07-08-2016 04:59 AM - last edited on 07-08-2016 07:30 AM by BiggAl
i want to set BIOS admin password in deployment from SCCM2012.
I find some clue I don't set password from windows when it is clear (from factory).
We have 5000PC M700/900 don't tell me we need manualy set password on all PC ...
thnx for help
Mod: edited title to add system type
Solved! Go to Solution.
07-08-2016 05:02 PM
This question comes up fom time to time.
There are threads that discuss the issue, but IIRC an *initial* BIOS Supervisor password cannot be set by script. It requires physical presence for security purposes. Once a password is set, only then it can be changed by script.
If I've misspoken, or this has recently changed, I hope that more info will be provided by the folks who post in this forum regularly.
07-09-2016 09:55 AM
As sarbin mentioned it is not possible to set a Supervisor password on a system where one does not exist using scripts under Windows. Our supervisor password is not a trivial password which can easily be circumvented so you would not want it to be easily set without your knowing it. This is why we require the additional precaution of physical presence to the machine to set it.
Understanding that it would be a difficult task to manually enter a strong supervisor password on 5k machines, we do provide another way of doing it in a more automated fashion. From the download page for your system's BIOS you can find some BIOS settings tools:
The Windows BIOS setting tool is a self-extracting executable that includes a utility called "srdos.exe". As its name implies it is a DOS executable. As such it requires the system to be booted to an external device such as a USB key which has been configured to be DOS bootable. This satisfies the physical presence requirement. You can use a tool such as Rufus (google it) to create such a key.
Note: The Windows version of this tool (srwin.exe) does not support setting a supervisor password.
You can run srdos.exe from a batch file on that key with a command line that sets a supervisor password. This will circumvent the need to type in the password manually so you can have better success with strong passwords. Since we cannot support blasting out a supervisor password to remote machines at this time, this is probably the best alternative.
08-08-2016 06:12 AM
Lenovo has BIOS services, where they can configure an inital BIOS password. My issue is, the password must be set in order to turn on DeviceGuard in Windows 10.