Transcription

HP BIOS Configuration Utility (BCU)User Guide

Copyright 2012–2015, 2019, 2021 HP Development Company, L.P.Intel and Core are trademarks of Intel Corporation in the U.S. and other countries. Microsoft , Windows , and Windows Vista are trademarks of theMicrosoft group of companies.Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, CommercialComputer Software,Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commerciallicense.The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the expresswarranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall notbe liable for technical or editorial errors or omissions contained herein.Seventh Edition: August 2021First Edition: May 2012Document Part Number: 700600-007

User input syntax keyText that you must enter into a user interface is indicated by fixed-width font.Table -1 Syntax and their descriptionsItemDescriptionText without brackets or bracesItems you must type exactly as shown Text inside angle brackets A placeholder for a value you must provide; omit the brackets[Text inside square brackets]Optional items; omit the brackets{Text inside braces}A set of items from which you must choose only one; omit thebraces A separator for items from which you must choose only one; omitthe vertical bar.Items that can or must repeat; omit the ellipsisiiiiv User input syntax keyTable of contents1 Getting started . 1What is HP BIOS Configuration Utility? . 1System requirements . . 1Installation . 12 Command-line parameters . 23 BIOS configuration . 4WMI support required . 4Replicated setup . 4Important notes . . 5Password management . 6BCU with HP Sure Admin . 6Comments . 8Appendix A Error codes . 9Appendix B Sample configuration file . 12

Appendix C HP Password Encryption Utility . 18vvi

1Getting startedWhat is HP BIOS Configuration Utility?HP BIOS Configuration Utility (BCU) is a free utility that enables you to do the following: Read available BIOS settings and their values from a supported desktop, workstation, or notebookcomputer Set or reset Setup Password on a supported desktop, workstation, or notebook computer Replicate BIOS settings across multiple client computersDownload the latest version of BCU from http://www.hp.com/go/clientmanagement.System requirementsTable 1-1 Minimum hardware and software for clientsWindows 7, Windows 8, Windows 8.1, Windows PE (version 4.0.1.1 or later), Windows 10.NOTE: BIOS setting management is supported under Windows PE 3.x, 4.0, or 5.0. See WMI support required on page 4.NOTE: Support of Windows XP and Windows Vista has been deprecated in BCU version 4.0.InstallationRun the BCU SoftPaq to install its contents to the folder PROGAMFILESDIR \HP\BIOSConfiguration Utility\, where PROGAMFILESDIR is the Program Files folder on the targetsystem (For example, C:\PROGRAM FILES). The resulting files at the target folder include: BIOSConfigUtility.exe BIOSConfigUtility64.exe HPQPswd.exe HPQPswd64.exe BCUsignature32.dll BCUsignature64.dll Internet shortcut to BIOS Configuration Utility User Guide.pdf1

What is HP BIOS Configuration Utility?2Command-line parametersUse the following syntax to run BCU:BIOSConfigUtility.exe options —or—BIOSConfigUtility64.exe options The valid options are:ParameterDescription/Get:"filename"Gets the configuration data.—or—NOTE:console.If "filename" is empty, BCU writes configuration data to the output/GetConfig:"filename"/Set:"filename"Modifies the system BIOS configuration. Accepts only REPSET formatted rdFile:”filename”Specifies the current BIOS Setup Password by providing an encrypted passwordfile. Current password should be provided when changing BIOS settings orpassword. Can specify only one current password file. Use HPQPswd.exe togenerate password file. See Password management on page 6 for additionaldetails on this utility.—or—NOTE: Requires BCU version 3.0.1.1 or later./cpwdfile:”filename”If using a BCU version earlier than 4.0.1.1, use /NewSetupPasswordFile:”filename”Specifies the new BIOS Setup Password by providing an encrypted password file.To remove the password, use /npwdfile:””. Use HPQPswd.exe to generatethe password file. See Password management on page 6 for additional detailson this utility.—or—NOTE: Clearing the BIOS Setup Password will remove all BIOS Users./npwdfile:”filename”Requires BCU version 3.0.1.1 or later./cspwdfile:”filename”—or——or—If using a BCU version earlier than 4.0.1.1, use /nspwdfile:”filename”./?Displays a help message.—or—/Help/SetDefaultsSets BIOS settings to their default values.NOTE: /SetDefaults does not change every possible value; also, it does notchange settings on an individual basis.2/verboseWhen used with /Set, displays details about each setting, such as success, thereason for failure (warning), or failure code (error)./WarningAsErrWhen used with /Set, displays details about each setting. Unlike /verbose,

any settings not applied due to warnings cause BCU to return program error code13 instead of success.Chapter 2 Command-line parametersParameterDescriptionNOTE:Requires BCU 3.0.11.1 or later. When both /verbose and /WarningAsErr are used, /WarningAsErr will take precedence./UnicodeChecks platform support for Unicode passwords only. If not supported, returnserror code 32. Use only in batch files; this command is not compatible with othercommands.NOTE: Requires BCU version 4.0.1.1 or later./logGenerates the log folder and log file default to the executable folder.NOTE: Requires BCU version 4.0.1.1 or later./getvalueGets the value of a given setting without using the config file.Example: BIOSConfigUtility.exe /getvalue:”Asset TrackingNumber”NOTE: Requires BCU version 4.0.1.1 or later./setvalueSets the value of a given setting without using the config file.Example: BIOSConfigUtility.exe /setvalue:”Asset TrackingNumber”,”12345678”NOTE: Requires BCU version 4.0.1.1 or later./ot:valueWhen this value is set to 0, a setting will be rejected if the anti-replay valuespecified is less than what is stored by the firmware.When this value is set to 1 a setting will be rejected if the anti-reply valuespecified is less than or equal to what is stored by the firmware.Since BCU uses the same anti-replay value for all the settings made within a file,when it is used with a settings file containing multiple changes, this value must beset to 0 or only 1 setting will get applied./ar:valueProvides AntiReplay value. The firmware compares the anti-replay value used foreach setting with an internal value (initially 0). If the value provided with thesetting is less than (or equal based on the /ot setting) to what is stored then thesetting is rejected. If the setting is accepted. the firmware updates its internalvalue with the value used by the setting. This logic is used to prevent oldersettings from being reused for security reasons. A common method of simplifyingthe management of this value is to use the epoch / unix time in UTC as thevalue. The current values stored by the BIOS are available in the BIOS settings:/uid:valueProvides the MachineID Universally Unique Identifier (UUID) this is available in theBIOS setting “Universally Unique Identifier (UUID)” and can be used to target thesetting to a single platform.Using a value of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF allows the settings to beapplied on any machine. The default value isFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.3

/pkey:“*.pfx”Specifies the path /filename to the PFX file that contains the private key to usewhen signing the settings./pkeypwd:valueOptional. If the specified PFX file is password protected, this specifies thepassword to the PFX file/addauthstrGenerates BCU-AuthString.txt.NOTE:Includes the unique signature strings required to change BIOS settingson a system with HP Sure Admin enabled.4

3BIOS configurationBCU is a Windows-based tool that lets you create standard configuration settings and deploy them across theenterprise. By creating a configuration text file with only the setting you want to change, you can deploy it toall systems in the enterprise. If a particular system does not support the specified setting, it will be ignored.WMI support requiredBCU requires HP custom WMI namespace and WMI classes (at the namespace root\HP\InstrumentedBIOS)provided by BIOS. BCU will only support models with a WMI-compliant BIOS, which are most commercial HPdesktops, notebooks, and workstations.Before running BCU, it is helpful to make sure that the HP BIOS WMI classes are in the namespace root\HP\InstrumentedBIOS. When using BCU in WinPE, ensure that the WMI component is added to the boot imageusing Microsoft Deployment Image Servicing and Management (DISM) tool.Replicated setupTo create, save, and deploy the configuration settings, complete the following procedure:1.Run the program BIOSConfigUtility.exe using the /GetConfig:config.txt command-lineparameter.2.Edit the file config.txt. Remove properties that you do not want to change and modify the otherproperties.NOTE: Some properties, such as model and manufacturer, are read-only. Such properties will beignored with a warning if specified during /SetConfig.NOTE: If a property value has not changed in the input configuration file from its existing value in BIOS,it will be skipped during /SetConfig. It is recommended to remove such settings during /SetConfig operation.NOTE: If a property name or value is invalid or does not exist on the client system, such settings will beignored with a warning during /SetConfig.The following config.txt example shows a configuration file that changes some properties:BIOSConfig 1.0;; Originally created by BIOS Configuration Utility; Version 4.0.10.1 ; Date "2015-03-20"Time "14:37:40" UTC "-5";; Found 214 settingsAsset Tracking NumberCORPTAG001ABCDEF5

Removable Media BootEnable*Disable RemovableMedia WriteEnable*DisableEnter Ownership Tag propertyof company XYZBoot OrderNetwork ControllerPnP Device#1Hard Drive (C:)CD-ROM DriveIDE CD-ROM Drive MultibayDevice (A: or CD-ROM)Diskette Drive (A:)USB deviceCover LockUnlock*Lock3.Run BIOSConfigUtility.exe with the /SetConfig:config.txt command-line parameter to apply thesettings contained in config.txt.Important notes The /Set and /Get functionality is supported on select commercial desktop, mobile, and workstationsystems. Supported settings vary by model. In BCU version 4.0.1.1 and later, the first line of the configuration file must be the word “BIOSConfig,”followed by the file format version, currently 1.0. For backwards compatibility, the word “English” isaccepted. This keyword is deprecated and support may be removed in the future. For BCU versions earlierthan 4.0.1.1, the first line must be the word “English.” The settings are indented with a tab character.IMPORTANT: Indenting with space characters will not work. There is no space between /command: and the file name. Arguments containing spaces must be entered within quotes. For commands that contain two comma-separated arguments, there must not be a space before or afterthe comma.Replicated setup6Chapter 3 BIOS configuration

Only password changes are guaranteed to take effect immediately and without a reboot. All othersettings might not take effect until after a reboot. The exact strings for some boot devices may vary between models. For example, the network controllerfor Boot Order was identified with the tag “PNP Device #1” on one system and “Network Controller” onnewer systems. If your environment includes a mix of systems, then ensure that all known values for aparticular boot device are placed together in the list relative to the next type of boot device. See theprevious example. Devices not found on the system are ignored. See the previous example, noting thatCD-ROM is specified several different ways. It is recommended that you do not mix replicated setup changes with software updates that include BIOSfirmware updates. It is a best practice to perform each operation independently and to restart the systembetween each operation. This procedure accommodates cases in which the internal structure of BIOSconfiguration setting information changes between BIOS revisions.Password managementBCU also has the ability to establish, modify, and remove the BIOS setup password. Use the HP PasswordEncryption Utility (HPQPswd.exe) to create the password file needed to specify new or current password. It isavailable at HP Client Management Solutions website at http://www.hp.com/go/clientmanagement. See HPPassword Encryption Utility on page 18 for password utility usage samples.Use the following sample command to create a setup password on a system with no existing password:BIOSConfigUtility.exe /nspwdfile:"new password.bin"Use the following sample command to modify the BIOS setup password use:BIOSConfigUtility.exe /nspwdfile:"new password.bin" /cspwdfile:"currentpassword.bin"Use the following sample command to remove the BIOS setup password use:BIOSConfigUtility.exe /nspwdfile:"" /cspwdfile:"current password.bin"NOTE: A password change command can be combined with BIOS configuration, in which case the password ismodified before the configuration is applied.BIOSConfigUtility.exe /set:"configuration.txt" /nspwdfile:"new password.bin"BCU with HP Sure AdminHP Sure Admin enables BIOS Enhanced authentication mode (BEAM). This mode allows you to set up additionalsteps for authentication.When a system has HP Sure Admin enabled, BIOS requires an authorization string in order to allow changes toBIOS settings rather than using a BIOS Admin Password. The authorization string contains the values specifiedby the /ot, /ar, and /uid command line options, as well as a cryptographic signature.NOTE: To Enable Enhanced BIOS Authentication Mode. Secure Platform Mode must be in the Provisioned state,and you must use a authorization string either using beamsetting.txt or /addauthstr to enable ordisable.There are three ways to change settings on a system that has HP Sure Admin enabled.The following example shows you how to add an authorization string to a config file:1.Run the following command: BIOSConfigUtility.exe /get:config. To create a copy of config.txt7

2.Open config.txt and make any changes you want to the configuration. 3. Run the following command:BIOSConfigUtility.exe /set: config .txt /ar:0 / ot:0 /pkey: signing key .pfx/addauthstrNOTE: This command creates a file called BCU-Authstring.txt.This depends on the anti-replay counter currently stored by the BIOS to be 0 and /ot:0.To run this command a second time, change the /ar parameter to a larger number.Refer to the definition of /ar for more details.4.Run the following command: BIOSConfigUtility.exe /set:BCU-AuthString.txt NOTE:Allchanges should now be applied.The second method of making changes to a system with HP Sure Admin enabled is to use beamsetting.txt1.Run the following command: BIOSConfigUtility.exe /get: config .txt2.Open config .txt, and make any changes you want to the configuration.3.Put a file called beamsetting.txt in the root folder with BIOSConfigUtility.exe that includes thefollowing information:4. HP Beam Mode Setting AntiReplayValue 0 OneTime 0 TargetID FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF PrivateKey signing key .pfxRun the following command: BIOSConfigUtility.exe /set: config .txtNOTE:The TargetID field in beamsetting.txt is the Universally Unique Identifier (UUID) of the system. Ifyou want the signature strings to only be valid for one system, you can enter the Universally Unique Identifier (UUID)in this field. To apply the config file to multiple systems, leave as FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.To apply settings directly from the command prompt without BCU-Authstring.txt or beamsetting.txt:1.Run the following command: BIOSConfigutility.exe /get: config .txt2.Open config .txt, and make any changes you want to the configuration. 3. Run the following command:BIOSConfigUtility.exe /set: config .txt /ar:0 / ot:0 /pkey: signing key .pfxBCU with HP Sure Admin8Chapter 3 BIOS configuration

CommentsBCU configuration files support adding comments by using the ‘;’ (semicolon) character. Any line that beginswith‘;’ is treated as a comment. The white space (including tab) in front of ‘;’ is ignored. The comment does notcarry over to the next line.Example usage of comments:BIOSConfig 1.0; This file shows usage of comments in configuration files ; Below is anexample of comments using semicolon at beginning of lineSunday; *Disable; Enable; Below is an example of comments using semicolon after white space(includes tab)Monday;*Disable;Enable; Below is an example where the semicolon is NOT considered as a comment.Parallel PortIO 3BC; IRQ 7IO 378; NOT commentAError codesTable A-1 Error codesError codeDescriptionNotes0SuccessOperation succeeded.1Not SupportedWMI result code – Setting is not supported on system.2UnknownWMI result code – Operation failed for unknown reason.3TimeoutWMI result code – Operation timed out.4FailedWMI result code – Operation failed.9

105Invalid ParameterWMI result code – A parameter is missing or wrong type.6Access DeniedWMI result code – Setting modification failed due to BIOS permissions.10Valid password not provided.BCU was unable to find a valid password on the command-line in thefollowing cases: When attempting to change the password, the correct passwordwas not provided. When attempting to change the password, the new password didnot satisfy password requirements for the platform. When attempting to change setting values, the correct passwordwas not provided.11Config file not valid.BCU was unable to locate the configuration file or unable to read the fileat the specified path.12First line in config file is not the keyword“BIOSConfig”.First line in the configuration file must be the word “BIOSConfig”followed by the file format version, currently “1.0”.13Failed to change setting.14BCU not ready to write file.Not used.15Command-line syntax error.Possible reasons for this error include the following:BCU failed to change one or more settings. Use /verbose or /WarningAsErr to get status per setting. Invalid command-line option specified. Use /? or /Help foravailable options. Invalid combination of command-line options used. Multiple password files were specified. Only one new or currentsetup password file can be provided on command-line. No configuration file name was specified with /set. No file name was specified with /cspwdfile or /nspwdfile.16Unable to write to file or system.BCU was unable to connect to HP BIOS WMI. WMI classes are corruptedor the system is not supported. See the section WMI support requiredon page 4 for additional information.17Help is invoked.Show usage text.Chapter 3 BIOS configuration

Table A-1 Error codes (continued)11Error codeDescriptionNotes18Setting is unchanged.This return code is returned by BCU on a per setting basis when /verbose or /WarningAsErr options are specified. Settings with thisreturn code are skipped when BCU attempts to write to BIOS and do notaffect BCU return code.19Setting is read-only.This return code is returned by BCU on a per setting basis when /verbose or /WarningAsErr options are specified. Settings withthis return code are skipped when BCU attempts to write to BIOS. When/ verbose is used, this return code generates a warning and does notaffect the BCU return code. If /WarningAsErr is used, it results inBCU error code 13.20Invalid setting name.This return code is returned by BCU on a per setting basis when /verbose or /WarningAsErr options are specified. Settings withthis return code are skipped when BCU attempts to write to BIOS. When/ verbose is used, this return code generates a warning and does notaffect the BCU return code. If /WarningAsErr is used, it results inBCU error code 13.21Invalid setting value.This return code is returned by BCU on a per setting basis when /verbose or /WarningAsErr options are specified. Settings withthis return code are skipped when BCU attempts to write to BIOS. When/ verbose is used, this return code generates a warning and does notaffect the BCU return code. If /WarningAsErr is used, it results inBCU error code 13.23Unable to connect to HP BIOS WMInamespace.System not supported. Unable to connect to HP BIOS WMI namespace:root\HP\InstrumentedBIOS. See the section WMI support requiredon page 4 for additional information.24Unable to connect to HP WMI namespace.System not supported. Unable to connect to HP WMI namespace: root\HP. See the section WMI support required on page 4 for additionalinformation.25Unable to connect to PUBLIC WMInamespace.System not supported. Unable to connect to PUBLIC WMI namespace:root\CIMV2. Ensure that WMI service is enabled and running.30Password file error.Unable to read or decrypt the password file.31Password is not F10 compatible.If a platform does not support Unicode passwords, BCU can set andchange the password, but the password will not function in F10 Setup.BCU must be used to change or clear it.32Platform does not support Unicodepasswords.Returned when the /Unicode option is used to check for support.33No settings to apply found in Config file.Config file contains no settings or they are commented out.35Missing parameter.BCU OneTime Not Found.36Missing parameter.BCU AntiReplayValue Not Found.37Missing parameter.BCU PrivateKey Not Found.38Corrupt or missing file.BCU Unable LoadDll BCUsignature.

39DLL file error.BCU Unable GetClass entry.40DLL file error.BCU Unable GetClass Point41Invalid UID.Invalid Universal Unique Identifier.Appendix A Error codesTable A-1 Error codes (continued)12Error codeDescriptionNotes0x80040002Unexpected WMI error.PFX file does not contain a private key.0x80070056Unexpected WMI error.PFX file is protected with a password and no or invalid password isprovided0x80092009Unexpected WMI error.Invalid PFX file0x80070002Unexpected WMI error.The system cannot find the file specifiedAppendix B Sample configuration file

BSample configuration fileThis configuration file shows a partial list of the BIOS settings for an HP ZBook 15:BIOSConfig 1.0; ; Originally created by BIOS Configuration Utility; Version: 4.0.1.1 ; Date "2014-09-17" Time "09:39:33"UTC "-5"; ; Found 244 settings;ManufacturerHewlett-PackardProduct NameHP ZBook 15System Board ID1909Universal Unique ocessor TypeIntel(R) Core(TM) i7-4900MQ CPUSKU NumberD5H49AV#ABAWarranty Start Date00/00/0000Processor leTuesday*Disable13

eFriday*DisableEnableSaturday*DisableEnable BIOS Power-On Time (hh:mm)00:00PCID VersionA3.00System Configuration IDA3008DD20303Define Custom URLTotal Memory Size16384 MBMemory Slot 1 InformationTop - Slot 2 (under) Hynix/Hyundai 4096 MB @ 1600 MHzMemory Slot 2 InformationBottom-Slot 2(right) Samsung 4096 MB @ 1600 MHzMemory Slot 3 InformationTop - Slot 1 (top) Hynix/Hyundai 4096 MB @ 1600 MHz Memory Slot 4InformationBottom-Slot 1(left) Samsung 4096 MB @ 1600 MHzDefine Customized Boot OptionEnter Feature Byte3X47676J6S6b7M7Q7U7W7saBaw.BQEnter Build ID14Appendix B Sample configuration file

13WWAVCW601#SABA#DABABIOS Date06/24/2014System BIOS VersionL70 Ver. 01.10Serial NumberCND3220CMXVideo BIOS RevisionIntel(R) GOP Driver [5.0.1028]Video BIOS Revision 2 nVidia 05/15/14Keyboard Controller Version94.51Ownership TagAsset Tracking NumberPrimary Battery Serial Number13577 5/4/2013Serial port*DisableEnableThunderbolt portDisplayPort onlyPCIe and DisplayPort*PCIe and DisplayPort - require user approval for Thunderbolt legacydevicesSecondary Battery Serial NumberNo Battery PresentParallel port*DisableEnableFlash media readerDisable*EnableUSB Port15

Disable*EnableExpress Card SlotDisable*EnableSmart Card*DisableEnableWWAN FCC IDNo Device PresentWLAN FCC IDPD96235ANHBluetooth FCC IDPD96235ANHSystem Board CTPXXXXA2WV4PYXWProduct Family103C 5336AN G D L BUS B HP S ELI eSATA PortDisable*EnableGPS FCC IDNo Device PresentMicroCode alianoDanskNederlandsSuomiJapanese16Appendix B Sample configuration file

NorskPortuguesSvenskaSimplified ChineseTraditional ChineseCustom Logo*DisableEnable CD-ROM boot*DisableEnableFast BootDisable*EnableBacklit Keyboard Timeout *5 secs.15 secs.30 secs.1 min.5 mins.NeverSD Card boot*DisableEnable Floppy boot*DisableEnablePXE Internal NTC boot*DisableEnableLegacy Boot Order mSATA Drive Notebook Upgrade BayNotebook Hard DriveUSB FloppyUSB CD-ROMUSB Hard DriveNotebook Ethernet Dock Upgrade Bay eSATA Drive Boot Device 13 .17

CHP Password Encryption UtilityThe HP Password Encryption Utility (HPQPswd.exe) accepts a password entered by the user, encrypts thepassword, and then stores it in a file for use by the BIOS. This utility can be used in either command-linemode or GUI mode. To run it in GUI mode, double-click the executable or run without parameters.HP recommends using a strong password to protect managed assets.The following is a sample command to create a password file in silent mode:HpqPswd.exe /s /p"12345678" /f"sample password.bin"In this example, /p specifies the password, and /f specifies the name and path of the encrypted file.NOTE: Use the /? command to invoke help for additional information on the password utility.HPQPswd.exe currently supports a maximum of 32 characters.18

Appendix C HP Password Encryption Utility19

5 3 BIOS configuration BCU is a Windows-based tool that lets you create standard configuration settings and deploy them across the enterprise.