If you are familiar with HP's BIOSConfigUtility, you can skip the remainder of the article and grab the PowerShell script from my GitHub repository along with several sample config files. The script was designed based on my interactions with enterprise customers and has been instrumental in successfully transitioning to, and thriving within, a secure Windows 10 environment. Everybody else, buckle in...
The HP BIOSConfigUtility software is a terrific tool for achieving configuration parity with Windows 10 requirements on HP's enterprise client systems. The product consists of a command line interface (BiosConfigUtility.exe) that configures the various BIOS features and a Password Encryption Utility (HPQPswd.exe) that encrypts the BIOS password and stores it in a file.
Download and extract the latest version from HP's support website.
First things first, it’s essential to create the password file needed to specify a new or current password using the HP Password Encryption Utility (HPQPswd.exe). If you are trying to protect managed assets, do not pass go until you have set the BIOS setup password. Additionally, you will not be able to modify a subset of firmware settings until you've secured BIOS access. Run the executable without parameters, enter your password, specify the file path and name, and hit "OK."
Next, capture host machine configuration data by running:
BiosConfigUtility64.exe /Get:"C:\temp\%ModelName%.REPSET"
Edit the %ModelName%.REPSET file and remove properties that are read-only (such properties will be ignored with a warning if specified anyway). You should also delete settings that you do not want to change. Below is a sample configuration file I captured from an HP Z440 workstation:
BIOSConfig 1.0
;
;     Originally created by BIOS Configuration Utility
;     Version: 4.0.13.1
;     Date="2016/09/14" Time="14:04:19" UTC="0"
;
;     Found 181 settings
Configure Legacy Support and Secure Boot
    Enable Legacy Support and Disable Secure Boot
    *Disable Legacy Support and Enable Secure Boot
    Disable Legacy Support and Disable Secure Boot
TPM Device
    Hidden
    *Available
TPM State
    Disable
    *Enable
Legacy Boot Options
    *Disable
    Enable
UEFI Boot Options
    Disable
    *Enable
SATA Controller Mode
    IDE
    *AHCI
    RAID
Virtualization Technology (VT-x)
    Disable
    *Enable
Intel VT for Directed I/O (VT-d)
    Disable
    *Enable
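Trimming a captured REPSET by hand is tedious and error-prone, so here is an added example (not part of the original post or of HP's tooling) that does it in PowerShell. It assumes the layout visible in the sample above: comment lines start with ";", a setting name sits at column 0, and the possible values are indented below it with "*" marking the current one. Select-RepsetSetting keeps the header block and only the settings you name; Get-RepsetCurrentValue lists the current values so two models' captures can be compared, which is also a quick way to spot the setting-string drift between models discussed below. Function and parameter names are my own.

```powershell
# Added example: work with HP BCU REPSET captures. Format assumptions (from the sample above):
#   ';' or 'BIOSConfig' at column 0 -> header/comment line
#   non-blank text at column 0     -> setting name
#   indented line                  -> possible value, '*' prefix = current value

function Select-RepsetSetting {
    # Write a copy of $Path to $Destination that keeps the header and only the settings in $Keep.
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $Destination,
        [Parameter(Mandatory)] [string[]] $Keep
    )
    $out     = New-Object System.Collections.Generic.List[string]
    $keeping = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^(BIOSConfig|;)') { $out.Add($line); continue }   # header / comments
        if ($line -match '^\S') {                                           # setting name
            $keeping = $Keep -contains $line.Trim()                         # case-insensitive match
            if ($keeping) { $out.Add($line) }
            continue
        }
        if ($keeping) { $out.Add($line) }                                   # value lines of a kept setting
    }
    Set-Content -LiteralPath $Destination -Value $out
    return $out.Count
}

function Get-RepsetCurrentValue {
    # Return a hashtable of setting name -> current ('*') value for a REPSET file.
    param([Parameter(Mandatory)] [string] $Path)
    $current = @{}
    $name    = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^(BIOSConfig|;)') { continue }
        if ($line -match '^\S') { $name = $line.Trim(); continue }
        if ($name -and $line -match '^\s+\*(.+)$') { $current[$name] = $Matches[1].Trim() }
    }
    return $current
}

# Usage (file names are examples):
# Select-RepsetSetting -Path .\HPZ440Workstation.REPSET -Destination .\HPZ440Workstation.trimmed.REPSET `
#     -Keep 'Configure Legacy Support and Secure Boot','TPM Device','TPM State','Virtualization Technology (VT-x)'
#
# Compare the setting names two models expose, to catch renamed settings or values:
# $a = Get-RepsetCurrentValue .\HPEliteBook840G3.REPSET
# $b = Get-RepsetCurrentValue .\HPZ440Workstation.REPSET
# Compare-Object @($a.Keys) @($b.Keys)
```

Because the match on setting names is exact (apart from case), a setting HP has renamed on a newer model simply drops out of the trimmed file; running Compare-Object over the keys of two captures makes those renames visible before a deployment fails on them.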
Note that HP frequently changes setting strings between models, unlike Dell, which has been very consistent so far. For example, the possible states for "LAN / WLAN Auto Switching" used to be "Enabled/Disabled" until they were changed to "Enable/Disable" on the newest HP EliteBook G5 systems. Perhaps someone needs to start a Kickstarter campaign to buy HP's developers a few books on the importance of consistent data naming conventions?
I also disagree with the statement that you can create one configuration text file with all the settings you want to change and deploy it to all systems in the enterprise. In theory, if a particular system does not support a specified setting, the setting is ignored. However, to apply model-specific configurations and evaluate the exit code returned by the BCU in the process, you will have to work with multiple configuration files (I routinely create one configuration file per model when I work with HP hardware). You can, of course, disagree with my approach and use one configuration file that rules them all and acts as a common denominator; that is entirely up to you. Hopefully, though, I have highlighted the possible implications of the more simplistic approach.
Next, place your password file (the script assumes password.bin), your REPSET formatted config files and the BiosConfigUtility tool in the script folder. Edit the PowerShell script and add your models into the mix.
# Make sure we use the right model
Switch ($Model) {
    "HP EliteBook 840 G3" {
        $cmdLine = ' /Set:"' + $PSScriptRoot + '\HPEliteBook840G3.REPSET" /CurSetupPasswordFile:"' + $PSScriptRoot + '\password.bin"'
    }
    "HP Z440 Workstation" {
        $cmdLine = ' /Set:"' + $PSScriptRoot + '\HPZ440Workstation.REPSET" /CurSetupPasswordFile:"' + $PSScriptRoot + '\msits.bin"'
    }
    Default {
        Write-Host "$Model is unsupported, exit"
        Exit 0
    }
}
```
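To show how the pieces fit together, here is an added, self-contained example of the per-model invocation (my illustration, not the script from the GitHub repository). It assumes BiosConfigUtility64.exe, password.bin and the REPSET files sit next to the script, detects the model through Win32_ComputerSystem, and decides between /CurSetupPasswordFile and /NewSetupPasswordFile by reading the "Setup Password" entry of HP's instrumented BIOS WMI provider (the root\HP\InstrumentedBIOS namespace and HP_BIOSSetting class, with IsSet = 1 meaning a password is set, are assumptions taken from HP's WMI documentation; verify them against your own hardware). The model-to-file table is illustrative, and the exit code is passed back to the task sequence so a failed configuration change is visible rather than silently ignored.

```powershell
# Added example (not the author's script): apply a model-specific REPSET with the HP BCU,
# set the BIOS setup password if none is set yet, and surface the BCU exit code.
$ErrorActionPreference = 'Stop'

$bcu          = Join-Path $PSScriptRoot 'BiosConfigUtility64.exe'
$passwordFile = Join-Path $PSScriptRoot 'password.bin'   # created with HPQPswd.exe

# One REPSET per model, as argued above (table contents are examples)
$configByModel = @{
    'HP EliteBook 840 G3' = 'HPEliteBook840G3.REPSET'
    'HP Z440 Workstation' = 'HPZ440Workstation.REPSET'
}

$model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model.Trim()
if (-not $configByModel.ContainsKey($model)) {
    Write-Host "$model is unsupported, exit"
    exit 0
}
$config = Join-Path $PSScriptRoot $configByModel[$model]
foreach ($f in @($bcu, $passwordFile, $config)) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Host "Missing file: $f"; exit 1 }
}

# Is a BIOS setup password already set? (assumption: HP's instrumented BIOS WMI provider exposes
# a 'Setup Password' setting whose IsSet property is 1 when a password is set)
$setupPwd    = Get-CimInstance -Namespace 'root\HP\InstrumentedBIOS' -ClassName 'HP_BIOSSetting' `
                   -Filter "Name='Setup Password'"
$passwordSet = ($setupPwd.IsSet -eq 1)

# Build the BCU argument list; paths are quoted because $PSScriptRoot may contain spaces
$bcuArgs = @('/Set:"' + $config + '"')
if ($passwordSet) {
    $bcuArgs += '/CurSetupPasswordFile:"' + $passwordFile + '"'   # authenticate with existing password
} else {
    $bcuArgs += '/NewSetupPasswordFile:"' + $passwordFile + '"'   # set the password in the same run
}

Write-Host "Applying $config to $model (password already set: $passwordSet)"
$proc = Start-Process -FilePath $bcu -ArgumentList $bcuArgs -Wait -PassThru -NoNewWindow

# 0 is success; any other value is a BCU-specific error documented in the BCU user guide
if ($proc.ExitCode -ne 0) {
    Write-Host "BCU returned exit code $($proc.ExitCode) for $model; check the BCU user guide for its meaning"
}
exit $proc.ExitCode
```

Returning the BCU exit code instead of always exiting 0 is what makes the per-model approach pay off: the task sequence step can be configured to fail, or to log, on anything other than 0, so a REPSET whose setting strings no longer match the model is caught during deployment rather than discovered later as an unprotected machine.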
Then, copy everything to your deployment share, for example into the following folder: %SCRIPTROOT%\BIOS\HP.
Assuming you are running the script during a "wipe-and-load" scenario (an in-place upgrade works similarly), create the following two "Run Command Line" steps in the Pre-Install phase of your Windows 10 task sequence:
- powershell.exe -command "Set-ExecutionPolicy Bypass"
- powershell.exe -File %SCRIPTROOT%\BIOS\HP\BiosConfigUtility64.ps1
Add the following execution condition to the BiosConfigUtility step:
The next time you run your task sequence, the script will set your BIOS password (if currently not set) and modify the system BIOS configuration.
Note: HP does not recommend mixing replicated setup changes with BIOS firmware updates. Based on conversations with the product team, there shouldn't be any detrimental effects when you change the BIOS configuration and subsequently perform a firmware update without restarting the system between the two operations, unless the internal structure of the BIOS configuration settings information changes. This approach may even be required to accommodate cases in which performing a BIOS update in the full OS causes a BSOD (which used to be the case on the HP EliteBook 840/850 G3).
That's it!
Tweet me if you fancy or have any questions.