INTRODUCTION

In most organizations, the workstation configuration needs to conform to a specific standard. If you are using HP workstations, you will need a strategy for deploying the HP BIOS settings. The tool we will be using in this scenario is the HP BIOS Configuration Utility (BCU).

Enterprise OEMs such as DELL, HP and Lenovo provide solutions for deploying BIOS settings.

Below is a list of the solutions for each manufacturer:

The DELL and Lenovo solutions use executables or scripts which can be executed with different parameters, depending on what you want to Enable, Disable or Configure in the BIOS.

The HP solution, the HP BIOS Configuration Utility (BCU), works a bit differently. It uses an Export/Import function, where the idea is that for each model you export the BIOS settings, make the required changes and then re-import the settings.

I do not really like the standard method in the HP BIOS Configuration Utility (BCU), as it requires you to go into each model and export the BIOS settings and then tweak them.

I would rather have a solution similar to that of DELL and Lenovo, where I can use a script with different parameters for each feature, instead of triggering it per model.

This is why I created the solution described in this blog post.

In my example I had to set the following:

  • Configure WLAN Switching
  • Enable Virtualization
  • Enable TPM
  • Enable SecureBoot
  • Configure Video Memory

You can of course configure other BIOS settings. How to accomplish this is described later in this blog post.

GLOSSARY

BCU: BIOS Configuration Utility. HP's command line utility for systematic deployment of BIOS settings.

HP BIOS SETTINGS

As I mentioned in the Introduction, HP BIOS settings have traditionally been configured using one exported configuration file which is modified and then re-imported.

The common understanding was that a settings file with ALL BIOS settings had to be exported for each model. I have also seen strange behavior when reusing settings files between different models.

In reality, settings that are not available on a specific model or specific BIOS version will automatically be skipped.

Sometimes, settings can be named differently between different models. The solution is just to add all the different variants to the settings file.

THE SOLUTION

FEATURES

The template script currently supports:

  • Using two different passwords
  • Enabling TPM
  • Enabling Virtualization
  • Enabling WLAN switching
  • Configuring Video Memory

The script works just as well with any other settings that you might wish to apply. Later in this blog post I describe how to customize the script to add configuration of other settings.

Since the HP BIOS Configuration Utility does not handle blank BIOS passwords well, I have previously created a PowerShell script.

ASSUMPTIONS & PREREQUISITES

There are some assumptions and prerequisites that need to be in place in order for this solution to work.

These include:

  • HP BIOS Configuration Utility 4.0.25.1 or later. This is because commands have changed between the different versions. Starting with 4.0.21.1, the commands for configuring new passwords and for input of the existing passwords have changed from /nspwdfile and /cspwdfile to /npwdfile and /cpwdfile.
  • A *.bin file containing the encrypted password in your organization.

HOW IT WORKS

The script uses the HP BIOS Configuration Utility together with an encrypted password file. The script will check if there is a password configured. If not, it will execute the HP BIOS Configuration Utility without a password. Otherwise it will use the password provided.

NOTE: In BCU versions prior to 3.0.3.1 it was possible to specify the password as clear text in the command line, which is not possible in later versions.

Instead of using one settings file with all the settings, we will be using one settings file per setting or group of settings.

THE SCRIPT

Below is the script used in the solution, Set-HPConfiguration.ps1:

<#
.DESCRIPTION
Sets HP UEFI configuration
    
.NOTES

Author: Daniel Classon
Version: 1.1
Date: 2018-10-31
    
.EXAMPLE
.\Set-HPConfiguration.ps1 -Enable TPM

.DISCLAIMER
All scripts and other powershell references are offered AS IS with no warranty.
These scripts and functions are tested in my environment and it is recommended that you test these scripts in a test environment before using in your production environment.
#>

Param(
    [Parameter(Mandatory=$False)]
    [string]$Enable,
    [Parameter(Mandatory=$False)]
    [string]$Disable,
    [Parameter(Mandatory=$False)]
    [string]$Configure,
    [Parameter(Mandatory=$False)]
    [string]$PasswordFile = "$PSScriptRoot\pwd.bin",
    [Parameter(Mandatory=$False)]
    [string]$PasswordFile2 = "$PSScriptRoot\pwd2.bin"

)

Begin {

    switch ($Configure)
    {
        'ThunderboltSecurity' {$ConfigFile="$PSScriptRoot\Configure_ThunderboltSecurity.txt"}
        'VideoMemory' {$ConfigFile="$PSScriptRoot\Configure_VideoMemory.txt"}
        Default {}
    }

    switch ($Enable)
    {
        'SecureBoot' {$ConfigFile="$PSScriptRoot\Enable_SecureBoot.txt"}
        'TPM' {$ConfigFile="$PSScriptRoot\Enable_TPM.txt"}
        'Virtualization' {$ConfigFile="$PSScriptRoot\Enable_Virtualization.txt"}
        'WLANSwitching' {$ConfigFile="$PSScriptRoot\Enable_WLANSwitching.txt"}
        Default {}
    }
    switch ($Disable)
    {
        'Virtualization' {$ConfigFile="$PSScriptRoot\Disable_Virtualization.txt"}
        Default {}
    }

}
Process {
    $bcu = "$PSScriptRoot\BiosConfigUtility64.exe"

    # First attempt: no current password is supplied; /npwdfile passes the password file as the new BIOS password
    $process = Start-Process -FilePath $bcu -ArgumentList "`"/npwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru

    # If a password is configured (exit code 10), enter it
    if ($process.ExitCode -eq 10) {
        $process = Start-Process -FilePath $bcu -ArgumentList "`"/cpwdfile:$PasswordFile`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru

        # Start-Process does not throw when BCU rejects a password, so check the exit code
        # again (instead of try/catch) before falling back to the second password file
        if ($process.ExitCode -eq 10) {
            $process = Start-Process -FilePath $bcu -ArgumentList "`"/cpwdfile:$PasswordFile2`"", "`"/set:$ConfigFile`"", "/log" -Wait -PassThru
        }
    }
}
End {
}           

IMPLEMENTATION

DOWNLOAD SOURCE FILES

Download the source files here: http://www.danielclasson.com/wp-content/uploads/2019/01/Set-HPConfiguration-v2.0.zip

The following components are included in the solution:

  • HP BIOS Configuration Utility
    • Executable for handling the BIOS settings configurations
  • HPQPswd64.exe
    • Executable for creating the encrypted password file.
  • Settings files
    • One settings file per setting or group of settings.
  • Encrypted password file
    • This will need to be created.
  • Set-HPConfiguration.ps1
    • The script file that runs the logic for the HP BIOS settings configuration.

Once you have extracted the contents of the *.zip file, you should have the following structure:

CREATE ENCRYPTED PASSWORD FILE

The encrypted password file is created using HPQPswd64.exe, which is included in the HP BIOS Configuration Utility package.

Follow the below steps:

  1. Open HPQPswd64.exe
  2. Enter Password to be encrypted
  3. Enter the destination to the password file.
  4. Press OK to close HPQPswd64.exe

NOTE: Passwords for HP BIOS

HP passwords can contain the following characters:

  • Unicode
  • Numbers

Place the password file in the same folder as the solution.

CUSTOMIZATION

EXPORT SETTINGS

Open a command prompt as Administrator. Browse to the installation directory of the HP BIOS Configuration Utility, which is usually located at C:\Program Files (x86)\HP\BIOS Configuration Utility.

Use the following command to export all available settings for your model:

BiosConfigUtility64.exe /get:biosconfig.txt /cpwdfile:password.bin

The settings available will differ for each model. But you don’t need to worry as the setting will not be applied if the setting does not exist on the hardware.

CUT OUT THE SETTINGS

Take the settings that you wish, for example:

Virtualization Technology for Directed I/O (VTd)
	Disable
	*Enable
Virtualization Technology (VTx)
	Disable
	*Enable

ADD TO NEW FILE

Create a new file with <Enable/Configure setting>.

Remember to always include this at the top of the text file.

BIOSConfig 1.0
;
;

UPDATE SCRIPT

If you want to add more settings than the ones I have configured, you will need to create a new configuration file with the required setting and modify the following switch statement:

    switch ($Configure)
    {
        'ThunderboltSecurity' {$ConfigFile="$PSScriptRoot\Configure_ThunderboltSecurity.txt"}
        'VideoMemory' {$ConfigFile="$PSScriptRoot\Configure_VideoMemory.txt"}
        Default {}
    }

    switch ($Enable)
    {
        'SecureBoot' {$ConfigFile="$PSScriptRoot\Enable_SecureBoot.txt"}
        'TPM' {$ConfigFile="$PSScriptRoot\Enable_TPM.txt"}
        'Virtualization' {$ConfigFile="$PSScriptRoot\Enable_Virtualization.txt"}
        'WLANSwitching' {$ConfigFile="$PSScriptRoot\Enable_WLANSwitching.txt"}
        Default {}
    }
    switch ($Disable)
    {
        'Virtualization' {$ConfigFile="$PSScriptRoot\Disable_Virtualization.txt"}
        Default {}
    }

EXECUTION

Execute the script using this command:

.\Set-HPConfiguration.ps1 -<Enable/Disable/Configure> <Item>
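
Because BCU skips settings that do not exist on a model, a setting that is named differently on some hardware is never applied. The following check is an added example, not part of the author's download: it parses the BCU text format used by the settings files and by a fresh /get export, and reports which wanted settings are missing or still at another value. The function names and the sample data are assumptions made for this illustration.

```powershell
# Added example, not part of Set-HPConfiguration.ps1.
# Assumed layout: setting name at column 0, options indented, '*' marks the selected one.
function ConvertFrom-BcuText {
    param([string[]]$Lines)
    $settings = [ordered]@{}
    $current  = $null
    foreach ($line in $Lines) {
        # Skip blanks, ';' comments and the 'BIOSConfig 1.0' header
        if ($line -match '^\s*$|^\s*;|^BIOSConfig\s') { continue }
        if ($line -match '^\S') {
            $current = $line.Trim()          # unindented line = setting name
            $settings[$current] = $null
        }
        elseif ($current) {
            $value = $line.Trim()
            if ($value.StartsWith('*')) { $settings[$current] = $value.Substring(1).Trim() }
            elseif ($null -eq $settings[$current]) { $settings[$current] = $value }  # free-text value
        }
    }
    $settings
}

function Test-BcuCompliance {
    param([string[]]$Desired, [string[]]$Exported)
    $want = ConvertFrom-BcuText $Desired
    $have = ConvertFrom-BcuText $Exported
    foreach ($name in $want.Keys) {
        if (-not $have.Contains($name))        { $status = 'Missing' }   # not on this model under that name
        elseif ($have[$name] -eq $want[$name]) { $status = 'OK' }
        else                                   { $status = 'Drift' }
        [pscustomobject]@{ Setting = $name; Wanted = $want[$name]; Actual = $have[$name]; Status = $status }
    }
}

# Constructed sample data; 'SecureBoot' / 'Secure Boot' are illustrative name variants
$desired = @(
    'BIOSConfig 1.0', ';',
    'Virtualization Technology (VTx)', "`tDisable", "`t*Enable",
    'SecureBoot', "`tDisable", "`t*Enable"
)
$exported = @(
    'BIOSConfig 1.0', ';',
    'Virtualization Technology (VTx)', "`t*Disable", "`tEnable",
    'Secure Boot', "`tDisable", "`t*Enable"
)
Test-BcuCompliance -Desired $desired -Exported $exported | Format-Table -AutoSize
# Real use: -Desired (Get-Content .\Enable_SecureBoot.txt) -Exported (Get-Content .\biosconfig.txt)
```

On the constructed sample, the VTx row is reported as Drift and the SecureBoot row as Missing, because the sample export names that setting differently. A Missing row is the cue to add the model's name variant to the settings file.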

SCCM

Create package

Press Create Package.

Put the source files somewhere and start creating the package.

Select Do not create a program

Review the settings and press Next and Finish.

Add the steps to SCCM Task Sequence.

Add one step for each setting.

Select HP and configure WMI query with the following queries in an If Any statement:

SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like "%HP%"
SELECT * FROM Win32_ComputerSystem WHERE Manufacturer like "%Hewlett-Packard%"

For each step, configure an additional step, with no WMI query:

  • Enable TPM
  • Enable Virtualization
  • Configure Video Memory
  • Configure Thunderbolt
  • Enable WLAN Switching
  • Enable SecureBoot

Add a Restart Computer step to the end of the BIOS Configuration steps with no query.

This is what your end result should look like.

You can also use these steps as a Task Sequence which you can deploy to running clients, and not just during operating system deployment.

SUMMARY

Using this method provides additional flexibility compared to the standard solution in the HP BIOS Configuration Utility (BCU).

As always, there are countless methods to accomplish the same thing, but I have found that the solution provided in this blog post is easy to follow.

As always, please leave comments below if you have any feedback or improvements to the solution.

Thanks!
