Jaa


Changing HP BIOS/UEFI settings with HP's Bios Configuration Utility

HP offers a BIOS Utility for automated configuration of BIOS/UEFI settings which can be downloaded at https://ftp.hp.com/pub/caps-softpaq/cmit/HP_BCU.html

This utility is easy to use to configure BIOS/UEFI settings appropriately from either the full operating system or WinPE. The download from HP contains two executables in both 32 and 64-bit versions named BIOSConfigUtility and HPQPswd. A user guide is also included which has the full documentation. The BIOSConfigUtility utility sets BIOS/UEFI values, can read existing BIOS/UEFI settings, in addition to other functions listed in the documentation. The HPQPswd GUI utility can create a password file for use accessing BIOS/UEFI's with a password.

This blog article is an attempt to get you up and running in the shortest amount of time and provide lessons learned that may not be in the documentation.

An easy way to get started with these utilities is to read the existing settings and values from a physical HP model via a simple script. One way to do this is to create a short batch script like below and run it with local administrative rights. The following script can be used if an existing BIOS/UEFI password is not set:

rem Sets source directory for use throughout the script
pushd "%~dp0"
rem Read the settings and values from the HP physical system. Note the 64-bit version is used on an OS that is 64-bit
BiosConfigUtility64.exe /get:<resultFile.txt>

If a BIOS/UEFI password is set you first need to use the HPQPswd GUI utility to create a .bin file with the encrypted password and then reference the created .bin file with an additional parameter in the batch script as shown below:

rem Sets source directory for use throughout the script
pushd "%~dp0"
rem Read the settings and values from the HP physical system. Note the 64-bit version is used on an OS that is 64-bit
BiosConfigUtility64.exe /get:<resultFile.txt> /cpwdfile:<.binFile>

Looking at the resulting .txt file that should have been created in the directory where the utilities were run from you should see something like the following:

BIOSConfig 1.0
;
;     Originally created by BIOS Configuration Utility
;     Version: 4.0.13.1
;     Date="2017/06/16" Time="14:44:57" UTC="-4"
;
;     Found 160 settings ;

 

The values in this file marked with an * are the ones that are currently set.

To create a script that will set specific values you can edit the output file created in the last step leaving only the specific values you would like to set. An example of an editing output file is shown below which sets one value:

BIOSConfig 1.0

Data Execution Prevention
Disable
*Enable

To run a batch script that sets this one value the following script could be used that uses the /set command

rem Sets source directory for use throughout the script
pushd "%~dp0"
rem Set a value on a HP physical system. Note the 64-bit version is used on an OS that is 64-bit
BiosConfigUtility64.exe /set:<InputFile.txt> /verbose

That concludes the basics.

I’ve learned the following implementing this in practice which may useful to consider:

  • Different HP models have different setting names. However, to make a script that can be run on multiple models the different setting names and their associated values can be combined into a single input file. When the script runs it sets the values for the settings that match and ignores the ones that don’t.
  • Older models like the HP 6005 require a password to enable the TPM. If a password isn’t already set it’s easy to set a password, enable the TPM, and then remove the password.
  • Older models like the HP 6005 allow the utility to change the password, but this password is not useable to access the BIOS physically. This situation is related to Unicode.
  • Some models like the 800 G2 require that the HP Bios Config Utility is run twice with a reboot after each to enable the TPM. To avoid additional reboots in a task sequence scenario, the utility can be run in WinPE to leverage the automatic reboot after the WinPE phase is completed.
  • Use of the password .bin file has historically had issues on some models like the HP 705 G2

An additional note is that in my experience the HP BIOS/UEFI default configurations are flexible regarding using either MBR or UEFI partitioning. This gives flexibility in the timing of running the HP Config Utility when provisioning systems.

For reference below is the batch script I’ve used to work around some of the items I discussed above:

rem Sets source directory for use throughout the script
pushd "%~dp0"
rem Set a predefined password on the BIOS/UEFI
BiosConfigUtility64.exe /npwdfile:password.bin r
rem Set the values from the input file that match the settings on that particular model
BiosConfigUtility64.exe /set:<InputFile.txt> /verbose /cpwdfile:password.bin
rem Optionally remove the BIOS/UEFI password if it is not desired
BiosConfigUtility64.exe /nspwdfile:"" /cpwdfile:password.bin

 

I hope this information has been helpful and gets you up and running quickly.

 

No warranty is implied with usage of the information in this article.

Comments

  • Anonymous
    June 18, 2017
    We are currently kicking off our Windows 10 Rollout while also changing machines over to UEFI using SCCM.With our old BIOS setup we could generate a unique password per machine and pass that into the biosconfigutil as a string.That way if one password was discovered the fleet would not be compromised.How is using a .bin file to encrypt the password more secure? from what I have seen most people are using the same bin across the fleet.Pete.
  • Anonymous
    November 20, 2017
    Hi Jim, thanks for the article. We're an HP shop and I'm currently considering how I can use this utility in two ways: 1) for already deployed computers, enable WOL and 2) during SCCM OS deployment, use this to set UEFI mode, password, drive in asset tags, enable WOL.I haven't look through the HP documentation yet, but I assume there are returned error codes to tell me if each setting failed or succeeded?