Remediating BIOS updates with Microsoft Endpoint Manager Proactive Remediation and HP Client Management Script Library (HPCMSL)

We previously looked at deploying HP Client Management Script Library via Microsoft Endpoint Manager, and also at how to remediate a simple BIOS setting. In this post, we'll look at something slightly more complex: handling HP BIOS updates via the Intune Proactive Remediation feature.

As in the previous blog post, we'll start by crafting the two scripts, detect.ps1 and remediate.ps1. We will use Get-HPBIOSUpdates for both detection and remediation. There are some things to keep in mind:

  • HP Client Management Script Library only supports HP business PCs from around 2016 onwards.

  • PCs that still boot in "legacy" (non-UEFI) mode are not supported. You must be booted in UEFI mode.

  • Windows 10 is the only supported operating system.

  • The script needs Internet access (specifically, ftp.hp.com on port 443). You will need to deploy the appropriate proxy settings for the script to operate.

  • If your BIOS version offers the option to postpone flashing, be very careful. If the user postpones the update in preboot, BitLocker will be re-enabled. You must account for this and disable BitLocker again after the system reboots. The detection script will detect that the previous flash did not complete, and trigger the remediation to disable BitLocker again.

Important: as written, the remediation script calls Get-HPBIOSUpdates to suspend BitLocker for one reboot, if it is active on the system. This means you should attempt to reboot the system soon after the remediation runs, to minimize the time BitLocker is not protecting the drive.


Ok, on with the story.

Detection and remediation scripts

For the detection script, we will determine if the BIOS is up to date. If it is, there is no reason to disturb the user.

Here's our simple detection script. Get-HPBIOSUpdates -check returns $true when the installed BIOS is already current, so the script exits 1 (non-compliant, remediation needed) only when an update is available:

exit ([int](-not (Get-HPBIOSUpdates -check)))

Yep, not very fancy. You could extend this to work around some limitations of the Proactive Remediation feature. For example, suppose you only want remediation to happen on Fridays:

if ((Get-Date).DayOfWeek -eq "Friday") {
    exit ([int](-not (Get-HPBIOSUpdates -check)))
}
exit 0
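A fuller detection script, as an added example that is not from the original post: it checks the prerequisites listed above (UEFI boot, HPCMSL present, HP reachable through the proxy) before asking HP about the BIOS, writes the reason for its verdict as its first output line so it shows up in the Proactive Remediation report, and folds in the maintenance-day gate. It assumes the firmware_type environment variable that Windows sets on UEFI and legacy systems, and the Get-HPBIOSVersion cmdlet from HPCMSL; the maintenance days are a placeholder to adjust.

```powershell
# Added example, not from the original post. Exit 0 = compliant (no remediation),
# exit 1 = remediation needed. The first line written to stdout is what the
# Proactive Remediation report shows as the detection output.
$ErrorActionPreference = 'Stop'
$MaintenanceDays = @('Friday')   # assumption: adjust to your own window

# Prerequisite from the post: legacy (non-UEFI) boot is not supported, so such
# devices are reported compliant rather than flagged for a flash that would
# not work. Windows sets firmware_type to 'UEFI' or 'Legacy'.
if ($env:firmware_type -ne 'UEFI') {
    Write-Output "Skipped: firmware type is '$($env:firmware_type)', not UEFI"
    exit 0
}

# The library must be installed on the device (see the earlier post on
# deploying HPCMSL); module autoloading finds the cmdlet if it is.
if (-not (Get-Command Get-HPBIOSUpdates -ErrorAction SilentlyContinue)) {
    Write-Output "Skipped: HPCMSL (Get-HPBIOSUpdates) not available on this device"
    exit 0
}

# Maintenance window, generalizing the Friday example above.
if ((Get-Date).DayOfWeek.ToString() -notin $MaintenanceDays) {
    Write-Output "Skipped: outside maintenance window ($($MaintenanceDays -join ','))"
    exit 0
}

# Ask HP whether the installed BIOS is current. A network or proxy failure
# must not be mistaken for "update available", or every device that cannot
# reach ftp.hp.com would be pushed into remediation.
try {
    $isCurrent = Get-HPBIOSUpdates -Check
} catch {
    Write-Output "Skipped: could not check ftp.hp.com: $($_.Exception.Message)"
    exit 0
}

$installed = Get-HPBIOSVersion
if ($isCurrent) {
    Write-Output "Compliant: BIOS $installed is current"
    exit 0
}
Write-Output "Update available: installed BIOS $installed is not the latest"
exit 1
```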

Now for the remediation script:

if (-not (Get-HPBIOSUpdates -check))
{
    Get-HPBIOSUpdates -Flash -Bitlocker Suspend -Yes
}
exit 0

The wrapping Get-HPBIOSUpdates -check call here is actually optional, and you could cut down on network traffic by removing it. Without it, the inner Get-HPBIOSUpdates will print a message such as "This system is already running BIOS version xx.xx" and exit gracefully. During preview this worked correctly, but we are showing the safer, more verbose alternative here.


Now switch over to your Intune Endpoint Management console, and go to Reports -> Endpoint Analytics -> Proactive Remediations. Once there, click the "Create Script Package" button:


This will begin the wizard to define your remediation.


Under the Basics tab, fill in the fields to describe your remediation, and click Next.

Under the Settings tab, select the two PowerShell scripts you created before (detect.ps1 and remediate.ps1). Turn on "Run script in 64-bit mode", leave the other settings off, then click 'Next':


Under the Assignments tab, target your remediation to specific device groups, as needed, and click 'Next'.

Finally, on the Review + Create tab, review your work and click 'Create' to complete the process.


That's about it. You may want to review how often your remediation will run (currently it defaults to daily). As mentioned before, you can check this in your script package properties.

Possible enhancements

The Get-HPBIOSUpdates cmdlet also accepts the URL of a local repository, if you prefer to maintain your own repository of BIOS bin files rather than rely on ftp.hp.com. That approach is beyond the scope of this blog post.


Teaser image by Pok Rye, Malaysia, via pexels.com.

Author : txvalp