Lenovo BIOS Password Management

This post was updated on October 18th, 2020.

This post discusses how to manage Lenovo BIOS passwords using WMI. My goal was to have a script that could change or clear existing passwords and could display a prompt on the screen when manual intervention was required. In this post, I’ll cover the basics of how the script works. I’ll also talk about some limitations of the script and some areas where it could be improved in the future.

The script can be downloaded from my GitHub: https://github.com/ConfigJon/Firmware-Management/tree/master/Lenovo

Lenovo, WMI, and PowerShell

Lenovo provides a WMI interface that can be used for querying and modifying BIOS settings on their hardware models. This means that we can use PowerShell to directly view and edit BIOS settings without the need for a vendor-specific program. This script deals specifically with Lenovo BIOS passwords, so in this post I will only be discussing the classes related to password management.

The first thing that needs to be done is to determine what passwords are currently configured. This information can be obtained from the Lenovo_BiosPasswordSettings class.

$PasswordSettings = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosPasswordSettings
$PasswordSettings.PasswordState

These two lines will return a number that tells us what passwords are currently set. For reference, this is what each value means:

  • 0 – No passwords set
  • 1 – Power on password set
  • 2 – Supervisor password set
  • 3 – Power on and supervisor passwords set
  • 4 – Hard drive password(s) set
  • 5 – Power on and hard drive passwords set
  • 6 – Supervisor and hard drive passwords set
  • 7 – Supervisor, power on, and hard drive passwords set
  • 64 – System management password set
  • 65 – System management and power on passwords set
  • 66 – System management and supervisor passwords set
  • 67 – System management, supervisor, and power on passwords set
  • 68 – System management and hard drive passwords set
  • 69 – System management, power on, and hard drive passwords set
  • 70 – System management, supervisor, and hard drive passwords set
  • 71 – System management, supervisor, power on, and hard drive passwords set
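The table above is easier to use in a script if PasswordState is treated as a set of flags (1 = power on, 2 = supervisor, 4 = hard drive, 64 = system management); every value listed is a sum of those four. The following function, an added example rather than code from the post or the script, decodes the value this way and so also covers combinations the table does not spell out.

```powershell
# Added example (not from the original post): decode Lenovo_BiosPasswordSettings.PasswordState
# into the individual password types. Each value in the table is the sum of these flags:
#   1 = power on, 2 = supervisor, 4 = hard drive, 64 = system management
function ConvertFrom-LenovoPasswordState {
    param([Parameter(Mandatory)][int]$PasswordState)

    $flags = [ordered]@{
        PowerOn          = 1
        Supervisor       = 2
        HardDrive        = 4
        SystemManagement = 64
    }
    $result = [ordered]@{ PasswordState = $PasswordState }
    foreach ($name in $flags.Keys) {
        $result[$name] = (($PasswordState -band $flags[$name]) -ne 0)
    }
    # Any bit outside the four known flags is a value the table does not describe
    $known = 1 + 2 + 4 + 64
    $result['Unknown'] = (($PasswordState -band (-bnot $known)) -ne 0)
    [pscustomobject]$result
}

# Query the live system (requires Lenovo hardware that exposes the WMI interface)
$settings = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosPasswordSettings
$decoded  = ConvertFrom-LenovoPasswordState -PasswordState $settings.PasswordState
$decoded

# A password that does not exist cannot be set through WMI (see the Limitations section),
# so a management script should stop here rather than attempt a change on a blank system
if ($decoded.PasswordState -eq 0) { Write-Warning 'No BIOS passwords are set; nothing can be changed remotely.' }
```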

The next step is to act on this data and either change or clear the BIOS password. This can be done using the Lenovo_SetBiosPassword class.

$PasswordSet = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosPassword
$PasswordSet.SetBiosPassword("pap,OldPassword,NewPassword,ascii,us")

These two lines will attempt to change the supervisor password from OldPassword to NewPassword. The type of password being modified is determined by the first value inside the double quotes, in this case pap, which is the supervisor password. For reference, here are the values for the other password types:

  • pap – Supervisor password
  • pop – Power on password
  • smp – System management password
  • uhdp1 – User hard drive password
  • mhdp1 – Master hard drive password

Here are some additional examples.

#Change the supervisor password
$PasswordSet.SetBiosPassword("pap,OldPassword,NewPassword,ascii,us")

#Change the power on password
$PasswordSet.SetBiosPassword("pop,OldPassword,NewPassword,ascii,us")

#Change the system management password
$PasswordSet.SetBiosPassword("smp,OldPassword,NewPassword,ascii,us")

#Clear the supervisor password
$PasswordSet.SetBiosPassword("pap,OldPassword,,ascii,us")

#Clear the power on password
$PasswordSet.SetBiosPassword("pop,OldPassword,,ascii,us")

#Clear the system management password
$PasswordSet.SetBiosPassword("smp,OldPassword,,ascii,us")
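The examples above all rely on building the comma-separated argument string correctly and on reading the status string the method returns (the post later notes that it reports Success even on some failures, so the check below is necessary but not sufficient). Here is a small wrapper, added as an example and not taken from the post or the script, that assembles the string, rejects passwords that would break the format, and surfaces the result as an object; the `.return` property name is the standard WMI method-result property, and `Success` is the status string the post refers to.

```powershell
# Added example (not from the original post or Manage-LenovoBiosPasswords.ps1):
# a wrapper around Lenovo_SetBiosPassword that builds the argument string and checks the result
function Set-LenovoBiosPassword {
    param(
        [Parameter(Mandatory)][ValidateSet('pap','pop','smp','uhdp1','mhdp1')][string]$Type,
        [Parameter(Mandatory)][string]$OldPassword,
        [string]$NewPassword = '',     # an empty new password clears the password
        [string]$Encoding = 'ascii',   # encoding and keyboard layout fields from the post's examples
        [string]$Keyboard = 'us'
    )
    # The fields are comma-separated, so a password containing a comma cannot be passed this way
    foreach ($p in @($OldPassword, $NewPassword)) {
        if ($p -like '*,*') { throw 'Passwords containing a comma are not supported by this interface.' }
    }
    $argument = "$Type,$OldPassword,$NewPassword,$Encoding,$Keyboard"

    $setter = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosPassword
    if (-not $setter) { throw 'Lenovo_SetBiosPassword not found; is this supported Lenovo hardware?' }

    # The WMI method result carries a status string in its 'return' property;
    # 'Success' is the only good outcome (assumption: the firmware reports it truthfully)
    $status = ($setter.SetBiosPassword($argument)).return
    [pscustomobject]@{
        Type    = $Type
        Action  = $(if ($NewPassword) { 'Change' } else { 'Clear' })
        Status  = $status
        Success = ($status -eq 'Success')
    }
}

# Usage: change the supervisor password and stop on any non-success status
$result = Set-LenovoBiosPassword -Type pap -OldPassword 'OldPassword' -NewPassword 'NewPassword'
if (-not $result.Success) { Write-Error "Supervisor password change failed: $($result.Status)"; exit 1 }
```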

For more detailed information on the Lenovo WMI interface, as well as a list of supported hardware models, refer to the official documentation. https://support.lenovo.com/us/en/solutions/ht100612

Manage-LenovoBiosPasswords.ps1

This script takes the basic commands we just looked at and adds logic to allow for a more automated password management process. The script accepts parameters that tell it which actions to perform.

  • SupervisorSet – Change an existing supervisor password
  • SupervisorClear – Clear an existing supervisor password
  • PowerOnSet – Change an existing power on password
  • PowerOnClear – Clear an existing power on password
  • SystemManagementSet – Change an existing system management password
  • SystemManagementClear – Clear an existing system management password
  • HDDPasswordClear – Clear an existing user and/or master hard drive password

There are also parameters that are used to specify the new and old BIOS passwords.

  • SupervisorPassword – The current supervisor password or password to be set
  • OldSupervisorPassword – The old supervisor password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
  • PowerOnPassword – The current power on password or password to be set
  • OldPowerOnPassword – The old power on password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
  • SystemManagementPassword – The current system management password or password to be set
  • OldSystemManagementPassword – The old system management password(s) to be changed. Multiple old passwords can be specified (separated by a comma). See the Limitations section of this post for more information.
  • HDDUserPassword – The current user hard drive password to be cleared
  • HDDMasterPassword – The current master hard drive password to be cleared

By default, if the script fails to perform any of these actions, it will display a message box on the screen and exit with an error code. This can be useful in a task sequence scenario where you may not want a system to continue with the task sequence if the BIOS password is not set correctly. However, if you want the script to be completely silent, there are a few parameters that can be set.

  • NoUserPrompt – Suppress all user prompts
  • ContinueOnError – Ignore any errors caused by changing or clearing passwords. (Will not ignore parameter validation errors)

When the script runs, it will write to a log file. By default, this log file will be named Manage-LenovoBiosPasswords.Log. If the script is being run during a task sequence, the log file will be located in the _SMSTSLogPath. Otherwise, the log file will be located in ProgramData\ConfigJonScripts\Lenovo. The log file name and path can be changed using the LogFile parameter. Note that the log file path will always be set to _SMSTSLogPath when run during a task sequence.

Limitations and Known Issues

Blank Passwords
The first limitation is actually imposed by Lenovo for security reasons. The first time a BIOS password is set, it must be set manually. It is not possible to programmatically set a BIOS password when one does not already exist. The script does have logic to detect this scenario, and will throw an error and prompt the user if that is the case.

Lenovo has recently added a System Deployment Boot Mode to newer hardware models that allows setting a password. I will look into this more in the future to see if it can be incorporated into the script.

Password Lockout
The second limitation is also imposed by Lenovo for security reasons. If enough wrong password attempts are made, the system will lock and require a reboot to continue attempting passwords. In my testing with Lenovo hardware, I’ve found some models lock after 3 failed password attempts, and some lock after 6 failed password attempts.

Even though the lockout number is 3 or 6, depending on the hardware model, the way this script is written you can only specify 2 or 5 old passwords in the old password parameters. This is because the script first tests whether the password is already set to the value passed in the new password parameter, which uses up 1 of those lockout attempts if it is incorrect.

For example, if the script is instructed to change a supervisor password, the first thing it does is test the current password against the value passed in the SupervisorPassword parameter. If it does not match, this counts as 1 failed attempt. The script then attempts to change the password using each of the values passed in the OldSupervisorPassword parameter. However, since we are already at 1 failed attempt after the first test, we can only try 2 more passwords before needing a reboot.

If this script is being run during a task sequence, and there are 4 different potential old passwords, and the device locks after 3 failed attempts, the script would need to be called with Password1 and Password2 specified as old passwords. Then a reboot would need to happen. Then the script would need to be run a second time with Password3 and Password4 specified as old passwords.

There are 2 checks in the parameter validation section of the script that will throw an error if 2 or more old passwords are specified. If you need to increase this limit, either comment out or modify those lines. Additionally, if too many failed password attempts are made and the BIOS setting Password Count Exceeded Error is set to Enabled, a message will be displayed on screen at the next reboot and will require user input.
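The attempt accounting described above can be made explicit in code. The function below is an added example, not the post's script: it reserves one attempt for the initial "is it already set?" test and refuses to try more old passwords than the remaining budget allows, so a change operation never trips the lockout on its own. The initial test is implemented here by asking the firmware to change the password from the new value to itself; that this counts as one attempt and reports Success when the password already matches is an assumption, as is the default lockout of 3.

```powershell
# Added example (not from the original post): change a BIOS password by trying a list of
# candidate old passwords while staying under the firmware's failed-attempt lockout.
# LockoutCount is the model's limit (3 or 6 per the post); one attempt is reserved for the
# initial "already set?" test, so only LockoutCount - 1 old passwords may be tried.
function Update-LenovoPasswordWithinLockout {
    param(
        [Parameter(Mandatory)][ValidateSet('pap','pop','smp')][string]$Type,
        [Parameter(Mandatory)][string]$NewPassword,
        [string[]]$OldPasswords = @(),
        [int]$LockoutCount = 3          # assumption: 3 unless the model is known to allow 6
    )
    $budget = $LockoutCount - 1
    if ($OldPasswords.Count -gt $budget) {
        throw "Only $budget old passwords can be tried before the lockout at $LockoutCount attempts; got $($OldPasswords.Count)."
    }
    $setter   = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosPassword
    $attempts = 0

    # Attempt 1: "change" from the new password to itself. Success means it is already set.
    # (Assumption: this is how the already-set test behaves and it costs one attempt if wrong.)
    $attempts++
    if ($setter.SetBiosPassword("$Type,$NewPassword,$NewPassword,ascii,us").return -eq 'Success') {
        return [pscustomobject]@{ Result = 'AlreadySet'; Attempts = $attempts; RebootRequired = $false }
    }

    # Remaining attempts: one per candidate old password, stopping at the first success
    foreach ($old in $OldPasswords) {
        $attempts++
        if ($setter.SetBiosPassword("$Type,$old,$NewPassword,ascii,us").return -eq 'Success') {
            return [pscustomobject]@{ Result = 'Changed'; Attempts = $attempts; RebootRequired = $false }
        }
    }

    # Every candidate failed. If the counter has reached the lockout value, the firmware will
    # refuse further attempts until the system reboots, which is what a later pass must wait for.
    [pscustomobject]@{ Result = 'Failed'; Attempts = $attempts; RebootRequired = ($attempts -ge $LockoutCount) }
}

# Usage on a model that locks after 3 attempts: at most 2 old passwords per pass
$outcome = Update-LenovoPasswordWithinLockout -Type pap -NewPassword 'NewPassword' -OldPasswords 'Old1','Old2'
if ($outcome.Result -eq 'Failed' -and $outcome.RebootRequired) { Write-Warning 'Reboot before trying further old passwords.' }
```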

Multiple Configured Passwords
When multiple types of passwords are set on a system, there are different requirements for which passwords must be specified to complete some actions.

  • If the supervisor and power on passwords are set
    • The supervisor password is required to change or clear the power on password
  • If the supervisor and system management passwords are set
    • The supervisor password is required to change or clear the system management password
  • If the system management and power on passwords are set
    • The system management password is required to change or clear the power on password

Power On Password Issue
In my testing I’ve run into an issue where the SetBiosPassword WMI method will always report success (even in a failure situation) when attempting to change or clear the power on password. When attempting to change a password, my script will first check to see if the supplied password is already set correctly. If it is not, the SetBiosPassword method should return a failure, but when this issue occurs, the SetBiosPassword always returns success. This causes the script to think the power on password has been changed, when in reality, it has not.

Another symptom of this issue is after a failed (reported success) attempt to change or clear the power on password, an error message will be displayed on the screen during the next system reboot. The message is: 0191: System Security – Invalid remote change requested.

Hard Drive Passwords
Currently the script only has logic to clear existing hard drive passwords. In my testing, I found that when attempting to change or clear a hard drive password, the command always returns Success even if it failed. This makes it difficult to determine if the command actually worked or not. If you are planning to use the hard drive password parameters, ensure that the passwords being used are correct. I’d love to hear from you if you have tips on better dealing with Lenovo hard drive passwords. This is definitely an area of the script that could use improvement.

Examples

The script can be run as a standalone script in Windows, or as a part of a Configuration Manager task sequence. It can also be run in the full Windows OS or in WinPE.

Here are a few examples of calling the script from a PowerShell prompt in Windows.

#Change an existing supervisor password
Manage-LenovoBiosPasswords.ps1 -SupervisorSet -SupervisorPassword Password1 -OldSupervisorPassword Password2

#Clear an existing supervisor password
Manage-LenovoBiosPasswords.ps1 -SupervisorClear -OldSupervisorPassword Password1

#Change an existing system management password when the supervisor password is also set
Manage-LenovoBiosPasswords.ps1 -SystemManagementSet -SystemManagementPassword Password1 -SupervisorPassword Password2

#Change an existing supervisor password and clear a power on password
Manage-LenovoBiosPasswords.ps1 -SupervisorSet -SupervisorPassword Password1 -OldSupervisorPassword Password2 -PowerOnClear

#Clear an existing power on password when only the power on password is set, suppress any user prompts, and continue on error
Manage-LenovoBiosPasswords.ps1 -PowerOnClear -OldPowerOnPassword Password1,Password2 -NoUserPrompt -ContinueOnError

Here is a basic example of calling the script during a task sequence. In this example the supervisor password is being changed and there is only 1 possible old supervisor password.

-SupervisorSet -SupervisorPassword %NewPassword% -OldSupervisorPassword %OldPassword%

Here is a second example of calling the script during a task sequence. In this example, the supervisor password is being changed and there are 6 possible old supervisor passwords. The hardware the script is being run against will lock after 3 failed attempts, so only 2 old passwords can be specified before a reboot is required. This means that the script will need to be run 3 times.

First, in the Set Password Values step, create variables for each password.

The First Pass folder has no conditions on it, as we want it to run for any Lenovo system. To change a supervisor password, the SupervisorSet parameter is specified along with the SupervisorPassword and OldSupervisorPassword parameters.

Because the script will need to run multiple times, there is one additional parameter that needs to be specified. The SMSTSPasswordRetry parameter instructs the script not to display prompts on the screen until all attempts have completed. In this scenario, the script needs to be run 3 times, so the SMSTSPasswordRetry parameter is specified on the first 2 passes of the script and not on the final pass. When the password(s) are successfully changed or cleared, the SMSTSPasswordRetry variable will be set to false. This means that if the first pass of the script is successful, the second and third passes of the script will be skipped.

-SupervisorSet -SupervisorPassword %NewPassword% -OldSupervisorPassword %OldPassword1%,%OldPassword2% -SMSTSPasswordRetry

When the script runs during a task sequence, it will create task sequence variables to track the success or failure of each different script action. If any one of the password actions fails, the associated task sequence variable will be set to Failed.

  • LenovoSetSupervisor
  • LenovoClearSupervisor
  • LenovoSetPowerOn
  • LenovoClearPowerOn
  • LenovoSetSystemManagement
  • LenovoClearSystemManagement

As I mentioned before, the first run of the script in the task sequence does not have any conditions, but each successive run of the script should have these conditions.

The second pass of the script. Notice the SMSTSPasswordRetry parameter is specified because there is still another potential pass of the script yet to run.

-SupervisorSet -SupervisorPassword %NewPassword% -OldSupervisorPassword %OldPassword3%,%OldPassword4% -SMSTSPasswordRetry

The third pass of the script. Notice the SMSTSPasswordRetry parameter is not set because this is the final pass of the script.

-SupervisorSet -SupervisorPassword %NewPassword% -OldSupervisorPassword %OldPassword5%,%OldPassword6%

If at the end of the 3 passes of the script the password was still not successfully changed, a message would then be displayed on the screen informing the imaging technician.
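The multi-pass flow above depends on state that survives reboots: the per-action result variables and the SMSTSPasswordRetry variable that later passes are conditioned on. The function below is an added example, not the script's own code, showing how such state can be written through the standard Configuration Manager task sequence environment COM object. The variable names come from the post; the "Success" value for a succeeded action and the use of SMSTSPasswordRetry = True as the condition for later passes are assumptions.

```powershell
# Added example (not from the original post): record the outcome of a password action in task
# sequence variables so later passes and step conditions can read it after a reboot.
# Variable names are those listed in the post; Microsoft.SMS.TSEnvironment is the standard
# Configuration Manager task sequence COM object and is only available inside a task sequence.
function Set-LenovoPasswordTsState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LenovoSetSupervisor','LenovoClearSupervisor','LenovoSetPowerOn',
                     'LenovoClearPowerOn','LenovoSetSystemManagement','LenovoClearSystemManagement')]
        [string]$Action,
        [Parameter(Mandatory)][bool]$Succeeded,
        [switch]$RetryPending   # set when another pass of the script is still scheduled
    )
    try   { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment }
    catch { Write-Warning 'Not running inside a task sequence; nothing recorded.'; return $null }

    if ($Succeeded) {
        $tsenv.Value($Action) = 'Success'          # assumption: the post only specifies 'Failed'
        # Nothing further to do, so clear the retry flag; later passes are conditioned on it
        $tsenv.Value('SMSTSPasswordRetry') = 'False'
    } else {
        $tsenv.Value($Action) = 'Failed'
        # Keep retrying (and suppress prompts) only while a later pass still exists
        $tsenv.Value('SMSTSPasswordRetry') = $(if ($RetryPending) { 'True' } else { 'False' })
    }

    # Return the log path the post describes for task sequence runs
    Join-Path $tsenv.Value('_SMSTSLogPath') 'Manage-LenovoBiosPasswords.Log'
}

# Usage from an intermediate pass: a failed supervisor change with passes still to come
$log = Set-LenovoPasswordTsState -Action LenovoSetSupervisor -Succeeded $false -RetryPending
if ($log) { "Result logged to $log" }
```

A later task sequence step would then run only when SMSTSPasswordRetry equals True, so a successful first pass skips the remaining passes as the post describes.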

This script ended up being a lot longer and more complicated than I expected when I started, but the end result of all of this is a script that can be used to change or clear Lenovo BIOS passwords. The script can be run in a task sequence and persist information across multiple reboots. This allows for the user to be correctly prompted about any required manual actions even if there are many old passwords to test.

Additional Reading

If you’re looking to configure Lenovo BIOS settings other than just the passwords, check out these links. Lenovo BIOS Settings Management is my own script. The Think BIOS Config Tool is an official tool released by Lenovo that allows for changing BIOS settings through a GUI interface or at the command line. The Lenovo BIOS Configurator is a script written by Martin Bengtsson. It’s a great example of using PowerShell to configure BIOS settings.