Configure and use Lenovo BIOS supervisor password during OSD using PowerShell and Configuration Manager

Introduction

Following up on my previous post, continuing on the Lenovo BIOS password topic. This time I'm illustrating how you can initially set the supervisor password during deployment of the operating system.

Last time I mentioned that this cannot be done remotely for security reasons. However, there is an option to allow it during OSD (Operating System Deployment), called System Deployment Boot Mode. If you take advantage of this, you are allowed to set the supervisor password programmatically in WinPE.

I’m using PowerShell to do so, and this post will walk you through the necessities.

PowerShell

IMPORTANT: It goes without saying, but test this before using in production. Use at your own risk. The script was made for internal needs and use, as well as for practice and learning. If forgetting the supervisor password, or unintentionally setting it to something unknown, replacing the motherboard is the only official and supported approach to resetting the password.

A few years ago, I made a script called Lenovo BIOS Configurator.

I still use this script today, even though I would probably have tailored it differently now. Regardless, this is also the script I added changes to, in order to be able to set the supervisor password initially and programmatically during OSD.

Find the script on my GitHub page here: Lenovo-BIOS-Configurator/Config-LenovoBIOS.ps1 at main · imabdk/Lenovo-BIOS-Configurator (github.com)

In order to set the supervisor password via the script, simply use the -SetSupervisorPass parameter:

  • -SetSupervisorPass <InsertYourSupervisorPassword>

NOTE: Currently the script only supports setting the supervisor password initially, and does not support changing it or removing it again. Perhaps I'll add that at some point later. 🙂

Configuration Manager

This is my exact configuration for using the Config-LenovoBIOS.ps1 script in one of my task sequences. For your convenience, I'm making an exported copy available for download at the end of the post.

  • NOTE: All of this is supposed to run within WinPE.

Set SMSTSBIOSPasswordStatus

I grab the current password status of the device and write it to the task sequence variable SMSTSBIOSPasswordStatus. I do this in order to use the value of this variable conditionally later in the process.

Set SMSTSBIOSPassword

I also store the actual supervisor password in a variable: 1) to be able to hide it from the smsts.log, and 2) for easier use throughout the task sequence.

  • NOTE: You can hide the value if this is a security concern to you. Do note that Config-LenovoBIOS.ps1 does its own logging into systemroot\Config-LenovoBIOS.log, where the value will also be visible. This was mainly done for troubleshooting purposes; if concerned, you can edit the script to not do this.

System Deployment Boot Mode

As mentioned in the introduction, setting the supervisor password initially from PowerShell or similar is only possible when leveraging what's called System Deployment Boot Mode (SDBM).

SDBM is only available on the Whiskey Lake generation of ThinkPads, and for lack of a better way of detecting this mode, I simply added a condition to the step, only allowing this specific generation.

Set Supervisor Password

This step configures the actual supervisor password, to the value defined in the SMSTSBIOSPassword variable.

  • This step uses the entire Config-LenovoBIOS.ps1. Make sure to paste it into the script area and set the execution policy to Bypass.

Also note that this step only runs if no supervisor password is configured already. This is again done by querying the SMSTSBIOSPasswordStatus variable.
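The two steps above (reading the password state into SMSTSBIOSPasswordStatus, then setting the supervisor password only when none exists) as one added PowerShell example; this is an illustration written for this post, not the post's own Config-LenovoBIOS.ps1. It assumes Lenovo's documented WMI classes Lenovo_BiosPasswordSettings and Lenovo_SetBiosPassword with the "pap,<old>,<new>,ascii,us" parameter format, and reuses the Lenovo_SystemDeploymentBootMode query from the comment at the end of the post.

```powershell
# Added example (not code from Config-LenovoBIOS.ps1): publish the BIOS password state as
# SMSTSBIOSPasswordStatus, then set the supervisor password only when none is set and the
# machine was booted in System Deployment Boot Mode. Intended to run in WinPE.
# Assumed: Lenovo's documented WMI classes Lenovo_BiosPasswordSettings and
# Lenovo_SetBiosPassword, and its "pap,<old>,<new>,ascii,us" parameter format.
param(
    [Parameter(Mandatory)][string]$SupervisorPassword
)

function Get-SupervisorPasswordStatus {
    # PasswordState is a bitmask: bit 0 = power-on, bit 1 = supervisor, bit 2 = hard disk.
    $state = (Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosPasswordSettings).PasswordState
    if ($state -band 2) { return 2 } else { return 0 }   # same values the post's task sequence uses
}

function Test-SystemDeploymentBootMode {
    # Same query as in the comment below the post; "Enable" means SDBM is active.
    $mode = (Get-WmiObject -Namespace root\wmi -Class Lenovo_SystemDeploymentBootMode).CurrentSetting
    return ($mode -eq 'Enable')
}

function Set-TSVariable([string]$Name, [string]$Value) {
    # The COM object only exists inside a running task sequence; warn instead of failing elsewhere.
    try {
        $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
        $tsEnv.Value($Name) = $Value
    } catch { Write-Warning "Not inside a task sequence; $Name was not set" }
}

$status = Get-SupervisorPasswordStatus
Set-TSVariable -Name 'SMSTSBIOSPasswordStatus' -Value $status
if ($status -eq 2) { Write-Output 'Supervisor password already set; nothing to do.'; return }
if (-not (Test-SystemDeploymentBootMode)) {
    Write-Output 'Not in System Deployment Boot Mode; the BIOS would answer Access Denied.'
    return
}
if ($SupervisorPassword -match ',') {
    throw 'The password cannot contain a comma: the WMI parameter string is comma-separated.'
}
# Initial set: the "old password" field stays empty because no supervisor password exists yet.
$setPw = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosPassword
$result = $setPw.SetBiosPassword("pap,,$SupervisorPassword,ascii,us").Return
if ($result -eq 'Success') {
    Set-TSVariable -Name 'SMSTSBIOSPasswordStatus' -Value 2
    Write-Output 'Supervisor password set.'   # log the outcome, never the password itself
} else {
    Write-Output "SetBiosPassword returned: $result"
}
```

Unlike the post's script, this example deliberately never writes the password value to any log, so the smsts.log concern described above does not arise.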

If configuring the supervisor password is successful, you will see entries in the smsts.log similar to the screenshot below:

  • Config-LenovoBIOS.ps1 outputs its actions both to its own logfile and to the smsts.log. If this is a security concern to you, please edit that out directly in the Config-LenovoBIOS.ps1 script.
    • I'm considering adding some logic which can obfuscate this automatically, but for now you will need to do something yourself. 🙂

And if configuring the supervisor password is NOT successful, you will see entries in the smsts.log similar to the screenshot below:

  • In this particular scenario, I intentionally did not do this from System Deployment Boot Mode, and as you can see, this is not allowed: Access Denied.

What Config-LenovoBIOS.ps1 also does in this step is update the SMSTSBIOSPasswordStatus variable accordingly:

# $Invocation holds the return value of the Lenovo WMI call; "Success" means the password was set.
if ($Invocation -eq "Success") {
    Write-Log -Message "Supervisor password successfully configured to: $SetSupervisorPass"
    if ($IsTaskSequence -eq $true) {
        # 2 = supervisor password present; later task sequence steps condition on this value
        $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $tsEnv.Value('SMSTSBIOSPasswordStatus') = 2
    }
}
elseif ($Invocation -ne "Success") {
    # Typically "Access Denied" when not booted in System Deployment Boot Mode
    Write-Log -Message "Supervisor password is NOT configured. Output from WMI is: $Invocation"
    Write-Log -Message "This can only be done programmatically while in System Deployment Mode"
    if ($IsTaskSequence -eq $true) {
        # 0 = no supervisor password
        $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $tsEnv.Value('SMSTSBIOSPasswordStatus') = 0
    }
}

Config BIOS (SMSTSBIOSPasswordStatus 0)

This step illustrates configuring the BIOS when a supervisor password is NOT set.

Config BIOS (SMSTSBIOSPasswordStatus 2)

Of more interest, this is the step that configures the BIOS when a supervisor password is set, using the parameter -SupervisorPass.

This step also queries SMSTSBIOSPasswordStatus, making sure the step only runs if a supervisor password is present.

System Deployment Boot Mode

This is activated before a regular PXE boot. To activate System Deployment Boot Mode, do the following:

  • (Re)boot the computer
  • Press F12 to access the boot menu
  • Once in the boot menu, press ‘DEL’.
    • System Deployment Boot Mode will appear in the upper right corner of the screen
      • Continue PXE booting per usual

Download

As promised, download an exported task sequence containing all the relevant steps here: Config-LenovoBIOS-TS.zip

ENJOY 🙂

3 thoughts on “Configure and use Lenovo BIOS supervisor password during OSD using PowerShell and Configuration Manager”

  1. You can use this WMI query to check whether you are in System Deployment Boot Mode:

    (Get-WmiObject -Class Lenovo_SystemDeploymentBootMode -Namespace root\wmi).CurrentSetting

    Enable = In System Deployment Boot Mode
    Disable = Not in System Deployment Boot Mode
