How to Update HP BIOS on Commercial Platforms

BIOS Updates, a How-To Guide

HP BIOS (aka firmware) manages the hardware on every HP desktop, laptop, and workstation and receives several updates a year. An HP BIOS update includes not only the basic firmware for the motherboard but may also contain updates for individual hardware components that would not operate without their own firmware. When, let's say, the USB-C controller firmware gets updated by its manufacturer (Intel, for example), the new version may be packaged, along with the BIOS and other updates, into a single bin file residing in the BIOS Softpaq.

HP releases BIOS/Firmware updates 3-4 times/year for most platforms. These updates usually benefit users by patching vulnerabilities, fixing known issues, and providing important feature enhancements. With virus and malware attacks on the rise, and now also being attempted against the BIOS, keeping the BIOS updated is critical, and having an update process in place is becoming more important than ever.

NOTE: HP commercial BIOS firmware is cryptographically signed as part of HP's BIOSphere security. This can prevent most attacks where a BIOS update is attempted with a bogus bin file. These kinds of attacks have been increasing, and HP's technology helps prevent them from succeeding.

HP provides several ways to update the BIOS on commercial platforms. This blog will review these options, including:

  • Individual Web Download
  • Via F10 Boot Setup menu
  • Creating a BIOS Package for distribution
  • Using the HP Client Management Script Library
  • With HP Image Assistant
  • Updating with WU

Individual Web Download

HP BIOS/Firmware updates are packaged into a Softpaq, and HP support web pages provide the latest information on BIOS and its download location. 

The HP support site is hosted at Official HP® Support, where you can find the download pages for your device. As an example, here is a search for an HP ZBook 15 G5 Mobile Workstation.

Once there, selecting the ‘Software, Drivers and Firmware’ link leads to the listing that includes the latest BIOS Softpaq for the platform.

When downloading a BIOS Softpaq and running the executable, you will be asked if you want to update the system or create media for installing on other, similar devices. The Softpaq will unpack (by default) to C:\SWsetup and open the dialog to choose your option.

NOTE: HP Image Assistant (HPIA) is a great tool to find and download Softpaqs (including BIOS) for any supported platform and can be used to download and automatically unpack them. The setup can then be executed from the BIOS folder.

If you chose '(*) Update', the installation process will take the bin file (from the unpacked Softpaq location), split it into its various firmware components, and deposit each to the system UEFI partition. To note, the firmware bin file will contain the basic UEFI BIOS, but may also hold other required firmware updates, as mentioned above.

Once the pieces are in place on the UEFI system partition, the installation begins when the device reboots. During the reboot, the BIOS and all other components are installed. The update itself may reboot the device more than once, and for those systems with the HP Sure Start (BIOS self-healing) technology, the final reboot is where a backup copy of the system BIOS and security settings is stored in a secure HP Sure Start space. This backup copy of the BIOS is used to automatically recover should some kind of BIOS failure occur in the future.

NOTE: Due to the size of the firmware contained in the update, HP recommends a minimum system partition size of 300MB, and optimally 500MB to account for future needs.

F10 Setup

HP Commercial BIOS F10 Setup utility can be used to update the BIOS from either a local source (e.g., USB key) or HP.com, if network connectivity is available. For updating directly from HP, the default path that the BIOS will resolve to download the firmware file is preloaded and set up at the factory.

A local update can be initiated by pressing F10 at power-on to enter BIOS Setup and, in the Main menu, selecting ‘Update System BIOS’.

Then select ‘Updating System and Supported Device Firmware Using Local Media’.
 

If the updated BIOS files have been posted to the system UEFI partition or a USB key (see section above for creating the USB key), the update is initiated.

Notice that this dialog shows additional settings to control BIOS updates. The F10 Setup Guide document describes these in detail.

NOTE: HP hosts BIOS for our platforms and a user can effectively download and update the BIOS by selecting '-> Check HP.com for BIOS Updates'. The assumption is that the devices can access the Internet during power-on.
 

Creating a BIOS Package

For customers with Endpoint Management environments who would like to package BIOS updates and push them to HP systems remotely, here are the steps to set it up.

If a BIOS Softpaq is downloaded, you can unpack it by running the Softpaq itself with the options ‘/s /e’. For example:
sp113769 /s /e
which will unpack the contents to C:\SWSETUP\SP113769.

Now that we have the BIOS available, how do we set it up to install silently? The answer is in the CVA file associated with the original BIOS Softpaq (sp113769.cva in our case).

The CVA file is an initialization type of file that contains all the knowledge our tools use to handle the Softpaq, including the silent install instructions. For our purpose, opening sp113769.cva in Notepad, we see the following lines:

With this information, we can create a package that installs the BIOS on the client devices. You will find the ‘HpFirmwareUpdRec.exe’ application in the bin folder. So, all that is left is to package the bin folder, copy it to a PC that needs it, and then run the executable shown above with the runstring options.
 

Using the HP Client Management Script Library (CMSL)

The HP Client Management Script Library provides different methods to update the BIOS/Firmware on HP commercial systems. The CMSL commands are documented online at CMSL.

Updating BIOS from HP.com
 

If updating over the Internet is allowed, then a simple command like the following will do the trick, and can easily be scripted. The first command checks whether there is an update to the installed version of the BIOS, and if so, the BIOS is updated.

# Flash only when -Check reports that the installed BIOS is not the latest
if ( -not (Get-HPBIOSUpdates -Check) ) {
       # Optional runstring additions: -Force, and -Password '<String>' if a BIOS password is set
       Get-HPBIOSUpdates -Flash -Bitlocker suspend
}

The command will find the appropriate firmware Softpaq at HP, download it, and set up the UEFI partition. The -Bitlocker option can be used to suspend drive encryption so the next reboot will not require recovery action. The attractiveness of this command is that it has the intelligence to determine the correct BIOS for the system.

If the BIOS is protected with a password, Get-HPBiosUpdates allows the password to be passed as a runstring option, as shown above. NOTE: Use single quotes around the password to prevent PowerShell from interpreting special characters in the string.

 

Updating BIOS from company source

For customers that want more control of the BIOS/Firmware update process, or perhaps because Internet downloads are disallowed, the following CMSL method allows the BIOS/Firmware bin file to be used for the update. IT downloads the BIOS bin file for a required platform, creates a package that runs a CMSL command with the bin file on each endpoint, and sends the command and bin file to each device needing the update.

The steps would then be

Download the BIOS bin file for a specific platform (the next example is for an HP ZBook 15 G5, motherboard ID/SysID: 842A). This command will download the latest version of the BIOS bin file:

Get-HPBIOSUpdates -Platform 842A -Download -SaveAs <String> -Quiet

Next, create a package to copy the bin file to the device and run this command to update the BIOS. The password string can be included:

Update-HPFirmware [[-Password] <String>] Q70_011600.bin

If the BIOS is password protected, the Update-HPFirmware command allows the password to be added as a runstring option, as shown above.
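The company-source steps above, as an added example (not HP's or the author's code): the endpoint checks that the bin file it received is byte-identical to the one IT downloaded and that it was built for this platform before handing it to Update-HPFirmware. This complements the firmware signature check described in the NOTE near the top of the page. The function names and paths are hypothetical; Get-HPDeviceProductID and Get-HPBIOSVersion are CMSL cmdlets not otherwise used on this page, and Get-FileHash is built into PowerShell.

```powershell
# Added example, not HP's code. Function names and paths are hypothetical;
# the HP CMSL modules must already be installed on both machines.
Import-Module HPCMSL

# IT side: download the bin for one platform and return its SHA-256, to be
# recorded in the deployment tool (not stored next to the bin file).
function Save-BiosPackage {
    param([string]$Platform, [string]$BinPath)
    Get-HPBIOSUpdates -Platform $Platform -Download -SaveAs $BinPath -Quiet | Out-Null
    (Get-FileHash -LiteralPath $BinPath -Algorithm SHA256).Hash
}

# Endpoint side: returns $null when the package may be handed to
# Update-HPFirmware, otherwise the reason it was rejected.
function Test-BiosPackage {
    param([string]$Platform, [string]$BinPath, [string]$ExpectedSha256)
    if (-not (Test-Path -LiteralPath $BinPath -PathType Leaf)) { return 'bin file missing' }
    if ($ExpectedSha256 -notmatch '^[0-9A-Fa-f]{64}$') { return 'expected hash is not a SHA-256 value' }

    # The copy on the endpoint must be byte-identical to what IT downloaded.
    $actual = (Get-FileHash -LiteralPath $BinPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { return "hash mismatch, got $actual" }

    # The bin was downloaded for one SysID; do not offer it to another platform.
    $sysId = Get-HPDeviceProductID
    if ($sysId -ne $Platform) { return "package is for $Platform, device is $sysId" }
    return $null
}

function Install-BiosPackage {
    param([string]$Platform, [string]$BinPath, [string]$ExpectedSha256, [string]$Password)
    $reason = Test-BiosPackage -Platform $Platform -BinPath $BinPath -ExpectedSha256 $ExpectedSha256
    if ($reason) { throw "BIOS update skipped: $reason" }

    Write-Host "BIOS version before update: $(Get-HPBIOSVersion)"
    $flashArgs = @{ File = $BinPath }
    if ($Password) { $flashArgs.Password = $Password }   # only when a BIOS password is set
    Update-HPFirmware @flashArgs
}

# IT:       $hash = Save-BiosPackage -Platform 842A -BinPath D:\Repo\842A.bin
# Endpoint: Install-BiosPackage -Platform 842A -BinPath C:\Staging\842A.bin -ExpectedSha256 $hash
```

Carrying the expected hash in the deployment job rather than in a file beside the bin means that someone who can modify the package share cannot also replace the value it is checked against.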

 
Installing the CMSL modules on HP devices
 

The CMSL modules Softpaq can be unpacked and installed on ALL supported HP commercial systems (the supported product list is the same as for HP Image Assistant). An easy installation option is to copy the folder of the unpacked CMSL Softpaq to each client at:

%ProgramFiles%\WindowsPowerShell\Modules

Then, a script can simply import the modules with

Import-module HPCMSL

and use any of the available commands

HP Image Assistant (HPIA)

HP Image Assistant (HPIA) can perform BIOS updates by itself and be scripted to run silently on a supported HP client device. Here is the list of supported platforms. IT Administrators can package HPIA to run directly on each client from a local path or a remote share. HPIA does not require installation, so it will execute directly from the folder it is run from.

The following command will update the BIOS (and ONLY the BIOS) of the system it is running on, but only if required:

cd ..\HPIA_Path
.\HPImageAssistant.exe /Operation:Analyze /Category:BIOS /action:Install /silent /reportFolder:c:\HPIA\Report /Debug

The /Debug option is not required, but it is always useful, as it generates an additional detailed log with much more information for troubleshooting installation issues.

HP Image Assistant can also pull BIOS update files from a company share folder (acting as a repository). When the HPIA command includes the runstring option ‘/Offlinemode:<path_to_repo>’, it will reach out to the path listed instead of contacting HP. Details on creating and maintaining an HPIA repository folder are described in this blog.

NOTE: If the HP CMSL is installed on a client device, you can use a CMSL command to download HPIA and install it (e.g., unpack it to a folder of your choosing) so that it is available for use.

import-module hpcmsl
Install-HPImageAssistant -Extract [[-DestinationPath] <String>]

 

Updating via WU

At the time a BIOS update is packaged into an HP Softpaq and posted on HP's FTP, the contents of the Softpaq (not the Softpaq itself) are uploaded to Microsoft's Windows Update database. Windows Update can then make the BIOS firmware available to devices that are scanning against it. Note that Microsoft has built telemetry into the process that might hide certain updates, including BIOS/firmware, if the telemetry shows that a number of failures were encountered.

For devices with Windows 10 Pro, WU will scan on its regular schedule, and if a BIOS update is available in the backend, it will be offered and applied. Enterprises that are managing updates via Windows Update for Business have to enable these updates to apply via WU on end-user devices.

 

Author : dan.felman