In this blog, we’re going to look at how to secure your BIOS with HP Sure Admin. In my previous blog, I showed what HP Connect is and what you can do with it. One of the things you can do with HP Connect is secure the BIOS with HP Sure Admin. HP Sure Admin protects the BIOS with Entra ID authentication instead of a BIOS administrator password. This has the advantage that there is no shared password that can leak or be misused for unauthorized access: every BIOS setup session must be approved by an authorized user account. This prevents unwanted changes and modifications to the BIOS and improves security.
Why Secure the BIOS?
An important part of hardening (securing) a computer is restricting access to the BIOS. The BIOS is the link between the hardware and the software on your computer. With access to the BIOS setup, someone can turn off features the operating system relies on for its security, such as Secure Boot, the TPM and virtualization, or change the boot order so the machine boots from other media.
How does it work?
In order to use HP Sure Admin, a policy must be created in HP Connect. This policy is used to configure HP Secure Platform Management (SPM), a trusted environment in the UEFI BIOS of corporate HP devices. For trusted communication with SPM, an Endorsement Key and a Signing Key are used; both are provisioned through HP Connect. Through SPM, Enhanced BIOS Authentication Mode (EBAM) is then enabled. EBAM secures local access to the BIOS setup. Lastly, a Local Access Key (LAK) is provisioned. The Local Access Key is used to authorize access to the BIOS through the HP Sure Admin app.
You can use HP Sure Admin at no additional cost. There are some prerequisites before you can secure the BIOS with HP Sure Admin:
- A configured HP Connect environment
- A supported HP Business computer that launched in 2019 or later, like: Pro and Elite Desktops, Pro and Elite Notebooks, Z Desktops and Z Mobile Workstations
- The requirements for remediations
- An Android or iOS device (on iOS, only iPhone is supported) with the HP Sure Admin app installed
- The Global Administrator or Intune Administrator role, to set up the integration
Setup HP Sure Admin with HP Connect and Intune
Besides Intune, there are other ways to configure HP Sure Admin, but they are quite complex. My recommendation is to use HP Connect with Intune, and that is what I will use in this blog to demonstrate the setup. Let’s get started and secure your BIOS with HP Sure Admin.
1. Open a web browser and go to https://connect.admin.hp.com and then press “Sign In.”
2. Select “Policies” on the left and press “New policy” to create a policy for HP Sure Admin.
3. Enter a policy name, select the policy type “BIOS Authentication” (1) and press “Next” to continue.
4. Select “HP Sure Admin (Recommended)” (1) and press “New SPM” (2).
5. The “Add New SPM Key Pair” blade appears. Enter a name and optionally a description. You now have the option to have the Endorsement Key and Signing Key generated by HP Connect or to upload your own certificates. In this blog I will use the generated certificates.
6. By default, certificates generated by HP Connect are created without further details and are valid for 1 year. By pressing the arrow (1) during creation, you can modify the validity period and the certificate details (2) yourself. Press “Save” to create the key pair.
7. Now that the SPM Key pair has been created, the Local Access Key must be created. Press “New LAK” to create a key.
8. As with the SPM key pair, you have the same two options for the Local Access Key (LAK): upload a certificate or have HP Connect generate a new one. As with the SPM, I will let HP Connect generate the certificate. Press “Save” to save the changes.
9. Press “Save” to save the Policy and continue.
10. A popup appears confirming that the new policy has been created. Pressing “Apply” lets you assign the policy now; pressing “Close” closes the window so you can assign the policy later. In this case, I choose “Apply” to assign the configuration.
11. When assigning BIOS settings, my preference is to assign them to a device group. Select a group and press “Next.”
12. Check the settings and press “Publish.” After you confirm publishing, a remediation is created in Intune that applies the policy to the devices in the group.
13. The remediation created in Intune runs once a day on the devices in the assigned group. If you like, you can manually adjust the schedule to a different interval.
14. Now that the policy is assigned, we will need to wait until the policy is applied. Check the chapter “Monitoring the policy” on how to check the status of the policy on the device.
Setup Access to BIOS
To access the BIOS using HP Sure Admin, a user needs permission. These permissions are controlled in Entra ID. The HP Connect manual does not clearly state who has permission by default; it only describes how to give non-administrators access. You give users access by adding them to the enterprise app: HP MEM Connector Services.
Then give them the role: HP Sure Admin Local Access All directory
After the user is added to the enterprise app, he or she can sign in to the HP Sure Admin app and, by scanning the QR code, log into the BIOS. Users who are removed from this assignment also lose access to the BIOS, so this role assignment is the place to audit who is able to change BIOS settings.
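Granting, revoking and auditing this role can also be scripted instead of clicked through in the Entra portal. The following is an added example written for this post, not code from HP or from the HP Connect manual. It uses the Microsoft Graph PowerShell SDK and assumes the enterprise app is displayed as “HP MEM Connector Services” and the app role as “HP Sure Admin Local Access All directory” (the names shown above); the user principal name is hypothetical.

```powershell
# Added example: manage the HP Sure Admin BIOS access role with Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; app/role display names as in the post.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Users

# AppRoleAssignment.ReadWrite.All is needed to add/remove assignments,
# Application.Read.All to resolve the service principal and its roles.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All', 'User.Read.All'

$appName  = 'HP MEM Connector Services'               # enterprise app created by HP Connect
$roleName = 'HP Sure Admin Local Access All directory' # role that grants BIOS access

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Enterprise app '$appName' not found; finish the HP Connect setup first." }

$role = $sp.AppRoles | Where-Object { $_.DisplayName -eq $roleName -and $_.IsEnabled }
if (-not $role) { throw "Role '$roleName' not found on '$appName'." }

function Grant-BiosAccess {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName
    # Idempotent: skip if the user already holds exactly this role on this app
    $existing = Get-MgUserAppRoleAssignment -UserId $user.Id |
        Where-Object { $_.ResourceId -eq $sp.Id -and $_.AppRoleId -eq $role.Id }
    if ($existing) { Write-Host "$UserPrincipalName already has BIOS access"; return }
    New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id `
        -ResourceId $sp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted BIOS access to $UserPrincipalName"
}

function Revoke-BiosAccess {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName
    Get-MgUserAppRoleAssignment -UserId $user.Id |
        Where-Object { $_.ResourceId -eq $sp.Id -and $_.AppRoleId -eq $role.Id } |
        ForEach-Object {
            Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $_.Id
            Write-Host "Revoked BIOS access from $UserPrincipalName"
        }
}

function Get-BiosAccessHolders {
    # Every principal (user or group) assigned to the service principal, filtered to the BIOS role
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.AppRoleId -eq $role.Id } |
        Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime
}

Grant-BiosAccess -UserPrincipalName 'bios.admin@contoso.com'   # hypothetical user
Get-BiosAccessHolders | Format-Table -AutoSize
```

Run Get-BiosAccessHolders periodically (or from an access review) because, as noted above, a role assignment here is what allows someone to get a response code for the BIOS; group assignments show up with PrincipalType “Group”, so check group membership as well.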
Access the BIOS?
When HP Sure Admin is activated and you press F10 to enter the BIOS, you are presented with the “BIOS Administrator Credential” screen. Instead of a prompt for a BIOS password, this screen shows a QR code and asks you to enter a response code.
To generate a response code, you must have the HP Sure Admin app on your phone. With it, you scan the QR code and are then prompted to sign in with your authorized account.
Your account is then validated and you receive a response code. The response code is only valid for the current session.
After you enter and confirm this code, you get access to the BIOS settings.
What is good to know: this only protects the BIOS Setup (F10). Other options in the Startup menu remain available, so HP Sure Admin on its own does not stop someone from choosing, for example, a different boot device; keep Secure Boot enabled and lock down the boot options in your BIOS settings policy as well. In addition, the laptop itself does not need an Internet connection to use HP Sure Admin; only the phone you authenticate with against Entra ID does.
Monitoring the policy
Now we will look at how the policy is applied and what the end user sees when you apply the policy. Because EBAM has a dependency on SPM, the policy is applied in two steps.
1. Provisioning HP Secure Platform Management (SPM)
The first time the remediation script runs, it detects that SPM is not yet configured. SPM is then provisioned and a reboot is triggered to complete the installation. You can find this in AgentExecutor.log (under C:\ProgramData\Microsoft\IntuneManagementExtension\Logs).
The user sees a message asking them to restart the computer to perform the update. If the user dismisses the notification, the change is applied at the next reboot.
To verify that someone is physically present at the device, the user is prompted after the reboot to enter a code displayed on the screen.
After the user has retyped the code, the computer reboots again and SPM is activated.
2. Provisioning Enhanced BIOS Authentication Mode (EBAM)
Now that SPM is configured, EBAM can be configured. For this, the LAK must be loaded. Applying the Local Access Key can be seen in the log:
The configuration is now complete, and BIOS access with the HP Sure Admin app is possible.
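Besides reading the log, you can check the end state directly on the device. The following is an added example, not code from HP or from the HP Connect remediation. It assumes the HP Client Management Script Library (installed with Install-Module HPCMSL) is present and the script runs elevated on the HP device. The property names read from Get-HPSecurePlatformState, the BIOS setting name matched for EBAM and the log search patterns are assumptions, not documented strings.

```powershell
# Added example: verify SPM provisioning and EBAM on an HP device after the
# HP Connect remediation, and surface the matching Intune agent log lines.
# Assumptions: HPCMSL installed; property names, setting name and log patterns are guesses.
Import-Module HPCMSL

function Get-SureAdminStatus {
    # Step 1 of the policy: Secure Platform Management (endorsement/signing key) state
    $spm = Get-HPSecurePlatformState

    # Step 2 of the policy: EBAM is exposed as a BIOS setting. Match on name so a
    # slightly different label still shows up (assumed: "Enhanced BIOS Authentication Mode").
    $ebam = Get-HPBIOSSettingsList | Where-Object { $_.Name -like '*BIOS Authentication Mode*' }

    # Sure Admin only covers F10; Secure Boot is the control that covers the boot path
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    [pscustomobject]@{
        SpmState    = $spm.State          # assumed property, e.g. NotConfigured / provisioned
        SpmFeatures = $spm.FeaturesInUse  # assumed property
        EbamSetting = $ebam.Name
        EbamValue   = $ebam.Value         # expected 'Enable' once EBAM is on (assumed value string)
        SecureBoot  = $secureBoot
    }
}

function Get-SureAdminLogLines {
    param(
        [string]$LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log',
        [int]$Last = 20
    )
    if (-not (Test-Path $LogPath)) { return @() }
    # Patterns are assumptions about the remediation's wording; widen them if nothing matches
    Select-String -Path $LogPath -Pattern 'Secure Platform|SPM|Local Access Key|EBAM' |
        Select-Object -Last $Last | ForEach-Object { $_.Line }
}

$status = Get-SureAdminStatus
$status | Format-List

$provisioned = ($status.SpmState -ne 'NotConfigured') -and ($status.EbamValue -eq 'Enable')
if ($provisioned -and $status.SecureBoot) {
    Write-Host 'HP Sure Admin is active: BIOS setup (F10) requires a response code from the app.'
} else {
    Write-Host 'HP Sure Admin is not fully provisioned (or Secure Boot is off); recent log lines:'
    Get-SureAdminLogLines
}
```

Running this as a second Intune detection script is a cheap way to confirm that every device in the group actually reached the EBAM step, rather than only the SPM reboot, before you rely on it as a hardening control.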