Securing BIOS Passwords

Securing BIOS passwords for unattended deployments. The CMS encryption and document-encryption certificate model covered here is shared groundwork for both delivery models: the task-sequence and interactive scripts (via their -CmsFile parameters) and the Intune scripts (which require it).

Securing BIOS Passwords in Unattended Deployments

My Dell, HP, and Lenovo BIOS password and settings scripts all accept the BIOS password as a plain-text parameter. This keeps the scripts simple and broadly compatible, but it means that how you deliver the password to the script is also how you secure the password. This post covers how to do that safely under Configuration Manager and task sequences, and how the built-in CMS support added in version 2.3.0 makes it easier. ...

Document Encryption Certificates for BIOS Password Management

The CMS method described in Securing BIOS Passwords relies on a document encryption certificate. The BIOS password is encrypted to that certificate’s public key, and only devices holding the matching private key can decrypt it. This post is a companion to that one. It covers how to create and manage the certificate itself: choosing between a self-signed certificate and one issued from an enterprise PKI, and handling the full lifecycle from creation through distribution, rotation, and removal. ...