Monday, May 8, 2017

BIOS Sledgehammer: fully automated BIOS updates, TPM firmware update and BIOS settings for HP business devices

When we started our Windows 10 project last year, it was decided that we needed to support 85% of our entire device fleet, which consists of HP business client devices.

At the same time, we also agreed on a “Security first” approach, which means that Windows 10 will only be rolled out in UEFI boot mode with Secure Boot on and, if supported, with TPM 2.0 firmware. This is required to get the maximum benefit from the security features in Windows 10, like Device Guard.

Given that most devices have never received a regular firmware update, it was clear that we needed BIOS updates, TPM updates and BIOS setting changes on nearly all devices. As we use our devices for three to five years, this meant we needed to support about 20 different HP models.

The “classic” way would be to create a job/script that does all changes for exactly one model, declare this model as “Supported” and move on to the next model. The PowerShell scripts required for this would be copied from model to model, so in the end we would have 20 slightly different scripts, and even more if we needed to support future devices. On top of that, there would be no central place where we could check which BIOS version we install on model X.

We decided to use a completely different approach, with the following design goals:

  • Create a central, file-based repository where everything is stored
  • This should contain BIOS firmware files, TPM firmware files, BIOS settings and BIOS passwords
  • A shared-nothing approach should be used, so each model has its own stack of files. This ensures that supporting a new device does not accidentally break other models
  • The repository should be sorted by model, e.g. EliteBook 850 G2, EliteBook Folio 1040 G1
  • Everything should be configurable using normal Text (*.TXT) files, no extra scripting for any model
  • In any case, no downgrade should ever happen.

Given that I had developed some firmware updates, I thought this couldn’t be that complicated. Turned out, I was totally wrong about this. To give you an idea:

  • HP has at least five different BIOS version schemas:
    - SBF13 F.64 (Yes, that’s an “F” as major version)
    - N02 Ver. 02.07 01/11/2016
    - L83 Ver. 01.34
    - L01 v02.53 10/20/2014
  • A TPM upgrade from 1.2 to 2.0 could lead to a LOWER firmware version because the firmware is from a different vendor (this has never happened for HP so far, but it is at least possible for DELL, and I wanted the script to be prepared)
  • For TPM upgrades it is also necessary to fully decrypt BitLocker if it is in use, since all keys will be lost during the TPM upgrade flash.
  • The details of why something went wrong are in the private log files of the HP tools, so they need to be appended to the “main” log file to know what went wrong.
  • Finally, we found out that we have several BIOS passwords in use, so the script needed some way to test several passwords until the correct one is found.
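
To show how the version problem and the “no downgrade” rule fit together, here is an added example in PowerShell. This is my own illustration code, not code from BIOS Sledgehammer: it normalizes the four HP version string formats listed above into comparable [version] objects, refuses to compare versions across different BIOS families, and treats a TPM spec move from 1.2 to 2.0 as an upgrade even when the new firmware number looks lower. The function names, the letter-to-ordinal mapping for the “F.64” style, and the version strings in the usage section at the end are my own assumptions and constructed sample values.

```powershell
# Added example, not part of BIOS Sledgehammer. Function names are my own.

function ConvertTo-HpBiosVersion {
    # Parse one HP BIOS version string into { Family, Version, Raw }.
    # The family prefix (SBF13, N02, L83, L01) is kept because versions of
    # different BIOS families must never be compared with each other.
    param([Parameter(Mandatory)][string]$VersionString)

    $s = $VersionString.Trim()

    # Style 1: "SBF13 F.64" - a letter as major version, numeric minor.
    # Assumption: map the letter to its ordinal (A=1, B=2, ...) so that
    # "F.64" < "G.01" still holds after conversion to [version].
    if ($s -match '^(?<family>\S+)\s+(?<major>[A-Z])\.(?<minor>\d+)$') {
        $major = [int][char]$Matches.major.ToUpper() - [int][char]'A' + 1
        return [pscustomobject]@{
            Family  = $Matches.family
            Version = [version]::new($major, [int]$Matches.minor)
            Raw     = $s
        }
    }

    # Styles 2-4: "N02 Ver. 02.07 01/11/2016", "L83 Ver. 01.34", "L01 v02.53 10/20/2014".
    # The trailing build date is optional and ignored for ordering.
    if ($s -match '^(?<family>\S+)\s+(?:Ver\.|v)\s*(?<major>\d+)\.(?<minor>\d+)(?:\s+\d{2}/\d{2}/\d{4})?$') {
        return [pscustomobject]@{
            Family  = $Matches.family
            Version = [version]::new([int]$Matches.major, [int]$Matches.minor)
            Raw     = $s
        }
    }

    throw "Unrecognized HP BIOS version string: '$VersionString'"
}

function Get-BiosUpdateDecision {
    # Decide whether the available BIOS may be flashed over the installed one.
    # Returns 'Update' only for a real upgrade within the same BIOS family;
    # every other case is a 'Skip-*' result so a downgrade can never happen.
    param(
        [Parameter(Mandatory)][string]$Installed,
        [Parameter(Mandatory)][string]$Available
    )
    $cur = ConvertTo-HpBiosVersion $Installed
    $new = ConvertTo-HpBiosVersion $Available

    if ($cur.Family -ne $new.Family)    { return 'Skip-FamilyMismatch' }
    if ($new.Version -gt $cur.Version)  { return 'Update' }
    if ($new.Version -eq $cur.Version)  { return 'Skip-UpToDate' }
    return 'Skip-WouldDowngrade'
}

function Get-TpmUpdateDecision {
    # TPM versions have two parts: the spec level (1.2 / 2.0) and the vendor
    # firmware version. A higher spec level is always an upgrade, even if the
    # firmware number of the new (different-vendor) image is lower. Within the
    # same spec level the firmware number must strictly increase.
    param(
        [Parameter(Mandatory)][string]$InstalledSpec,
        [Parameter(Mandatory)][string]$InstalledFirmware,
        [Parameter(Mandatory)][string]$TargetSpec,
        [Parameter(Mandatory)][string]$TargetFirmware
    )
    $curSpec = [version]$InstalledSpec
    $newSpec = [version]$TargetSpec
    if ($newSpec -gt $curSpec) { return 'Update-SpecUpgrade' }
    if ($newSpec -lt $curSpec) { return 'Skip-WouldDowngradeSpec' }

    $curFw = [version]$InstalledFirmware
    $newFw = [version]$TargetFirmware
    if ($newFw -gt $curFw) { return 'Update-Firmware' }
    if ($newFw -eq $curFw) { return 'Skip-UpToDate' }
    return 'Skip-WouldDowngrade'
}

# Usage with constructed sample values (not real inventory data):
Get-BiosUpdateDecision -Installed 'N02 Ver. 02.07 01/11/2016' -Available 'N02 Ver. 02.21 03/02/2017'
Get-BiosUpdateDecision -Installed 'L01 v02.53 10/20/2014'     -Available 'L01 v02.40 05/01/2014'
Get-BiosUpdateDecision -Installed 'SBF13 F.64'                -Available 'SBF13 F.70'
Get-BiosUpdateDecision -Installed 'L83 Ver. 01.34'            -Available 'N02 Ver. 02.21 03/02/2017'
Get-TpmUpdateDecision -InstalledSpec '1.2' -InstalledFirmware '6.41' -TargetSpec '2.0' -TargetFirmware '5.62'
```

The family check is the part that protects against the “shared-nothing” goal being broken by a typo in a settings file: a firmware file filed under the wrong model is refused rather than flashed. The date at the end of some version strings is deliberately not used for ordering, because only two of the four formats carry one.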

I’ll spare you the details of how many tries it took until I got it right, but the first version of BIOS Sledgehammer went into production in 2016-11 and has been used on 500 machines since then, with exactly one defect so far, which was caused by a power loss during the upgrade process.

The usage is as follows:

  • Download and extract the latest version from the repository
  • It comes with several examples for several HP models, but does not include the actual firmware files
  • To get a full set of examples, run “StartExampleDownloads.bat”, which will download them from HP.com
  • Check the file structure and files; this should be mostly self-explanatory
  • Grab a test machine (for best results, this machine should be on Windows 10 already) and execute BiosSledgehammer.ps1
  • Check what it does, tweak the different settings files for your model (it will tell you exactly which files are used) and change the configuration to your liking
  • The full documentation is on the repository as README.md
  • When you have everything ready, you can use it directly from MDT or SCCM. It will detect the environment and save the logs to the matching \logfiles folder
  • As an extra bonus, as of 2017-04, it also supports the “BIOS legacy to UEFI” change introduced with Windows 10 1703 (using MBR2GPT.exe) with the -ActivateUEFIBoot command line switch

BIOS Sledgehammer is open source and available under the Apache 2 license, which means you can use it without any cost, on any number of devices.

Enjoy.