BIOS update through HPIA and BitLocker management

AlexandreP
Posted: 25 August 2021 - 2:33pm

Hi all,

We are in the process of setting up a recurring execution of HP Image Assistant on our devices. We are still evaluating the execution mechanism (be it a scheduled task or a recurring advertisement through SCCM); in any case, since most devices are turned off at night, we expect to run HPIA at any moment of the day -- but to prevent service interruption, we will not enforce a device restart until a user initiates it from Windows or a maintenance window occurs at night, whichever comes first.

Problem is, our devices are BitLockered -- there is an Intune policy ensuring that our drives are and stay encrypted. The HP BIOS softpaqs do suspend BitLocker protection when run from HPIA; but we started to observe that on some devices, protection got resumed before the device was restarted, resulting in a user having to enter a recovery key to confirm the changes. We tracked down that protection resumes after a random delay once a BIOS update has been staged, and that a "BitLocker MDM policy Refresh" scheduled task is responsible for this resume.

We got in touch with Microsoft, and they replied that this is expected behavior. If a policy is set to ensure that drives are encrypted, and BitLocker is found in a suspended state during a compliance evaluation, then the "BitLocker MDM policy Refresh" task will resume BitLocker protection.

Which brings this question: how do you manage BIOS updates on active devices (i.e. not during imaging)? Do you enforce a restart immediately after the BIOS update has been staged? How do you manage that on devices that are offline/unreachable during maintenance windows?

Thanks :)

txvalp
Posted: 3 September 2021 - 2:36pm
Re: BIOS update through HPIA and BitLocker management

Yes, if you schedule a reboot to happen immediately, that may be a good approach, if it works for you. Microsoft is probably dismissing this too easily: if you are doing an administrative suspend of BitLocker, there should be a way to inform their tools that it was done on purpose, and it should stay suspended until reboot.

There are some other things you can do, such as controlling which PCRs are used for protection, but these changes should not be done without discussing them with your Cybersecurity team, as it may weaken your protection.

AlexandreP
Posted: 13 September 2021 - 2:19pm
Re: BIOS update through HPIA and BitLocker management

So we filed a Design Change Request to Microsoft to prevent BitLocker protection from resuming when it was suspended, i.e. manually using 'Suspend-BitlockerVolume' or, in this case, through a firmware update installer.

We got a reply that the DCR was declined, and that the behavior is what was expected -- even though the protection was legitimately suspended, the policy is set to require BitLocker, hence it resumed the protection. A note was even added that: "BIOS update should be applied at a time when the machines can be rebooted immediately. We would like to keep the products secured and keeping the machine out of suspended for a time would keep the machine in a vulnerable state". Hum...

Didn't know about Platform Configuration Registers (I'm not very savvy with BitLocker configuration). I always thought that BitLocker protection had to be suspended, no matter what, during a firmware update. If I read the documentation correctly, then by enabling the "Allow Secure Boot for integrity validation" policy, it would not be necessary to suspend BitLocker protection, since the new firmware would be digitally signed by an authorized publisher? Might ask the security team to look at it, then.

We are also starting to look at applying BIOS updates through Windows Update, but per the whitepaper (c06696094 (hp.com)) it seems to be on hold. Maybe the team has encountered the same issue as we did during the test phase!
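The checks that the first and third posts turn on, as an added PowerShell example (this is not code from the thread, from HPIA, or from Microsoft): it reports which PCRs the OS volume's TPM protector is sealed to (a 7,11 profile is what "Allow Secure Boot for integrity validation" gives you and is the case where a signed firmware update does not invalidate the seal; 0,2,4,11 is the legacy profile that does), optionally suspends protection for exactly one reboot the way the softpaq does (the cmdlet is Suspend-BitLocker, with -RebootCount), and then polls for the early resume described above so the device is restarted before a user lands on the recovery screen. Assumptions: the script runs elevated on a device with the BitLocker PowerShell module, the "BitLocker MDM policy Refresh" task lives under \Microsoft\Windows\BitLocker\ (verify on your build), and forcing a restart with a countdown is acceptable in the case where protection has already been resumed.

```powershell
#Requires -RunAsAdministrator
<#
 Added example (not from the thread, HPIA or Microsoft). Guards a staged BIOS
 update on a BitLocker-protected OS volume:
   1. report the PCR validation profile of each TPM-based protector,
   2. with -Suspend, suspend protection for exactly one reboot,
   3. poll until the reboot and react if the MDM policy refresh task
      resumes protection early (the failure mode from the first post).
#>
param(
    [string]$MountPoint     = $env:SystemDrive,  # e.g. "C:"
    [switch]$Suspend,                            # default is report only
    [int]   $MaxWaitMinutes = 240                # how long to tolerate the suspended state
)

$CimNs = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-TpmPcrProfile {
    # PCR list sealed into every TPM-based key protector of the volume, via the
    # Win32_EncryptableVolume::GetKeyProtectorPlatformValidationProfile WMI method.
    param([string]$MountPoint)
    $vol = Get-CimInstance -Namespace $CimNs -ClassName Win32_EncryptableVolume `
                           -Filter "DriveLetter='$MountPoint'"
    $bl  = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($bl.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })) {
        $r = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
                              -Arguments @{ VolumeKeyProtectorID = $kp.KeyProtectorId }
        if ($r.ReturnValue -ne 0) {
            throw ('GetKeyProtectorPlatformValidationProfile failed: 0x{0:X8}' -f $r.ReturnValue)
        }
        $pcrs = @($r.PlatformValidationProfile | ForEach-Object { [int]$_ })
        [pscustomobject]@{
            ProtectorId     = $kp.KeyProtectorId
            Type            = $kp.KeyProtectorType
            PCRs            = ($pcrs -join ',')
            # PCR 7 = Secure Boot policy, PCR 11 = BitLocker access control.
            # PCR 0/2/4 measure firmware code and boot manager and change on a BIOS update.
            SecureBootBound = ($pcrs -contains 7) -and -not ($pcrs -contains 0)
        }
    }
}

function Get-MdmRefreshTaskInfo {
    # The task the first post identified as resuming protection. Task path is an
    # assumption; confirm with: Get-ScheduledTask | Where-Object TaskName -like '*MDM*'
    $t = Get-ScheduledTask -TaskPath '\Microsoft\Windows\BitLocker\' `
                           -TaskName 'BitLocker MDM policy Refresh' -ErrorAction SilentlyContinue
    if ($t) { $t | Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime }
}

function Test-ProtectionOn {
    param([string]$MountPoint)
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -eq 'On'
}

function Start-GuardedRestart {
    param([string]$Reason, [int]$GraceSeconds = 600)
    Write-Warning "Restarting in $GraceSeconds s: $Reason"
    shutdown.exe /r /t $GraceSeconds /c "BIOS update staged; restarting so BitLocker does not ask for a recovery key."
}

# --- Step 1: report -------------------------------------------------------------
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus | Format-Table -AutoSize
Get-TpmPcrProfile -MountPoint $MountPoint | Format-Table -AutoSize
Get-MdmRefreshTaskInfo | Format-Table -AutoSize

if (-not $Suspend) { return }

# --- Step 2: suspend for one reboot, then stage the firmware update -------------
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
# (run HPIA / the BIOS softpaq here; it is not part of this example)

# --- Step 3: watch for an early resume until the reboot happens ----------------
$deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 60
    if (Test-ProtectionOn -MountPoint $MountPoint) {
        # Policy refresh re-armed the TPM protector against the *old* PCR values:
        # the staged firmware would trip recovery at next boot. Re-suspend for the
        # single reboot and take the reboot now rather than leave it to chance.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
        Start-GuardedRestart -Reason 'BitLocker protection was resumed (MDM policy refresh) before the pending reboot'
        return
    }
}
# Window expired with protection still suspended: a suspended volume is the
# "vulnerable state" Microsoft referred to, so do not stretch it further.
Start-GuardedRestart -Reason "BitLocker has been suspended for $MaxWaitMinutes minutes with a staged BIOS update"
```

Run it without -Suspend first: if every TPM protector shows SecureBootBound = True, the update path that keeps Secure Boot enabled and uses a firmware image signed by the same authority does not change PCR 7, which is the condition under which the suspend (and this whole race with the MDM task) becomes unnecessary; if the profile is 0,2,4,11, the suspend is required and the only safe sequencing is suspend, stage, reboot with no gap.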
