Can't change the values of certain BIOS settings with HP.ClientManagement commands

Author
Message
mhippensteel
Posted: 19 November 2021 - 8:18am
Can't change the values of certain BIOS settings with HP.ClientManagement commands

I am writing a detection/remediation script. Some PCs need the "Configure Legacy Support and Secure Boot" setting to be set to the value "Legacy Support Disable and Secure Boot Enable". When I run

Set-HPBIOSSettingValue -name "Configure Legacy Support and Secure Boot" -Value "Legacy Support Disable and Secure Boot Disable"

it outputs a success message, but when I run

Get-HPBIOSSettingValue -name "Configure Legacy Support and Secure Boot"

it outputs the original setting. This is a recurring problem. Any advice?

txvalp
Posted: 18 January 2022 - 2:00pm
Re: Can't change the values of certain BIOS settings with HP....

Were you able to figure it out? Not sure what would cause this, unless maybe you have some other policy enforcement running that is reverting it.

What system is it on?

mhippensteel
Posted: 19 January 2022 - 6:33am
Re: Can't change the values of certain BIOS settings with HP....

No, we weren't. I tried using the Set HpBiosConfiguration utility with the same results. I think the problem is the RequiresPhysicalPresence property being configured to 1 on some settings. Here is the output object in question from the command

  

Get-HPBIOSSetting -name "Configure Legacy Support and Secure Boot"     


Class                    : HPBIOS_BIOSEnumeration
DisplayInUI              : 1
IsReadOnly               : 0
Name                     : Configure Legacy Support and Secure Boot
Path                     : \Security\Secure Boot Configuration
Prerequisites            : 
PrerequisiteSize         : 0
RequiresPhysicalPresence : 1
SecurityLevel            : 1
Sequence                 : 19010
Value                    : *Legacy Support Enable and Secure Boot Disable,Legacy Support Disable and Secure Boot Enable,Legacy Support Disable and Secure Boot Disable
CurrentValue             : Legacy Support Enable and Secure Boot Disable
PossibleValues           : {Legacy Support Enable and Secure Boot Disable, Legacy Support Disable and Secure Boot Enable, Legacy Support Disable and Secure Boot Disable}
Size                     : 3
Active                   : True
InstanceName             : ACPI\PNP0C14\1_0
PSComputerName           : 

We want to change this to the new value "Legacy Support Disable and Secure Boot Enable". It should be as easy as using the Set-HPBIOSSettingValue command in the script to change it, but it's not. After testing, I think it is because of RequiresPhysicalPresence = 1 that we need to reboot and enter a 4-digit PIN for this new configuration value to take effect. Is this observation correct? Is there any way to truly make this a no-touch modification and bypass or reset 'RequiresPhysicalPresence'?

txvalp
Posted: 19 January 2022 - 8:34am
Re: Can't change the values of certain BIOS settings with HP....

RequiresPhysicalPresence indicates that the user will need to accept the change during POST. If they reject the change, the setting will revert back to its original value.

To bypass this, I believe you can turn off the Physical Presence requirement. However, to turn off Physical Presence, it will still require a one-time PP prompt that you will need to accept, but after that you will not be prompted anymore. However, please keep in mind that turning off physical presence could potentially expose you to remote attacks, so it's not recommended as a security practice.

To turn off physical presence, there is a setting for that; I believe it's called "Physical Presence Interface".

If you choose to go this route, please discuss it with your security team.

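An added example, not part of the thread and not HP's code: a PowerShell pre-check that reads the properties shown in the posted Get-HPBIOSSetting output and reports whether a change can be applied no-touch or will wait for acceptance at POST. The function name Get-BiosRemediationPlan and its status strings are hypothetical, and the sample object is constructed from the output quoted in the thread.

```powershell
# Added example. Classifies a BIOS setting before a remediation script tries to change it.
function Get-BiosRemediationPlan {
    param(
        [Parameter(Mandatory)] $Setting,               # object shaped like Get-HPBIOSSetting output
        [Parameter(Mandatory)] [string] $DesiredValue
    )
    if ($Setting.CurrentValue -eq $DesiredValue)            { return 'Compliant' }
    if ($Setting.PossibleValues -notcontains $DesiredValue) { return 'InvalidValue' }
    if ([int]$Setting.IsReadOnly -eq 1)                     { return 'ReadOnly' }
    # Per the thread: the change must be accepted by a person during POST.
    if ([int]$Setting.RequiresPhysicalPresence -eq 1)       { return 'NeedsPhysicalPresence' }
    return 'NoTouch'
}

$name    = 'Configure Legacy Support and Secure Boot'
$desired = 'Legacy Support Disable and Secure Boot Enable'

# Constructed sample mirroring the object posted in the thread (runs without the HP module).
$sample = [pscustomobject]@{
    Name                     = $name
    IsReadOnly               = 0
    RequiresPhysicalPresence = 1
    CurrentValue             = 'Legacy Support Enable and Secure Boot Disable'
    PossibleValues           = @(
        'Legacy Support Enable and Secure Boot Disable',
        'Legacy Support Disable and Secure Boot Enable',
        'Legacy Support Disable and Secure Boot Disable'
    )
}
"Sample plan: $(Get-BiosRemediationPlan -Setting $sample -DesiredValue $desired)"

# On an HP device with HP.ClientManagement loaded, run the same check against the live setting.
if (Get-Command Get-HPBIOSSetting -ErrorAction SilentlyContinue) {
    $live = Get-HPBIOSSetting -Name $name
    $plan = Get-BiosRemediationPlan -Setting $live -DesiredValue $desired
    if ($plan -eq 'NoTouch') {
        Set-HPBIOSSettingValue -Name $name -Value $desired
        # A success message is not proof: read the value back and compare.
        if ((Get-HPBIOSSettingValue -Name $name) -ne $desired) {
            $plan = 'SetDidNotStick'
        }
    }
    "Live plan: $plan"
}
```

Reporting NeedsPhysicalPresence as its own status lets the script flag devices that need a technician at the next boot instead of logging a false success.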