the script execution (whether that be one pass or multiple) any of the password management tasks are in a failed state, and the NoUserPrompt or ContinueOnError switches have not been specified, a prompt will be displayed on the screen informing the user of which tasks failed.

The end result of all of this is a script that can be used to change or clear Dell BIOS passwords. The script can be run in a task sequence and persist information across multiple reboots (if required). This allows for the user to be correctly prompted about any required manual actions even if there are many old passwords to test.

Notes and Additional Reading

A few notes about some restrictions Dell has placed on setting passwords.

  • If a system or hard drive password is currently set, an admin password cannot be set
  • If an admin password is set and a system password is not set, the admin password is required to set the system password
  • If an admin password and system password are both set and the admin password is cleared, the system password will also be automatically cleared
  • When booting into WinPE, the Dell WMI classes take a couple of minutes to install or initialize. Because of this, if the script fails to connect to a WMI class, it will retry every 30 seconds for 3 minutes before failing.

Some Dell systems have the ability to set hard drive password(s). This script currently does not support hard drive passwords. Only admin and system passwords can be managed. I may work on adding hard drive password support in the future.

For information on configuring Dell BIOS passwords using PowerShell and WMI, see my post Dell BIOS Settings Management – WMI. If you need to support older Dell hardware that does not support the WMI classes, see my other Dell posts Dell BIOS Password Management – PSModule and Dell BIOS Settings Management – PSModule. If you’re looking for other options for managing Dell BIOS passwords, check out the Dell Command Configure utility.