Update the BIOS password on HP computers. Different BIOS passwords are in use; which one applies to a computer depends on its computer name prefix (location).
Solution:
Create a PowerShell script and deploy it to clients as a SCCM application. Use the written registry key/values for the application's detection method.
PowerShell script:
##################################################
# Version 1.0 TS - 2018/11/07 #
##################################################
# Disclaimer
#
# The script is not supported under any standard support program or service.
# The script is provided AS IS without warranty of any kind.
#
# Description
#
# The script should be run without parameters. BitLocker has to be disabled
# before the BIOS password is updated; it is enabled again after the script has run.
# The .bin files have to be created with the HPQPswd.exe tool (x86 version). The old
# BIOS password is based on the computer name prefix.
# Required: BIOSConfigUtility64.exe and HPQPswd.exe
# Source: https://ftp.hp.com/pub/softpaq/sp88001-88500/sp88497.exe
#
# Examples:
#
# .\UpdateBIOSPassword.ps1
#
#==============================================
# Declare Variables
#==============================================
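# Folder that receives this script's log file.
[string]$LogPath = "$env:WinDir\ccm\logs\app\"
# The log file is named after the script. ChangeExtension swaps only the real
# extension, so a "ps1" elsewhere in the file name is left alone and an
# upper-case ".PS1" is still replaced (String.Replace is case-sensitive).
[string]$LogFile = $LogPath + [System.IO.Path]::ChangeExtension((Split-Path $MyInvocation.MyCommand.Definition -Leaf), "log")
# Registry key written after a successful update; the SCCM application's
# detection method looks for it.
[string]$RegPath = "HKLM:\SOFTWARE\SCCM\InstallationStatus\Application\HPBIOSPWDUpdate1.0"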
#==============================================
# Declare Functions
#==============================================
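Function Write-ToLog([string]$message, [string]$file) {
<#
.SYNOPSIS
Writes one timestamped line to the log file.
.DESCRIPTION
Prefixes the message with the current date and time, echoes it to the verbose
stream and the host, and appends it to the log file. The folder of the log
file is created when it does not exist yet, so an entry written before the
folder exists is not lost.
.PARAMETER message
Text to log.
.PARAMETER file
Log file to append to. Defaults to the script-level $LogFile.
#>
    If (-not $file) { $file = $LogFile }

    # Out-File does not create missing parent folders; callers may log before
    # the log folder exists.
    $logDir = Split-Path -Path $file -Parent
    If ($logDir -and -not (Test-Path -Path $logDir)) {
        New-Item -Path $logDir -ItemType Directory -Force | Out-Null
    }

    $Date = $(Get-Date -UFormat %Y-%m-%d-%H.%M.%S)
    $message = "$Date `t$message"
    Write-Verbose $message
    Write-Host $message
    # ASCII is used on purpose: per the original author the log cannot be read
    # with the trace viewer otherwise.
    Out-File -FilePath $file -Encoding ASCII -InputObject $message -Append
}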
#==============================================
# Main Script
#==============================================
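# Create %WinDir%\ccm\logs\app before the first log entry is written, so the
# start-up entries are not dropped when the folder is missing. -Force also
# creates a missing parent folder.
$LogFolderCreated = $false
if (-not (Test-Path -Path "$env:WinDir\CCM\Logs\app")) {
    New-Item -Path "$env:WinDir\CCM\Logs\app" -ItemType Directory -Force | Out-Null
    $LogFolderCreated = $true
}
Write-ToLog "####### Script has been started ######"
Write-ToLog "Check if CCM\logs\app folder exists"
if ($LogFolderCreated) {
    Write-ToLog "$env:WinDir\CCM\Logs\app folder has been created"
}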
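# Suspend BitLocker on C: if protection is on (the separate task sequence step
# for this was removed, so the script does it itself).
# ProtectionStatus 1 means protection is on; $BLStatus is read again at the end
# of the script to decide whether protection has to be re-enabled.
$BLStatus = (Get-WmiObject -Namespace root\cimv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -Filter "DriveLetter = 'C:'").ProtectionStatus
if ($BLStatus -eq 1) {
    Write-ToLog "Disable BitLocker"
    manage-bde.exe -protectors -disable c:
    # Log the real outcome instead of assuming success.
    if ($LASTEXITCODE -eq 0) {
        Write-ToLog "BitLocker disabled"
    }
    else {
        Write-ToLog "manage-bde could not disable the BitLocker protectors. Exit code:$LASTEXITCODE"
    }
}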
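Write-ToLog "Check computer name"
# Get computer name
[string]$CompName = $env:Computername
Write-ToLog "Computer name detected: $CompName"
Write-ToLog "Get computer name prefix"
# Get computer name prefix. Substring(0,4) throws on names shorter than four
# characters, so short names are used as they are (they then match no prefix).
$CompNamePref = if ($CompName.Length -ge 4) { $CompName.Substring(0, 4) } else { $CompName }
Write-ToLog "Computer's prefix is $CompNamePref"

# Select new BIOS password file
Write-ToLog "Select BIOS password file"
$BiosPwdFile = $null
switch -Wildcard ($CompNamePref) {
    "AAAA" { $BiosPwdFile = "BIOSPWD1.bin"; break }
    "BBBB" { $BiosPwdFile = "BIOSPWD2.bin"; break }
    "CCCC" { $BiosPwdFile = "BIOSPWD3.bin"; break }
    "DDDD" { $BiosPwdFile = "BIOSPWD4.bin"; break }
    "EEEE" { $BiosPwdFile = "BIOSPWD5.bin"; break }
    default {
        Write-ToLog "No BIOS password file is mapped to prefix $CompNamePref"
    }
} # End switch

# Stop here when no file was selected. Otherwise the BIOS utility would be
# started with an empty new-password file name further down.
if (-not $BiosPwdFile) {
    # BitLocker was suspended earlier in the script; restore it before leaving.
    if ($BLStatus -eq 1) {
        Write-ToLog "Enable BitLocker"
        manage-bde.exe -protectors -enable c:
    }
    Write-ToLog "####### Script has been finished #######"
    # Non-zero so the deployment is reported as failed.
    Exit 1
}
Write-ToLog "New BIOS Password File selected: $BiosPwdFile"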
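# Get the old BIOS PWD bin files.
# NOTE(review): the .bin files are password material shipped with the
# application content. Restrict read access to the package source, and check
# whether the files remain in the client cache after the run.
Write-ToLog "Get the old PSW bin files"
# @() forces an array: with a single match Get-ChildItem returns one FileInfo,
# whose .Length is the file size in bytes, not a file count.
# Files are tried from the highest number in the name down to the lowest.
$Bins = @(Get-ChildItem -Filter OLDBIOSPW*.bin |
    Sort-Object -Property { [int]($_.BaseName -replace '\D', '') } -Descending)
$Target = $Bins.Count
Write-ToLog "$Target OLDBIOSPW.bin files found"

# 10 is logged as "Valid password not provided" at the end of the script. It
# stays in place when no attempt can be made, so the script does not exit with 0.
$mainExitCode = 10

# Never start the utility without a usable new-password file.
if (-not $BiosPwdFile -or -not (Test-Path -Path ".\$BiosPwdFile" -PathType Leaf)) {
    Write-ToLog "New BIOS password file is missing. BIOS password update skipped."
    $Bins = @()
}

foreach ($Bin in $Bins) {
    # Use the names that really exist instead of assuming OLDBIOSPW1..N.
    $OldPwdFile = $Bin.Name
    Write-ToLog "Try BIOS update with $OldPwdFile file"
    $ReturnBiosUpdate = Start-Process -FilePath .\BIOSConfigUtility64.exe -ArgumentList "/npwdfile:.\$BiosPwdFile /cpwdfile:.\$OldPwdFile" -PassThru -Wait -WindowStyle Hidden
    $mainExitCode = $ReturnBiosUpdate.ExitCode

    # Exit loop when the right old password file was found and the update executed
    If ($mainExitCode -eq 0 -or $mainExitCode -eq 3010) {
        Write-ToLog "OLD PSW bin file detected: $OldPwdFile"
        Write-ToLog "BIOS Password Update successful. Exit code:$mainExitCode"

        # Add the registry values used for SCCM application detection method
        Write-ToLog "Add the registry values used for SCCM application detection method"
        New-Item -Path $RegPath -Force | Out-Null
        Write-ToLog "Registry Key has been added"
        New-ItemProperty -Path $RegPath -Name "AppName" -Type String -Value "BIOS Password Update" -Force | Out-Null
        New-ItemProperty -Path $RegPath -Name "InstallDate" -Type String -Value "$(Get-Date)" -Force | Out-Null
        New-ItemProperty -Path $RegPath -Name "Revision" -Type String -Value "0001" -Force | Out-Null
        New-ItemProperty -Path $RegPath -Name "Vendor" -Type String -Value "HP" -Force | Out-Null
        New-ItemProperty -Path $RegPath -Name "Version" -Type String -Value "1.0" -Force | Out-Null
        break
    }
    else {
        Write-ToLog "BIOS Password Update unsuccessful. Exit code:$mainExitCode"
    }
}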
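# Copy the HP log files into the same folder as this script's own log.
# $LogPath is built from %WinDir%, so this also works when Windows is not
# installed in C:\Windows.
# NOTE(review): confirm what the HP utility writes to its log before copying
# it to a folder that other accounts may be able to read.
Write-ToLog "Copy the HP log files"
Copy-Item -Path .\*.log -Destination $LogPath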
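# Enable BitLocker again, but only if this script found it switched on at the start.
if ($BLStatus -eq 1) {
    Write-ToLog "Enable BitLocker"
    manage-bde.exe -protectors -enable c:
    # A failure here leaves the volume without active protection, so record the
    # real outcome instead of always logging success.
    if ($LASTEXITCODE -eq 0) {
        Write-ToLog "BitLocker enabled"
    }
    else {
        Write-ToLog "manage-bde could not enable the BitLocker protectors. Exit code:$LASTEXITCODE"
    }
}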
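# $mainExitCode is only set when the BIOS utility was started. Without this
# guard "Exit $null" would end the script with exit code 0.
if ($null -eq $mainExitCode) {
    Write-ToLog "No BIOS password update was attempted."
    $mainExitCode = 10
}

# Translate the exit code of the last BIOS utility run into a log entry.
switch ($mainExitCode) {
    0 {
        Write-ToLog "Exit code: $mainExitCode - Success."
    }
    3010 {
        # The update loop treats 3010 as a successful update, so it must not be
        # reported as an unknown error here.
        Write-ToLog "Exit code: $mainExitCode - Success, restart required."
    }
    10 {
        Write-ToLog "Exit code: $mainExitCode - Valid password not provided."
    }
    15 {
        Write-ToLog "Exit code: $mainExitCode - Command line syntax error."
    }
    default {
        Write-ToLog "Exit code: $mainExitCode - Unknown Error."
    }
}
Write-ToLog "####### Script has been finished #######"
# Hand the exit code back to the caller (SCCM).
Exit $mainExitCode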