Provisioning a HP Sure Recover Custom Image in a Modern Managed Cloud Environment
The hybrid working environment, where users are working from home or are not at a fixed desk location, poses additional challenges for IT resilience. One of those areas is the recovery of a non-functional device that requires a fresh Windows image to get the end user productive again.
In a traditional office environment, IT has been less challenged by recovery and the plan for many organizations would be to send an on-site technician to the user’s desk with a flash drive to re-image the user’s PC. In a scenario where ransomware has most of an organization’s PC estate failing to boot, IT could become quickly overwhelmed. Modern managed devices also set new expectations, and home-based workers expect their devices to be managed and software issues resolved without the need to travel into an office.
HP Sure Recover is built into the hardware & firmware of selected HP business devices and helps to securely install the operating system from a network location.
When the system drive does not contain a bootable operating system, the user is given a prompt to begin network-based recovery. Sure Recover will re-format the drive, download the recovery agent, and re-install an operating system. The whole process is completed securely with the HP Endpoint Security Controller providing a hardened root of trust to validate the image.
For remote users, the recovery image can be provided through cloud infrastructure such as Azure. This allows for scenarios such as a user’s modern managed laptop to recover when traveling, or a branch office location to have access to the recovery image over the internet instead of in-branch infrastructure.
Further details on HP Sure Recover architecture can be found in the whitepaper.
Creating a Sure Recover file hosting server
Sure Recover requires both an Agent and an OS image for recovery. The agent is the WinPE (boot.wim) image used to deploy the operating system image. The OS is your custom operating system image (install.wim). These files are hosted on an FTP or HTTP server, along with manifest files to verify their integrity. When Sure Recover is configured with the URL location, it will read the manifest to understand which files to download for the recovery process.
While the choice of server configuration is flexible, in this example we are using the FTP service of the IIS role on a standalone Azure-hosted Windows server.
1. To begin, we type Virtual Machines into the Azure Portal search box and click ‘Create’ to create a new virtual machine.
2. We select the correct subscription for billing and create a new Resource Group. A separate Resource Group allows us to hold all our resources for the solution together.
3. The instance details can be customized to your requirements. A server hosting the image files does not require massive resources and there is not a mandated operating system. In this demo, we use a ‘D2s_v3’ virtual machine with Windows Server 2019 as the operating system. For a lab environment, a smaller virtual machine such as ‘B2s’ is sufficient to run the FTP service.
4. Next we can go ahead and configure the remaining virtual machine settings for our requirements. Additional settings include disk requirements and networking settings. For our demo, we used a new Network Security Group with its own VNet.
Note: this is a lab environment for testing, and a production deployment will have significantly more security controls in place. Your environment should be validated in line with corporate guidelines and security best practice.
When we click ‘Create’ Azure will deploy all the necessary components to our Resource Group, allowing for easy management of all the resources in the solution.
5. Once the virtual machine has been provisioned, we can modify any additional settings by selecting the resource from the Azure Portal. By default, our virtual machine does not have a static IP and will be dynamically assigned a new address each time the virtual machine is started.
For Sure Recover, the endpoint device will be configured to use a static recovery location.
Open the Public IP address resource and navigate to Configuration Settings. We can set a static IP, or use the DNS name label option instead.
Once our virtual machine is provisioned, we can set up our FTP or HTTP server to host the recovery files. No specific server is required, and popular choices such as FileZilla can be used. For our example, we will be using the FTP server built into Windows Internet Information Services.
1. Use Server Manager to install the FTP role.
- Manage > Add Roles & Features > Role-based > Web Server (IIS).
Proceed to install and wait for the Wizard to complete.
2. With the IIS & FTP role installed, we can go ahead and create a new FTP site inside IIS Manager by right-clicking on Sites. We set the physical path to a new Sure Recover folder and did not use SSL (Sure Recover supports HTTP & FTP). Any additional settings such as the FTP port, authenticated users, and security settings can be configured when creating the site.
The login details of an authenticated user will be used by Sure Recover to access the server.
3. If IIS is used as the hosting solution, we need to add MIME entries configured as “Application/octet-stream” for the following:
Network Firewall settings
Inside our virtual machine, we need to configure the firewall settings for the FTP server. The data channel port range is used for downloading files over the FTP connection and set at the server root level.
The external IP address is the Public IP address listed inside the overview for the virtual machine in the Azure Portal.
When the FTP role is installed on the Virtual Machine, Windows Firewall automatically sets up the inbound rules to allow traffic through.
Remember, if you set a dynamic IP address in Azure, the external IP address will change each time the virtual machine is started and the firewall setting will need to be modified.
Further details on configuring IIS Firewall settings.
Inside the Azure Portal, we must also set up the firewall settings to allow FTP traffic. We are using a Network Security Group, so the changes will affect all the resources inside the NSG.
The ports are set to Allow in the inbound rule settings and must match the ports chosen in your FTP configuration. We used the default port 21 for the command port and the range 60000-65000 for our data ports.
Creating a recovery image
With our infrastructure in place, the next step is to get both of our recovery images set up and copied across to the FTP storage location. As well as the image files, Sure Recover requires a few extra components to allow the images to be securely downloaded.
Manifest file – When Sure Recover is configured it will first read the manifest file, which must also be uploaded to the FTP location. The manifest is used to verify the integrity of the file content before it is downloaded.
Signature file – The manifest is signed to prevent modification, and a signature file is generated. The signature file must be present along with the manifest in our storage location.
The HP Agent or a Custom Agent can be used with Sure Recover. As the HP Agent works with a custom OS image, it is easiest to use the HP Agent as we will be doing here.
The ‘HP Sure Recover Agent Package’ can be found on the driver download page for each supported platform. The current version is sp113105.
Download and extract the package using 7-Zip or a similar tool. Inside is a folder called ‘HP Sure Recover Agent’ that contains all the components needed for the recovery agent. The entire contents of this folder can be copied across to a folder named Agent in the FTP directory root.
The second folder inside the extracted SoftPaq contains the Sure Recover Agent Public Key (hpsr_agent_public_key.pem), which is used to verify the agent's signature file (recovery.sig).
Keep the key for when we provision the device, but it does not need to be uploaded to the FTP directory.
Operating system image
The operating system image can be made up of a single custom WIM or a split SWM. As we are using Azure’s cloud infrastructure for this demo, we will use a single WIM file. We need to end up with a file structure similar to our recovery agent's, where our storage location contains the image files along with the manifest and signature file.
A detailed whitepaper including scripts on generating all of the necessary components can be found here: HP Sure Recover User Guide. At a high level, the steps include:
Once our custom WIM file is ready we need to generate the manifest file. The whitepaper above contains a PowerShell script (page 6) to create the manifest. Once the script has run, we can open the manifest. Inside we can see details of each file used in our custom image and the checksums.
Manifest signature file
With the manifest file created we can sign it and generate the manifest signature file. The previous whitepaper contains a detailed breakdown of how to generate the signature file on page 8. We use OpenSSL to first generate a public and private key pair.
The signature file is then generated based on the private key file and the result is a .sig file. We use the public key when provisioning Sure Recover on the device to verify the signature has been signed by the private key.
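An added example, not from the page or the HP user guide, of the OpenSSL key pair, signing and verification steps above: it signs a constructed manifest with a private key, verifies the resulting .sig against the public key the way the device does at recovery time, and shows that a manifest edited after signing no longer verifies. The file names (OSPrivKey.pem, OSPubKey.pem, image.mft, image.sig), the RSA-2048/SHA-256 choice and the manifest line format are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the page's or the HP user guide's own script).
# Assumptions: openssl is in PATH; RSA-2048 with SHA-256 (the page does not
# state key size or digest); the manifest contents are constructed sample
# data, not the real HP manifest layout.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Key pair: the private key signs the manifest; the public key is the
#    file later passed as -PublicKeyFile when provisioning the device.
gen_keys() {
  openssl genrsa -out "$WORK/OSPrivKey.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/OSPrivKey.pem" -pubout -out "$WORK/OSPubKey.pem" 2>/dev/null
}

# 2. Constructed manifest: one line per image file with its SHA-256 and
#    byte size, standing in for the manifest the HP script generates.
make_manifest() {
  printf 'constructed stand-in for install.wim' > "$WORK/install.wim"
  sha=$(openssl dgst -sha256 -r "$WORK/install.wim" | cut -d' ' -f1)
  size=$(wc -c < "$WORK/install.wim" | tr -d ' ')
  printf '%s install.wim %s\n' "$sha" "$size" > "$WORK/image.mft"
}

# 3. Sign the manifest with the private key; image.sig is uploaded to the
#    OS folder alongside image.mft.
sign_manifest() {
  openssl dgst -sha256 -sign "$WORK/OSPrivKey.pem" -out "$WORK/image.sig" "$WORK/image.mft"
}

# 4. The check the firmware performs with the provisioned public key:
#    succeeds only if image.sig is a valid signature over image.mft.
verify_manifest() {
  openssl dgst -sha256 -verify "$WORK/OSPubKey.pem" -signature "$WORK/image.sig" \
    "$WORK/image.mft" >/dev/null 2>&1
}

# Simulate an attacker editing the hosted manifest after it was signed.
tamper_manifest() {
  printf 'deadbeef evil.wim 1\n' >> "$WORK/image.mft"
}

# Full flow: generate keys, build and sign the manifest, verify it.
run_demo() {
  gen_keys && make_manifest && sign_manifest && verify_manifest
}
run_demo && echo "image.sig verifies against image.mft with OSPubKey.pem"
```

Any change to the manifest after signing, even a single appended line, makes the verification step fail, which is what stops a tampered image list from being used for recovery.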
Once our signature file has been generated, we can create a folder called ‘OS’ in the FTP storage location root directory. The OS image file components can be copied over.
Sure Recover needs to be provisioned on each device with the details on where to access the secure recovery image. By default, if Sure Recover is not provisioned it will use the HP cloud recovery image from hp.com.
The HP manageability features can be configured using several tools depending on your IT environment. We will be using the HP Client Management Script Library (CMSL), a set of PowerShell modules for managing the HP security features. The Script Library can be deployed to devices in advance using Microsoft Endpoint Manager.
Secure Platform Management
The firmware on HP commercial devices uses an underlying foundation called Secure Platform Management (SPM). This foundation doesn’t do much by itself but serves as a secure platform for features such as Sure Admin and Sure Recover.
The first step to enabling Sure Recover is to provision the SPM. The process involves creating two certificates: a signing key certificate, and an endorsement key certificate.
A full post on provisioning the SPM can be found here: Secure Platform Management with the HP Client Management Script Library. We will assume that the SPM has been provisioned and your device shows the state as ‘provisioningInProgress’ or ‘Provisioned’ when running the PowerShell command Get-HPSecurePlatformState.
With the Secure Platform enabled, the device firmware will only accept commands from a signed payload file. First, we must create the payload that will contain details of the Sure Recover configuration. We then set the payload on the device which configures the settings into the firmware.
New-HPSureRecoverImageConfigurationPayload -Image Agent -SigningKeyFile SK.pfx -SigningKeyPassword pass -PublicKeyFile hpsr_agent_public_key.pem -Username LocalAdmin -Password pass -Url "ftp://surerecover-demo.uksouth.cloudapp.azure.com/Agent" -OutputFile Agentpayload.dat
Set-HPSecurePlatformPayload -PayloadFile Agentpayload.dat
New-HPSureRecoverImageConfigurationPayload -Image OS -SigningKeyFile SK.pfx -SigningKeyPassword pass -PublicKeyFile OSPubKey.pem -Username LocalAdmin -Password pass -Url "ftp://surerecover-demo.uksouth.cloudapp.azure.com/OS/image.mft" -OutputFile OSpayload.dat
Set-HPSecurePlatformPayload -PayloadFile OSpayload.dat
By running these PowerShell commands we have created a configuration payload file that contains the URL and login details for the server hosting the Sure Recover files. We then set the payload, which applies the settings in the device firmware. Notice that for the agent we only need to give the directory where the manifest is located. This is because Sure Recover expects the agent manifest to be called ‘recovery.mft’ and will look for this file inside that directory.
To confirm our settings have been applied we can use:
HP Sure Recover is now enabled on the device and will work with an Ethernet cable and an active internet connection.
Using Sure Recover via an Ethernet connection is great, but a challenge with modern managed notebooks is that they are very rarely connected using a wired internet connection. Whether working from an office hot desk or from home, most users will be connected via Wi-Fi.
For 2020 model year platforms, HP integrated a preboot wireless networking capability into the device firmware. Preboot Wi-Fi allows the firmware to connect to a wireless network independently before Windows has launched. In a recovery scenario, this is useful to allow the device to connect to the network even if Windows is no longer able to boot. A user does not have to plug in a wired internet connection and can allow their device to recover connected to the corporate Wi-Fi network.
Not all devices support preboot Wi-Fi and there are some base requirements including specific WLAN cards (Intel AX201, AC-9560) and disabling AMT. Multiple wireless network profiles can be configured, and most authentication methods are supported, except for captive portals.
For mass deployments, pre-boot Wi-Fi can be configured with a WMI script on the device. For our demo, it can also be enabled via the F3 menu during system startup. From the menu, we can select ‘Wi-Fi Configuration’ and then select the MAC address of the NIC to configure the Wi-Fi settings.
In the ‘Manage Wi-Fi Network’ settings, we can also choose to connect automatically or edit the network details later.
Full details on configuring pre-boot Wi-Fi settings, including using WMI scripts, can be found in the Pre-boot Wi-Fi Whitepaper.
With our firmware wireless networking set-up, we need to enable Sure Recover to use Wi-Fi. By default, Sure Recover will use a wired network connection and won’t check over Wi-Fi, even if pre-boot wireless networking is configured.
To enable Sure Recover over Wi-Fi, we need to send another configuration payload to the firmware. This time we will use BIOS flags to change the Sure Recover configuration settings, creating the payload and then setting it as before.
New-HPSureRecoverConfigurationPayload -SigningKeyFile SK.pfx -SigningKeyPassword "Pass" -OSImageFlags NetworkBasedRecovery, WiFi -OutputFile ConfigPayload.dat
Set-HPSecurePlatformPayload -PayloadFile ConfigPayload.dat
With wireless networking set up, our Sure Recover configuration is complete. We can use Get-HPSureRecoverState -All to view the status of our Sure Recover configuration. When everything is set correctly we can see the URL locations for the Agent and OS images, as well as the Wi-Fi setting enabled in the BIOS flags.
Trigger Sure Recover
We can trigger Sure Recover by several methods. Pressing F11 on start-up will bring up the firmware recovery menu. We can select Network Recovery to start the recovery process over a wired or wireless network.
The New-HPSureRecoverTriggerRecoveryPayload command from CMSL can also be used to generate a payload to initiate recovery. As with previous configurations, we must first create the payload and then set it. The recovery process will begin on the next reboot.
New-HPSureRecoverTriggerRecoveryPayload -SigningKeyFile SK.pfx -SigningKeyPassword "Pass" -ErasePolicy EraseSecureStorage -OutputFile TriggerPayload.dat
Set-HPSecurePlatformPayload -PayloadFile TriggerPayload.dat
HP Sure Recover provides a secure method to recover an operating system image where a PC does not have a bootable OS. Combined with the cloud and pre-boot Wi-Fi, a user’s PC can be recovered without the need to connect to a wired network or bring the device to IT.
On HP devices equipped with an optional eMMC Sure Recover module, the recovery image can be pre-staged from the network location in advance. The recovery process can complete, even if a network connection is not available at the time of recovery.