This post was updated on June 2nd, 2026 and covers script version 2.3.0.

This post discusses how to manage Lenovo BIOS passwords using WMI. My goal was to have a script that could change or clear existing passwords and could display a prompt to the screen when manual intervention was required. In this post, I’ll cover the basics of how the script works. I’ll also talk about some limitations of the script and some areas it could be improved in the future.

The script can be downloaded from my GitHub. https://github.com/ConfigJon/Firmware-Management/tree/master/Lenovo

This post is part of the v2 update to my BIOS management scripts. For an overview of everything that changed across the Dell, HP, and Lenovo scripts, see BIOS Management Scripts v2 Released.

Lenovo, WMI, and PowerShell

Lenovo provides a WMI interface that can be used for querying and modifying BIOS settings on their hardware models. This means that PowerShell can be used to directly view and edit BIOS settings without the need for a vendor-specific program. This script deals specifically with Lenovo BIOS passwords, so in this post, I will only be discussing the classes related to password management.

Starting with version 2.0.0, the script uses the CIM cmdlets (Get-CimInstance and Invoke-CimMethod) instead of the deprecated Get-WmiObject, so it can run on both Windows PowerShell 5.1 and PowerShell 7. The examples below reflect this change.

The first thing that needs to be done is to determine what passwords are currently configured. This information can be obtained from the Lenovo_BiosPasswordSettings class.

$PasswordSettings = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosPasswordSettings
$PasswordSettings.PasswordState

These two lines will return a number that tells us what passwords are currently set. For reference, this is what each value means:

  • 0 - No passwords set
  • 1 - Power on password set
  • 2 - Supervisor password set
  • 3 - Power on and supervisor passwords set
  • 4 - Hard drive password(s) set
  • 5 - Power on and hard drive passwords set
  • 6 - Supervisor and hard drive passwords set
  • 7 - Supervisor, power on, and hard drive passwords set
  • 64 - System management password set
  • 65 - System management and power on passwords set
  • 66 - System management and supervisor passwords set
  • 67 - System management, supervisor, and power on passwords set
  • 68 - System management and hard drive passwords set
  • 69 - System management, power on, and hard drive passwords set
  • 70 - System management, supervisor, and hard drive passwords set
  • 71 - System management, supervisor, power on, and hard drive passwords set
  • 128 - BIOS certificate-based authentication in use (see the Limitations section)
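The values in the table above combine as bit flags (1 = power on, 2 = supervisor, 4 = hard drive, 64 = system management, 128 = certificate-based authentication), which is consistent with every row listed; for example, 67 is 64 + 2 + 1. The following function is an added example, not code from the post or from the Manage-LenovoBiosPasswords script. It decodes any PasswordState value into named flags rather than matching against the table row by row, and it surfaces any bit outside the documented set so an unexpected firmware state is noticed instead of silently ignored. The bit-flag interpretation is an assumption drawn from the table.

```powershell
# Added example (not part of the original post or the Manage-LenovoBiosPasswords script).
# Decodes Lenovo_BiosPasswordSettings.PasswordState into named flags.
# Assumption: the documented values combine as bit flags
# (1 = power on, 2 = supervisor, 4 = hard drive, 64 = system management,
# 128 = certificate-based authentication).

function ConvertFrom-LenovoPasswordState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [int]$PasswordState
    )

    $flags = [ordered]@{
        PowerOn          = 1
        Supervisor       = 2
        HardDrive        = 4
        SystemManagement = 64
        Certificate      = 128
    }

    $result = [ordered]@{ RawValue = $PasswordState }
    $known = 0
    foreach ($name in $flags.Keys) {
        $bit = $flags[$name]
        $result[$name] = (($PasswordState -band $bit) -ne 0)
        $known = $known -bor $bit
    }
    # Any bit outside the documented set is reported rather than dropped,
    # so a firmware that reports a new state shows up in the log.
    $result['UnknownBits'] = $PasswordState -band (-bnot $known)
    [pscustomobject]$result
}

function Get-LenovoPasswordState {
    # Query the firmware and decode the result. Requires Lenovo hardware and an elevated session.
    $settings = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosPasswordSettings -ErrorAction Stop
    ConvertFrom-LenovoPasswordState -PasswordState $settings.PasswordState
}

# Constructed value for demonstration: 67 decodes to SystemManagement, Supervisor and PowerOn set.
ConvertFrom-LenovoPasswordState -PasswordState 67
```

On a live system, call Get-LenovoPasswordState instead of passing a constructed value; the Certificate flag is the case the Limitations section discusses, and a script should stop there rather than attempt a password operation.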

The next step is to act on this data and either change or clear the BIOS password. This can be done using the Lenovo_SetBiosPassword class.

$PasswordSet = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_SetBiosPassword
Invoke-CimMethod -InputObject $PasswordSet -MethodName SetBiosPassword -Arguments @{parameter="pap,OldPassword,NewPassword,ascii,us"}

These two lines will attempt to change the supervisor password from OldPassword to NewPassword. The type of password being modified is determined by the first value inside the double quotes, in this case pap, which is the supervisor password. For reference, here are the values for the other password types:

  • pap - Supervisor password
  • pop - Power on password
  • smp - System management password
  • uhdp1 - User hard drive password
  • mhdp1 - Master hard drive password

Here are some additional examples.

#Change the supervisor password
Invoke-CimMethod -InputObject $PasswordSet -MethodName SetBiosPassword -Arguments @{parameter="pap,OldPassword,NewPassword,ascii,us"}

#Change the power on password
Invoke-CimMethod -InputObject $PasswordSet -MethodName SetBiosPassword -Arguments @{parameter="pop,OldPassword,NewPassword,ascii,us"}

#Change the system management password
Invoke-CimMethod -InputObject $PasswordSet -MethodName SetBiosPassword -Arguments @{parameter="smp,OldPassword,NewPassword,ascii,us"}

#Clear the supervisor password
Invoke-CimMethod -InputObject $PasswordSet -MethodName SetBiosPassword -Arguments @{parameter="pap,OldPassword,,ascii,us"}

#Clear the power on password
Invoke-CimMethod -InputObject $PasswordSet -MethodName SetBiosPassword -Arguments @{parameter="pop,OldPassword,,ascii,us"}

#Clear the system management password
Invoke-CimMethod -InputObject $PasswordSet -MethodName SetBiosPassword -Arguments @{parameter="smp,OldPassword,,ascii,us"}

For more detailed information on the Lenovo WMI interface, as well as a list of supported hardware models, refer to the official documentation. https://support.lenovo.com/us/en/solutions/ht100612

Complex Passwords and the WMI Opcode Interface

The Lenovo_SetBiosPassword method shown above passes the password inside a single comma-delimited string (for example, pap,OldPassword,NewPassword,ascii,us). That works for simple passwords, but it breaks down when a password contains a comma or certain other special characters, because the BIOS can’t reliably tell where one value ends and the next begins. To address this, Lenovo introduced the Lenovo_WmiOpcodeInterface in 2020 and newer ThinkPad models, and 2017 and newer ThinkCentre and ThinkStation models. Instead of one delimited string, it accepts each value as a separate opcode.

Starting with version 2.2.0, the script automatically detects whether this interface is available (by checking its Active property) and uses it when present, falling back to the legacy method on older hardware. Complex passwords are handled correctly on modern systems with no change to how you call the script.

With the opcode interface, a supervisor password change is performed by sending a sequence of opcodes rather than a single string.

$Opcode = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_WmiOpcodeInterface
Invoke-CimMethod -InputObject $Opcode -MethodName WmiOpcodeInterface -Arguments @{Parameter="WmiOpcodePasswordType:pap;"}
Invoke-CimMethod -InputObject $Opcode -MethodName WmiOpcodeInterface -Arguments @{Parameter="WmiOpcodePasswordCurrent01:OldPassword;"}
Invoke-CimMethod -InputObject $Opcode -MethodName WmiOpcodeInterface -Arguments @{Parameter="WmiOpcodePasswordNew01:NewPassword;"}
Invoke-CimMethod -InputObject $Opcode -MethodName WmiOpcodeInterface -Arguments @{Parameter="WmiOpcodePasswordSetUpdate;"}

Because each value is sent separately, a password containing a comma or other special character is no longer a problem. The script takes care of the details (including the slightly different sequence required on ThinkCentre and ThinkStation desktops), so the parameters described below work the same way whether the script uses the opcode interface or the legacy method.
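The detection-and-fallback logic described in this section and the legacy calls listed earlier can be combined into one function. The code below is an added example written for this post, not the script's own implementation. It checks the Active property of Lenovo_WmiOpcodeInterface, sends the ThinkPad opcode sequence shown above when the interface is present, and otherwise builds the legacy comma-delimited string; the ThinkCentre/ThinkStation variant of the sequence is not covered here. Two assumptions are labelled in the code: that both methods return the firmware's result string in the return property of the Invoke-CimMethod output (with "Success" on success), and that clearing a password through the opcode interface works by sending an empty new value, mirroring the empty field in the legacy string.

```powershell
# Added example (not the script's own code). Changes or clears a Lenovo BIOS password,
# using Lenovo_WmiOpcodeInterface when the firmware reports it as Active and falling
# back to Lenovo_SetBiosPassword otherwise.
# Assumptions: the opcode sequence is the ThinkPad sequence from the post; both methods
# return their result string in the 'return' property; an empty WmiOpcodePasswordNew01
# value clears the password, mirroring the empty field in the legacy string.

function Set-LenovoBiosPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('pap', 'pop', 'smp')]
        [string]$Type,

        [Parameter(Mandatory)]
        [string]$OldPassword,

        # An empty string clears the password instead of changing it.
        [string]$NewPassword = '',

        [string]$Encoding = 'ascii',
        [string]$Keyboard = 'us'
    )

    $opcode = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_WmiOpcodeInterface -ErrorAction SilentlyContinue
    $useOpcode = ($null -ne $opcode) -and ($opcode.Active -eq $true)

    if (-not $useOpcode -and (($OldPassword + $NewPassword) -match ',')) {
        # The legacy string is comma-delimited, so a comma in the password cannot be transported safely.
        throw 'Password contains a comma and the opcode interface is not available on this system.'
    }

    $action = if ($NewPassword) { "change $Type password" } else { "clear $Type password" }
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) { return }

    if ($useOpcode) {
        # Each value travels as its own opcode, so delimiter characters in the password are not a problem.
        $sequence = @(
            "WmiOpcodePasswordType:$Type;",
            "WmiOpcodePasswordCurrent01:$OldPassword;",
            "WmiOpcodePasswordNew01:$NewPassword;",
            'WmiOpcodePasswordSetUpdate;'
        )
        $result = $null
        foreach ($op in $sequence) {
            $result = (Invoke-CimMethod -InputObject $opcode -MethodName WmiOpcodeInterface -Arguments @{ Parameter = $op }).return
            if ($result -ne 'Success') { break }   # stop at the first opcode the firmware rejects
        }
        $method = 'Opcode'
    }
    else {
        $setter = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_SetBiosPassword -ErrorAction Stop
        $arg = "$Type,$OldPassword,$NewPassword,$Encoding,$Keyboard"
        $result = (Invoke-CimMethod -InputObject $setter -MethodName SetBiosPassword -Arguments @{ parameter = $arg }).return
        $method = 'Legacy'
    }

    # Report the firmware's own result string rather than assuming success.
    [pscustomobject]@{ Type = $Type; Method = $method; Result = $result; Succeeded = ($result -eq 'Success') }
}

# Usage (run elevated on Lenovo hardware; add -WhatIf to see which path would be taken without changing anything):
# Set-LenovoBiosPassword -Type pap -OldPassword 'OldPassword' -NewPassword 'NewPassword'
# Set-LenovoBiosPassword -Type pop -OldPassword 'OldPassword'
```

The function refuses to send a comma-containing password through the legacy interface instead of letting the firmware mis-parse it, and it returns the firmware's result string so the caller can log the exact return value, which matters for the hard drive password behaviour discussed later in the post.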

Manage-LenovoBiosPasswords.ps1

This script takes these basic commands and adds logic to allow for a more automated password management process. The script accepts parameters that tell it which actions to perform.

  • SupervisorSet - Change an existing supervisor password
  • SupervisorClear - Clear an existing supervisor password
  • PowerOnSet - Set or change a power on password
  • PowerOnClear - Clear an existing power on password
  • SystemManagementSet - Set or change a system management password
  • SystemManagementClear - Clear an existing system management password
  • HDDPasswordClear - Clear an existing user and/or master hard drive password

There are also parameters that are used to specify the new and old BIOS passwords.

  • SupervisorPassword - The current supervisor password or password to be set
  • OldSupervisorPassword - The old supervisor password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
  • PowerOnPassword - The current power on password or password to be set
  • OldPowerOnPassword - The old power on password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
  • SystemManagementPassword - The current system management password or password to be set
  • OldSystemManagementPassword - The old system management password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
  • HDDUserPassword - The current user hard drive password to be cleared
  • HDDMasterPassword - The current master hard drive password to be cleared

Note

Each of these password parameters also has a matching CMS parameter (for example, -SupervisorPasswordCmsFile) that reads the password from an encrypted file instead of from the command line. See the Securing the BIOS Password section at the bottom of this post for more information.

By default, if the script fails to perform any of these actions, it will display a message box on the screen and exit with an error code. This can be useful in a task sequence scenario where you may not want a system to continue with the task sequence if the BIOS password is not set correctly. However, if you want the script to be completely silent, there are a few parameters that can be set.

  • NoUserPrompt - Suppress all user prompts
  • ContinueOnError - Ignore any errors caused by changing or clearing passwords. (Will not ignore parameter validation errors)

When the script runs, it will write to a log file. By default, this log file will be named Manage-LenovoBiosPasswords.Log. If the script is being run during a task sequence, the log file will be located in the _SMSTSLogPath. Otherwise, the log file will be located in ProgramData\ConfigJonScripts\Lenovo. The log file name and path can be changed using the LogFile parameter. Note that the log file path will always be set to _SMSTSLogPath when run during a task sequence.

Limitations and Known Issues

Blank Passwords
The first limitation is imposed by Lenovo for security reasons. The very first password on a system must be set manually. Through the standard WMI interface, it is not possible to programmatically set a supervisor password when no password currently exists. The script detects this scenario and will throw an error and prompt the user if that is the case.

Lenovo has since added System Deployment Boot Mode (SDBM) to newer hardware (Whiskey Lake and later ThinkPad models, and 2022 and later ThinkCentre and ThinkStation models) which does allow setting an initial supervisor password (and clearing the TPM without a physical presence prompt). The catch is that SDBM has to be entered manually on each device: at boot you press F12, then Delete to enter the mode, and it works only from WinPE and exits on the next reboot. Because activating it is a hands-on, per-device action that can’t be automated, it falls outside what this script is built for (unattended, at-scale management) so it isn’t incorporated into the script. If you do need to set an initial supervisor password, SDBM is the supported route; see the linked documentation for the steps.

Starting with version 2.3.0, this restriction is relaxed for the power on and system management passwords. When an authorizing password is already present, the script can set an initial power on or system management password, because that existing password authorizes the operation. An initial power on password can be authorized by either a supervisor or a system management password, and an initial system management password can be authorized by a supervisor password. The supervisor password itself still cannot be set programmatically and remains subject to the manual process described above.

Password Lockout
The second limitation is also imposed by Lenovo for security reasons. If enough wrong password attempts are made, the system will lock and require a reboot to continue attempting passwords. In my testing with Lenovo hardware, I’ve found some models lock after 3 failed password attempts, and some lock after 6 failed password attempts.

Even though the lockout threshold is 3 or 6 depending on the hardware model, the way this script is written you can only specify 2 or 5 old passwords in the old password parameters. This is because the script first tests whether the password is already set to the value passed in the new password parameter, and that test consumes 1 of the lockout attempts if it is incorrect.

For example, if the script is instructed to change a supervisor password, the first thing it does is test the current password against the value passed in the SupervisorPassword parameter. If it does not match, this counts as 1 failed attempt. The script then tries each value passed in the OldSupervisorPassword parameter as the current password. However, since the script is already at 1 failed attempt after the first test, only 2 more password attempts can be made before a reboot is needed.

If this script is being run during a task sequence, and there are 4 different potential old passwords, and the device locks after 3 failed attempts, the script would need to be called with Password1 and Password2 specified as old passwords. Then a reboot would need to happen. Then the script would need to be run a second time with Password3 and Password4 specified as old passwords.

There are 2 checks in the parameter validation section of the script that will throw an error if 2 or more old passwords are specified. If you need to increase this limit, either comment out or modify those lines. Additionally, if too many failed password attempts are made and the BIOS setting Password Count Exceeded Error is set to Enabled, a message will be displayed on screen at the next reboot and will require user input.
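The attempt accounting described above can be written down as a small function, shown here as an added example rather than the script's own logic. It spends the first attempt checking whether the new password is already in place, then tries the old passwords one at a time, and stops as soon as the lockout threshold has been reached so the remaining candidates can be handed to a later pass after a reboot. The -TryPassword scriptblock is an assumed hook that performs one authentication attempt against the firmware and returns $true on success; the demonstration at the bottom replaces it with a constructed mock so the arithmetic can be followed without Lenovo hardware.

```powershell
# Added example (not the script's own logic). Models the lockout budget from the post:
# attempt 1 checks whether the new password is already set, then each old password is
# tried until the lockout count is reached; leftover passwords are returned so the
# caller can reboot and run again.
# Assumption: -TryPassword is a caller-supplied scriptblock that makes exactly one
# authentication attempt with the given candidate and returns $true on success.

function Invoke-LenovoPasswordAttempts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$NewPassword,
        [string[]]$OldPasswords = @(),
        [ValidateRange(2, 10)] [int]$LockoutCount = 3,   # 3 or 6 depending on the model
        [Parameter(Mandatory)] [scriptblock]$TryPassword
    )

    $attempts = 0

    # Attempt 1: is the password already set to the desired value?
    $attempts++
    if (& $TryPassword $NewPassword) {
        return [pscustomobject]@{ Status = 'AlreadySet'; Attempts = $attempts; Matched = $NewPassword; Remaining = @() }
    }

    for ($i = 0; $i -lt $OldPasswords.Count; $i++) {
        # Once the lockout count has been spent the firmware will not accept further
        # attempts until a reboot, so hand the untried passwords back to the caller.
        if ($attempts -ge $LockoutCount) {
            return [pscustomobject]@{
                Status    = 'RebootRequired'
                Attempts  = $attempts
                Matched   = $null
                Remaining = $OldPasswords[$i..($OldPasswords.Count - 1)]
            }
        }
        $attempts++
        if (& $TryPassword $OldPasswords[$i]) {
            return [pscustomobject]@{ Status = 'Matched'; Attempts = $attempts; Matched = $OldPasswords[$i]; Remaining = @() }
        }
    }

    # Every candidate was tried without reaching the lockout; the script would now prompt the technician.
    [pscustomobject]@{ Status = 'NoMatch'; Attempts = $attempts; Matched = $null; Remaining = @() }
}

# Constructed demonstration: a mock firmware that accepts only 'Password3', on a model that locks after 3 attempts.
$mockFirmware = { param($candidate) $candidate -eq 'Password3' }
Invoke-LenovoPasswordAttempts -NewPassword 'NewPassword' `
    -OldPasswords 'Password1', 'Password2', 'Password3', 'Password4' `
    -LockoutCount 3 -TryPassword $mockFirmware
# Status is RebootRequired with Password3 and Password4 remaining: attempt 1 tested NewPassword,
# attempts 2 and 3 tested Password1 and Password2, and the budget is spent before Password3 is reached.
```

With a lockout count of 3 the function never tries more than 2 old passwords per run, which is exactly the limit the script enforces through its parameter validation; raising -LockoutCount to 6 allows 5, matching the second class of hardware described above.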

Multiple Configured Passwords
When multiple types of passwords are set on a system, there are different requirements for which passwords must be specified to complete some actions.

  • If the supervisor and power on passwords are set
    • The supervisor password is required to change or clear the power on password
  • If the supervisor and system management passwords are set
    • The supervisor password is required to change or clear the system management password
  • If the system management and power on passwords are set
    • The system management password is required to change or clear the power on password

Power On Password Issue

Caution

Power on password changes are validated by the firmware at the next reboot, not at the moment the WMI call runs; the call reports success immediately. As long as the authorizing password (the supervisor or system management password, or the old power on password when neither of those is set) is correct, the change applies normally on the next boot. If the authorizing password is incorrect, the operation is still reported as success but is rejected at the next reboot and the password is left unchanged. The script cannot reliably detect an incorrect authorizing password in advance, so it logs the power on password operation as submitted and lets the firmware validate it on reboot.

When a power on password operation is rejected, an error message is displayed on screen during the next system reboot. The message is: 0191: System Security - Invalid remote change requested. Prior to version 2.3.0 this also happened during normal use, because the script’s internal check for whether the password was already set correctly itself queued an invalid change. That check has been removed, so power on set, change, and clear now work correctly when the authorizing password is valid.

Hard Drive Passwords

Caution

The script can only clear existing hard drive passwords; it does not set or change them. Clearing a hard drive password over WMI is not reliable across Lenovo models. The behavior varies by firmware: on some older systems the clear command reported success even when it had actually failed, while on current hardware I tested, the clear is rejected. The WMI call returns Invalid Parameter even when the supplied password is correct. Do not rely on clearing hard drive passwords over WMI.

Because the result cannot be trusted on every model, the script reports what the firmware actually returned rather than assuming success. When a clear fails, it logs the BIOS return value along with a note to clear the password manually in BIOS Setup, and the failure is reflected in the script’s exit code and on-screen prompts, so a failed clear is never silently treated as a success. If you do use the hard drive password parameters, verify the result on the device afterward.

Certificate-Based Authentication
Newer Lenovo systems can replace the supervisor or system management password with a signing certificate. This shows up as a PasswordState value of 128. These devices require cryptographically signed WMI commands rather than a password, which this script does not perform. Starting with version 2.1.0, the script detects this state, logs a clear message, and exits cleanly rather than failing in a confusing way. Managing certificate-based devices requires Lenovo’s signed-command tooling, such as the Lenovo BIOS Certificate Tool.

Examples

The script can be run as a standalone script in Windows, or as a part of a Configuration Manager task sequence. It can also be run in the full Windows OS or in WinPE.

Here are a few examples of calling the script from a PowerShell prompt in Windows.

#Change an existing supervisor password
Manage-LenovoBiosPasswords.ps1 -SupervisorSet -SupervisorPassword Password1 -OldSupervisorPassword Password2

#Clear an existing supervisor password
Manage-LenovoBiosPasswords.ps1 -SupervisorClear -OldSupervisorPassword Password1

#Change an existing system management password when the supervisor password is also set
Manage-LenovoBiosPasswords.ps1 -SystemManagementSet -SystemManagementPassword Password1 -SupervisorPassword Password2

#Set a power on password when one is not set yet, authorized by the existing supervisor password
Manage-LenovoBiosPasswords.ps1 -PowerOnSet -PowerOnPassword Password1 -SupervisorPassword Password2

#Change an existing supervisor password and clear a power on password
Manage-LenovoBiosPasswords.ps1 -SupervisorSet -SupervisorPassword Password1 -OldSupervisorPassword Password2 -PowerOnClear

#Clear an existing power on password when only the power on password is set, suppress any user prompts, and continue on error
Manage-LenovoBiosPasswords.ps1 -PowerOnClear -OldPowerOnPassword Password1,Password2 -NoUserPrompt -ContinueOnError

#Change an existing supervisor password, reading the passwords from CMS-encrypted files instead of the command line
Manage-LenovoBiosPasswords.ps1 -SupervisorSet -SupervisorPasswordCmsFile C:\Temp\NewSupervisor.cms -OldSupervisorPasswordCmsFile C:\Temp\OldSupervisor.cms

Here is a basic example of calling the script during a task sequence. In this example the supervisor password is being changed and there is only 1 possible old supervisor password.

-SupervisorSet -SupervisorPassword %NewPassword% -OldSupervisorPassword %OldPassword%

Here is a second example of calling the script during a task sequence. In this example, the supervisor password is being changed and there are 6 possible old supervisor passwords. The hardware the script is being run against will lock after 3 failed attempts, so only 2 old passwords can be specified before a reboot is required. This means that the script will need to be run 3 times.

First, in the Set Password Values step, create variables for each password.

The First Pass folder has no conditions on it; it should run for any Lenovo system. To change a supervisor password, the SupervisorSet parameter is specified along with the SupervisorPassword and OldSupervisorPassword parameters.

Because the script will need to run multiple times, there is one additional parameter that needs to be specified. The SMSTSPasswordRetry parameter instructs the script not to display prompts on the screen until all attempts have completed. In this scenario, the script needs to be run 3 times, so the SMSTSPasswordRetry parameter is specified on the first 2 passes of the script and not on the final pass. When the password(s) are successfully changed or cleared, the SMSTSPasswordRetry variable will be set to false. This means that if the first pass of the script is successful, the second and third passes of the script will be skipped.

-SupervisorSet -SupervisorPassword %NewPassword% -OldSupervisorPassword %OldPassword1%,%OldPassword2% -SMSTSPasswordRetry

When the script runs during a task sequence, it will create task sequence variables to track the success or failure of each different script action. If any one of the password actions fails, the associated task sequence variable will be set to Failed.

  • LenovoSetSupervisor
  • LenovoClearSupervisor
  • LenovoSetPowerOn
  • LenovoClearPowerOn
  • LenovoSetSystemManagement
  • LenovoClearSystemManagement
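The task sequence plumbing described here (the _SMSTSLogPath log location, the per-action result variables, and clearing SMSTSPasswordRetry after a successful pass) is reached through the Microsoft.SMS.TSEnvironment COM object that Configuration Manager exposes inside a running task sequence. The functions below are an added example, not the script's own code, showing how a script detects that it is inside a task sequence, resolves the log folder, and records an action's outcome. The value written on success ("Success") is an assumption; the post only states that the variable is set to Failed on failure.

```powershell
# Added example (not the script's own code). Detects a Configuration Manager task
# sequence, resolves the log folder from _SMSTSLogPath, and records the outcome of a
# password action in the task sequence variables listed in the post.
# Assumption: 'Success' is written on success (the post only specifies 'Failed' on failure).

function Get-TSEnvironment {
    # Returns $null when not running in a task sequence, where the COM object is unavailable.
    try { New-Object -ComObject Microsoft.SMS.TSEnvironment } catch { $null }
}

function Get-LenovoLogPath {
    param([string]$DefaultFolder = (Join-Path $env:ProgramData 'ConfigJonScripts\Lenovo'))
    $ts = Get-TSEnvironment
    if ($ts) { return $ts.Value('_SMSTSLogPath') }   # always wins inside a task sequence
    if (-not (Test-Path $DefaultFolder)) { New-Item -Path $DefaultFolder -ItemType Directory -Force | Out-Null }
    $DefaultFolder
}

function Set-LenovoActionResult {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LenovoSetSupervisor', 'LenovoClearSupervisor', 'LenovoSetPowerOn',
                     'LenovoClearPowerOn', 'LenovoSetSystemManagement', 'LenovoClearSystemManagement')]
        [string]$Action,

        [Parameter(Mandatory)]
        [bool]$Succeeded
    )
    $ts = Get-TSEnvironment
    if (-not $ts) { return }   # outside a task sequence there is nothing to record

    $ts.Value($Action) = if ($Succeeded) { 'Success' } else { 'Failed' }

    # A successful pass clears SMSTSPasswordRetry so that any later retry passes are skipped.
    if ($Succeeded) { $ts.Value('SMSTSPasswordRetry') = 'False' }
}

# Usage inside a task sequence step:
# $logFile = Join-Path (Get-LenovoLogPath) 'Manage-LenovoBiosPasswords.Log'
# Set-LenovoActionResult -Action LenovoSetSupervisor -Succeeded $false
```

Outside a task sequence the functions fall back to the ProgramData folder and skip the variable writes, so the same code path works for an interactive run; the conditions on the second and third passes then only need to test the variables this function writes.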

As I mentioned before, the first run of the script in the task sequence does not have any conditions, but each successive run of the script should have these conditions.

The second pass of the script. Notice the SMSTSPasswordRetry parameter is specified because there is still another potential pass of the script yet to run.

-SupervisorSet -SupervisorPassword %NewPassword% -OldSupervisorPassword %OldPassword3%,%OldPassword4% -SMSTSPasswordRetry

The third pass of the script. Notice the SMSTSPasswordRetry parameter is not set because this is the final pass of the script.

-SupervisorSet -SupervisorPassword %NewPassword% -OldSupervisorPassword %OldPassword5%,%OldPassword6%

If, at the end of the 3 passes of the script, the password has still not been successfully changed, a message is displayed on screen informing the imaging technician.

This script ended up being a lot longer and more complicated than I expected when I started, but the end result of all of this is a script that can be used to change or clear Lenovo BIOS passwords. The script can be run in a task sequence and persist information across multiple reboots. This allows for the user to be correctly prompted about any required manual actions even if there are many old passwords to test.

Securing the BIOS Password

This script takes the BIOS password as a plain-text parameter. As of version 2.3.0 it can also read the password from a CMS-encrypted file using a matching CMS-file parameter (for example, -SupervisorPasswordCmsFile), so the password is never passed on the command line. For a full walkthrough of encrypting the password and deploying it safely in unattended deployments, see Securing BIOS Passwords.

Additional Reading

If you’re looking to configure Lenovo BIOS settings other than just the passwords, check out these links. Lenovo BIOS Settings Management is my own script. The Think BIOS Config Tool is an official tool released by Lenovo that allows for changing BIOS settings through a GUI interface or at the command line.