Automating Dell BIOS Password Management with PowerShell and CCTK

Managing BIOS passwords across enterprise devices is a critical security requirement. Ensuring that BIOS credentials are updated consistently helps protect systems from unauthorized configuration changes and strengthens overall endpoint security.

This PowerShell script provides a structured and automated approach to updating Dell BIOS setup passwords using Dell Command Configure Toolkit (CCTK), while maintaining robust logging and state tracking.


  • Overview of the Script

The script is designed to:

  • Retrieve old and new BIOS passwords from SCCM Task Sequence variables
  • Execute the CCTK command to update the BIOS password
  • Capture output and exit codes
  • Log all activity to a centralized file
  • Persist execution results in the Windows Registry
  • Prevent repeated execution once successful

  • Task Sequence Integration

The script integrates directly with Microsoft Configuration Manager using:

$tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment

It retrieves secure variables:

  • OldPwd → Current BIOS password
  • NewPwd → New BIOS password to be set

This allows password rotation to be managed centrally and securely through task sequences.


  • Centralized Logging

All operations are logged to:

C:\ProgramData\LogFiles

Each execution generates a timestamped log file:

CCTK_BIOSChange_yyyyMMdd_HHmmss.log

The logging function captures:

  • Timestamp
  • Log level
  • Execution messages

This ensures complete transparency for auditing and troubleshooting.


  • Pre-Execution Validation

Before running the password update, the script checks a registry key:

HKLM:\SOFTWARE\DellBIOSMgmt

It evaluates the previously stored exit code:

$exitcode = (Get-ItemProperty -Path $Regpath).exitcode

Behavior:

  • If the previous execution was successful → script skips execution
  • If not executed or failed → script proceeds

This prevents unnecessary reconfiguration and reduces system impact.


  • BIOS Password Update Using CCTK

The core operation is executed using Dell’s Command Configure utility:

.\cctk.exe --setuppwd=$NewPwd --valsetuppwd=$OldPwd

Key points:

  • --valsetuppwd validates the current password
  • --setuppwd applies the new password
  • Output and errors are captured for logging

The script also captures the process exit code:

$Exit = $LASTEXITCODE

 


  • Detailed Logging and Output Capture

The script logs both:

  • Command output
  • Exit code

This ensures visibility into:

  • Success cases
  • Validation failures (incorrect old password)
  • Device compatibility issues

  • Registry-Based State Tracking

After execution, the script stores detailed information in the registry:

HKLM:\SOFTWARE\DellBIOSMgmt

Stored values include:

  • LastBIOSPwdChangeAttempt → Timestamp of execution
  • LogFilePath → Location of logs
  • ChangedBy → User account executing the script
  • OutputMessage → CCTK command output
  • ExitCode → Result of the operation

This registry-based tracking acts as a lightweight state management system, allowing future runs to determine whether the operation has already succeeded.


  • Idempotent Execution Design

A key strength of this script is its idempotent behavior.

If the BIOS password has already been successfully updated:

else { Write-Log "Already successful. skipping..." }

This ensures:

  • No repeated password changes
  • Reduced risk of errors
  • Improved efficiency during repeated deployments
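
The skip-if-successful check from the Pre-Execution Validation and Idempotent Execution sections, written as a function that tells "never ran", "failed" and "succeeded" apart whether ExitCode was stored as a string or as a DWORD. This is an added example, not part of the original script; the function name Get-BiosPwdChangeState and the HKCU demo key are hypothetical.

```powershell
function Get-BiosPwdChangeState {
    param([string]$Path = 'HKLM:\SOFTWARE\DellBIOSMgmt')

    # Missing key: the script has never completed a run on this device
    if (-not (Test-Path -LiteralPath $Path)) { return 'NotRun' }

    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $props -or $props.PSObject.Properties.Name -notcontains 'ExitCode') {
        return 'NotRun'
    }

    # Parse the value explicitly. A test such as "!($exitcode)" treats a numeric 0
    # as false, so a DWORD 0 would look like "not run" and trigger another attempt.
    $code = 0
    if (-not [int]::TryParse([string]$props.ExitCode, [ref]$code)) { return 'Failed' }
    if ($code -eq 0) { return 'Succeeded' }
    return 'Failed'
}

# Demo against a throwaway per-user key (hypothetical path), so no admin rights are needed
$demo    = 'HKCU:\Software\ExampleBiosStateDemo'
$results = [ordered]@{}

Remove-Item -LiteralPath $demo -Recurse -Force -ErrorAction SilentlyContinue
$results['no key'] = Get-BiosPwdChangeState -Path $demo

New-Item -Path $demo -Force | Out-Null
$results['key without ExitCode'] = Get-BiosPwdChangeState -Path $demo

New-ItemProperty -Path $demo -Name ExitCode -Value '0' -PropertyType String -Force | Out-Null
$results['ExitCode as string 0'] = Get-BiosPwdChangeState -Path $demo

New-ItemProperty -Path $demo -Name ExitCode -Value 0 -PropertyType DWord -Force | Out-Null
$results['ExitCode as DWORD 0'] = Get-BiosPwdChangeState -Path $demo

# Constructed non-zero value standing in for any failed run
New-ItemProperty -Path $demo -Name ExitCode -Value '1' -PropertyType String -Force | Out-Null
$results['ExitCode as string 1'] = Get-BiosPwdChangeState -Path $demo

Remove-Item -LiteralPath $demo -Recurse -Force
$results
```

In the script, the CCTK call would run only when the function returns something other than 'Succeeded'.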

  • Error Handling and Resilience

The script handles failures gracefully by:

  • Logging all command output
  • Recording exit codes for analysis
  • Allowing retries if previous attempts failed

This design makes troubleshooting easier and ensures reliability in large-scale deployments.


  • Security Considerations

  • Passwords are retrieved securely from Task Sequence variables
  • No hardcoded credentials are stored in the script
  • Execution details are logged without exposing sensitive input values directly

This aligns with enterprise security best practices.
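
One way to keep OldPwd and NewPwd out of the log file and the OutputMessage registry value if the captured tool output ever echoes them, with a guard against an empty NewPwd. This is an added example, not part of the original script; Hide-Secret, the sample passwords and the sample output lines are constructed for illustration and are not real CCTK output.

```powershell
function Hide-Secret {
    param([string]$Text, [string[]]$Secrets)

    # Longest first, so a secret that contains another one is masked whole
    foreach ($s in ($Secrets | Sort-Object -Property Length -Descending)) {
        if ([string]::IsNullOrEmpty($s)) { continue }   # an empty pattern would match everywhere
        $Text = $Text -replace [regex]::Escape($s), '[REDACTED]'
    }
    return $Text
}

# Constructed sample values; in the task sequence these come from
# $tsEnv.Value("OldPwd") and $tsEnv.Value("NewPwd")
$OldPwd = 'Example-Old#1'
$NewPwd = 'Example-New#2'

# Stop before calling cctk.exe if NewPwd is empty, so "--setuppwd=" is never
# passed without a value because a task sequence variable was not set
if ([string]::IsNullOrWhiteSpace($NewPwd)) {
    throw 'NewPwd task sequence variable is empty; refusing to run cctk.exe'
}

# Constructed output that echoes its arguments (illustrative only, not real CCTK output)
$output = @(
    "args: --setuppwd=$NewPwd --valsetuppwd=$OldPwd"
    'status: constructed sample line'
)

# Mask both passwords before anything is written to disk or to the registry
$safeOutput = Hide-Secret -Text "$output" -Secrets $OldPwd, $NewPwd
$safeOutput

# In the script, log and store $safeOutput instead of $output:
#   Write-Log $safeOutput
#   Set-ItemProperty -Path $Regpath -Name "OutputMessage" -Value $safeOutput
```

Redaction covers the log file and the registry value only. The passwords are still passed as cctk.exe arguments, so process-creation logging that records command lines will contain them.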


  • Workflow Summary

  1. Initialize environment and logging
  2. Retrieve BIOS passwords from task sequence
  3. Check registry for previous execution status
  4. Execute CCTK password update command
  5. Capture output and exit code
  6. Write logs and update registry
  7. Skip future runs if already successful

  • Benefits of This Approach

  • Automation: Eliminates manual BIOS password updates
  • Consistency: Ensures standardized configuration across devices
  • Traceability: Full logging and registry tracking
  • Efficiency: Prevents redundant executions
  • Security: Uses controlled and centralized credential handling

  • Conclusion

This script demonstrates a practical and efficient way to manage BIOS password changes in an enterprise environment. By combining PowerShell automation, Dell CCTK, structured logging, and registry-based tracking, it delivers a reliable and scalable solution.

It transforms what is typically a manual and error-prone task into a repeatable, auditable, and secure process, making it well-suited for modern device management strategies.

 

Complete script:

Set-Location $PSScriptRoot

# Task sequence environment (only available while an SCCM task sequence is running)
$tsEnv  = New-Object -ComObject Microsoft.SMS.TSEnvironment
$OldPwd = $tsEnv.Value("OldPwd")
$NewPwd = $tsEnv.Value("NewPwd")

$LogPath = "C:\ProgramData\LogFiles"
$Logfile = "$LogPath\CCTK_BIOSChange_$(Get-Date -Format yyyyMMdd_HHmmss).log"
$Regpath = "HKLM:\SOFTWARE\DellBIOSMgmt"

Function Write-Log {
    param(
        [string]$Message,
        [string]$Level = "Information"
    )
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $entry = "[$timestamp] [$Level] [$Message]"
    Add-Content -Path $Logfile -Value $entry
}

# Create the log directory on first run
if (!(Test-Path $LogPath)) {
    New-Item -Path $LogPath -ItemType Directory -Force | Out-Null
    Write-Log "$LogPath created"
}

# Exit code recorded by the previous run; $null if the key or value does not exist yet
$exitcode = (Get-ItemProperty -Path $Regpath -ErrorAction SilentlyContinue).ExitCode

# Run unless the previous attempt recorded exit code 0
if ($null -eq $exitcode -or "$exitcode" -ne "0") {

    # Run CCTK command, capturing stdout and stderr together
    $output = & ".\cctk.exe" --setuppwd=$NewPwd --valsetuppwd=$OldPwd 2>&1
    $Exit = $LASTEXITCODE

    Write-Log "$output"
    Write-Log "ExitCode: $Exit"

    # Log to registry
    New-Item -Path $Regpath -Force | Out-Null
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Set-ItemProperty -Path $Regpath -Name "LastBIOSPwdChangeAttempt" -Value $timestamp
    Set-ItemProperty -Path $Regpath -Name "LogFilePath" -Value $LogPath
    Set-ItemProperty -Path $Regpath -Name "ChangedBy" -Value "$env:USERNAME"
    Set-ItemProperty -Path $Regpath -Name "OutputMessage" -Value "$output"
    Set-ItemProperty -Path $Regpath -Name "ExitCode" -Value "$Exit"
}
else {
    Write-Log "Already successful. skipping..."
}

Package Folder Structure:


TS Structure:






