To be certain we have a secure system from chip to cloud, it is fundamental that devices boot from a trusted BIOS, which is often referred to as secure boot. HP Connect for Microsoft Endpoint Manager is a cloud application designed to ease the management of UEFI BIOS on supported HP systems. This blog post covers updating the BIOS on HP devices using MEM.
|We need to have control of the boot environment of our managed devices|
Please note: This is not a sponsored post!
HP Connect for MEM
- BIOS Updates
  - Always up to date
  - Critical versions only
  - Specific version
- BIOS Settings
  - Supported on a per-platform basis
- BIOS Authentication
  - HP Sure Admin (HP Sure Admin Infosheet)
- Administrative access to Microsoft Azure
- An appropriate subscription for Microsoft Endpoint Manager which allows the use of Proactive Remediations
Onboarding to HP Connect
- Log in to https://admin.hp.com as a Global Administrator for the tenant.
- Accept the permissions for the organization.
|The Home page for HP Connect for Microsoft Endpoint Manager|
|(device.deviceManufacturer -eq "HP")|
|wmic computersystem get manufacturer|
HP Connect Policies
BIOS Update Policies
- Keep BIOS of all devices always updated
- Deploy only critical BIOS updates
- Establish a rule for a specific device model
Policy to keep all devices always updated
- Navigate to Policies in the left-hand menu of HP Connect for MEM and create a new policy.
- Define a Policy Name, which is the name shown in MEM, and set the policy type to Bios Update.
- As BIOS update method, select to "Keep BIOS of all devices always updated".
- The new policy will now be created, and it can be applied to Azure AD Groups and published to AAD.
- The new proactive remediation policy is now published to MEM.
How is the policy applied?
- BIOS UEFI capsule bin file is downloaded
- The capsule file components are hosted on the UEFI System partition
- UEFI BIOS in device is made aware of the pending update
- On next reboot, UEFI BIOS performs the update
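Because the capsule is only applied at the next reboot, it is useful to verify the result on the device itself rather than trusting the policy status alone. The following Proactive Remediation style detection script is an added example, not code from the original post or from HP Connect; it assumes a placeholder target BIOS version (`$TargetBiosVersion`) that you fill in from the policy you deployed, and it uses the same manufacturer check as the dynamic group rule above, plus the Secure Boot state, reporting non-compliance with exit code 1.

```powershell
# Added example (not from HP Connect or the original post): detection script that
# checks on the client whether the BIOS update has landed and Secure Boot is on.
# Exit code 0 = compliant, 1 = not compliant (Proactive Remediation convention).
$TargetBiosVersion = '01.12.00'   # PLACEHOLDER: expected version for this model

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS

# Same check the dynamic group rule makes, but on the device itself
# (replaces the deprecated 'wmic computersystem get manufacturer').
if ($cs.Manufacturer -notmatch '^HP|Hewlett-Packard') {
    Write-Output "Not an HP device ($($cs.Manufacturer)); policy does not apply"
    exit 0
}

# HP reports strings such as 'S70 Ver. 01.12.00' (constructed sample); extract the
# dotted number so versions compare numerically instead of as strings.
function Get-DottedVersion([string]$s) {
    if ($s -match '(\d+(\.\d+)+)') { return [version]$Matches[1] }
    return $null
}
$current = Get-DottedVersion $bios.SMBIOSBIOSVersion
$target  = Get-DottedVersion $TargetBiosVersion

# Confirm-SecureBootUEFI throws on legacy BIOS or unsupported firmware; treat that as off.
try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

$problems = @()
if ($null -eq $current -or $null -eq $target) {
    $problems += "Cannot parse BIOS version '$($bios.SMBIOSBIOSVersion)'"
} elseif ($current -lt $target) {
    # With the policy applied, this usually means the reboot has not happened yet.
    $problems += "BIOS $current is below target $target (reboot pending?)"
}
if (-not $secureBoot) { $problems += 'Secure Boot is not enabled' }

if ($problems.Count -gt 0) {
    Write-Output ($problems -join '; ')
    exit 1
}
Write-Output "Compliant: BIOS $current, Secure Boot on"
exit 0
```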
A BIOS update policy does not restart the device automatically; the update is therefore not applied until the device is rebooted. Once a BIOS update policy is applied, the device displays a toaster notification message like the following:
The overview for the configured proactive remediation gives information about how the script package is performing on the targeted devices.
|Note the change in the graphs as a new BIOS version is available and updated|