This article is also available in Italian at the following link: Microsoft Intune: configurare HP Connect per la gestione dei BIOS centralizzata – WindowServer.it
It has been clear for quite some time that Microsoft intends to make Intune an increasingly centralized tool for managing endpoints. Hardware vendors have noticed this too: they already offer their own solutions, but they understand that it is not always possible to ask companies to use two different platforms for configuration and maintenance activities.
Among these tasks there is perhaps the most complicated of all: the centralized configuration of the BIOS. Microsoft has, for some time, made available a subset of rules to lock down certain device components, such as the camera, boot order, Bluetooth, WiFi and so on.
However, not all devices support these functions and, more importantly, not all BIOSes are equal in terms of the functions they expose.
Since April 2023, a new feature has landed within Microsoft Intune that allows IT administrators to connect extensions from hardware vendors. The first to join this solution is HP, but more partners are on the way.
As can be seen from the image, HP Connect makes it possible to drive firmware updates and also to carry out mass configurations quickly and easily.
Integrating the two worlds is quite easy, but you need a Global Admin account, because the HP application must be approved (consented to) before it can interact with your tenant.
Once this is done, you will be able to access the administration console where the management policies will be created.
Since HP Connect is not Microsoft Intune, it cannot yet read all of Intune's components; in particular, it cannot read the filters created in Intune. The solution today is to create a group in Azure Active Directory that collects all the devices belonging to the HP family.
The Security Group must be dynamic, which requires an Azure AD P1 or P2 license, and must contain the query shown in the image.
While it is true that Windows Update is also able to update computer firmware, that operation takes place outside the control of the IT admins, which is not particularly welcome, because a faulty firmware can sometimes cause problems.
HP Connect allows you to create an update plan, which can also be based on the device model in order to differentiate the update strategy. To create a new plan, just create a policy and select BIOS Update.
The policy allows you to do two things:
- Choose whether to always install the latest version or to install only in the presence of Critical Issues
- Choose the type of device to apply the rule to (all or specific device families)
This second option can be useful for a first alignment of certain obsolete devices, but also for running a validation test before the global rollout. The final step is the association with an Azure AD group, which is why the group was created before the policy.
User Experience & Reporting
Like all scripts and updates driven by Intune, the operation is transparent to the user, who sees the BIOS updates arrive as if they were Windows Updates. Behind the scenes there is a Proactive Remediation that applies all the rules created; you can change its schedule, but this is not recommended.
From the admin side, if you want to check what happened, there is a useful report under Proactive Remediations.
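If you also want your own independent view of BIOS compliance alongside the HP Connect report, a custom Proactive Remediation detection script can report each device's BIOS version and flag models that are still below a minimum you define. The following is an added example, not HP Connect's or Intune's own script; the model names and minimum versions in `$Baseline` are constructed sample values, and the script assumes HP's usual version string format (for example "T77 Ver. 01.10.00").

```powershell
# Added example: Proactive Remediation style detection script for HP BIOS baselines.
# Exit 0 = compliant (nothing to do), exit 1 = issue detected; the Write-Output text
# appears in the Proactive Remediation report as the detection output.

# Assumed baseline (constructed sample values): model prefix -> minimum BIOS version
$Baseline = @{
    'HP EliteBook 840 G8' = '01.10.00'
    'HP ProBook 450 G9'   = '01.05.00'
}

function Get-HpBiosState {
    # Read manufacturer, model and SMBIOS BIOS version via CIM (works on any Windows device)
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        BiosVersion  = $bios.SMBIOSBIOSVersion
        ReleaseDate  = $bios.ReleaseDate
    }
}

function ConvertTo-BiosVersion {
    param([string]$VersionString)
    # HP reports strings such as "T77 Ver. 01.10.00"; keep only the trailing dotted number
    if ($VersionString -match '(\d+(?:\.\d+)+)\s*$') { return [version]$Matches[1] }
    return $null
}

function Test-BiosCompliance {
    param([string]$Model, [string]$VersionString, [hashtable]$Baseline)
    # Match the model against the baseline by prefix; unknown models are not flagged
    $key = $Baseline.Keys | Where-Object { $Model -like "$_*" } | Select-Object -First 1
    if (-not $key) { return [pscustomobject]@{ Status = 'NotInBaseline'; Compliant = $true } }
    $current = ConvertTo-BiosVersion $VersionString
    if ($null -eq $current) { return [pscustomobject]@{ Status = 'Unparseable'; Compliant = $false } }
    $minimum = [version]$Baseline[$key]
    [pscustomobject]@{
        Status    = if ($current -ge $minimum) { 'Compliant' } else { 'Outdated' }
        Compliant = ($current -ge $minimum)
        Current   = $current
        Minimum   = $minimum
    }
}

$state = Get-HpBiosState
if ($state.Manufacturer -notmatch 'HP|Hewlett') { Write-Output 'Not an HP device'; exit 0 }
$result = Test-BiosCompliance -Model $state.Model -VersionString $state.BiosVersion -Baseline $Baseline
Write-Output "$($state.Model) BIOS $($state.BiosVersion): $($result.Status)"
if ($result.Compliant) { exit 0 } else { exit 1 }
```

Deploy it as a detection-only script (no remediation script) so that it reports without changing anything; the HP Connect policy remains the component that actually delivers the BIOS update.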
HP Connect opens a new path for the management and security of devices integrated with Microsoft Intune. We expect other vendors to follow soon, but in the meantime this feature is really interesting.