https://www.configjon.com/series/securing-bios/Recent content in Securing BIOS Passwords on Jon's NotesHugoen-usSun, 24 May 2026 00:00:00 +0000https://www.configjon.com/securing-bios-passwords/Sun, 24 May 2026 00:00:00 +0000https://www.configjon.com/securing-bios-passwords/<p>My Dell, HP, and Lenovo BIOS password and settings scripts all accept the BIOS password as a plain-text parameter. This keeps the scripts simple and broadly compatible, but it means that <strong>how you deliver the password to the script</strong> is also how you secure the password. This post covers how to do that safely under Configuration Manager and task sequences, and how the built-in CMS support added in version 2.3.0 makes it easier.</p>https://www.configjon.com/bios-password-encryption-certificate/Sun, 24 May 2026 00:00:00 +0000https://www.configjon.com/bios-password-encryption-certificate/<p>The CMS method described in <strong><a href="https://www.configjon.com/securing-bios-passwords/">Securing BIOS Passwords</a></strong> relies on a document encryption certificate. The BIOS password is encrypted to that certificate&rsquo;s public key, and only devices holding the matching private key can decrypt it. This post is a companion to that one. It covers how to create and manage the certificate itself: choosing between a self-signed certificate and one issued from an enterprise PKI, and handling the full lifecycle from creation through distribution, rotation, and removal.</p>