Tuesday, 19 June 2018 09:54

Configuring HP BIOS Using MDT


This is the second post in my series that explores one of the most common questions I’ve been asked by folks who are migrating to Windows 10: "How do I go about transitioning from BIOS to UEFI?". This time, I am going to discuss automating firmware configuration on supported HP (Hewlett-Packard) notebook, desktop, and workstation models. Now, it's not as if it's been no-man's-land before. I am fully aware that there are blogs out there that talk about doing this kind of thing, and I’ve tried a few of the solutions with varying degrees of success. Still, the feedback I've been getting over the past few weeks has been that I should share my approach when working with the Microsoft Deployment Toolkit (MDT), so here's my attempt to do precisely that.

If you are familiar with HP's BIOSConfigUtility, you can skip the remainder of the article and grab the PowerShell script from my GitHub repository along with several sample config files. The script was designed based on my interactions with enterprise customers and has been instrumental in successfully transitioning to, and thriving within, a secure Windows 10 environment. Everybody else, buckle in...

The HP BIOSConfigUtility software is a terrific tool for enabling you to achieve configuration parity with Windows 10 requirements on HP's enterprise client systems. This product consists of a Command Line Interface (BiosConfigUtility.exe) to configure various BIOS features and a Password Encryption Utility (HPQPswd.exe), designed to encrypt the BIOS password, and store it in a file.

Download and extract the latest version from HP's support website.

First things first, it’s essential to create the password file needed to specify a new or current password using the HP Password Encryption Utility (HPQPswd.exe). If you are trying to protect managed assets, do not pass go until you have set the BIOS setup password. Additionally, you will not be able to modify a subset of firmware settings until you've secured BIOS access. Run the executable without parameters, enter your password, specify the file path and name, and hit "OK."


Next, capture host machine configuration data by running:

BiosConfigUtility64.exe /Get:"C:\temp\%ModelName%.REPSET"

Edit the %ModelName%.REPSET file and remove properties that are read-only (such properties will be ignored with a warning if specified anyway). You should also delete settings that you do not want to change. Below is a sample configuration file I captured from an HP Z440 workstation:

BIOSConfig 1.0
;     Originally created by BIOS Configuration Utility
;     Version:
;     Date="2016/09/14" Time="14:04:19" UTC="0"
;     Found 181 settings
Configure Legacy Support and Secure Boot
                Enable Legacy Support and Disable Secure Boot
                *Disable Legacy Support and Enable Secure Boot
                Disable Legacy Support and Disable Secure Boot
TPM Device
TPM State
Legacy Boot Options
UEFI Boot Options
SATA Controller Mode
Virtualization Technology (VT-x)
Intel VT for Directed I/O (VT-d)

Note that HP frequently changes setting strings between models, unlike Dell, which has been very consistent thus far. For example, the possible states for "LAN / WLAN Auto Switching" used to be "Enabled/Disabled" until they were changed to "Enable/Disable" on the newest HP EliteBook G5 systems. Perhaps someone needs to start a Kickstarter campaign to buy HP's developers a few books on the importance of consistent data naming conventions?

I also disagree with the statement that you can create one configuration text file with all the settings you want to change and deploy it to all systems in the enterprise. In theory, if a particular system does not support the specified setting, it will be ignored. However, to apply model-specific configurations and evaluate the exit code that is returned by the BCU in the process, you will have to work with multiple configuration files (I routinely create one configuration file per model when I work with HP hardware). You can, of course, choose to disagree with my approach and use one configuration file that rules them all and acts as a common denominator; that’s entirely up to you. But hopefully I have highlighted the possible implications of using the more simplistic approach.
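A pre-deployment check for the per-model files described above, as an added example (not the author's script): it parses a REPSET file and reports baseline settings that are absent, selected wrongly, or spelled differently on that model. The function names and the baseline are hypothetical, the sample text is constructed from the excerpt above, and the parser assumes setting names start in column one with their values indented, as in that excerpt.

```powershell
function ConvertFrom-Repset {
    param([string[]]$Lines)
    $settings = [ordered]@{}; $current = $null
    foreach ($line in $Lines) {
        # Skip blank lines, ';' comments and the "BIOSConfig 1.0" header
        if ($line -match '^\s*($|;)' -or $line -match '^BIOSConfig\s') { continue }
        if ($line -match '^\S') {
            # Unindented line: a setting name
            $current = $line.Trim()
            $settings[$current] = [pscustomobject]@{ Options = @(); Selected = $null }
        } elseif ($current) {
            # Indented line: one offered value, '*' marks the selected one
            $value = $line.Trim()
            if ($value.StartsWith('*')) { $value = $value.Substring(1); $settings[$current].Selected = $value }
            $settings[$current].Options += $value
        }
    }
    $settings
}

function Test-RepsetBaseline {
    param($Settings, [hashtable]$Required)
    foreach ($name in $Required.Keys) {
        $want = $Required[$name]
        if (-not $Settings.Contains($name)) {
            "MISSING : '$name' is not in this file"
        } elseif ($Settings[$name].Options -notcontains $want) {
            "MISMATCH: '$name' has no option '$want' (offered: $($Settings[$name].Options -join ' / '))"
        } elseif ($Settings[$name].Selected -ne $want) {
            "WRONG   : '$name' selects '$($Settings[$name].Selected)', expected '$want'"
        }
    }
}
# Constructed sample: a newer model that spells the LAN/WLAN states "Enable/Disable"
$sample = @'
BIOSConfig 1.0
Configure Legacy Support and Secure Boot
    Enable Legacy Support and Disable Secure Boot
    *Disable Legacy Support and Enable Secure Boot
    Disable Legacy Support and Disable Secure Boot
LAN / WLAN Auto Switching
    *Enable
    Disable
'@ -split "`r?`n"
$required = @{   # hypothetical baseline, using the older "Enabled" spelling for LAN/WLAN
    'Configure Legacy Support and Secure Boot' = 'Disable Legacy Support and Enable Secure Boot'
    'LAN / WLAN Auto Switching'                = 'Enabled'
}
Test-RepsetBaseline -Settings (ConvertFrom-Repset $sample) -Required $required
```

Run against each model's file before copying it to the deployment share; an empty result means every baseline setting is present and selected as required.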

Next, place your password file (the script assumes password.bin), your REPSET formatted config files and the BiosConfigUtility tool in the script folder. Edit the PowerShell script and add your models into the mix.

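# Make sure we use the right model
Switch ($Model) {
    "HP EliteBook 840 G3" {
        $cmdLine = ' /Set:"' + $PSScriptRoot + '\HPEliteBook840G3.REPSET" /CurSetupPasswordFile:"' + $PSScriptRoot + '\password.bin"'
    }
    "HP Z440 Workstation" {
        # This entry points at msits.bin; the name must match the password file placed in the script folder
        $cmdLine = ' /Set:"' + $PSScriptRoot + '\HPZ440Workstation.REPSET" /CurSetupPasswordFile:"' + $PSScriptRoot + '\msits.bin"'
    }
    Default {
        # No config file for this model: report it and leave the firmware untouched
        Write-Host "$Model is unsupported, exit"
        Exit 0
    }
}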

Then, copy everything to your deployment share, for example into the following folder: %SCRIPTROOT%\BIOS\HP.

Assuming you are running the script during a "wipe-and-load" scenario (an in-place upgrade works similarly, though), create the following two "Run Command Line" steps in the Pre-Install phase of your Windows 10 task sequence:

  • powershell.exe -command "Set-ExecutionPolicy Bypass"
  • powershell.exe -File %SCRIPTROOT%\BIOS\HP\BiosConfigUtility64.ps1


Add the following execution condition to the BiosConfigUtility step:


The next time you run your task sequence, the script will set your BIOS password (if currently not set) and modify the system BIOS configuration.

Note: HP does not recommend that you mix replicated setup changes with BIOS firmware updates. Based on conversations with the product team, there shouldn't be any detrimental effects when you change the BIOS configuration and subsequently perform a firmware update without restarting the system between the two operations, unless the internal structure of the BIOS configuration settings information changes. This approach may even be required to accommodate cases in which performing a BIOS update in FullOS causes a BSOD (which used to be the case on HP EliteBook 840/850 G3).

That's it!

Tweet me if you fancy or have any questions.
