Lenovo BIOS Settings Management

This post was updated on October 18th, 2020.

This post is one of 3 posts in my series on managing BIOS settings using PowerShell. I’ve also written about Dell and HP. In this post I’ll be talking about using PowerShell to manage Lenovo BIOS settings.

The script can be downloaded from my GitHub: https://github.com/ConfigJon/Firmware-Management/tree/master/Lenovo

Lenovo, WMI, and PowerShell

Lenovo provides a WMI interface that can be used for querying and modifying BIOS settings on their hardware models. This means that we can use PowerShell to directly view and edit BIOS settings without the need for a vendor specific program. This script uses 6 of the Lenovo provided WMI classes.

The first WMI class is Lenovo_BiosSetting. This class is used to return a list of the configurable BIOS settings as well as their current values.

#Connect to the Lenovo_BiosSetting WMI class
$SettingList = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting

#Return a list of all configurable settings
$SettingList | Select-Object CurrentSetting

#Return a specific setting and value
$SettingList | Where-Object CurrentSetting -Like "SettingName*" | Select-Object -ExpandProperty CurrentSetting

The second WMI class is Lenovo_SetBiosSetting. This class contains a method called SetBiosSetting which is used to modify BIOS setting values.

#Connect to the Lenovo_SetBiosSetting WMI class
$Interface = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting

#Set a specific BIOS setting when a BIOS password is not set
$Interface.SetBiosSetting("SettingName,SettingValue")

#Set a specific BIOS setting when a BIOS password is set
$Interface.SetBiosSetting("SettingName,SettingValue,Password,ascii,us")

The third WMI class is Lenovo_SaveBiosSettings. This class contains a method called SaveBiosSettings which is used to commit any changes made to BIOS setting values.

#Connect to the Lenovo_SaveBiosSettings WMI class
$SaveSettings = Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings

#Save any outstanding BIOS configuration changes (no password set)
$SaveSettings.SaveBiosSettings()

#Save any outstanding BIOS configuration changes (password set)
$SaveSettings.SaveBiosSettings("Password,ascii,us")

The fourth WMI class is Lenovo_BiosPasswordSettings. This class is used to query the current status of the BIOS passwords.

#Connect to the Lenovo_BiosPasswordSettings WMI class
$PasswordSettings = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosPasswordSettings

#Check the current password configuration state
$PasswordSettings.PasswordState

The fifth WMI class is Lenovo_LoadDefaultSettings. This class contains a method called LoadDefaultSettings which is used to set all BIOS settings to factory default values.

#Connect to the Lenovo_LoadDefaultSettings WMI class
$DefaultSettings = Get-WmiObject -Namespace root\wmi -Class Lenovo_LoadDefaultSettings

#Load default settings (no password set)
$DefaultSettings.LoadDefaultSettings()

#Load default settings (password set)
$DefaultSettings.LoadDefaultSettings("Password,ascii,us")

The sixth WMI class is Lenovo_SetBiosPassword. This class contains a method called SetBiosPassword which is used to set or change a BIOS password. In this script, it’s used to check if the currently configured password matches the password passed to the script in the SupervisorPassword or SystemManagementPassword parameters.

#Connect to the Lenovo_SetBiosPassword WMI class
$PasswordSet = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosPassword

#Set a BIOS password
$PasswordSet.SetBiosPassword("pap,OldPassword,NewPassword,ascii,us")

For reference, when calling the SetBiosSetting, SaveBiosSettings, LoadDefaultSettings or SetBiosPassword methods, the possible return values are:

  • Success
  • Not Supported
  • Invalid Parameter
  • Access Denied – BIOS password not supplied or not correct
  • System Busy – There are pending setting changes. Reboot and try again

For more detailed information on the Lenovo WMI interface, as well as a list of supported hardware models, refer to the official documentation. https://support.lenovo.com/us/en/solutions/ht100612
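The set and save calls above can be chained so that a change is only committed when the set call reports Success, and so that the status string is returned to the caller without the password. This is an added example, not part of Manage-LenovoBiosSettings.ps1; the function name, the result object, and the two stand-in objects are hypothetical, and the status is read from the return property of the method result.

```powershell
# Added example (hypothetical helper, not the author's script).
function Set-LenovoBiosSettingChecked {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Value,
        [string] $Password,   # current BIOS password, if one is set
        # On a Lenovo device these default to the real WMI objects
        $SetInterface  = (Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting),
        $SaveInterface = (Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings)
    )
    # Same parameter strings as above: ",Password,ascii,us" only when a password is supplied
    $suffix = if ($Password) { ",$Password,ascii,us" } else { '' }
    $status = $SetInterface.SetBiosSetting("$Name,$Value$suffix").return
    $stage  = 'Set'
    if ($status -eq 'Success') {
        # Commit only after the set call succeeded
        $stage = 'Save'
        if ($Password) {
            $status = $SaveInterface.SaveBiosSettings("$Password,ascii,us").return
        } else {
            $status = $SaveInterface.SaveBiosSettings().return
        }
    }
    # The result carries the setting name and status only, never the password
    [pscustomobject]@{ Setting = $Name; Value = $Value; Stage = $stage; Status = $status }
}

# Constructed stand-ins for the two WMI objects, so the logic runs without Lenovo hardware.
# The fake set method accepts a call only when it ends with ",Example,ascii,us".
$fakeSet = New-Object psobject | Add-Member -PassThru -MemberType ScriptMethod -Name SetBiosSetting -Value {
    param($s)
    $r = if ($s -like '*,Example,ascii,us') { 'Success' } else { 'Access Denied' }
    [pscustomobject]@{ 'return' = $r }
}
$fakeSave = New-Object psobject | Add-Member -PassThru -MemberType ScriptMethod -Name SaveBiosSettings -Value {
    param($s)
    [pscustomobject]@{ 'return' = 'Success' }
}

$common = @{ Name = 'VirtualizationTechnology'; Value = 'Enable'
             SetInterface = $fakeSet; SaveInterface = $fakeSave }
Set-LenovoBiosSettingChecked @common                       # no password supplied
Set-LenovoBiosSettingChecked @common -Password 'Example'   # password supplied
```

On a real device, omit the SetInterface and SaveInterface arguments so the function uses the Lenovo WMI classes.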

Manage-LenovoBiosSettings.ps1

This script takes the basic commands and adds logic to allow for a more automated settings management process. The script has four parameters.

  • GetSettings – Use this parameter to instruct the script to generate a list of all current BIOS settings. The settings will be displayed to the screen by default.
  • SetSettings – Use this parameter to instruct the script to set specific BIOS settings. Settings can be specified either in the body of the script or from a CSV file.
  • SetDefaults – Use this parameter to instruct the script to set all BIOS settings to factory default values.
  • CsvPath – Use this parameter to specify the location of a CSV file. If used with the GetSettings switch, this acts as the location where a list of current BIOS settings will be saved. If used with the SetSettings switch, this acts as the location where the script will read BIOS settings to be set from. Using this switch with the SetSettings switch will also cause the script to ignore any settings specified in the body of the script.
  • SupervisorPassword – Used to specify the supervisor password.
  • SystemManagementPassword – Used to specify the system management password.

When using the script to set settings, the list of settings can either be specified in the script itself or in a CSV file. To specify settings in the script, look for the $Settings array near the top of the script. The settings should be in the format of “Setting Name,Setting Value”.

#List of settings to be configured =================================
#===================================================================
$Settings = (
    "PXE IPV4 Network Stack,Enabled",
    "IPv4NetworkStack,Enable",
    "PXE IPV6 Network Stack,Enabled",
    "IPv6NetworkStack,Enable",
    "Intel(R) Virtualization Technology,Enabled",
    "VirtualizationTechnology,Enable",
    "VT-d,Enabled",
    "VTdFeature,Enable",
    "Enhanced Power Saving Mode,Disabled",
    "Wake on LAN,Primary",
    "Require Admin. Pass. For F12 Boot,Yes",
    "Physical Presence for Provisioning,Disabled",
    "PhysicalPresenceForTpmProvision,Disable",
    "Physical Presnce for Clear,Disabled",
    "PhysicalPresenceForTpmClear,Disable",
    "Boot Up Num-Lock Status,Off"
)
#===================================================================
#===================================================================

A full list of configurable settings can be exported from a device by calling the script with the GetSettings parameter. The CsvPath parameter can also be specified to output the list of settings to a CSV file.

You can then sort through the exported settings and either save them as a CSV file or add them to the $Settings array in the body of the script.

When the script runs, it will write to a log file. By default, this log file will be named Manage-LenovoBiosSettings.Log. If the script is being run during a task sequence, the log file will be located in the _SMSTSLogPath. Otherwise, the log file will be located in ProgramData\ConfigJonScripts\Lenovo. The log file name and path can be changed using the LogFile parameter. Note that the log file path will always be set to _SMSTSLogPath when run during a task sequence.

The script has logic built-in to detect if settings were already set correctly, were successfully set, failed to set, or were not found on the device. The script will output these counts to the screen at the end. More detailed information about the settings will be written to the log file.

Lenovo BIOS setting names differ between hardware models. Specifically, laptops and desktops seem to have different setting names. This means that there can be multiple different ways to specify the same setting across multiple hardware models. I have included a few example settings files in my GitHub. These settings files contain commonly configured Lenovo BIOS settings that cover multiple Lenovo hardware models.

  • Settings_CSV_UEFI_SecureBoot.csv – Contains settings for enabling UEFI and Secure Boot
  • Settings_CSV_TPM.csv – Contains settings for enabling and activating TPM
  • Settings_General.csv – Contains other common settings
  • Settings_In-Script_All.txt – Contains common settings formatted for use in the body of the script
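Because one list of settings is meant to cover several hardware models, some entries will not exist on a given device. The following added example (not the author's script) shows one way to classify each desired "Name,Value" entry against a device's CurrentSetting strings before anything is changed. The function name, the state labels, and the sample strings are constructed for illustration, and the handling of a ";[...]" suffix after the value is an assumption about some models' output.

```powershell
# Added example (hypothetical helper, not the author's script).
function Compare-LenovoBiosBaseline {
    param(
        [Parameter(Mandatory)] [string[]] $Desired,   # "Name,Value" strings, as in $Settings
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Current   # CurrentSetting strings
    )
    # Build a name -> value map from the device strings (hashtable keys are case-insensitive)
    $map = @{}
    foreach ($line in $Current) {
        if ($line -notmatch ',') { continue }          # skip empty or malformed entries
        $name, $value = $line -split ',', 2
        # Assumption: some models append ";[Optional:...]" after the value; keep the value only
        $map[$name.Trim()] = ($value -split ';', 2)[0].Trim()
    }
    foreach ($item in $Desired) {
        $name, $want = $item -split ',', 2
        if (-not $map.ContainsKey($name)) {
            $state = 'NotFound'        # expected when the name belongs to another model
        } elseif ($map[$name] -eq $want) {
            $state = 'AlreadySet'
        } else {
            $state = 'NeedsChange'
        }
        [pscustomobject]@{ Setting = $name; Desired = $want; Current = $map[$name]; State = $state }
    }
}

# Constructed sample of CurrentSetting strings (not captured from a real device)
$sampleCurrent = @(
    'IPv4NetworkStack,Enable',
    'VirtualizationTechnology,Disable',
    'VTdFeature,Enable;[Optional:Disable,Enable]',
    ''
)
# Desired entries taken from the $Settings array shown earlier
$desired = @(
    'IPv4NetworkStack,Enable',
    'VirtualizationTechnology,Enable',
    'VTdFeature,Enable',
    'Intel(R) Virtualization Technology,Enabled'
)
Compare-LenovoBiosBaseline -Desired $desired -Current $sampleCurrent | Format-Table -AutoSize

# On a Lenovo device, pass the live values instead of the sample:
# -Current (Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting).CurrentSetting
```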

One current limitation of the script has to do with the password check functionality. The script has logic built-in to detect if the BIOS password specified in the SupervisorPassword or SystemManagementPassword parameter matches the currently set BIOS password. Running this password check only works one time per reboot. This means that if you need to run the script multiple times, you will need to have a reboot between each run of the script, or you will need to disable the password check portion of the script.

Examples

The script can be run as a standalone script in Windows, or as a part of a Configuration Manager task sequence. It can also be run in the full Windows OS or in WinPE.

Here are a few examples of calling the script from a PowerShell prompt.

#Set BIOS settings supplied in the script (no password set)
Manage-LenovoBiosSettings.ps1 -SetSettings

#Set BIOS settings supplied in the script (supervisor password set)
Manage-LenovoBiosSettings.ps1 -SetSettings -SupervisorPassword ExamplePassword

#Set BIOS settings supplied in the script (system management password set)
Manage-LenovoBiosSettings.ps1 -SetSettings -SystemManagementPassword ExamplePassword

#Set BIOS settings supplied in a CSV file (supervisor password set)
Manage-LenovoBiosSettings.ps1 -SetSettings -CsvPath C:\Temp\Settings.csv -SupervisorPassword ExamplePassword

#Set all BIOS settings to factory default values (supervisor password set)
Manage-LenovoBiosSettings.ps1 -SetDefaults -SupervisorPassword ExamplePassword

#Output a list of current BIOS settings to the screen
Manage-LenovoBiosSettings.ps1 -GetSettings

#Output a list of current BIOS settings to a CSV file
Manage-LenovoBiosSettings.ps1 -GetSettings -CsvPath C:\Temp\Settings.csv

Here is an example of calling the script during a task sequence. In this example the settings are specified in the body of the script, so the script can be stored directly in the task sequence step. Also the setup password is set, so the SupervisorPassword parameter is specified.

In this second example, the script is being called from a package and the settings are being supplied from a CSV file.

Notes and Additional Reading

If a password is set, the script attempts to verify the supplied password matches the currently set password. There seems to be a bug that can cause this check to not work.

  • The supervisor and system management passwords are both set
  • Attempt to change the supervisor password and supply the system management password as the existing password
  • The SetBiosPassword method reports success, but the password is not changed

The script then continues and attempts to change settings, but the password is incorrect, so the settings fail to change. I don’t currently have a workaround for this issue, so if a supervisor password is set, ensure that password is specified.

If you’re looking for other methods to configure Lenovo BIOS settings, check out these links. The Think BIOS Config Tool is an official tool released by Lenovo that allows for changing BIOS settings through a GUI interface or at the command line. The Lenovo BIOS Configurator is a script written by Martin Bengtsson. It’s an alternate example of using PowerShell to configure Lenovo BIOS settings. For information on configuring Lenovo BIOS passwords using PowerShell, see my post Lenovo BIOS Password Management.