This post covers script version 2.3.0.
This is the HP Client Management Script Library (HPCMSL) variant of my HP BIOS password management script. It performs the same task as the WMI-based variant - automatically setting, changing, or clearing the Setup and Power-On passwords with logging and optional user prompts - but it uses the HPCMSL cmdlets instead of talking to the HP WMI interface directly. If you would rather avoid the module dependency, see the WMI variant.
The script can be downloaded from my GitHub. https://github.com/ConfigJon/Firmware-Management/tree/master/HP
This post is part of the v2 update to my BIOS management scripts. For an overview of everything that changed across the Dell, HP, and Lenovo scripts, see BIOS Management Scripts v2 Released.
Prerequisite: the HP Client Management Script Library
This variant requires the HPCMSL to be installed on the device before it runs. The script verifies the HP.ClientManagement module is present and will stop with an error if it is not found. You can install the library using my Install-HPCMSL.ps1 script, which supports both online and offline (WinPE) installation.
HPCMSL and BIOS passwords
The HPCMSL provides dedicated cmdlets for managing both the Setup password and the Power-On password, so the script does not need to construct WMI method calls or deal with the <utf-16/> password encoding. The library handles all of that internally.
#Import the HP Client Management Script Library
Import-Module HP.ClientManagement
#Check the status of the passwords (each returns True or False)
Get-HPBIOSSetupPasswordIsSet
Get-HPBIOSPowerOnPasswordIsSet
#Set a new setup password when none is currently set
Set-HPBIOSSetupPassword -NewPassword "NewPassword"
#Change an existing setup password
Set-HPBIOSSetupPassword -NewPassword "NewPassword" -Password "OldPassword"
#Clear an existing setup password
Clear-HPBIOSSetupPassword -Password "OldPassword"
The Power-On password is managed with the matching Set-HPBIOSPowerOnPassword and Clear-HPBIOSPowerOnPassword cmdlets. On a device where the Setup password is already set, the Setup password is required to authorize creating or changing the Power-On password.
#Set or change the power-on password
Set-HPBIOSPowerOnPassword -NewPassword "NewPassword" -Password "AuthorizingPassword"
#Clear the power-on password
Clear-HPBIOSPowerOnPassword -Password "OldPassword"
Unlike the WMI SetBIOSSetting method, which returns a numeric code, these cmdlets throw a terminating error when an operation fails (for example, when the supplied old password is incorrect). The script wraps each call so it can try multiple old passwords and report success or failure exactly like the WMI variant.
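The wrapping pattern described above, as an added example rather than code from the script. The function name `Set-SetupPasswordWithFallback`, its parameters and its return strings are hypothetical, and probing by re-applying the new password is an assumption about one way to implement the check; only cmdlets shown on this page are called.

```powershell
# Added illustration; not code from Manage-HPBiosPasswords-HPCMSL.ps1.
# Set-SetupPasswordWithFallback and its parameter names are hypothetical.
function Set-SetupPasswordWithFallback {
    param(
        [Parameter(Mandatory)][string]$NewPassword,
        # Capped at 2: the firmware locks after 3 wrong attempts and the
        # "is it already the new password?" probe below can use one of them.
        [ValidateCount(0, 2)][string[]]$OldPassword = @()
    )

    if (-not (Get-Module -ListAvailable -Name HP.ClientManagement)) {
        throw 'HP.ClientManagement module not found. Install the HPCMSL first.'
    }
    Import-Module HP.ClientManagement -ErrorAction Stop

    # No password set: nothing to authorize against, so no attempt is used up.
    if (-not (Get-HPBIOSSetupPasswordIsSet)) {
        Set-HPBIOSSetupPassword -NewPassword $NewPassword -ErrorAction Stop
        return 'Set'
    }

    # Probe with the new password first (assumed approach), then try each
    # old candidate in order. A failed call throws, so every attempt is
    # wrapped in its own try/catch.
    $attempt = 0
    foreach ($candidate in @($NewPassword) + $OldPassword) {
        $attempt++
        try {
            Set-HPBIOSSetupPassword -NewPassword $NewPassword -Password $candidate -ErrorAction Stop
            if ($attempt -eq 1) { return 'AlreadyCurrent' }
            return 'Changed'
        }
        catch {
            # Record the attempt number only, never the candidate value.
            Write-Warning "Setup password attempt $attempt failed: $($_.Exception.Message)"
        }
    }
    throw "Setup password unchanged after $attempt failed attempts; a reboot may be needed before retrying."
}
```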
Manage-HPBiosPasswords-HPCMSL.ps1
This script takes these basic commands and adds logic to allow for a more automated password management process. The parameters are identical to the WMI variant. The script accepts parameters that tell it which actions to perform.
- SetupSet - Set a new setup password or change an existing setup password
- SetupClear - Clear an existing setup password
- PowerOnSet - Set a new power on password or change an existing power on password. HP firmware requires a setup password to manage the power on password, so a setup password must already be set, or be set in the same run with SetupSet
- PowerOnClear - Clear an existing power on password. When a setup password is set, it authorizes the clear; when no setup password is set, also specify the OldPowerOnPassword parameter
There are also parameters that are used to specify the new and old BIOS passwords.
- SetupPassword – The current setup password or password to be set
- OldSetupPassword – The old setup password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
- PowerOnPassword – The current power on password or password to be set
- OldPowerOnPassword – The old power on password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
Note
Each of these password parameters also has a matching CMS parameter (for example, -SetupPasswordCmsFile) that reads the password from an encrypted file instead of from the command line. See the Securing the BIOS Password section at the bottom of this post for more information.
By default, if the script fails to perform any of these actions, it will display a message box on the screen and exit with an error code. This can be useful in a task sequence scenario where you may not want a system to continue with the task sequence if the BIOS password is not set correctly. However, if you want the script to be completely silent, there are a few parameters that can be set.
- NoUserPrompt – Suppress all user prompts
- ContinueOnError – Ignore any errors caused by changing or clearing passwords
When the script runs, it will write to a log file. By default, this log file will be named Manage-HPBiosPasswords-HPCMSL.log. If the script is being run during a task sequence, the log file will be located in the _SMSTSLogPath. Otherwise, the log file will be located in ProgramData\ConfigJonScripts\HP. The log file name and path can be changed using the LogFile parameter. Note that the log file path will always be set to _SMSTSLogPath when run during a task sequence.
Limitations and Known Issues
Password Lockout
This limitation is imposed by HP for security reasons. If enough wrong password attempts are made, the system will lock and require a reboot to continue attempting passwords. I’ve tested a few different HP models, and they all seem to lock after 3 failed password attempts.
Even though the lockout number is 3, the way this script is written, you can only specify 2 old passwords in the old password parameters. This is because the script first tests if the password is already set to the value passed in the new password parameters, which eats up 1 of those lockout attempts if incorrect.
There is a check in the parameter validation section of the script that will throw an error if 2 or more old passwords are specified. If you need to increase this limit, either comment out or modify those lines.
Setup and Power-On Passwords
HP firmware uses the setup (BIOS administrator) password as the authority for managing the power on password. A setup password must already be set, or be set in the same run with SetupSet, before a power on password can be set. When a setup password is present, it also authorizes changing or clearing the power on password, so the OldPowerOnPassword parameter is only needed on systems that have no setup password set. The script can also clear both passwords in a single run; in that case it clears the power on password first (authorized by the setup password) and then clears the setup password.
HP Sure Admin
On modern HP commercial systems, Sure Admin (Enhanced BIOS Authentication Mode) can replace the BIOS password with a cryptographically signed authorization. BIOS changes on these devices require a signed payload or a local access key rather than a password, which this script does not perform. Starting with version 2.2.0, the script detects when Sure Admin is enabled, logs a clear message, and exits cleanly without attempting any password actions. Managing Sure Admin enabled devices requires HP’s Sure Admin tooling.
Examples
The script can be run as a standalone script in Windows, or as a part of a Configuration Manager task sequence. It can also be run in the full Windows OS or in WinPE (provided the HPCMSL has been installed first).
Here are a few examples of calling the script from a PowerShell prompt in Windows.
Set a new setup password
Manage-HPBiosPasswords-HPCMSL.ps1 -SetupSet -SetupPassword <String>
Set or change a setup password
Manage-HPBiosPasswords-HPCMSL.ps1 -SetupSet -SetupPassword <String> -OldSetupPassword <String1>,<String2>
Clear an existing setup password
Manage-HPBiosPasswords-HPCMSL.ps1 -SetupClear -OldSetupPassword <String1>,<String2>
Set a setup password and a power on password in the same run
Manage-HPBiosPasswords-HPCMSL.ps1 -SetupSet -PowerOnSet -SetupPassword <String> -PowerOnPassword <String>
Set or change a power on password when the setup password is already set
Manage-HPBiosPasswords-HPCMSL.ps1 -PowerOnSet -PowerOnPassword <String> -SetupPassword <String>
Change a setup password and clear a power on password
Manage-HPBiosPasswords-HPCMSL.ps1 -SetupSet -SetupPassword <String> -OldSetupPassword <String1>,<String2> -PowerOnClear
Clear a power on password when the setup password is set
Manage-HPBiosPasswords-HPCMSL.ps1 -PowerOnClear -SetupPassword <String>
Clear both the setup and power on passwords in a single run
Manage-HPBiosPasswords-HPCMSL.ps1 -SetupClear -OldSetupPassword <String1>,<String2> -PowerOnClear
Set a new setup password sourced from a CMS-encrypted file
Manage-HPBiosPasswords-HPCMSL.ps1 -SetupSet -SetupPasswordCmsFile <String>
The task sequence deployment process - including using the SMSTSPasswordRetry parameter to test more old passwords across multiple reboots, and the HPSetSetup, HPClearSetup, HPSetPowerOn, and HPClearPowerOn task sequence variables that track the result of each action - is identical to the WMI variant. For a full task sequence walkthrough with screenshots, see the WMI variant of this post.
Important
Because this variant depends on the HPCMSL, the task sequence must include an earlier step that installs the library on the device (for example, using Install-HPCMSL.ps1, which supports both online and offline (WinPE) installation). Without it, the script will stop with an error before it can touch any BIOS passwords.
Securing the BIOS Password
This script takes the BIOS password as a plain-text parameter. As of version 2.3.0 it can also read the password from a CMS-encrypted file using a matching CMS-file parameter (for example, -SetupPasswordCmsFile), so the password is never passed on the command line. For a full walkthrough of encrypting the password and deploying it safely in unattended deployments, see Securing BIOS Passwords.
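One way to produce such a file, as an added example that is not taken from the script or the linked walkthrough. It assumes the CMS-file parameter accepts a file written by PowerShell's `Protect-CmsMessage`; the file path and certificate subject are placeholders.

```powershell
# Added illustration: the path and certificate subject are placeholders.
# Assumption: -SetupPasswordCmsFile accepts a file written by Protect-CmsMessage.
$cmsFile = 'C:\Temp\SetupPassword.cms'   # placeholder path

# Document-encryption certificate; CMS encrypts to its public key.
$cert = New-SelfSignedCertificate -Subject 'CN=BIOS Password Encryption (example)' `
    -Type DocumentEncryptionCert -KeyUsage KeyEncipherment, DataEncipherment `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Prompt for the password instead of typing it as an argument, then encrypt it.
$secure = Read-Host -Prompt 'Setup password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
Protect-CmsMessage -To $cert -Content $plain -OutFile $cmsFile

# Round-trip check: decryption only succeeds where the private key is present.
if ((Unprotect-CmsMessage -Path $cmsFile) -cne $plain) {
    throw "Decrypted content of $cmsFile does not match the entered password."
}
Remove-Variable plain, secure   # drop the references to the clear-text copy

# On the target device (private key installed there), from the script's folder.
# Running this line changes the BIOS setup password on that device.
.\Manage-HPBiosPasswords-HPCMSL.ps1 -SetupSet -SetupPasswordCmsFile $cmsFile
```

The device that runs the script needs the certificate's private key, and anyone holding that key can decrypt the file, so protect the key as carefully as the password itself.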
Additional Reading
If you’re looking to configure HP BIOS settings other than just the passwords, check out HP BIOS Settings Management (HPCMSL). For more information on the library itself, see Installing the HP Client Management Script Library and the official HP Client Management Script Library page.