Lenovo has published an excellent guide for managing BIOS settings via scripts for the ThinkPad series. It seems to apply to all of their series (ThinkCentre, ThinkPad, ThinkStation), so the same methods can be used regardless of the type of device.
However, there are numerous caveats to the documentation and some minor misalignments in naming standards between specific device types, even within the same series of devices.
Supervisor Password
Initial password
Passwords are handled quite oddly by Lenovo. First of all, a password can't be set the first time around via their WMI interface; it requires that someone sets it on the device. In addition, the experience has been that depending on the type of keyboard (validated with a Lenovo and an HP keyboard) the password might not be set as expected. In the end, we could only validate what the password was (and use the expected password) when it had been set with an HP keyboard.
Updates settings with password
Once a password is set, it becomes a requirement to pass it when changing any setting or setting a new password. Each updated setting requires the password, encoding and keyboard layout, and the same is required when saving the BIOS settings. One could find many more efficient methods, but this is the way to go about it. After lots of testing, the following methods have been successful:
Changing a BIOS configuration
```powershell
# Get the Lenovo WMI instance used for changing settings
$wmi = Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi
# Format: "SettingName,Value,password,encoding,keyboard;"
$wmi.SetBiosSetting("TCG Security Feature,Active,password,ascii,us;")
```
Note that there is a ; at the end.
ascii and us are the encoding and the language of the keyboard. This is the most common setup, so let's stick with it.
To save the settings the following command can be issued:
```powershell
# The save also needs the password, encoding and keyboard layout
(Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings("password,ascii,us;")
```
If you are unsure whether there is a password or not, we can always test and validate. If you configure all settings and then try to save without the appropriate password (blank when one is set, or otherwise the correct password), all the changes are lost.
You can check if a password is set by using the following method:
```powershell
# Assume a supervisor password is in use and probe whether a save with it succeeds
$password     = ",password,ascii,us;"   # suffix appended to every setting
$passwordsave = "password,ascii,us;"    # argument passed when saving
$nopass       = $true
$result = ((Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings($passwordsave)).return
if (!($result -eq "Success")) {
    # if the command isn't successful we set a blank password
    $password     = ""
    $passwordsave = ""
}
if ($result -eq "Success") {
    $nopass = $false
}
```
To avoid writing lots of code once we have identified whether a password is in use, we can keep the suffix in $password and append it to every setting:
```powershell
# $password is either ",password,ascii,us;" or "" depending on the check above
$wmi.SetBiosSetting("TCG Security Feature,Active$password")
```
The $nopass flag can be used to decide how we save the settings:
```powershell
if ($nopass -eq $true) {
    # no supervisor password: save without arguments
    (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings()
} else {
    # supervisor password set: pass "password,ascii,us;"
    (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings($passwordsave)
}
```
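The password probe, per-setting update and save steps above combined into one script, as an added example that is not from the post or from Lenovo's documentation. It assumes the Lenovo WMI classes used above; the password value and the settings list are placeholders.

```powershell
# Added example: apply Lenovo BIOS settings with or without a supervisor password.
# $Password is a placeholder; the real value comes from the deployment system.
param(
    [string]$Password = "password",
    [string]$Encoding = "ascii",
    [string]$KbdLang  = "us"
)

$set  = Get-WmiObject -Class Lenovo_SetBiosSetting   -Namespace root\wmi
$save = Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi

function Save-Bios([string]$Arg) {
    # Lenovo expects no argument when no supervisor password is set
    if ($Arg) { return $save.SaveBiosSettings($Arg).return }
    return $save.SaveBiosSettings().return
}

# Probe: a save with the password returns "Success" only when that password is set.
$passwordSave = "$Password,$Encoding,$KbdLang;"
if ((Save-Bios $passwordSave) -eq "Success") {
    $suffix = ",$Password,$Encoding,$KbdLang;"   # appended to every setting
} else {
    $suffix = ""                                 # no supervisor password in use
    $passwordSave = ""
}

# Settings to apply (constructed list; add further name/value pairs here).
$settings = [ordered]@{
    "TCG Security Feature" = "Active"
}

# Apply each setting and keep track of the ones the firmware rejects.
$failed = @()
foreach ($name in $settings.Keys) {
    $result = $set.SetBiosSetting("$name,$($settings[$name])$suffix").return
    Write-Host "$name -> $($settings[$name]): $result"
    if ($result -ne "Success") { $failed += $name }
}

# Save only when every setting was accepted; a save with the wrong password
# discards the pending changes, as described above.
if ($failed.Count -eq 0) {
    Write-Host "Save: $(Save-Bios $passwordSave)"
} else {
    Write-Warning "Not saving; rejected settings: $($failed -join ', ')"
}
```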
Settings
Unlike the harmonized and common way of handling BIOS settings via the WMI interface, the settings themselves have a wide spread of possible names and options, quite often similar enough to cause frustration.
An overview of TPM related settings and Secureboot
In addition, once these settings are enabled they can't be disabled. Lenovo has taken a secure-by-default stance and will force someone to physically access the computer to decrease security. As far as their guide states today, the following settings can't be disabled via WMI once they are enabled:
SecureBoot
SecureRollbackPrevention
PhysicalPresenceForTpmClear
PhysicalPresenceForTpmProvision
Nice post, note that in order to know if a password is configured you can also use passwordstate as below:
```powershell
(gwmi -Class Lenovo_BiosPasswordSettings -Namespace root\wmi -ComputerName $computer).PasswordState
```