Automating UEFI Firmware Updates

In our previous blog post we talked about the state of UEFI firmware running on Windows laptops attached to one of our research networks.

In case you don’t recall the conclusion: We were surprised that many of the devices were running out-of-date firmware and decided to investigate ways in which automated UEFI firmware updates could be scaled to meet the needs of an Enterprise. This blog tells the story of what happened next.

Testing times

We set ourselves a simple initial goal – To test successful deployment of UEFI firmware updates in an enterprise-like lab environment, one that could scale to meet the needs of a large organisation. We decided our initial tests would cover Dell, HP and Lenovo laptops as well as Microsoft Surface devices.

The first thing we found is that Surface firmware is exposed as a device driver and Microsoft take advantage of this to deliver firmware patches via Windows Update. So all you have to do on the Surface is use Windows Update and you automatically get the latest firmware versions installed.

Unfortunately, DellHP and Lenovo don’t currently update UEFI firmware through Windows Update. Instead, they all offer their own enterprise management tools for UEFI firmware. HP and Dell also publish catalogues of UEFI firmware updates for their platforms.

In our testing, we found it easiest to take advantage of these catalogues by using Microsoft System Center Update Publisher (SCUP) in conjunction with System Center Configuration Manager (SCCM) to push out updates to client machines. This allowed us to target the Dell and HP devices at the same time, without having to run multiple client management solutions. The SCCM client also offered the ability to automatically suspend BitLocker during a restart, something which is critical to many organisations when deploying a UEFI firmware update.

For Lenovo, we had to take a different approach. Lenovo’s System Update and Update Retriever tools can be used to deploy UEFI firmware updates, but they do not provide the capability to suspend BitLocker. Lenovo do offer a plugin to SCCM as a paid for service, but we opted to take advantage of a custom task sequence in SCCM. This provided the necessary steps to target the update, suspend BitLocker, stage the firmware update, and restart the device to perform the update.

Updated guidance

Testing was successful and firmware updates have since been reliably installed on a wide range of devices, not just in the lab but also with live deployments at other government departments.

So, as a result of this work, we are updating our Windows 10 EUD guidance to explain how you can automate your own UEFI firmware updates. Look out for the guidance later this month and let us know if you find our approach useful.

Source: National Cyber Security Centre

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

/by
You might also like
Serviceteam IT Security News iOS 11 Update includes Patches for Eight Vulnerabilities
Serviceteam IT Security News Is it worth taking out personal cyber insurance in case you are caught up in a data hack?
Serviceteam IT Security News NCSC advice for Reddit users
Serviceteam IT Security News Vulnerability management
Serviceteam IT Security News Apple announces new security and privacy measures amid surge in cyber-attacks
Serviceteam IT Security News Secure development is everyone's concern