
  • Posts: 4
  • Registered: ‎09-07-2018
  • Location: Finland
  • Views: 79
  • Message 1 of 5

Proper & Secure BIOS management when using Supervisor password

2018-09-07, 7:28 AM

Hello!

 

I'm having some difficulties setting our ThinkPad BIOS settings in a secure way because of the Supervisor password.

 

We have recently started using Lenovo devices in our company, so all this is still quite new to me. We have 3 different ThinkPad models in each generation (one from T-series, one from X-series and one from P-series) and we install and manage these using Microsoft System Center Configuration Manager (1806). The installation of these is done by a vendor that utilises our SCCM infrastructure. However, the re-installations are done by our internal Helpdesk.

 

Now since Lenovo requires that the Supervisor password is manually typed, we have agreed with the vendor that they will use a specific password which we will then change using the SCCM Operating System Deployment. This is where our Security processes kick in, making things difficult. We have a very strict policy when it comes to clear text passwords. This means that the passwords used in the installations cannot be visible without encryption in any input or output (e.g. log files), including script files. The only exception we have allowed is that if the password is changed during the installation, the old/temporary password can be shown, but the new one cannot be.

 

I feel like I've tried all the solutions I've found from the forums and by searching the web, but all of them have weaknesses that make the installation either insecure or unmanaged. For instance, the Think BIOS Configurator is a great tool that allows you to easily change the settings using a file and it even supports the password encryption. However, I have not found a way to ensure that the tool does what it is supposed to as the Exit Code for the command is always 0, even if it fails to change the settings.

 

An alternative method we used with our old HP computers was that we used the PowerShell SecureString option to encrypt the password, but it seems that the ThinkPad devices refuse to understand this. Also using the Scancode encoding fails because the password utilises capital letters and the ThinkPad, once again, doesn't understand those.

 

The most recent attempt was to use the new "Mask sensitive data stored in task sequence variables" feature that was added to the SCCM 1806 version, but while this hides the password in the console, it does not hide it in the logs. So once again, no luck there.

 

So far, the only viable option that I have found is the "ThinkPad Setup Settings Capture/Playback Utility for Windows", but the biggest problem with this is the fact that it's tied to the specific BIOS version, which causes a very large workload, especially when new ThinkPad models are released, as you need to maintain the BIOS versions during the installation and create new packages for each update and captured settings.

 

Any thoughts/ideas on how to achieve my goal? Either by making the Think BIOS Configurator compatible with error codes or by some other ways of changing the settings in a secure way?

 

PS. Unfortunately lightening the security process is not an option.


  • Posts: 199
  • Registered: ‎06-02-2015
  • Location: United States of America
  • Views: 9758
  • Message 2 of 5

Re: Proper & Secure BIOS management when using Supervisor password

2018-09-07, 14:10 PM

Hi ile371,

 

Could you provide me a little more info about where you are having issues? Is it with applying settings using the Think Bios Config tool, changing the password or both?

 

Unfortunately there is no direct way of returning an error code from an hta but it can be looked into more. 

 

Thanks!


  • Posts: 4
  • Registered: ‎09-07-2018
  • Location: Finland
  • Views: 79
  • Message 3 of 5

Re: Proper & Secure BIOS management when using Supervisor password

2018-09-10, 5:18 AM

Both. The steps in the task sequence would be

  1. Change the temporary Supervisor Password to a proper password
  2. Restart
  3. Apply the ThinkPad BIOS Settings
  4. Restart

 

If the temporary password is set to something else than what is documented, step 1 will still be processed as Success since the exit code is 0. This also means that step 3 should fail, since the password used in that step doesn't work, but once again the exit code for the tool is 0, aka Success.

 

I wanted to include my own script that would try a simple BIOS settings change (like Enable WakeOnLan) to see if the password was indeed changed, but wasn't able to since the BIOS password would be visible in either a package (PowerShell script) or in the log file.


  • Posts: 199
  • Registered: ‎06-02-2015
  • Location: United States of America
  • Views: 9758
  • Message 4 of 5

Re: Proper & Secure BIOS management when using Supervisor password

2018-09-10, 19:07 PM

Could you download the latest version of the HTA? It should be v1.25. This will provide error codes on configuring settings (errorlevel 1 if any failed) and changing the password (errorlevel 2 if that fails).

 

Let me know if that helps you out.


  • Posts: 4
  • Registered: ‎09-07-2018
  • Location: Finland
  • Views: 79
  • Message 5 of 5

Re: Proper & Secure BIOS management when using Supervisor password

2018-10-03, 6:11 AM

I didn't read the code properly, but once I started testing the 1.25 version in WinPE, I was able to get the proper error codes and create the scenarios around that. Thank you for pointing that out.

Reply
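A wrapper of the kind the last post describes building around the v1.25 exit codes, as an added example that is not part of the thread or of Lenovo's tooling: it runs the HTA under mshta.exe, treats errorlevel 1 and 2 as a failed step, and logs only the step name and exit code. The function name, log path and the HTA argument strings are assumptions; the thread does not show the tool's command line.

```powershell
# Added example, not Lenovo's code. Assumption: the HTA path and its argument
# strings are supplied by the caller (the thread does not show them).
function Invoke-ThinkBiosConfigStep {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $HtaPath,
        [Parameter(Mandatory)] [string[]] $HtaArguments,  # never written to the log
        [Parameter(Mandatory)] [string]   $StepName,
        [string] $LogPath = "$env:TEMP\BiosConfigStep.log" # hypothetical log location
    )

    # Exit codes as described for HTA v1.25 in the thread.
    $meaning = @{
        0 = 'no failure reported'
        1 = 'one or more settings failed to apply'
        2 = 'supervisor password change failed'
    }

    if (-not (Test-Path -LiteralPath $HtaPath)) {
        throw "HTA not found: $HtaPath"
    }

    # HTAs are hosted by mshta.exe; -Wait with -PassThru exposes the exit code.
    $argList = @("`"$HtaPath`"") + $HtaArguments
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\mshta.exe" `
                          -ArgumentList $argList -Wait -PassThru
    $code = $proc.ExitCode

    $text = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { 'unexpected exit code' }

    # Log the step name, the code and its meaning only; arguments stay out of the log.
    Add-Content -LiteralPath $LogPath -Value "$(Get-Date -Format s) [$StepName] exit=$code ($text)"
    return $code
}

# Usage inside a task sequence script ($hta and $htaArgs are placeholders):
# $rc = Invoke-ThinkBiosConfigStep -HtaPath $hta -HtaArguments $htaArgs -StepName 'Change supervisor password'
# exit $rc   # a non-zero code fails the step instead of reporting success
```

Running one wrapper call per task sequence step (password change, then settings) lets a wrong temporary password stop the sequence at step 1 rather than surfacing later.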