This post was updated on May 24th, 2026 and covers script version 2.3.0.
This post is one of 3 posts in my series on managing BIOS settings using PowerShell. I’ve also written about Dell and HP. In this post I’ll be talking about using PowerShell to manage Lenovo BIOS settings.
The script can be downloaded from my GitHub: https://github.com/ConfigJon/Firmware-Management/tree/master/Lenovo
This post is part of the v2 update to my BIOS management scripts. For an overview of everything that changed across the Dell, HP, and Lenovo scripts, see BIOS Management Scripts v2 Released.
Lenovo, WMI, and PowerShell
Lenovo provides a WMI interface that can be used for querying and modifying BIOS settings on their hardware models. This means that PowerShell can be used to directly view and edit BIOS settings without the need for a vendor specific program. This script uses 7 of the Lenovo provided WMI classes.
Starting with version 2.0.0, the script uses the CIM cmdlets (Get-CimInstance and Invoke-CimMethod) instead of the deprecated Get-WmiObject, so it can run on both Windows PowerShell 5.1 and PowerShell 7. The examples below reflect this change.
The first WMI class is Lenovo_BiosSetting. This class is used to return a list of the configurable BIOS settings as well as their current values.
#Connect to the Lenovo_BiosSetting WMI class
$SettingList = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting
#Return a list of all configurable settings
$SettingList | Select-Object CurrentSetting
#Return a specific setting and value
$SettingList | Where-Object CurrentSetting -Like "SettingName*" | Select-Object -ExpandProperty CurrentSetting
The second WMI class is Lenovo_SetBiosSetting. This class contains a method called SetBIOSSetting which is used to modify bios setting values.
#Connect to the Lenovo_SetBiosSetting WMI class
$Interface = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_SetBiosSetting
#Set a specific BIOS setting when a BIOS password is not set
Invoke-CimMethod -InputObject $Interface -MethodName SetBIOSSetting -Arguments @{parameter="SettingName,SettingValue"}
#Set a specific BIOS setting when a BIOS password is set
Invoke-CimMethod -InputObject $Interface -MethodName SetBIOSSetting -Arguments @{parameter="SettingName,SettingValue,Password,ascii,us"}
The third WMI class is Lenovo_SaveBiosSettings. This class contains a method called SaveBiosSettings which is used to commit any changes made to BIOS setting values.
#Connect to the Lenovo_SaveBiosSettings WMI class
$SaveSettings = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_SaveBiosSettings
#Save any outstanding BIOS configuration changes (no password set)
Invoke-CimMethod -InputObject $SaveSettings -MethodName SaveBiosSettings
#Save any outstanding BIOS configuration changes (password set)
Invoke-CimMethod -InputObject $SaveSettings -MethodName SaveBiosSettings -Arguments @{parameter="Password,ascii,us"}
The fourth WMI class is Lenovo_BiosPasswordSettings. This class is used to query the current status of the BIOS passwords.
#Connect to the Lenovo_BiosPasswordSettings WMI class
$PasswordSettings = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosPasswordSettings
#Check the current password configuration state
$PasswordSettings.PasswordState
The fifth WMI class is Lenovo_LoadDefaultSettings. This class contains a method called LoadDefaultSettings which is used to set all BIOS settings to factory default values.
#Connect to the Lenovo_LoadDefaultSettings WMI class
$DefaultSettings = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_LoadDefaultSettings
#Load default settings (no password set)
Invoke-CimMethod -InputObject $DefaultSettings -MethodName LoadDefaultSettings
#Load default settings (password set)
Invoke-CimMethod -InputObject $DefaultSettings -MethodName LoadDefaultSettings -Arguments @{parameter="Password,ascii,us"}
The sixth WMI class is Lenovo_SetBiosPassword. This class contains a method called SetBiosPassword which is used to set or change a BIOS password. In this script, it’s used to check if the currently configured password matches the password passed to the script in the SupervisorPassword or SystemManagementPassword parameters.
#Connect to the Lenovo_SetBiosPassword WMI class
$PasswordSet = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_SetBiosPassword
#Set a BIOS password
Invoke-CimMethod -InputObject $PasswordSet -MethodName SetBiosPassword -Arguments @{parameter="pap,OldPassword,NewPassword,ascii,us"}
The seventh WMI class is Lenovo_GetBiosSelections. This class contains a method called GetBiosSelections which returns the list of possible values for a given setting. Starting with version 2.1.0, the script uses this to include a PossibleValue column in the GetSettings output, matching the Dell and HP settings scripts.
#Connect to the Lenovo_GetBiosSelections WMI class
$BiosSelections = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_GetBiosSelections
#Return the list of possible values for a specific setting
(Invoke-CimMethod -InputObject $BiosSelections -MethodName GetBiosSelections -Arguments @{Item="SettingName"}).Selections
For reference, when calling the SetBIOSSetting, SaveBiosSettings, LoadDefaultSettings or SetBiosPassword methods, the possible return values are:
- Success
- Not Supported
- Invalid Parameter
- Access Denied - BIOS password not supplied or not correct
- System Busy - There are pending setting changes. Reboot and try again
For more detailed information on the Lenovo WMI interface, as well as a list of supported hardware models, refer to the official documentation. https://support.lenovo.com/us/en/solutions/ht100612
Complex Passwords and the WMI Opcode Interface
When a supervisor or system management password is set, the legacy WMI methods above pass that password inside a comma-delimited string (for example, SettingName,SettingValue,Password,ascii,us), which breaks down when the password contains a comma or other special characters. To handle this, newer Lenovo systems (2020 and later ThinkPad models, and 2017 and later ThinkCentre and ThinkStation models) provide the Lenovo_WmiOpcodeInterface.
Starting with version 2.2.0, when this interface is available and a password is required, the script authorizes the change through the opcode interface (using WmiOpcodePasswordAdmin) and then calls SetBIOSSetting, SaveBiosSettings, and LoadDefaultSettings without an embedded password. This allows complex passwords to be used. On older hardware the script automatically falls back to the legacy comma-delimited method, so how the script is called is unchanged either way.
Manage-LenovoBiosSettings.ps1
This script takes the basic commands and adds logic to allow for a more automated settings management process. The script has six parameters.
- GetSettings – Use this parameter to instruct the script to generate a list of all current BIOS settings. Each setting is listed with its current value and, where available, its possible values. The settings will be displayed to the screen by default.
- SetSettings – Use this parameter to instruct the script to set specific BIOS settings. Settings can be specified either in the body of the script or from a CSV file.
- SetDefaults - Use this parameter to instruct the script to set all BIOS settings to factory default values.
- CsvPath – Use this parameter to specify the location of a CSV file. If used with the GetSettings switch, this acts as the location where a list of current BIOS settings will be saved. If used with the SetSettings switch, this acts as the location where the script will read BIOS settings to be set from. Using this switch with the SetSettings switch will also cause the script to ignore any settings specified in the body of the script.
- SupervisorPassword - Used to specify the supervisor password
- SystemManagementPassword - Used to specify the system management password
When using the script to set settings, the list of settings can either be specified in the script itself or in a CSV file. To specify settings in the script, look for the $Settings array near the top of the script. The settings should be in the format of “Setting Name,Setting Value”
#List of settings to be configured =================================
#===================================================================
$Settings = (
"PXE IPV4 Network Stack,Enabled",
"IPv4NetworkStack,Enable",
"PXE IPV6 Network Stack,Enabled",
"IPv6NetworkStack,Enable",
"Intel(R) Virtualization Technology,Enabled",
"VirtualizationTechnology,Enable",
"VT-d,Enabled",
"VTdFeature,Enable",
"Enhanced Power Saving Mode,Disabled",
"Wake on LAN,Primary",
"Require Admin. Pass. For F12 Boot,Yes",
"Physical Presence for Provisioning,Disabled",
"PhysicalPresenceForTpmProvision,Disable",
"Physical Presence for Clear,Disabled",
"PhysicalPresenceForTpmClear,Disable",
"Boot Up Num-Lock Status,Off"
)
#===================================================================
#===================================================================
A full list of configurable settings can be exported from a device by calling the script with the GetSettings parameter. The CsvPath parameter can also be specified to output the list of settings to a CSV file.
You can then sort through the exported settings and either save them as a CSV file or add them to the $Settings array in the body of the script.
When the script runs, it will write to a log file. By default, this log file will be named Manage-LenovoBiosSettings.Log. If the script is being run during a task sequence, the log file will be located in the _SMSTSLogPath. Otherwise, the log file will be located in ProgramData\ConfigJonScripts\Lenovo. The log file name and path can be changed using the LogFile parameter. Note that the log file path will always be set to _SMSTSLogPath when run during a task sequence.
The script has logic built-in to detect if settings were already set correctly, were successfully set, failed to set, or were not found on the device. The script will output these counts to the screen at the end. More detailed information about the settings will be written to the log file.
Lenovo BIOS setting names differ between hardware models. Specifically, laptops and desktops seem to have different setting names. This means that there can be multiple different ways to specify the same setting across multiple hardware models. I have included a few example settings files in my GitHub. These settings files contain commonly configured Lenovo BIOS settings that cover multiple Lenovo hardware models.
- Settings_CSV_SecureBoot.csv - Contains settings for enabling UEFI and Secure Boot
- Settings_CSV_TPM.csv - Contains settings for enabling and activating TPM
- Settings_CSV_General.csv - Contains other common settings
- Settings_InScript_All.txt - Contains common settings formatted for use in the body of the script
Limitations and Known Issues
Multiple Configured Passwords
Note
When both a supervisor and a system management password are set, authenticate with the supervisor password using the
-SupervisorPasswordparameter — the script always uses the supervisor password when one is present. If you supply the system management password instead, the password check will still pass (the WMI opcode interface accepts either password), but the setting changes will then be rejected by the firmware and fail.
Certificate-Based Authentication
On newer Lenovo systems, the supervisor or system management password can be replaced by a signing certificate (this appears as a PasswordState value of 128). These devices require cryptographically signed WMI commands rather than a password, which this script does not perform. Starting with version 2.1.0, the script detects this state, logs a clear message, and exits cleanly rather than failing in a confusing way.
Examples
The script can be run as a standalone script in Windows, or as a part of a Configuration Manager task sequence. It can also be run in the full Windows OS or in WinPE.
Here are a few examples of calling the script from a PowerShell prompt.
#Set BIOS settings supplied in the script (no password set)
Manage-LenovoBiosSettings.ps1 -SetSettings
#Set BIOS settings supplied in the script (supervisor password set)
Manage-LenovoBiosSettings.ps1 -SetSettings -SupervisorPassword ExamplePassword
#Set BIOS settings supplied in the script (system management password set)
Manage-LenovoBiosSettings.ps1 -SetSettings -SystemManagementPassword ExamplePassword
#Set BIOS settings supplied in a CSV file (supervisor password set)
Manage-LenovoBiosSettings.ps1 -SetSettings -CsvPath C:\Temp\Settings.csv -SupervisorPassword ExamplePassword
#Set BIOS settings, reading the supervisor password from a CMS-encrypted file
Manage-LenovoBiosSettings.ps1 -SetSettings -SupervisorPasswordCmsFile C:\Temp\supervisor.cms
#Set all BIOS settings to factory default values (supervisor password set)
Manage-LenovoBiosSettings.ps1 -SetDefaults -SupervisorPassword ExamplePassword
#Output a list of current BIOS settings to the screen
Manage-LenovoBiosSettings.ps1 -GetSettings
#Output a list of current BIOS settings to a CSV file
Manage-LenovoBiosSettings.ps1 -GetSettings -CsvPath C:\Temp\Settings.csv
Here is an example of calling the script during a task sequence. In this example the settings are specified in the body of the script, so the script can be stored directly in the task sequence step. Also the setup password is set, so the SupervisorPassword parameter is specified.
In this second example, the script is being called from a package and the settings are being supplied from a CSV file.
Securing the BIOS Password
This script takes the BIOS password as a plain-text parameter. As of version 2.3.0 it can also read the password from a CMS-encrypted file using a matching CMS-file parameter (for example, -SupervisorPasswordCmsFile), so the password is never passed on the command line. For a full walkthrough of encrypting the password and deploying it safely in unattended deployments, see Securing BIOS Passwords.
Additional Reading
If you’re looking for other methods to configure Lenovo BIOS settings, check out these links. The Think BIOS Config Tool is an official tool released by Lenovo that allows for changing BIOS settings through a GUI interface or at the command line. For information on configuring Lenovo BIOS passwords using PowerShell, see my post Lenovo BIOS Password Management.