Remediating BIOS updates with Microsoft Endpoint Manager Proactive Remediation and HP Client Management Script Library (HPCMSL)

We previously looked at deploying HP Client Management Script Library via Microsoft Endpoint Manager, and also at how to remediate a simple BIOS setting. In this post, we'll look at something slightly more complex: handling HP BIOS updates via the Intune Proactive Remediation feature.

As in the previous blog post, we'll start by crafting the two scripts, detect.ps1 and remediate.ps1. We will use Get-HPBIOSUpdates for both detection and remediation. There are some things to keep in mind:

  • HP Client Management Script Library only supports HP business products from around 2016 or later.

  • PCs that still boot in "legacy" (non-UEFI) mode are not supported. You must be booted in UEFI mode.

  • Windows 10 is the only supported operating system.

  • The script will need to be able to access the Internet (specifically, ftp.hp.com on port 443). You will need to deploy the appropriate proxy settings for the script to operate.

  • If your version of the BIOS has the option to postpone flashing, be very careful. If the user postpones the update in preboot, BitLocker will be re-enabled. You must account for this and suspend BitLocker again after the system reboots. The detection script will detect that the previous flash did not complete and trigger the remediation to suspend BitLocker again.

Important: as written, the remediation script calls Get-HPBIOSUpdates with -Bitlocker Suspend, which suspends BitLocker for one reboot if it is active on the system. This means you should reboot the system soon after the remediation runs, to minimize the time BitLocker is not protecting the system.

Ok, on with the story.

Detection and remediation scripts

The detection script determines whether the BIOS is up to date. If it is, there is no reason to disturb the user.

Here's our simple detection script:

exit ([int](-not (Get-HPBIOSUpdates -check)))

Yep, not very fancy. You could improve this to compensate for some limitations in the Proactive Remediation feature. For example, suppose you only want remediation to happen on Fridays:

if ((Get-Date).DayOfWeek -eq "Friday") {
    exit ([int](-not (Get-HPBIOSUpdates -check)))
}
exit 0
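The caveat list above (HP business PCs only, UEFI boot, reachable ftp.hp.com:443, module present) can be enforced in the detection script itself so that an unsupported device never triggers a flash. The following detect.ps1 is an added example, not the post's script; it assumes the module is installed under its PowerShell Gallery name HPCMSL and uses the post's Friday window.

```powershell
# detect.ps1 (added example, not from the post): runs the preflight checks from the
# caveat list above before the same Get-HPBIOSUpdates -Check the post relies on.
# Proactive Remediation semantics: exit 1 = run remediate.ps1, exit 0 = compliant.
# Anything written to stdout shows up in the script package's detection output,
# so a skipped device explains itself in the report instead of silently passing.

# HPCMSL supports HP business PCs booted in UEFI mode only.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.Manufacturer -notmatch 'HP|Hewlett') { Write-Output "Not an HP system ($($cs.Manufacturer))"; exit 0 }
if ($env:firmware_type -ne 'UEFI') { Write-Output "Legacy boot mode is not supported"; exit 0 }

# A missing module must not be reported as "update needed".
try { Import-Module HPCMSL -ErrorAction Stop } catch { Write-Output "HPCMSL not available: $_"; exit 0 }

# ftp.hp.com:443 must be reachable (proxy settings must already be in place).
if (-not (Test-NetConnection -ComputerName 'ftp.hp.com' -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
    Write-Output "ftp.hp.com:443 is not reachable"; exit 0
}

# Maintenance window, as in the post's Friday example (assumption: Friday only).
if ((Get-Date).DayOfWeek -ne 'Friday') { Write-Output "Outside maintenance window"; exit 0 }

# Get-HPBIOSUpdates -Check returns $true when the installed BIOS is current.
try { $upToDate = Get-HPBIOSUpdates -Check } catch { Write-Output "Check failed: $_"; exit 0 }

if ($upToDate) { Write-Output "BIOS is up to date"; exit 0 }
Write-Output "BIOS update available; remediation required"
exit 1
```

Every early exit returns 0 on purpose: a device that cannot be flashed safely should show as compliant with a reason in its output, not be queued for remediation.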

Now for the remediation script:

if (-not (Get-HPBIOSUpdates -check))
{
    Get-HPBIOSUpdates -Flash -Bitlocker Suspend -Yes
}
exit 0

The outer Get-HPBIOSUpdates -check call in the remediation script is actually optional, and you could cut down on network traffic by removing it. Without it, the inner Get-HPBIOSUpdates -Flash call prints a message such as "This system is already running BIOS version xx.xx" and exits gracefully. During preview this worked correctly, but we are showing the safer, more verbose alternative here.

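Because the flash suspends BitLocker for one reboot, it helps to record the protection state around the call so the report shows exactly what the remediation did. The following remediate.ps1 is an added example, not the post's script; it assumes the HPCMSL cmdlet Get-HPBIOSSetupPasswordIsSet and the -Password parameter of Get-HPBIOSUpdates (only used with -Flash), the Windows Get-BitLockerVolume cmdlet, and a hypothetical $BiosSetupPassword supplied by your own mechanism.

```powershell
# remediate.ps1 (added example, not from the post): same flash as above, but it
# records BitLocker protection state around the call so the one-reboot suspension
# is visible in the remediation output, and supplies the BIOS setup password only
# when the firmware reports one is set.
# Assumption: $BiosSetupPassword is fetched by your own mechanism; the placeholder
# below is not a working value and a secret should not live in the script body.
$BiosSetupPassword = '<BIOS-SETUP-PASSWORD-PLACEHOLDER>'

Import-Module HPCMSL -ErrorAction Stop

# Same guard as the post's script: nothing to do if already current.
if (Get-HPBIOSUpdates -Check) { Write-Output "BIOS already up to date"; exit 0 }

$osDrive = $env:SystemDrive
$before = (Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue).ProtectionStatus
Write-Output "BitLocker protection on $osDrive before flash: $before"

# Splat the arguments so -Password is passed only when a setup password exists.
$flashArgs = @{ Flash = $true; Bitlocker = 'Suspend'; Yes = $true }
if (Get-HPBIOSSetupPasswordIsSet) { $flashArgs['Password'] = $BiosSetupPassword }

try {
    Get-HPBIOSUpdates @flashArgs
} catch {
    # A non-zero exit marks the remediation as failed in the report.
    Write-Output "Flash failed: $_"; exit 1
}

$after = (Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue).ProtectionStatus
Write-Output "BitLocker protection on $osDrive after staging flash: $after (suspended for one reboot)"
Write-Output "Flash staged; reboot soon to complete it and resume BitLocker"
exit 0
```

The before/after ProtectionStatus lines land in the Proactive Remediation output column, which gives you a per-device record of when BitLocker was suspended and a prompt to follow up with the reboot the post recommends.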
Now switch over to the Microsoft Endpoint Manager (Intune) console, and go to Reports -> Endpoint Analytics -> Proactive Remediations. Once there, click the "Create Script Package" button:

This will begin the wizard to define your remediation.


Under the Basics tab, fill in the fields to describe your remediation, and click Next.

Under the Settings tab, select the two PowerShell scripts you created earlier (detect.ps1 and remediate.ps1). Turn on "run script in 64-bit mode", leave the other settings off, then click 'Next':

Under the Assignments tab, target your remediation to specific device groups, as needed, and click 'Next'.

Finally, on the Review + Create tab, review your work and click 'Create' to complete the process.


That's about it. You may want to review how often your remediation runs (it currently defaults to daily). As mentioned before, you can check this in your script package properties:

Possible enhancements

Get-HPBIOSUpdates accepts the URL of a local repository if you prefer to maintain your own repository of BIOS .bin files rather than rely on ftp.hp.com. That approach is beyond the scope of this blog post.

Teaser image by Pok Rye, Malaysia, via pexels.com.

Author : txvalp

Great post, could you also make one for setting BIOS password with Microsoft Endpoint Manager Proactive Remediation and HP Client Management Script Library ?

Because Get-HPBIOSUpdates -check will trigger if the installed BIOS is newer, and because the BIOS versions returned are 8 months out of date, this code resulted in BIOS rollbacks on all my EliteBook 840 G6s.

@pwoodward, the 'Get-HPBiosUpdates -Check' command returns false if the system BIOS is older than what is available at HP. I am not sure how the check would miss on the BIOS version and return false when you have a newer, or the same, version than available from HP. Do you know what version of the BIOS was already installed and what version it downgraded to? Also, can you run 'Get-HPBiosUpdates -Check' in PS and see what it returns on one of your G6 laptops?

I agree with @pwoodward; it has rolled back EliteBook 840 G6s from R70 Ver. 01.07.02 to R70 Ver. 01.05.03. We only had a few on that version, so it was not a huge deal for us. I do get a return of "This system is already running BIOS version 1.05.03", but if I run $BIOS = Get-SoftpaqList -Bitness 64 -Os win10 -OsVer 2004 | Where {$_.Name -like "*BIOS and System Firmware*"} then $BIOS.Version = 1.07.02; additionally, 20H2 is not recognized with -OsVer. But overall this is awesome stuff. This is more a Microsoft question: is there a way, using Azure KQL or Endpoint analytics, that I can get an inventory of all devices' BIOS versions? It would be ideal if it could be in the hardware blade in Endpoint Manager so we could run reports on it.

CMSL v1.6 final release (now available) should have some protection against unexpected rollbacks. Please evaluate upgrading.

Hi, I am new to this. I have created your suggested remediation process. It works really well, but I need to update the BIOS on 400 HP EliteDesk PCs which have an admin password set for the BIOS. When the PCs reboot, they ask for the BIOS admin password to proceed with the update. Is there a way to stop this happening, as I do not want to give this out to staff? Any help would be appreciated.

@andrew.derrick - the runstring options for the Get-HPBIOSUpdates CMSL command include a password field... you can get details at https://developers.hp.com/hp-client-management/doc/get%E2%80%90hpbiosupdates... the password field is only used with the -flash option