HP Connect for Microsoft Endpoint Manager

​
The ultimate in BIOS hardening by HP​

In the early days of 2022, HP quietly launched the Cloud version of HP Sure Admin, rebranding it as HP Connect. This solution allows you to implement Multi-Factor Authentication (MFA) for accessing the BIOS (Basic Input Output System) on your machines.​

Security in the field of information systems has been a major issue for several decades. The goal is to protect company data from malicious individuals. Today, all IT stakeholders are well aware that the most significant risk comes from the user. That’s why organizations in the sector encourage companies to involve their employees in the information security process.​

Every day, new vulnerabilities are discovered, and IT teams must regularly deploy updates to address them promptly. The workstation remains the primary front that engineers must defend on a daily basis. However, there are certain vulnerabilities, especially in laptops, where we remain powerless.​

One such vulnerability is securing the BIOS. This can be very problematic for a company when a workstation is lost or stolen. In 2022, all companies must have solutions in place to secure their workstations.​

10 essential tools to know:​

• Disk encryption for workstations: Microsoft BitLocker​
• USB storage device blocking: DLP, FRP​
• Securing access to the local Administrator account: LAPS​
• Presence of antivirus and antispam suite throughout the environment: Defender, McAfee, Symantec​
• Deployment of security updates across the environment: WSUS, WUfB​
• Version control for applications and drivers: Intune, MECM, WSO​
• Data backup and user customizations: OneDrive, ESR​
• Access control policies: configuration profile, conditional access, GPO​
• User identity verification: MFA, WHfB, SSPR​
• Network traffic security solution: Firewall, Proxy, VPN​

At Synapsys, the implementation and maintenance of these tools are fully mastered by our Modern Workplace experts. These are also the points on which we train our junior consultants within the Modern Workplace Squad. The presence of such solutions is essential to ensure the security of your IT infrastructure with confidence.​

Why should we deter such attacks?​

Today, when a workstation goes missing, we can remotely erase the contents of the disk if the machine has a network connection. However, if the machine remains offline, it remains usable for the individual who has obtained it, and the potentially exploitable data is still accessible.​

One might argue that the loss of a workstation is not a significant damage for a large company. However, the disappearance of a machine leads to the following situations:​

• Halting the progress of a collaborator’s tasks and consequently a service.​
• An additional task for the local team.​
• An additional incident to be studied by the cybersecurity team.​
• In vain searches conducted by various support and system engineering teams.​
• Initiating actions to combat data theft (Wipe, theft reports, etc.).​

Cumulatively, these actions result in a significant amount of working time. It is important to note that each of these actions is repeated with each new reported case. Hours of work that could have been dedicated to ensuring the smooth operation or advancement of one or more projects.​

​
What can be done to avoid this? Provide a lock with each machine?​

The data on the machine is supposed to be secure. The only way to deter these acts would be to emulate Apple, i.e., make the device unusable for anyone except the owner. The operating system does not allow implementing such a level of security. We need to go down to the firmware layer to meet this need, commonly referred to as the BIOS. There is only one option: secure access to the BIOS.​

In 2022, all enterprise workstations should, at a minimum, have:​

• A password for BIOS access,​
• Be in UEFI (Unified Extensible Firmware Interface),​
• Disable Legacy mode,​
• Enable Secure Boot,​
• Activate the Trusted Platform Module (TPM) chip.​

This is the bare minimum. Unfortunately, the BIOS password is the same for an entire batch of machines or even an entire fleet. Therefore, if the password leaks once, this security becomes non-existent.​

The three main manufacturers (Lenovo, DELL, & HP) offer solutions to change this password remotely. However, the final problem remains the same; access is only temporarily secured.​

Here is a non-exhaustive list of attacks that can be used by a hacker with physical access to your machine, even if you have fully secured your OS:​

• Disable Secure Boot to install a root kit,​
• Disable Direct Memory Access (DMA) to then read your information,​
• Format your machine’s disk.​

It’s crucial to understand that once access to your BIOS has been compromised, there is no turning back. No matter how hard you try to reinstall your machine’s OS, update and reset your BIOS, the hacker’s access to your machine will persist. Your only recourse is to contact the manufacturer or flash the BIOS yourself, which will void the warranty.​

The second point to note is that this type of attack is undetectable by the user, and no antivirus solution can detect and stop such an attack before the damage is done.​

How to secure your BIOS permanently? Here’s what HP has been offering for the past three years:​

Voici ce que HP propose depuis déjà 3 ans :

​
A QR code? Enter a code? Yes, indeed! It’s a double-factor authentication.​

MFA on the BIOS, one had to think about it, and HP offers it with HP Sure Admin, available on all enterprise laptops released since 2018. This solution is relatively unknown to the public.​

HP Sure Admin provides modern security for configuring and managing the BIOS of your PCs. Modern because administrators will be able to manage BIOS settings remotely without physical intervention.​

This solution replaces the traditional password-based access with the use of certificates. HP Sure Admin is a feature that owners of recent HP machines can install and customize.​

What are the prerequisites?​

• A fleet of HP laptops with an SPM chip,​
• Having an up-to-date BIOS is recommended,​
• Windows 10/11 with Microsoft .Net version 4.8 or higher,​
• Deploy the following applications on workstations (via MECM):​
  • HP CMSL (HP Client Management Script Library),​
  • HP MIK client (Manageability Integration Kit),​
  • HP BCU (BIOS Configuration Utility).​

How does HP Sure Admin work?

In practice, you need to provision the public key of 2 different certificates on the SPM (Secure Platform Module) chip of your machine. The 2 private keys of your certificates must remain in your virtual safe and should never be transmitted under any circumstances. Without these 2 private keys, the hacker will be unable to access and modify your BIOS.​

​

1. Use HP MIK and HP BCU for remote BIOS configuration and management.​
2. Use the HP Sure Admin application on a smartphone to access the BIOS user interface when necessary, as remote management is possible.​
3. Deploy configuration files to target PCs with an SPM chip that supports Enhanced BIOS Authentication Mode (EBAM).​

Definitions :

EK : Endorsement Key                                  SK : Signing Key

LAK : Local Access Key                                EBAM : Enhanced BIOS Authentication Mode

Two Operating Methods Considered:​

1. Standalone Mode:​

1. Complete prerequisites.​
2. Manually provision the public keys of EK and SK on the SPM chip of the machine and activate HP Sure Admin.​
3. Create a new key pair via OpenSSL for LAK.​
4. Generate a QR code to provision the LAK private key of the machine and activate EBAM.​
5. Install the HP Sure Admin application (Android/iOS) on your smartphone to scan the QR code and enter the PIN to access the BIOS.​
6. This method can be useful for a Proof of Concept (PoC) on different models in your fleet.​

2. Recommended Mode for Real Security in a Production Environment:​

1. Install the HP MIK MECM server add-on on one of your MECM distribution points.​
2. Package HP CMSL, BCU, HP MIK client applications, .NET 4.8 update, and BIOS if necessary.​
3. Generate a QR code using the public key.​
4. Create two additional applications:​
   1. The first to provision EK and SK public keys on the SPM chips of PCs and activate HP Sure Admin (the machine must restart after this step).​
   2. The second to install OpenSSL, create a key pair, provision the LAK private key, activate EBAM, and send the LAK public key to your hosted HP KMS server on Azure (subscription required). The machine must restart to apply the changes.​
5. Create a task sequence, add your applications, the two reboots, and deploy it to a collection containing only compatible laptops.​
6. Install the HP Sure Admin application (Android/iOS) on your smartphone to scan the QR code and enter the PIN to access the BIOS.​

Implementation Challenges and Expertise Needed:​

• Application packaging.​
• PowerShell script creation.​
• MECM usage: Application, script, task sequence creation.​
• Deployment and monitoring of a task sequence from the MECM console.​
• Knowledge of the hardware components of your fleet models.​
• Cryptography knowledge for generating certificates and RSA keys.​

Fortunately, support from the Synapsys Cloud Squad helped address these challenges. Once HP Sure Admin is deployed on your fleet, you can manage BIOS settings for your machines through the SCCM console using the HP MIK add-on.​

​
Challenges Encountered:​

• Managing different models.​
• Installing OpenSSL on machines (Security team validation).​
• Using HP KMS via Azure (Cloud team validation).​
• Removing the user verification PIN code.​
• Managing access for Azure guest accounts for the provider responsible for masterization.​

Limitations of this Management Approach:​

• Management is possible only when devices are connected to your IT infrastructure.​
• Requires a Cloud Management Gateway (CMG) on Azure, incurring additional costs that vary based on usage.​
• Has limitations for Hybrid Workplaces.​

In January 2022, HP released HP Connect, a SaaS service enabling the use of HP Sure Admin and other security-related features via Microsoft Intune. HP recognized the trend of companies transitioning from on-premises to the cloud. If you’re curious about what Intune is and what it allows, I recommend reading this article by Tom Machado, which explains it well. Here’s what the dashboard looks like on admin.hp.com.

HP Connect for Microsoft Endpoint Manager provides access to the following features:​

BIOS Update:​

• Keep the fleet up to date without installing drivers right after release.​
• Choose to install critical updates only.​
• Select a specific version.​

BIOS Configurations:​

• Configure your BIOS settings.​

BIOS Authentication Method:​

• HP Sure Admin.​
• Traditional password.​

Prerequisites for HP Connect:​

• Azure AD (Active Directory) tenant.​
• Microsoft Endpoint Manager (MEM) Intune tenant.​
• MEM configured as MDM (Mobile Device Management) for your devices.​
• Enroll your machines in Azure AD and Intune.​
• Microsoft 365 E3/A3 or E5/A5 subscription to enroll your Azure machines.​
• Authorize the HP Connect SaaS service to interact with your AAD Tenant.​
• ​

How HP Connect Works: Simply accept the permission request from the HP MEM Connector App when creating your Azure and Intune tenant.​

​
Then, you will have access to the HP Connect Dashboard through which you can:​

• Create policies​
• Edit policies​
• Update the BIOS of devices​
• Apply policies to groups of Azure AD devices​
• Track the deployment of policies.

What are the other security solutions that can be managed via HP Connect in the future?​

• HP Sure Start​
• HP Sure Run​
• HP Sure Recover​
• HP Sure Sense​
• HP Sure View​
• HP Sure Click​
• HP Privacy Camera​
• HP Endpoint Security Controller​
• Features related to conversion via TPM​
• Improvement of Microsoft Device Guard​

Conclusion:​

HP has revolutionized the field of workstation security with HP Sure Admin. Today, thanks to the combination of HP Connect and HP Sure Admin, if you have a fleet of HP laptops, you will be able to fully secure their access to the BIOS.​

If you are interested in implementing HP Connect and HP Sure Admin, feel free to contact Synapsys. The implementation of HP Connect may be eligible for the FastTrack program. To learn more about the FastTrack program, you can also check out Laurent Bigayon’s article, our Modern Workplace Technical Leader.​

Links to HP documentation:​

http://hp.com/wolfsecurityforbusiness​

http://h10032.www1.hp.com/ctg/Manual/c06529817​

https://h20195.www2.hp.com/v2/getpdf.aspx/4AA7-7307ENW.pdf​