The 1E BIOS to UEFI Password Setup task sequence enables you to make use of a whitelist of admin passwords, which are required when changing settings in BIOS. You can add this step from the task sequence drop-down menu.

This task sequence is a two-step process:

  1. Create a password list.
  2. Determine the behavior of the task sequence:
     
    • Use existing password
    • Set New Password – appends the new password to the password list and uses this password

      On Lenovo machines where an admin BIOS password is not enforced, you cannot set a new one using this particular behavior. This is a vendor-designed characteristic.
    • Remove Password – not recommended if you intend to implement the Trusted Platform Module (TPM)

Execution order for the task sequence

This task sequence must execute before any other BIOS to UEFI steps. When it runs:

  1. The system is checked to see if a BIOS admin password is set.
    1. If it is not, go to step 2.
    2. If it is, it uses the passwords in the list sequentially for authentication.
      • If authentication fails, exit with error code 5 (access denied)
      • If authentication succeeds, go to step 2
  2. If the BIOS admin password does not require an update, the task sequence continues.
  3. If the BIOS admin password requires an update, it sets the new password and the task sequence continues. This new password is used for subsequent UEFI related configurations.
  4. If the BIOS admin password is to be removed, it removes it and the task sequence continues.

Managing your password list

  1. To add a new password to the list:
    1. Under the Password List, click Add
    2. On the New Password dialog:
      • In Identifier:, enter a logical name for this password
      • In Password:, enter the password to associate with this logical name
    3. Click Save.
  2. To remove an existing password:
    1. From the Password List, choose the password you want to remove.
    2. Click Remove.
  3. To modify an existing password:
    1. From the Password List, choose the password you want to change.
    2. Click Edit.
    3. Modify the attributes for the password.
    4. Click Save.
  4. To reorder the list:
    1. From the Password List, choose the password you want to reorder.
    2. Click the Up/Down arrows to reorder it.

Limitations

On most HP and Lenovo machines, BIOS password authentication is limited to 3 attempts. After this, the system locks down and must be restarted before you can resume. The task sequence returns error code 0x5 (access denied) if password authentication fails.

To mitigate this:

  1. Use the password step with only 3 passwords.
    1. The 1E BIOS to UEFI Password step will exit with error code 5 (access denied) if it cannot find the correct password in the given list or if the password attempt limit is exceeded.
  2. Add a new group Restart and check BIOS password. Add the following in the group:
    1. Put a condition on this group so that it is executed only when _SMSTSLastActionRetCode=5.
    2. Add a restart step in this group.
    3. Add a new 1E BIOS to UEFI Password Setup step with a new set of passwords.

On Lenovo machines, the password retry limit is enabled by default. If the automated password authentication fails all 3 attempts, the system will not boot, and you must enter setup and manually enter the correct BIOS password to clear this error on subsequent reboots.

We recommend you only use 3 passwords in your list for HP and Lenovo devices to avoid any failures in the task sequences.
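
The following is an added example, not 1E's code: a small Python model of the execution order and of the mitigation described above, showing why a list longer than 3 entries ends in error code 5 and how the restart group gated on _SMSTSLastActionRetCode=5 recovers. The `ModelFirmware` class, the function names and the sample passwords are constructed for illustration; the model assumes a restart clears the lockout and does not cover the Lenovo case where the machine refuses to boot.

```python
ACCESS_DENIED = 5   # error code the step returns when authentication fails
ATTEMPT_LIMIT = 3   # per-boot limit stated for most HP and Lenovo machines


class ModelFirmware:
    """Constructed stand-in for vendor firmware; counts failed attempts per boot."""

    def __init__(self, admin_password):
        self.admin_password = admin_password  # None means no admin password is set
        self.failed = 0

    def restart(self):
        self.failed = 0  # assumption: a restart clears the lockout

    def authenticate(self, candidate):
        if self.failed >= ATTEMPT_LIMIT:
            return False  # locked down: even the correct password is refused
        if candidate == self.admin_password:
            return True
        self.failed += 1
        return False


def password_step(fw, password_list):
    """One password step: 0 lets the task sequence continue, 5 is access denied."""
    if fw.admin_password is None:
        return 0  # nothing to authenticate against
    for candidate in password_list:  # list is tried sequentially, in order
        if fw.authenticate(candidate):
            return 0
    return ACCESS_DENIED


def run_with_restart_groups(fw, password_list, chunk=ATTEMPT_LIMIT):
    """First step uses at most `chunk` passwords; each later group runs only
    when the previous return code is 5, restarts, then tries the next set."""
    groups = [password_list[i:i + chunk]
              for i in range(0, len(password_list), chunk)] or [[]]
    rc = password_step(fw, groups[0])
    for group in groups[1:]:
        if rc != ACCESS_DENIED:  # group condition: _SMSTSLastActionRetCode=5
            break
        fw.restart()
        rc = password_step(fw, group)
    return rc


SAMPLE_LIST = ["pw-a", "pw-b", "pw-c", "pw-d", "pw-e"]  # constructed values
```

With the correct password in fourth position, a single step given all five entries returns 5 because the lockout triggers before the fourth attempt, while the chunked sequence succeeds after one restart.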