Dell Command | Update Application 4.0.0 encrypted bios password

Both statements are false.

Bios passwords are stored in a serial EEPROM.  BIOS passwords are NEVER IN THE OS or Registry.

Bios passwords also encrypt and lock the hard drive.

Putting new drive will not resolve this as the new drive will become locked and useless as soon as you turn on and don't know the password.

If you call dell support and prove ownership they can give you a unique to your system bypass password.

If you cannot prove ownership they will not help you.

So what are the options to mass update BIOS without giving the bios password to users or entering it manually in DCU? 

Thanks,
Sylvain

Just from what I looked at you can store it in DCU, but Dell also has a tool called PowerShellProvider.  I haven't completed this yet, I'm currently searching for the most secure way to complete the exact task you're asking about.

I don't think this asnwer accurately answers the original poster's question. The OP was refferring to how DCU stores the password when entered manually in dcu-cli.exe. And not about how the BIOS password is stored on the machine it's self. As-in when you enter the Bios Password in the DCU settings when run as admin. Another method is command line however it exposes your password in plain text. There is also a management server that can store the bios password. I would bet both the dcu-cli.exe and the management server likely use the same method (encrypt ans store in the registry). The question is what type of encryption. I'm concerned with the level of security of this feature and will avoid using it until I'm confident it's secure.