Changing the BIOS Supervisor Password with Intune and the Think BIOS Config Tool
For security purposes, there may be a requirement to change the supervisor password for BIOS access. There are a few ways to accomplish this, either programmatically using a couple of lines of code or with the Think BIOS Config Tool. The former is easiest but carries a real risk: it exposes your supervisor password in plain text, which is a big no-no. So instead, we're going to use the Think BIOS Config Tool and an encrypted password file to tackle this scenario, which has become quite common these days it seems.
Solution Overview
This solution uses a PowerShell script to change the BIOS supervisor password by invoking the Think BIOS Config Tool and passing it a password file containing the encrypted supervisor password, which the tool uses both to authenticate to the BIOS and to apply the new password.
Preparing the Password File
First, download and extract the Think BIOS Config Tool, which can be found here.
Note
Ensure version 1.41 or higher of the tool is used.
Launch the tool as Admin and tick the box beside Supervisor password set on the target machine. This will unlock additional options.
Enter your current supervisor password in the Enter password field. In the Enter encrypting key field, either specify your own key (it can be anything you want) or click the Generate a key button to generate a random string.
Next, tick the box beside Change Supervisor password. This will unlock two extra fields where you specify the new supervisor password.
Finally, click the Create password change file button. This will generate an .ini file in the directory where the tool was invoked.
Note
Whenever you generate a password file, the name of the .ini will be the model of the machine it was generated from. You can rename it if you'd like.
If you open the .ini file, you'll see a long string on a single line. This is the encrypted password that will be used for BIOS authentication so you're not passing the "real" one in plain text.
Preparing the Win32 App
Copy the password file (.ini) and the Think BIOS Config Tool (.hta) to a new directory.
Download the Update-SVP.ps1 file from my GitHub and save it to the directory containing the .hta and .ini.
Warning
Before proceeding, you'll need to populate the $secretKey variable in the script with the encrypting key you used to generate the password file.
Using the Win32 Content Prep Tool, we're going to wrap these three items up and convert them to a .intunewin file.
An example command to create the .intunewin file
Creating the Win32 App
App Information
Add a new Windows app (Win32) in the Intune admin center and choose the .intunewin app package file you just created to upload. Fill out the required fields and click next.
Program
Install command
Uninstall command
Change Device restart behavior to Determine behavior based on return codes.
Requirements
Operating system architecture: 64-bit
Minimum operating system: 1607
Add a new Registry requirement rule
Key path: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Value name: SystemManufacturer
Registry key requirement: String comparison
Operator: Equals
Value: LENOVO
Detection rules
Add a File rule type to check for a .status file
Path: %ProgramData%\Lenovo\ThinkBiosConfig
File or folder: .svp.status
Detection method: File or folder exists
No dependencies or supersedence is required so click through and assign the app to a group of devices.
Experience
On a machine that's received the app assignment, a toast notification should be presented to complete a restart to finish the installation. This assumes a successful password change.
To verify this, look under C:\ProgramData\Lenovo\ThinkBIOSConfig for the .svp.status file. If you open the tool's log file in the same directory, you will see that the tool found the password .ini file and successfully changed the password.
Note
The log file name varies by machine. It's prefixed with the Machine Type Model followed by the serial number.
If the app installation failed, there are a few scenarios that can cause this:
- No supervisor password is set on the target machine
- The encrypting key is incorrect
On a failed machine, the log will show Access Denied for password change if either of the above scenarios is true.
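As an added illustration of the flow the script drives (this is not the author's Update-SVP.ps1 from GitHub), here is a PowerShell wrapper that runs the tool with the encrypted .ini and $secretKey, reads the per-machine log for the Access Denied outcome described above, and only writes the .svp.status detection marker on success. The "file=", "key=" and "log=" arguments and the exit-code handling are assumptions about the tool's command-line syntax; check the deployment guide for your version before relying on them.

```powershell
# Added example wrapper (not the author's Update-SVP.ps1). Assumed tool syntax:
#   mshta.exe ThinkBiosConfig.hta "file=<password .ini>" "key=<encrypting key>" "log=<dir>"
$secretKey  = 'REPLACE-WITH-YOUR-ENCRYPTING-KEY'   # key entered in the GUI when the .ini was created
$logDir     = Join-Path $env:ProgramData 'Lenovo\ThinkBiosConfig'
$statusFile = Join-Path $logDir '.svp.status'       # file the Intune detection rule looks for

# Same check as the Intune requirement rule, repeated locally so the tool never runs on other hardware
$bios = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS'
if ($bios.SystemManufacturer -ne 'LENOVO') {
    Write-Output "Unsupported manufacturer: $($bios.SystemManufacturer)"
    exit 1
}

$hta = Join-Path $PSScriptRoot 'ThinkBiosConfig.hta'
$ini = Get-ChildItem -Path $PSScriptRoot -Filter '*.ini' -File | Select-Object -First 1
if (-not (Test-Path $hta) -or -not $ini) {
    Write-Output 'ThinkBiosConfig.hta or the password change .ini is missing from the package'
    exit 1
}
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# The encrypting key is passed on the command line, so it is visible to anyone who can list
# processes or read this script: keep the package assigned only to the devices that need it.
$toolArgs = "`"$hta`" `"file=$($ini.FullName)`" `"key=$secretKey`" `"log=$logDir`""
$proc = Start-Process -FilePath 'mshta.exe' -ArgumentList $toolArgs -Wait -PassThru -WindowStyle Hidden

# The log name varies per machine (model + serial), so read the newest non-status file in the log dir
$log = Get-ChildItem -Path $logDir -File |
    Where-Object { $_.Name -notlike '*.status' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
$logText = if ($log) { Get-Content -Path $log.FullName -Raw } else { '' }

# Both failure scenarios from the page (no supervisor password set, wrong key) surface as Access Denied
if ($logText -match 'Access Denied') {
    Write-Output "Password change refused (see $($log.FullName)); status file not written so detection fails"
    exit 1
}
if ($proc.ExitCode -ne 0) {   # exit-code semantics assumed; adjust to the tool's documented codes
    Write-Output "Tool exited with $($proc.ExitCode)"
    exit 1
}

# Success: drop the marker the detection rule checks, then ask Intune for a soft reboot (3010)
Set-Content -Path $statusFile -Value (Get-Date -Format o)
exit 3010
```

Exit code 3010 is what makes the "Determine behavior based on return codes" setting surface the restart toast; any other non-zero code leaves the device marked as failed with no status file, so a retry can be investigated from the log.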
Warning
If a device has failed consecutive installs with an incorrect encrypting key, a prompt stating "Security password retry count exceeded" will be presented on the next reboot.