This post was updated on May 25th, 2026 and covers script version 2.3.0.
Update: Dell does now provide native WMI classes to manage BIOS passwords on newer models. For more information, see this post: Dell BIOS Password Management - WMI. For information on using the Dell PowerShell module to configure passwords on older models, continue reading this post.
This is the third post in my series on how to manage BIOS / Firmware passwords with PowerShell. Previously, I’ve discussed Lenovo BIOS Password Management and HP BIOS Password Management.
This script is similar to the previous scripts in that the goal was to have a script that could automatically set, change, or clear BIOS passwords while providing logging and optional user prompts. However, there are a few differences. In this post, I’ll cover the basics of how the script works.
The script can be downloaded from my GitHub: https://github.com/ConfigJon/Firmware-Management/blob/master/Dell/Manage-DellBiosPasswords-DellBIOSProvider.ps1
This post is part of the v2 update to my BIOS management scripts. For an overview of everything that changed across the Dell, HP, and Lenovo scripts, see BIOS Management Scripts v2 Released.
Dell and PowerShell
Unlike HP and Lenovo, Dell does not provide command line access to their BIOS settings by default. Instead, Dell provides a PowerShell module called Dell Command | PowerShell Provider. This PowerShell module allows Dell BIOS passwords and settings to be directly viewed and modified from a PowerShell prompt or script. This PowerShell module needs to be installed before running the Dell password management script. For more information, see my recent blog post, Working with the Dell Command | PowerShell Provider.
Once the Dell PowerShell Provider module has been installed, open an administrative PowerShell prompt and import the module.
Import-Module DellBIOSProvider
Now that the module is imported, the first thing that needs to be done is to determine what passwords are currently configured. This information can be obtained using the Get-Item PowerShell cmdlet against the DellSmbios: PSDrive.
#Check the status of the admin password
Get-Item -Path DellSmbios:\Security\IsAdminPasswordSet | Select-Object -ExpandProperty CurrentValue
#Check the status of the system password
Get-Item -Path DellSmbios:\Security\IsSystemPasswordSet | Select-Object -ExpandProperty CurrentValue
Checking the status of the passwords with return either True or False.
The next step is to action on this data and set, change, or clear the password(s). This can be accomplished by using the Set-Item PowerShell cmdlet against the DellSmbios: PSDrive.
#Set a new admin password
Set-Item -Path DellSmbios:\Security\AdminPassword NewPassword
#Change an existing admin password
Set-Item -Path DellSmbios:\Security\AdminPassword NewPassword -Password OldPassword
#Clear an existing admin password
Set-Item -Path DellSmbios:\Security\AdminPassword "" -Password OldPassword
For more information on using the Dell PowerShell Provider, refer to the official documentation: Reference Guide, User Guide
Manage-DellBiosPasswords-DellBIOSProvider.ps1
This script takes these basic commands and adds logic to allow for a more automated password management process. The script accepts parameters that tell it which actions to perform.
- AdminSet - Set a new admin password or change an existing admin password
- AdminClear - Clear an existing admin password
- SystemSet - Set a new system password or change an existing system password
- SystemClear - Clear an existing system password
There are also parameters that are used to specify the new and old BIOS passwords.
- AdminPassword - The current admin password or password to be set
- OldAdminPassword - The old admin password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
- SystemPassword - The current system password or password to be set
- OldSystemPassword - The old system password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
Note
Each of these password parameters also has a matching CMS parameter (for example,
-AdminPasswordCmsFile) that reads the password from an encrypted file instead of from the command line. See the Securing the BIOS Password section at the bottom of this post for more information.
By default, if the script fails to perform any of these actions, it will display a message box on the screen and exit with an error code. This can be useful in a task sequence scenario where you may not want a system to continue with the task sequence if the BIOS password is not set correctly. However, if you want the script to be completely silent, there are a few parameters that can be set.
- NoUserPrompt - Suppress all user prompts
- ContinueOnError - Ignore any errors caused by changing or clearing passwords
When the script runs, it will write to a log file. By default, this log file will be named Manage-DellBiosPasswords-DellBIOSProvider.Log. If the script is being run during a task sequence, the log file will be located in the _SMSTSLogPath. Otherwise, the log file will be located in ProgramData\ConfigJonScripts\Dell. The log file name and path can be changed using the LogFile parameter. Note that the log file path will always be set to _SMSTSLogPath when run during a task sequence.
Limitations and Known Issues
Password Lockout
In testing on Dell hardware, the Dell PowerShell Provider does not appear to enforce a BIOS password lockout (or the lockout is set to a very high number), so failed password attempts do not require a reboot to continue trying additional passwords. This is different from HP and Lenovo, where the system locks after a small number of failed attempts. Only a limited number of Dell models have been tested, and Dell could change this behavior in the future, so the script still includes the same multi-pass task sequence support as the HP and Lenovo variants. Starting with version 2.1.0, the OldAdminPassword and OldSystemPassword parameters are capped at 2 old passwords each, matching the HP and Lenovo scripts for parity. If multiple passes of the script are required, see the multi-pass example in the Examples section below.
Multiple Configured Passwords
Dell places a few restrictions on setting passwords:
- If a system or hard drive password is currently set, an admin password cannot be set.
- If an admin password is set and a system password is not set, the admin password is required to set the system password.
- If an admin password and system password are both set and the admin password is cleared, the system password is also automatically cleared.
Hard Drive Passwords
Some Dell systems have the ability to set hard drive password(s). This script currently does not support hard drive passwords. Only admin and system passwords can be managed.
Examples
The script can be run as a standalone script in Windows, or as a part of a Configuration Manager task sequence. It can also be run in the full Windows OS or in WinPE.
Here are a few examples of calling the script from a PowerShell prompt in Windows.
Set a new admin password
Manage-DellBiosPasswords-DellBIOSProvider.ps1 -AdminSet -AdminPassword <String>
Set or change a admin password
Manage-DellBiosPasswords-DellBIOSProvider.ps1 -AdminSet -AdminPassword <String> -OldAdminPassword <String1>,<String2>
Set a new admin password and set a new system password
Manage-DellBiosPasswords-DellBIOSProvider.ps1 -AdminSet -SystemSet -AdminPassword <String> -SystemPassword <String>
Clear an existing admin password
Manage-DellBiosPasswords-DellBIOSProvider.ps1 -AdminClear -OldAdminPassword <String1>,<String2>
Set a new admin password sourced from a CMS-encrypted file
Manage-DellBiosPasswords-DellBIOSProvider.ps1 -AdminSet -AdminPasswordCmsFile <String>
Here is a basic example of calling the script during a task sequence. This is likely one of the most common ways the script would be called in a task sequence. In this example the admin password will be set if it doesn’t exist, and it will be changed if it does already exist.
-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword1%,%OldPassword2%
Note that before running the Dell password management script, the DellBIOSProvider PowerShell module must be installed. See my recent post Working with the Dell Command | PowerShell Provider for information on installing the module during a task sequence.
If multiple passes of the script are required (see the Password Lockout note in the Limitations section above), the script supports the same multi-pass pattern as the HP and Lenovo scripts. First in the Set Password Values step, create variables for each password.
The First Pass folder has no conditions on it, as it should run for any Dell system. To set a new admin password or change an existing admin password, the AdminSet parameter is specified along with the AdminPassword and OldAdminPassword parameters.
Because the script will need to run multiple times, there is one additional parameter that needs to be specified. The SMSTSPasswordRetry parameter instructs the script to not display prompts to the screen until all attempts have completed. In this scenario, the script needs to be run 3 times, so SMSTSPasswordRetry parameter is specified on the first 2 passes of the script and not on the final pass. When the password(s) are successfully changed or cleared, the SMSTSPasswordRetry variable will be set to false. This means that if the first pass of the script is successful, the second and third passes of the script will be skipped.
-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword1%,%OldPassword2% -SMSTSPasswordRetry
When the script runs during a task sequence, it will create task sequence variables to track the success or failure of each different script action. If any one of the password actions fails, the associated task sequence variable will be set to Failed.
- DellSetAdmin
- DellClearAdmin
- DellSetSystem
- DellClearSystem
As I mentioned before, the first run of the script in the task sequence does not have any conditions, but each successive run of the script should have these conditions.
The second pass of the script. Notice the SMSTSPasswordRetry parameter is specified because there is still another potential pass of the script yet to run.
-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword3%,%OldPassword4% -SMSTSPasswordRetry
The third pass of the script. Notice the SMSTSPasswordRetry parameter is not set because this is the final pass of the script.
-AdminSet -AdminPassword %NewPassword% -OldAdminPassword %OldPassword5%,%OldPassword6%
User Prompts
If at the end of the script execution (whether that be one pass or multiple) any of the password management tasks are in a failed state, and the NoUserPrompt or ContinueOnError switches have not been specified, a prompt will be displayed on the screen informing the user of which tasks failed.
The end result of all of this is a script that can be used to change or clear Dell BIOS passwords. The script can be run in a task sequence and persist information across multiple reboots (if required). This allows for the user to be correctly prompted about any required manual actions even if there are many old passwords to test.
Securing the BIOS Password
This script takes the BIOS password as a plain-text parameter. As of version 2.3.0 it can also read the password from a CMS-encrypted file using a matching CMS-file parameter (for example, -AdminPasswordCmsFile), so the password is never passed on the command line. For a full walkthrough of encrypting the password and deploying it safely in unattended deployments, see Securing BIOS Passwords.
Additional Reading
If you would like to configure Dell BIOS settings other than just the passwords, see my post Dell BIOS Settings Management - DellBIOSProvider. For other tools, check out Dell Command Configure, Dell PowerShell Provider User Guide, and Dell PowerShell Provider Reference Guide.