Introduction
This whitepaper details changes to HP's process for releasing system firmware to Microsoft Windows Update. It provides information on the upcoming change, the benefits of this new policy, and methods for IT Administrators to block these updates if necessary.
HP Platforms Covered in This Document
The document lists various HP Notebook and Desktop models from 2018, 2019, and 2020 that are covered by this update process.
Why is HP Releasing BIOS Updates as Automatic via Windows Update?
HP is transitioning to automatic BIOS updates via Windows Update to enhance performance and security. This simplifies the update process, especially for remote work environments, and allows for quicker remediation of security vulnerabilities.
How is BIOS Updated Through Windows Update?
System firmware updates are delivered through Windows Update using the Unified Extensible Firmware Interface (UEFI) standard, specifically the UEFI Capsule mechanism.
What is UEFI Capsule?
UEFI Capsule is a mechanism for passing runtime data to the UEFI BIOS. A capsule includes a header, the firmware image, and code for secure updates, and it is delivered via Windows Update or the Linux Vendor Firmware Service (LVFS).
Does HP Already Submit BIOS to Windows Update?
Yes, HP currently submits BIOS updates to Windows Update as manual/optional updates.
What is Changing?
HP will begin submitting updates to Windows Update via Automatic Updates for criteria including high-priority security issues and critical customer/functional issues.
Which OS Versions are Targeted?
HP targets Windows 10, version 1809 (RS5) and later OS versions for these updates.
Quality Assurance via Windows Update
Updates are deployed using a flighting process to ensure a high-quality experience. This involves insider flighting, monitoring telemetry, and gradual rollout after successful completion.
When Will This New Update Process Start?
HP plans to start Windows Update Automatic submission for BIOS in January 2021.
Potential Issues an IT Administrator Needs to Consider
IT Administrators should be aware of settings like “Lock BIOS Version” to manage specific version requirements and “Native OS Firmware Update Service” to control automatic updates. The document also mentions potential considerations for BitLocker Recovery Key and EFI Partition Size Requirements, providing a link for more details: HP Support Document.
Blocking Windows Update BIOS Updates with BIOS Settings
The “Native OS Firmware Update Service” setting in the BIOS can be used to enable or disable UEFI Capsule BIOS updates. Setting it to “Disable” will block updates from Windows Update.
Prompt for Admin Authentication on Capsule Update
The “Prompt for Admin authentication on Capsule Update” setting controls the password requirement for BIOS updates via UEFI Capsule. The default is “Disable.”
How to Manage BIOS Settings Related to UEFI Capsule Update
BIOS settings can be managed through the F10 BIOS interface or using tools like the HP Client Management Script Library and the BIOS Configuration Utility (BCU).
HP Client Management Script Library
This library provides PowerShell modules to simplify managing HP clients, including functions to get and set BIOS settings. Documentation can be found via a provided link.
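The following audit-and-enforce script is an added example, not code from the HP whitepaper or from HP. It assumes the HP.ClientManagement module is installed, that the setting names match the ones quoted in this document on the target platform, and that the desired values shown are the policy of a fleet that qualifies BIOS releases itself; the `-Enforce` and `-SetupPassword` parameters are names chosen for this example.

```powershell
#Requires -Modules HP.ClientManagement
# Added example: report drift on the capsule-update BIOS settings and,
# only when -Enforce is given, bring them to the desired state.
param(
    [switch]$Enforce,        # example parameter: without it the script only reports
    [string]$SetupPassword   # example parameter: fetch from a secret store, do not hard-code
)

# Assumed policy: block Windows Update capsules, require admin auth for any capsule.
$desired = [ordered]@{
    'Native OS Firmware Update Service'                 = 'Disable'
    'Prompt for Admin authentication on Capsule Update' = 'Enable'
}

$passwordSet = Get-HPBIOSSetupPasswordIsSet
if ($Enforce -and $passwordSet -and -not $SetupPassword) {
    throw 'A BIOS setup password is set; supply -SetupPassword to change settings.'
}

$report = foreach ($name in $desired.Keys) {
    try {
        $current = Get-HPBIOSSettingValue -Name $name -ErrorAction Stop
    } catch {
        # Setting names vary by platform; report the gap instead of aborting the audit.
        [pscustomobject]@{ Setting = $name; Current = $null; Desired = $desired[$name]; Status = 'NotFound' }
        continue
    }

    $status = if ($current -eq $desired[$name]) { 'Compliant' } else { 'Drift' }

    if ($status -eq 'Drift' -and $Enforce) {
        $setArgs = @{ Name = $name; Value = $desired[$name] }
        if ($passwordSet) { $setArgs.Password = $SetupPassword }
        Set-HPBIOSSettingValue @setArgs
        # Read the value back so the report reflects what the firmware accepted.
        $current = Get-HPBIOSSettingValue -Name $name
        $status  = if ($current -eq $desired[$name]) { 'Remediated' } else { 'Failed' }
    }

    [pscustomobject]@{ Setting = $name; Current = $current; Desired = $desired[$name]; Status = $status }
}

$report | Format-Table -AutoSize
```

Run it without `-Enforce` first to collect the current state across the fleet; a `NotFound` row means the platform does not expose that setting under the name used here.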
BIOS Configuration Utility
HP's BIOS Configuration Utility (BCU) is a tool for deploying BIOS settings from a file to HP Systems.
FAQ
- What happens if my system is not plugged into AC power when Windows Update (WU) starts updating the BIOS? If AC is not plugged in and the battery is below 50%, a message will appear. The update will fail if AC is not connected, leaving a yellow-bang entry in Device Manager on the next boot.
- What is the difference between locking a specific BIOS version (blocks BIOS updates from any method) and disabling the Native OS firmware update service (blocks firmware updates from WU)? To qualify BIOS releases before broad rollout, set “Native OS firmware update service” to “Disable.” To lock the HP BIOS to a specific version, set “Lock BIOS Version” to “Enable.”
- Details on the ESP partition: HP Support Document
- System Firmware: BIOS is part of system firmware, which also includes manageability engine and USB-C controller firmware.