This post was updated on May 25th, 2026 and covers script version 2.3.0.
Earlier this year, I wrote about how to manage Dell BIOS passwords using PowerShell. The method described in that post uses the DellBIOSProvider PowerShell module. This method works, but I was not completely satisfied with it, as the PowerShell module needs to be downloaded and installed on every system the script runs on.
Thankfully, Dell recently released a technical whitepaper documenting WMI classes that can be used to directly modify BIOS settings without needing an outside program or PowerShell module. This allowed me to create a new version of the Dell BIOS Settings Management script that does not require any additional content to function.
One caveat for this new method is that the WMI classes are only supported on Dell hardware released to market after calendar year 2018. Because of this, older Dell hardware will still require the use of the DellBIOSProvider PowerShell module.
The script can be downloaded from my GitHub: https://github.com/ConfigJon/Firmware-Management/blob/master/Dell/Manage-DellBiosPasswords-WMI.ps1
This post is part of the v2 update to my BIOS management scripts. For an overview of everything that changed across the Dell, HP, and Lenovo scripts, see BIOS Management Scripts v2 Released.
Dell, WMI, and PowerShell
Dell provides a WMI interface that can be used for querying and modifying BIOS settings on their hardware models (only applies to models released after calendar year 2018). This means that PowerShell can be used to directly view and edit BIOS settings without the need for a vendor specific program. This script uses 2 of the Dell provided WMI classes.
The first WMI class is PasswordObject. It is located in the root\dcim\sysman\wmisecurity namespace. This class is used to return the current BIOS password status.
#Connect to the PasswordObject WMI class
$Password = Get-CimInstance -Namespace root\dcim\sysman\wmisecurity -ClassName PasswordObject
#Check the status of the admin password
$Password | Where-Object NameId -EQ "Admin" | Select-Object -ExpandProperty IsPasswordSet
#Check the status of the system password
$Password | Where-Object NameId -EQ "System" | Select-Object -ExpandProperty IsPasswordSet
The second WMI class is SecurityInterface. It is located in the root\dcim\sysman\wmisecurity namespace. This class contains a method called SetNewPassword which is used to set and modify BIOS passwords.
#Connect to the SecurityInterface WMI class
$SecurityInterface = Get-CimInstance -Namespace root\dcim\sysman\wmisecurity -ClassName SecurityInterface
#Set the admin password when no password is currently set
Invoke-CimMethod -InputObject $SecurityInterface -MethodName SetNewPassword -Arguments @{SecType=0; SecHndCount=0; SecHandle=[byte[]]@(); NameId="Admin"; OldPassword=""; NewPassword="NewPassword"}
#Set the system password when no password is currently set
Invoke-CimMethod -InputObject $SecurityInterface -MethodName SetNewPassword -Arguments @{SecType=0; SecHndCount=0; SecHandle=[byte[]]@(); NameId="System"; OldPassword=""; NewPassword="NewPassword"}
#Change an existing admin password ($Bytes holds the encoded current password, see BIOS Password Encoding below)
Invoke-CimMethod -InputObject $SecurityInterface -MethodName SetNewPassword -Arguments @{SecType=1; SecHndCount=$Bytes.Length; SecHandle=$Bytes; NameId="Admin"; OldPassword="CurrentPassword"; NewPassword="NewPassword"}
#Clear an existing admin password
Invoke-CimMethod -InputObject $SecurityInterface -MethodName SetNewPassword -Arguments @{SecType=1; SecHndCount=$Bytes.Length; SecHandle=$Bytes; NameId="Admin"; OldPassword="CurrentPassword"; NewPassword=""}
Note: Earlier versions of this post used Get-WmiObject and dot-notation method calls (for example $SecurityInterface.SetNewPassword(...)). Get-WmiObject was removed in PowerShell 7, so the script and these examples now use Get-CimInstance and Invoke-CimMethod, which work in both Windows PowerShell 5.1 and PowerShell 7.
BIOS Password Encoding
The examples above show how to modify BIOS passwords with and without an existing BIOS password. When a BIOS password is set, it must first be encoded as a byte array before it can be passed to the method.
$Password = "ExamplePass"
$Encoder = New-Object System.Text.UTF8Encoding
$Bytes = $Encoder.GetBytes($Password)
Each call to SetNewPassword includes three arguments that describe the authenticating password:
- SecType - The type of text (0 = None, 1 = plain text)
- SecHndCount - The length of the byte array
- SecHandle - The byte array containing the encoded password
When no password is currently set, these are SecType=0, SecHndCount=0, SecHandle=[byte[]]@() (an empty byte array).
When a password is set, these are SecType=1, SecHndCount=$Bytes.Length, SecHandle=$Bytes.
Status Codes
For reference, when calling the SetNewPassword method, the possible status codes are:
- 0 - Success
- 1 - Failed
- 2 - Invalid Parameter
- 3 - Access Denied
- 4 - Not Supported
- 5 - Memory Error
- 6 - Protocol Error
For more detailed information on the Dell WMI interface, refer to the official documentation. http://downloads.dell.com/manuals/common/dell-agentless-client-manageability.pdf
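The pieces above combined into one call path, as an added example (not code from Manage-DellBiosPasswords-WMI.ps1): it checks IsPasswordSet, builds the matching SecType/SecHndCount/SecHandle arguments, calls SetNewPassword for the admin password, and translates the status code. The names New-DellAuthArguments, Set-DellAdminPassword and $DellStatus are hypothetical, and reading the return code from a Status property on the Invoke-CimMethod result is an assumption.

```powershell
# Added example. Status codes as listed in this post.
$DellStatus = @{ 0 = 'Success'; 1 = 'Failed'; 2 = 'Invalid Parameter'; 3 = 'Access Denied'
                 4 = 'Not Supported'; 5 = 'Memory Error'; 6 = 'Protocol Error' }

function New-DellAuthArguments {
    # Build the three arguments that describe the authenticating password.
    param([string]$CurrentPassword)
    if ([string]::IsNullOrEmpty($CurrentPassword)) {
        # No password currently set: SecType 0 and an empty byte array.
        return @{ SecType = 0; SecHndCount = 0; SecHandle = [byte[]]@() }
    }
    $Bytes = [System.Text.Encoding]::UTF8.GetBytes($CurrentPassword)
    return @{ SecType = 1; SecHndCount = $Bytes.Length; SecHandle = $Bytes }
}

function Set-DellAdminPassword {
    # Sets or changes the admin password. Clearing (empty NewPassword) is
    # deliberately not handled here; Mandatory rejects an empty string.
    param(
        [Parameter(Mandatory)][string]$NewPassword,
        [string]$CurrentPassword = ''
    )
    $Namespace = 'root\dcim\sysman\wmisecurity'
    $IsSet = (Get-CimInstance -Namespace $Namespace -ClassName PasswordObject |
        Where-Object NameId -EQ 'Admin').IsPasswordSet -eq 1
    if ($IsSet -and -not $CurrentPassword) {
        throw 'An admin password is set; the current password is required.'
    }
    # Ignore a supplied current password when the BIOS reports none is set.
    if (-not $IsSet) { $CurrentPassword = '' }

    $Arguments = New-DellAuthArguments -CurrentPassword $CurrentPassword
    $Arguments += @{ NameId = 'Admin'; OldPassword = $CurrentPassword; NewPassword = $NewPassword }

    $Interface = Get-CimInstance -Namespace $Namespace -ClassName SecurityInterface
    $Result = Invoke-CimMethod -InputObject $Interface -MethodName SetNewPassword -Arguments $Arguments

    # Assumption: the return code is exposed as the Status output property.
    $Code = [int]$Result.Status
    $Text = if ($DellStatus.ContainsKey($Code)) { $DellStatus[$Code] } else { 'Unknown' }
    # Return only the outcome; password values are never written to output.
    [pscustomobject]@{ Code = $Code; Text = $Text; Succeeded = ($Code -eq 0) }
}
```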
Manage-DellBiosPasswords-WMI.ps1
This script takes these basic commands and adds logic to allow for a more automated password management process. The script accepts parameters that tell it which actions to perform.
- AdminSet – Set a new admin password or change an existing admin password
- AdminClear – Clear an existing admin password
- SystemSet – Set a new system password or change an existing system password
- SystemClear – Clear an existing system password
There are also parameters that are used to specify the new and old BIOS passwords.
- AdminPassword – The current admin password or password to be set
- OldAdminPassword – The old admin password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
- SystemPassword – The current system password or password to be set
- OldSystemPassword – The old system password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
Note: Each of these password parameters also has a matching CMS parameter (for example, -AdminPasswordCmsFile) that reads the password from an encrypted file instead of from the command line. See the Securing the BIOS Password section at the bottom of this post for more information.
By default, if the script fails to perform any of these actions, it will display a message box on the screen and exit with an error code. This can be useful in a task sequence scenario where you may not want a system to continue with the task sequence if the BIOS password is not set correctly. However, if you want the script to be completely silent, there are a few parameters that can be set.
- NoUserPrompt – Suppress all user prompts
- ContinueOnError – Ignore any errors caused by changing or clearing passwords
When the script runs, it will write to a log file. By default, this log file will be named Manage-DellBiosPasswords-WMI.Log. If the script is being run during a task sequence, the log file will be located in the _SMSTSLogPath. Otherwise, the log file will be located in ProgramData\ConfigJonScripts\Dell. The log file name and path can be changed using the LogFile parameter. Note that the log file path will always be set to _SMSTSLogPath when run during a task sequence.
Limitations and Known Issues
Password Lockout
In testing on Dell hardware, the Dell WMI interface does not appear to enforce a BIOS password lockout (or the lockout is set to a very high number), so failed password attempts do not require a reboot to continue trying additional passwords. This is different from HP and Lenovo, where the system locks after a small number of failed attempts. Only a limited number of Dell models have been tested, and Dell could change this behavior in the future, so the script still includes the same multi-pass task sequence support as the HP and Lenovo variants. Starting with version 2.1.0, the OldAdminPassword and OldSystemPassword parameters are capped at 2 old passwords each, matching the HP and Lenovo scripts for parity. If multiple passes of the script are required, see the multi-pass example in the Examples section below.
Multiple Configured Passwords
Dell places a few restrictions on setting passwords:
- If a system or hard drive password is currently set, an admin password cannot be set.
- If an admin password is set and a system password is not set, the admin password is required to set the system password.
- If an admin password and system password are both set and the admin password is cleared, the system password is also automatically cleared.
Hard Drive Passwords
Some Dell systems have the ability to set hard drive password(s). This script currently does not support hard drive passwords. Only admin and system passwords can be managed.
WinPE Initialization
When booting into WinPE, the Dell WMI classes take a couple of minutes to install or initialize. Because of this, if the script fails to connect to a WMI class, it will retry every 30 seconds for 3 minutes before failing.
Examples
The script can be run as a standalone script in Windows, or as a part of a Configuration Manager task sequence. It can also be run in the full Windows OS or in WinPE.
Here are a few examples of calling the script from a PowerShell prompt in Windows.
#Set a new admin password
Manage-DellBiosPasswords-WMI.ps1 -AdminSet -AdminPassword <String>
#Set or change an admin password
Manage-DellBiosPasswords-WMI.ps1 -AdminSet -AdminPassword <String> -OldAdminPassword <String1>,<String2>
#Set a new admin password and set a new system password
Manage-DellBiosPasswords-WMI.ps1 -AdminSet -SystemSet -AdminPassword <String> -SystemPassword <String>
#Clear an existing admin password
Manage-DellBiosPasswords-WMI.ps1 -AdminClear -OldAdminPassword <String1>,<String2>
#Set a new admin password sourced from a CMS-encrypted file
Manage-DellBiosPasswords-WMI.ps1 -AdminSet -AdminPasswordCmsFile <String>
Here is a basic example of calling the script during a task sequence. This is likely one of the most common ways the script would be called in a task sequence. In this example the admin password will be set if it doesn’t exist, and it will be changed if it does already exist.


-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword1%,%OldPassword2%
If multiple passes of the script are required (see the Password Lockout note in the Limitations section above), the script supports the same multi-pass pattern as the HP and Lenovo scripts. First in the Set Password Values step, create variables for each password.


The First Pass folder has no conditions on it, as it should run for any Dell system. To set a new admin password or change an existing admin password, the AdminSet parameter is specified along with the AdminPassword and OldAdminPassword parameters.
Because the script will need to run multiple times, there is one additional parameter that needs to be specified. The SMSTSPasswordRetry parameter instructs the script to not display prompts to the screen until all attempts have completed. In this scenario, the script needs to be run 3 times, so the SMSTSPasswordRetry parameter is specified on the first 2 passes of the script and not on the final pass. When the password(s) are successfully changed or cleared, the SMSTSPasswordRetry variable will be set to false. This means that if the first pass of the script is successful, the second and third passes of the script will be skipped.

-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword1%,%OldPassword2% -SMSTSPasswordRetry
When the script runs during a task sequence, it will create task sequence variables to track the success or failure of each different script action. If any one of the password actions fails, the associated task sequence variable will be set to Failed.
- DellSetAdmin
- DellClearAdmin
- DellSetSystem
- DellClearSystem
As I mentioned before, the first run of the script in the task sequence does not have any conditions, but each successive run of the script should have these conditions.

The second pass of the script. Notice the SMSTSPasswordRetry parameter is specified because there is still another potential pass of the script yet to run.

-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword3%,%OldPassword4% -SMSTSPasswordRetry
The third pass of the script. Notice the SMSTSPasswordRetry parameter is not set because this is the final pass of the script.

-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword5%,%OldPassword6%
User Prompts
If at the end of the script execution (whether that be one pass or multiple) any of the password management tasks are in a failed state, and the NoUserPrompt or ContinueOnError switches have not been specified, a prompt will be displayed on the screen informing the user of which tasks failed.

The end result of all of this is a script that can be used to change or clear Dell BIOS passwords. The script can be run in a task sequence and persist information across multiple reboots (if required). This allows for the user to be correctly prompted about any required manual actions even if there are many old passwords to test.
Securing the BIOS Password
This script takes the BIOS password as a plain-text parameter. As of version 2.3.0 it can also read the password from a CMS-encrypted file using a matching CMS-file parameter (for example, -AdminPasswordCmsFile), so the password is never passed on the command line. For a full walkthrough of encrypting the password and deploying it safely in unattended deployments, see Securing BIOS Passwords.
Additional Reading
For information on configuring Dell BIOS settings using PowerShell and WMI, see my post Dell BIOS Settings Management - WMI. If you need to support older Dell hardware that does not support the WMI classes, see my other Dell posts Dell BIOS Password Management - DellBIOSProvider and Dell BIOS Settings Management - DellBIOSProvider. For other tools, check out the Dell Command Configure utility.