HP BIOS Settings Management (HPCMSL)

This post covers script version 2.3.0.

This is the HP Client Management Script Library (HPCMSL) variant of my HP BIOS settings management script. It performs the same task as the WMI-based variant - getting a list of current BIOS settings and setting BIOS settings from either the body of the script or a CSV file - but it uses the HPCMSL cmdlets instead of talking to the HP WMI interface directly. If you would rather avoid the module dependency, see the WMI variant.

The script can be downloaded from my GitHub: https://github.com/ConfigJon/Firmware-Management/tree/master/HP

This post is part of the v2 update to my BIOS management scripts. For an overview of everything that changed across the Dell, HP, and Lenovo scripts, see BIOS Management Scripts v2 Released.

Prerequisite: the HP Client Management Script Library

This variant requires the HPCMSL to be installed on the device before it runs. The script verifies the HP.ClientManagement module is present and will stop with an error if it is not found. You can install the library using my Install-HPCMSL.ps1 script, which supports both online and offline (WinPE) installation.

HPCMSL and BIOS settings

The HPCMSL provides cmdlets for reading and writing BIOS settings, so the script does not need to connect to the HP WMI classes directly.

#Import the HP Client Management Script Library
Import-Module HP.ClientManagement

#Return a list of all settings
Get-HPBIOSSettingsList | Select-Object Name,Value

#Return the current value of a specific setting
Get-HPBIOSSettingValue -Name "Deep Sleep"

#Set a specific value for a specific setting when a BIOS password is not set
Set-HPBIOSSettingValue -Name "Deep Sleep" -Value "On"

#Set a specific value for a specific setting when a BIOS password is set
Set-HPBIOSSettingValue -Name "Deep Sleep" -Value "On" -Password "Password"

#Check the status of the setup password (returns True or False)
Get-HPBIOSSetupPasswordIsSet

A few notes on the cmdlets:

For enumeration settings, Get-HPBIOSSettingsList returns the value as a comma-separated list with the currently active value marked by a leading asterisk (for example “On,*Off,Auto”). The script parses out the active value when it builds the GetSettings output, so the CSV it produces contains the clean current value and is interchangeable with the CSV produced by the WMI variant. Get-HPBIOSSettingValue returns the active value directly. Starting with version 2.1.0, these available values are also surfaced as a PossibleValue column in the GetSettings output and CSV export, matching the Dell and Lenovo settings scripts.
Set-HPBIOSSettingValue throws a terminating error when a setting cannot be set (for example, an incorrect password or an unknown value). The script wraps each call so it can count and log the result exactly like the WMI variant.
When a setting is changed, the HPCMSL prints its own green confirmation line to the console (for example, “HP BIOS Setting Deep Sleep successfully set to Off”). This is cosmetic output from the library itself (the WMI variant is silent on the console), and both variants record the result in the log the same way.

Manage-HPBiosSettings-HPCMSL.ps1

This script takes the basic commands and adds logic to allow for a more automated settings management process. The script has five parameters.

GetSettings - Use this parameter to instruct the script to generate a list of all current BIOS settings. Each setting is listed with its current value and, where available, its possible values. The settings will be displayed to the screen by default.
SetSettings - Use this parameter to instruct the script to set specific BIOS settings. Settings can be specified either in the body of the script or from a CSV file.
SetDefaults - Use this parameter to reset all BIOS settings to their default values. This is available only in the HPCMSL variant, because the HP WMI interface has no bulk reset-to-defaults method.
CsvPath - Use this parameter to specify the location of a CSV file. If used with the GetSettings switch, this acts as the location where a list of current BIOS settings will be saved. If used with the SetSettings switch, this acts as the location where the script will read BIOS settings to be set from. Using this switch with the SetSettings switch will also cause the script to ignore any settings specified in the body of the script.
SetupPassword - Used to specify the BIOS password

When using the script to set settings, the list of settings can either be specified in the script itself or in a CSV file. To specify settings in the script, look for the $Settings array near the top of the script. The settings should be in the format of “Setting Name,Setting Value”

#List of settings to be configured =================================
#===================================================================
$Settings = (
    "Deep S3,Off",
    "Deep Sleep,Off",
    "S4/S5 Max Power Savings,Disable",
    "S5 Maximum Power Savings,Disable",
    "Fingerprint Device,Disable",
    "Num Lock State at Power-On,Off",
    "NumLock on at boot,Disable",
    "Numlock state at boot,Off",
    "Prompt for Admin password on F9 (Boot Menu),Enable",
    "Prompt for Admin password on F11 (System Recovery),Enable",
    "Prompt for Admin password on F12 (Network Boot),Enable",
    "PXE Internal IPV4 NIC boot,Enable",
    "PXE Internal IPV6 NIC boot,Enable",
    "PXE Internal NIC boot,Enable",
    "Wake On LAN,Boot to Hard Drive",
    "Swap Fn and Ctrl (Keys),Disable"
)
#===================================================================
#===================================================================

A full list of configurable settings can be exported from a device by calling the script with the GetSettings parameter. The CsvPath parameter can also be specified to output the list of settings to a CSV file.

You can then sort through the exported settings and either save them as a CSV file or add them to the $Settings array in the body of the script.

When the script runs, it will write to a log file. By default, this log file will be named Manage-HPBiosSettings-HPCMSL.log. If the script is being run during a task sequence, the log file will be located in the _SMSTSLogPath. Otherwise, the log file will be located in ProgramData\ConfigJonScripts\HP. The log file name and path can be changed using the LogFile parameter. Note that the log file path will always be set to _SMSTSLogPath when run during a task sequence.

The script has logic built-in to detect if settings were already set correctly, were successfully set, failed to set, or were not found on the device. The script will output these counts to the screen at the end. More detailed information about the settings will be written to the log file.

I’ve noticed that over the years, HP BIOS setting names have not remained consistent. Because of this, there can be multiple different ways to specify the same setting across different HP models. I have included a few example settings files in my GitHub. These settings files contain commonly configured HP BIOS settings that cover a wide range of HP hardware models.

Settings_CSV_SecureBoot.csv - Contains settings for enabling UEFI and Secure Boot
Settings_CSV_TPM.csv - Contains settings for enabling and activating TPM
Settings_CSV_General.csv - Contains other common settings
Settings_InScript_All.txt - Contains common settings formatted for use in the body of the script

Limitations and Known Issues

HP Sure Admin
On modern HP commercial systems, Sure Admin (Enhanced BIOS Authentication Mode) can replace the BIOS password with a cryptographically signed authorization. Changing settings on these devices requires a signed payload or a local access key rather than a password, which this script does not perform. Starting with version 2.2.0, the script detects when Sure Admin is enabled and, when SetSettings or SetDefaults is used, logs a clear message and exits cleanly without attempting any changes. GetSettings is unaffected, because reading settings does not require authorization. Managing settings on Sure Admin enabled devices requires HP’s Sure Admin tooling.

Examples

The script can be run as a standalone script in Windows, or as a part of a Configuration Manager task sequence. It can also be run in the full Windows OS or in WinPE (provided the HPCMSL has been installed first).

Here are a few examples of calling the script from a PowerShell prompt.

#Set BIOS settings supplied in the script
Manage-HPBiosSettings-HPCMSL.ps1 -SetSettings -SetupPassword ExamplePassword

#Set BIOS settings supplied in a CSV file
Manage-HPBiosSettings-HPCMSL.ps1 -SetSettings -CsvPath C:\Temp\Settings.csv -SetupPassword ExamplePassword

#Set BIOS settings, reading the setup password from a CMS-encrypted file
Manage-HPBiosSettings-HPCMSL.ps1 -SetSettings -SetupPasswordCmsFile C:\Temp\setup.cms

#Reset all BIOS settings to their default values
Manage-HPBiosSettings-HPCMSL.ps1 -SetDefaults -SetupPassword ExamplePassword

#Output a list of current BIOS settings to the screen
Manage-HPBiosSettings-HPCMSL.ps1 -GetSettings

#Output a list of current BIOS settings to a CSV file
Manage-HPBiosSettings-HPCMSL.ps1 -GetSettings -CsvPath C:\Temp\Settings.csv

The task sequence deployment process is identical to the WMI variant. For a full task sequence walkthrough with screenshots, see the WMI variant of this post.

Important
Because this variant depends on the HPCMSL, the task sequence must include an earlier step that installs the library on the device (for example, using Install-HPCMSL.ps1, which supports both online and offline (WinPE) installation). Without it, the script will stop with an error before it can touch any BIOS settings.

Securing the BIOS Password

This script takes the BIOS password as a plain-text parameter. As of version 2.3.0 it can also read the password from a CMS-encrypted file using a matching CMS-file parameter (for example, -SetupPasswordCmsFile), so the password is never passed on the command line. For a full walkthrough of encrypting the password and deploying it safely in unattended deployments, see Securing BIOS Passwords.

Additional Reading

For information on configuring HP BIOS passwords using PowerShell, see my post HP BIOS Password Management (HPCMSL). For more information on the library itself, see Installing the HP Client Management Script Library and the official HP Client Management Script Library page.

Prerequisite: the HP Client Management Script Library#

HPCMSL and BIOS settings#

Manage-HPBiosSettings-HPCMSL.ps1#

Limitations and Known Issues#

Examples#

Securing the BIOS Password#

Additional Reading#