  • Message 1 of 4

Hiding/encrypting the BIOS/UEFI password in update scripts

2021-06-23, 5:01 AM

I'm about to take on the task of adding BIOS updating to our SCCM imaging process. Of course, we have ThinkCentre, ThinkStation, and ThinkPads, so that means we're using all the various methods of updating according to this (please let me know if I'm wrong...fewer methods would obviously be welcome).

 

In trying to make this thing bulletproof, I'm concerned about machines out there that already have a BIOS password set. According to the document, for the ThinkCentre machines (M73p Tinys), we'd have to specify

Flash.cmd /quiet /pass:Qwerty

 

The part that has me concerned is the last part; including the password in plain text in the command line.  With HP, for example, I can specify an encrypted password file in the command line to use for the password input.  With this, I can see that command ending up in SMSTS logs on the client afterwards, or potentially being visible via other means.

 

Is there a way to specify the existing BIOS/UEFI password on the target machine (when the password is required for flashing) as an encrypted file in the command?  Or is it always plain text?

 

If it's always plain text, I may instruct our techs to simply wipe the BIOS password on machines, set the machines to default BIOS settings, and then start the imaging process to update the BIOS, apply BIOS settings (which can contain the password using /kpap in the Capture/Playback utility, as far as I understand), and then have the password set that way along with the rest of the BIOS settings, and then continue the Windows installation.

 

Thoughts?

 

EDIT:

 

@link470 wrote:

I may instruct our techs to simply wipe the BIOS password on machines, set the machines to default BIOS settings, and then start the imaging process to update the BIOS, apply BIOS settings (which can contain the password using /kpap in the Capture/Playback utility, as far as I understand), and then have the password set that way along with the rest of the BIOS settings

 

From: https://download.lenovo.com/cdrt/wp/bios.html

Lenovo does not support the ability to set the initial password by script to limit the security exposure of locking both administrators and users out of a computer.


Oh...k, scrap that idea...

 

EDIT 2:

 

After a bit more reading, I'm worried this is the path I'm supposed to take:

[1] Reset the BIOS password to a throwaway temporary value that we'll use before imaging systems

[2] PXE boot and start the Task Sequence.

[3] BIOS update runs first, which will reboot into 32-Bit WinPE (shoutouts to the ThinkCentre line... is there a 64-Bit way to update ThinkCentre BIOSes yet that I don't know about? I've seen mention of a Flash64.cmd around, but don't know if it would help me here with an M93p...) and then execute the command I specified above to run flash.cmd and specify the plain text throwaway password, allowing the BIOS update to run.

[4] After the system reboots (because I don't think we can suppress rebooting with ThinkCentre...can we?), reboot again in 64-Bit WinPE

[5] Once rebooted, run the BIOS capture/playback utility (if I can even run that in WinPE), or HTA scripts (if this is the better or only supported option...), specify the throwaway password, and have the script set the new password along with the rest of the BIOS/UEFI settings.

 

Ok...assuming all of that is correct, that leads me to even more questions.  From the documentation, it appears that the current BIOS password is specified and encrypted in the HTA tool, but what about the target BIOS password, assuming that's how I set that?  Is that also encrypted? 

 

The reason I say "worried this is the path I'm supposed to take" is because this still means that a tech, before imaging, needs to specify the throwaway/temporary password that the script is using for BIOS updating before every time a tech re-images a machine (if a BIOS update exists), which is further from zero-touch than I'd like, but doable if that's the case.

Reply
Message 2 of 4
Re:Hiding/encrypting the BIOS/UEFI password in update scripts

2021-06-23, 12:32 PM

Are you aware of the OSDDoNotLogCommand Task Sequence variable?  This will mask sensitive data in Run Command Line steps.

 

Task sequence variable reference - Configuration Manager | Microsoft Docs

 

Otherwise, the Think BIOS Config Tool will accomplish this.

Reply
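A Run Command Line wrapper for the OSDDoNotLogCommand approach above, as an added example (not code from this thread, nor from Lenovo or Microsoft): it reads the password from a hidden task-sequence variable named BIOSPwd (an assumed name) instead of putting it on the step's command line, sets OSDDoNotLogCommand, runs the Flash.cmd syntax from the first post, and then scans smsts.log for any unmasked /pass: argument.

```powershell
# Added example, not from the thread or from Lenovo/Microsoft tooling.
# Assumes the supervisor password is delivered in a hidden task-sequence
# variable named BIOSPwd (name chosen here; mark it "do not display" in
# ConfigMgr) and that Flash.cmd sits next to this script in the package.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Mask Run Command Line steps in smsts.log from this point on. This only
# affects what the task-sequence engine writes to its own log; the password
# is still a process argument while Flash.cmd runs, so anything that records
# command lines on the client (Sysmon Event ID 1, Win32_Process) can see it.
$tsenv.Value('OSDDoNotLogCommand') = 'true'

$biosPwd = $tsenv.Value('BIOSPwd')
if ([string]::IsNullOrEmpty($biosPwd)) {
    throw 'BIOSPwd is not set; refusing to flash with an empty password.'
}

# Run the vendor script through cmd.exe using the switches from the thread
# (Flash.cmd /quiet /pass:<password>). $PWD is a PowerShell automatic
# variable, hence the distinct name for the secret.
$flash = Join-Path $PSScriptRoot 'Flash.cmd'
$proc = Start-Process -FilePath 'cmd.exe' `
    -ArgumentList "/c `"$flash`" /quiet /pass:$biosPwd" `
    -Wait -PassThru -NoNewWindow

# Clear the secret from the TS environment as soon as the flash has run, so
# later steps (and a TS environment dump on failure) cannot read it back.
$tsenv.Value('BIOSPwd') = ''
Remove-Variable biosPwd

# Defender-side check: look for a /pass: argument that an earlier, unmasked
# Run Command Line step may already have written into the engine log.
$log = Join-Path $tsenv.Value('_SMSTSLogPath') 'smsts.log'
if ((Test-Path $log) -and
    (Select-String -Path $log -Pattern '/pass:' -SimpleMatch -Quiet)) {
    Write-Warning "$log contains a /pass: argument; set OSDDoNotLogCommand before that step."
}

exit $proc.ExitCode
```

Because the wrapper's own step command line is just the PowerShell invocation, the password never appears in a Run Command Line step at all; OSDDoNotLogCommand is set here as belt-and-braces for any later step that still passes it directly.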

  • Message 3 of 4

Re:Hiding/encrypting the BIOS/UEFI password in update scripts

2021-06-23, 15:44 PM

Thanks, I'll look into this.

 

So a couple more questions then about the M93p process for this specifically:

 

[1] I see documentation saying that I can only flash ThinkCentre BIOS/UEFI by rebooting into WinPE 32-Bit. Is this correct? Or is there a Flash64.cmd that I've seen mentioned that's available somewhere to do this in WinPE 64-Bit? The download for the latest M93p BIOS doesn't seem to contain Flash64.cmd, but I've seen this mentioned other places...

 

[2] With modern ThinkPad models, I see we can suppress reboots (as the recommended best practice is to let the Task Sequence control the reboots). However, with ThinkCentre, I'm seeing a lot of varying information. I see mention of WFlash2.exe with support for /sccm, but the one included in the latest M93p BIOS OS upgrade package (fbjydeusa.exe) doesn't appear to support the /sccm option.

 

So, can we suppress reboots while flashing the M93p BIOS during a Task Sequence? If not with the included tools for this model, can I simply obtain a working wflash2.exe that has the /sccm switch from a newer ThinkCentre and use that as a swap-in replacement here?

Reply
  • Message 4 of 4

Re:Hiding/encrypting the BIOS/UEFI password in update scripts

2021-06-23, 16:28 PM

The /sccm switch was introduced in the M91x series, I believe. Since this switch isn't available, you can't suppress the reboot. Really, your only option with this model is to update the BIOS at the end of your Task Sequence (Full OS). The wflash2.exe is a 32-bit executable and won't work in 64-bit WinPE.

 

Or, create a legacy Package in ConfigMgr and deploy separately.

Reply