Lenovo BIOS Certificates PowerShell Module Reference

  • Module: Lenovo.BIOS.Certificates
  • Version: 1.0.8
  • Author: Devin McDermott
  • Company: Lenovo
  • Description: This PowerShell module provides easy access to the Lenovo Certificate WMI classes.

Overview

The Lenovo BIOS Certificates module enables secure management of BIOS settings and certificates on Lenovo devices through WMI (Windows Management Instrumentation). The module supports both local private key files and Azure Key Vault integration for signing BIOS commands.

Prerequisites

  • Administrator privileges required - The module requires running PowerShell as Administrator
  • Supported file formats: DER and PEM for certificates and private keys
  • Azure integration (optional): Requires Az.Accounts and Az.KeyVault modules

Exported Cmdlets

1. Get-LnvSignedWmiCommand

Synopsis: Creates the WMI parameter for the specified class with the signature from your private key.

Description: This cmdlet makes the appropriate parameter for the specified method. Required parameters are the KeyFile location (or Azure Key Vault details) and the Method name. Other parameters will be determined based on the Method parameter.

Parameters:

Parameter | Type | Required | Parameter Set | Description
KeyFile | String | Yes | LocalFile | The location of the private key you wish to use to sign the command
VaultName | String | Yes | Azure | The name of the Azure Key Vault containing the key
KeyName | String | Yes | Azure | The name of the key in Azure Key Vault
Method | String | Yes | Both | The name of the class that you wish to use
SettingName | String | Conditional | Both | Method: SetBiosSetting - The name of the setting you wish to change
SettingValue | String | Conditional | Both | Method: SetBiosSetting - The value of the setting you wish to change
MachineSerial | String | Conditional | Both | Method: ClearBiosCertificate - The serial of the machine which you want to clear the certificate from
Password | String | Conditional | Both | Method: ChangeBiosCertificateToPassword - The password that you want to set instead of the current certificate
NewCertFile | String | Conditional | Both | Method: UpdateBiosCertificate - The new certificate file to replace the one currently set
FunctionName | String | Conditional | Both | Method: SetFunctionRequest - The name of the function you wish to call
FunctionValue | String | Conditional | Both | Method: SetFunctionRequest - The value of the function call

Valid Methods:

  • SetBiosSetting - Set a BIOS setting
  • SaveBiosSettings - Save BIOS settings
  • ClearBiosCertificate - Clear BIOS certificate
  • ChangeBiosCertificateToPassword - Change certificate authentication to password
  • LoadDefaultSettings - Load default BIOS settings
  • LoadFactoryDefaultSettings - Load factory default settings
  • UpdateBiosCertificate - Update BIOS certificate
  • SetFunctionRequest - Execute a specific function request
  • LoadCustomDefaultSettings - Load custom default settings
  • SaveCustomDefaultSettings - Save custom default settings

Valid Function Names for SetFunctionRequest:

  • ClearSecurityChip
  • ResetFingerprintData
  • ResettoSetupMode
  • RestoreFactoryKeys
  • ClearAllSecureBootKeys
  • ResetSystemToFactoryDefaults

Examples:

# Set a BIOS setting using local key file
Get-LnvSignedWmiCommand -Method SetBiosSetting -KeyFile "C:\Keys\private.pem" -SettingName "WakeOnLAN" -SettingValue "Enable"

# Save BIOS settings using Azure Key Vault
Get-LnvSignedWmiCommand -Method SaveBiosSettings -VaultName "MyVault" -KeyName "MySigningKey"

# Clear BIOS certificate
Get-LnvSignedWmiCommand -Method ClearBiosCertificate -KeyFile "C:\Keys\private.pem" -MachineSerial "PC123456"

# Change certificate to password authentication
Get-LnvSignedWmiCommand -Method ChangeBiosCertificateToPassword -KeyFile "C:\Keys\private.pem" -Password "MySecurePassword"

# Update BIOS certificate
Get-LnvSignedWmiCommand -Method UpdateBiosCertificate -KeyFile "C:\Keys\private.pem" -NewCertFile "C:\Certs\newcert.pem"

# Execute function request
Get-LnvSignedWmiCommand -Method SetFunctionRequest -KeyFile "C:\Keys\private.pem" -FunctionName "ClearSecurityChip" -FunctionValue "Yes"

Output: Returns a signed WMI command string that can be used with Submit-LnvBiosChange.


2. Submit-LnvBiosChange

Synopsis: Calls a WMI method with the provided parameters.

Description: Sends an invoke command to the specified class with the provided parameters.

Parameters:

Parameter | Type | Required | Description
Command | String | Yes | A string generated by Get-LnvSignedWmiCommand or a string in the format ClassName[,Parameters]

Examples:

# Using a signed command from Get-LnvSignedWmiCommand
$signedCommand = Get-LnvSignedWmiCommand -Method SetBiosSetting -KeyFile "C:\Keys\private.pem" -SettingName "WakeOnLAN" -SettingValue "Enable"
Submit-LnvBiosChange -Command $signedCommand

# Using direct command format
Submit-LnvBiosChange -Command "Lenovo_SetBiosSetting,WakeOnLAN,Enable"

3. Submit-LnvBiosConfigFile

Synopsis: Applies all signed commands in a file to the machine.

Description: Reads the file with signed WMI commands and applies each one to the machine.

Parameters:

Parameter | Type | Required | Description
ConfigFile | String | Yes | The path to the config file containing signed commands

Examples:

Submit-LnvBiosConfigFile -ConfigFile "C:\Config\SignedCommands.ini"

File Format: The config file should contain one signed WMI command per line, typically generated by Convert-LnvBiosConfigFile.


4. Convert-LnvBiosConfigFile

Synopsis: Converts a BIOS configuration file into signed WMI commands.

Description: Takes a configuration file with BIOS settings and converts each setting into a signed WMI command using the specified private key or Azure Key Vault key.

Parameters:

Parameter | Type | Required | Parameter Set | Description
ConfigFile | String | Yes | Both | The path to the configuration file
KeyFile | String | Yes | LocalFile | The path to the private key file
VaultName | String | Yes | Azure | The name of the Azure Key Vault
KeyName | String | Yes | Azure | The name of the key in Azure Key Vault
OutFileName | String | No | Both | Optional output file name (defaults to "Signed" + original filename)

Examples:

# Convert config file using local key
Convert-LnvBiosConfigFile -ConfigFile "C:\Config\BiosSettings.ini" -KeyFile "C:\Keys\private.pem" -OutFileName "SignedSettings.ini"

# Convert config file using Azure Key Vault
Convert-LnvBiosConfigFile -ConfigFile "C:\Config\BiosSettings.ini" -VaultName "MyVault" -KeyName "MySigningKey"

Input File Format: The configuration file should contain settings in the format:

SettingName,SettingValue
WakeOnLAN,Enable
SecureBoot,Disable
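
A pre-signing review of this input file, as an added example that is not part of the Lenovo module: the function name Test-LnvConfigBeforeSigning, its review list and the sample file are assumptions made here. It checks each line against the SettingName,SettingValue form and flags repeated settings and values that weaken a security control, so those lines are caught before Convert-LnvBiosConfigFile signs them.

```powershell
# Added example; Test-LnvConfigBeforeSigning is hypothetical, not a module cmdlet.
function Test-LnvConfigBeforeSigning {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ConfigFile,
        # Assumed review list: setting/value pairs that need explicit approval.
        [hashtable]$ReviewList = @{ 'SecureBoot' = 'Disable' }
    )
    $seen = @{}      # setting name -> first line number it appeared on
    $lineNo = 0
    foreach ($raw in Get-Content -LiteralPath $ConfigFile) {
        $lineNo++
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        $parts = $line -split ',', 2          # at most two fields: name, value
        $name  = $parts[0].Trim()
        $value = if ($parts.Count -eq 2) { $parts[1].Trim() } else { '' }
        $issues = @()
        if ($name -eq '' -or $value -eq '') {
            $issues += 'not in SettingName,SettingValue form'
        }
        if ($name -ne '' -and $seen.ContainsKey($name)) {
            $issues += "repeats the setting from line $($seen[$name])"
        } elseif ($name -ne '') { $seen[$name] = $lineNo }
        if ($ReviewList.ContainsKey($name) -and $ReviewList[$name] -eq $value) {
            $issues += 'weakens a security control, needs approval'
        }
        [pscustomobject]@{
            Line = $lineNo; Setting = $name; Value = $value
            Ok = ($issues.Count -eq 0); Issues = ($issues -join '; ')
        }
    }
}

# Constructed sample input, reusing the setting names shown on this page.
$sample = Join-Path $env:TEMP 'BiosSettings.sample.ini'
@'
WakeOnLAN,Enable
SecureBoot,Disable
VirtualizationTechnology
WakeOnLAN,Disable
'@ | Set-Content -LiteralPath $sample

$report = Test-LnvConfigBeforeSigning -ConfigFile $sample
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'Do not sign this file until the flagged lines are resolved.'
}
```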

5. Get-LnvUnlockCode

Synopsis: Retrieves the unlock code from an unlock file.

Description: Retrieves the unlock code from an unlock file using the specified private key.

Parameters:

Parameter | Type | Required | Parameter Set | Description
UnlockFile | String | Yes | Both | The path to the unlock file
KeyFile | String | Yes | LocalFile | The path to the private key file
VaultName | String | No | Azure | The name of the Azure Key Vault
KeyName | String | No | Azure | The name of the key in Azure Key Vault

Examples:

# Get unlock code using local key file
Get-LnvUnlockCode -UnlockFile "C:\Unlock\unlock.dat" -KeyFile "C:\Keys\private.pem"

# Get unlock code using Azure Key Vault
Get-LnvUnlockCode -UnlockFile "C:\Unlock\unlock.dat" -VaultName "MyVault" -KeyName "MySigningKey"

Output: Returns the decrypted unlock code as a string.


6. Set-LnvBiosCertificate

Synopsis: Sets a BIOS certificate on the system.

Description: Installs or updates a BIOS certificate from either a local file or Azure Key Vault.

Parameters:

Parameter | Type | Required | Parameter Set | Description
CertFile | String | Yes | LocalFile | The path to the certificate file
VaultName | String | Yes | Azure | The name of the Azure Key Vault
VaultCertificateName | String | Yes | Azure | The name of the certificate in Azure Key Vault
Pass | String | No | Both | Optional password for the certificate
CertType | String | No | Both | Certificate type: "Unspecified", "SVC", or "SMC"

Examples:

# Set certificate from local file
Set-LnvBiosCertificate -CertFile "C:\Certs\bios.pem"

# Set certificate with password
Set-LnvBiosCertificate -CertFile "C:\Certs\bios.pem" -Pass "CertPassword" -CertType "SVC"

# Set certificate from Azure Key Vault
Set-LnvBiosCertificate -VaultName "MyVault" -VaultCertificateName "BiosCert"

Note: This cmdlet supports -WhatIf and -Confirm parameters for safety.


7. Test-LnvCheckForAzureModule

Synopsis: Checks if the specified Azure module is installed.

Description: Verifies whether a specific Azure PowerShell module is available on the system.

Parameters:

Parameter | Type | Required | Description
ModuleName | String | Yes | The name of the Azure module to check for

Examples:

# Check if Az.Accounts module is installed
Test-LnvCheckForAzureModule -ModuleName "Az.Accounts"

# Check if Az.KeyVault module is installed
Test-LnvCheckForAzureModule -ModuleName "Az.KeyVault"

Output: Returns $true if the module is installed, $false otherwise.


Common Usage Patterns

1. Basic BIOS Setting Management

# Generate signed command
$command = Get-LnvSignedWmiCommand -Method SetBiosSetting -KeyFile "C:\Keys\private.pem" -SettingName "WakeOnLAN" -SettingValue "Enable"

# Apply the setting
Submit-LnvBiosChange -Command $command

# Save settings to make them persistent
$saveCommand = Get-LnvSignedWmiCommand -Method SaveBiosSettings -KeyFile "C:\Keys\private.pem"
Submit-LnvBiosChange -Command $saveCommand

2. Batch Configuration Management

# Create a configuration file with multiple settings
$configFile = "C:\Config\BiosSettings.ini"
@"
WakeOnLAN,Enable
SecureBoot,Disable
VirtualizationTechnology,Enable
"@ | Out-File $configFile

# Convert to signed commands
Convert-LnvBiosConfigFile -ConfigFile $configFile -KeyFile "C:\Keys\private.pem"

# Apply all signed commands
Submit-LnvBiosConfigFile -ConfigFile "C:\Config\SignedBiosSettings.ini"

3. Azure Key Vault Integration

# Ensure Azure modules are available
if (-not (Test-LnvCheckForAzureModule "Az.Accounts") -or -not (Test-LnvCheckForAzureModule "Az.KeyVault")) {
    Write-Error "Required Azure modules not found. Please install Az.Accounts and Az.KeyVault"
    return
}

# Connect to Azure (if not already connected)
Connect-AzAccount

# Use Azure Key Vault for signing
$command = Get-LnvSignedWmiCommand -Method SetBiosSetting -VaultName "MyKeyVault" -KeyName "BiosSigningKey" -SettingName "WakeOnLAN" -SettingValue "Enable"
Submit-LnvBiosChange -Command $command

4. Certificate Management

# Set a new BIOS certificate
Set-LnvBiosCertificate -CertFile "C:\Certs\newcert.pem" -CertType "SVC"

# Update existing certificate using signed command
$updateCommand = Get-LnvSignedWmiCommand -Method UpdateBiosCertificate -KeyFile "C:\Keys\private.pem" -NewCertFile "C:\Certs\updated.pem"
Submit-LnvBiosChange -Command $updateCommand

Error Handling

The module implements comprehensive error handling and logging. Common error scenarios include:

  • File not found: Invalid paths to key files, certificate files, or configuration files
  • Invalid file format: Only DER and PEM formats are supported for keys and certificates
  • Empty files: The module validates that files contain actual data
  • Azure connectivity: Azure-related functions require an active Azure connection
  • Permissions: Administrator privileges are required for BIOS operations
  • WMI errors: Issues communicating with the Lenovo WMI classes

All functions log their activities and errors for troubleshooting purposes.


Security Considerations

  • Private Key Security: Keep private key files secure and limit access
  • Certificate Validation: Ensure certificates are from trusted sources
  • Administrator Rights: The module requires elevated privileges
  • Azure Security: When using Azure Key Vault, ensure proper access policies
  • Command Signing: All BIOS commands must be properly signed for security
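
One way to check the "limit access" point for a local signing key, as an added example that is not part of the Lenovo module: the function name Get-LnvKeyFileExposure and the allowed-SID policy are assumptions made here. It lists every Allow entry on the key file's ACL that belongs to an identity outside that set.

```powershell
# Added example; Get-LnvKeyFileExposure is hypothetical, not a module cmdlet.
function Get-LnvKeyFileExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$KeyFile,
        # Assumed policy: only SYSTEM, local Administrators and the caller may hold access.
        [string[]]$AllowedSid = @(
            'S-1-5-18',        # NT AUTHORITY\SYSTEM
            'S-1-5-32-544',    # BUILTIN\Administrators
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        )
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $KeyFile
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so the check does not depend on localized account names.
        try   { $sid = $rule.IdentityReference.Translate($sidType).Value }
        catch { $sid = $rule.IdentityReference.Value }   # unresolvable account
        if ($AllowedSid -notcontains $sid) {
            [pscustomobject]@{
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed stand-in for a key file so the check can be run anywhere.
$demoKey = Join-Path $env:TEMP 'private.sample.pem'
Set-Content -LiteralPath $demoKey -Value 'placeholder, not a real key'

$exposed = @(Get-LnvKeyFileExposure -KeyFile $demoKey)
if ($exposed.Count -gt 0) {
    $exposed | Format-Table -AutoSize
    Write-Warning "$demoKey is accessible to identities outside the allowed set."
}
```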

Module Files and Directories

The module creates and uses the following directory structure:

%ProgramData%\Lenovo\
├── BIOSCertificates\
│   ├── Logs\          # Module operation logs
│   └── Output\        # Generated signed command files

Version History

Version 1.0.8

  • Initial public release with Azure Key Vault support and enhanced functionality

Version 1.0.7

  • Technical Preview release adding Azure Key Vault support

Version 1.0.6

  • Technical Preview release

For additional support or questions, please visit Lenovo's Enterprise Client Management Forum.