Automating UEFI Firmware Updates

Created:  17 Oct 2017
Updated:  17 Oct 2017
Author:  Mike H
In our previous blog post we talked about the state of UEFI firmware running on Windows laptops attached to one of our research networks.

In case you don't recall the conclusion: we were surprised that many of the devices were running out-of-date firmware and decided to investigate ways in which automated UEFI firmware updates could be scaled to meet the needs of an enterprise. This blog tells the story of what happened next.

Testing times

We set ourselves a simple initial goal: to test successful deployment of UEFI firmware updates in an enterprise-like lab environment, one that could scale to meet the needs of a large organisation. We decided our initial tests would cover Dell, HP and Lenovo laptops as well as Microsoft Surface devices.

The first thing we found is that Surface firmware is exposed as a device driver and Microsoft take advantage of this to deliver firmware patches via Windows Update. So all you have to do on the Surface is use Windows Update and you automatically get the latest firmware versions installed.

Unfortunately, Dell, HP and Lenovo don’t currently update UEFI firmware through Windows Update. Instead, they all offer their own enterprise management tools for UEFI firmware. HP and Dell also publish catalogues of UEFI firmware updates for their platforms.

In our testing, we found it easiest to take advantage of these catalogues by using Microsoft System Center Update Publisher (SCUP) in conjunction with System Center Configuration Manager (SCCM) to push out updates to client machines. This allowed us to target the Dell and HP devices at the same time, without having to run multiple client management solutions. The SCCM client also offered the ability to automatically suspend BitLocker during a restart, something which is critical to many organisations when deploying a UEFI firmware update.

For Lenovo, we had to take a different approach. Lenovo’s System Update and Update Retriever tools can be used to deploy UEFI firmware updates, but they do not provide the capability to suspend BitLocker. Lenovo do offer a plugin to SCCM as a paid-for service, but we opted to take advantage of a custom task sequence in SCCM. This provided the necessary steps to target the update, suspend BitLocker, stage the firmware update, and restart the device to perform the update.
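
The four steps above (target, suspend BitLocker, stage, restart) can be sketched as one PowerShell step run from a task sequence. This is an added example, not the task sequence used in our testing or any vendor's script; `$TargetBiosVersion`, `$FlashTool` and `$FlashArgs` are placeholders the administrator supplies, and it assumes the vendor utility returns 0 once the update is staged.

```powershell
# Added example. The three parameters are placeholders: they do not name a
# real vendor utility, switch or firmware version.
param(
    [Parameter(Mandatory)] [string]   $TargetBiosVersion,
    [Parameter(Mandatory)] [string]   $FlashTool,
    [Parameter(Mandatory)] [string[]] $FlashArgs
)
$ErrorActionPreference = 'Stop'

# 1. Target: skip devices that already report the wanted firmware version.
$current = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion
if ($current -eq $TargetBiosVersion) {
    Write-Output "Firmware already at '$current'; nothing to do."
    exit 0
}
if (-not (Test-Path -LiteralPath $FlashTool -PathType Leaf)) {
    throw "Flash utility not found: $FlashTool"
}

# 2. Suspend BitLocker for exactly one restart, so the changed boot
#    measurements do not force recovery mode. Protection resumes by itself
#    after that restart.
$suspended = $false
$volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($volume.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
    $suspended = $true
}

# 3. Stage the firmware update with the vendor utility.
$proc = Start-Process -FilePath $FlashTool -ArgumentList $FlashArgs -Wait -PassThru

# Failure case: nothing was staged, so do not leave the disk unprotected.
if ($proc.ExitCode -ne 0) {      # assumption: 0 means "staged successfully"
    if ($suspended) {
        Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
    }
    throw "Flash utility exited with code $($proc.ExitCode); BitLocker protection restored."
}

# 4. Restart: 3010 is the standard Windows "success, reboot required" code.
#    The restart itself is left to the next task-sequence step.
Write-Output "Firmware update staged (was '$current', target '$TargetBiosVersion')."
exit 3010
```

Using `-RebootCount 1` rather than disabling BitLocker keeps the window without key protection to the single restart in which the firmware is flashed.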

Updated guidance

Testing was successful and firmware updates have since been reliably installed on a wide range of devices, not just in the lab but also with live deployments at other government departments.

So, as a result of this work, we are updating our Windows 10 EUD guidance to explain how you can automate your own UEFI firmware updates. Look out for the guidance later this month and let us know if you find our approach useful.

7 comments

Andy L - 19 Oct 2017
Have you tried doing a Dell BIOS update when using a different disk encryption system to BitLocker? It basically kills your machine unless you know exactly how to recover it!
Mike H - 23 Oct 2017
Thanks for the post Andy. In our testing, we have only considered BitLocker. In all cases with BitLocker enabled, we suspended it before performing the UEFI system firmware update, such that the system did not boot into recovery mode due to initial boot measurements having changed following the update to the firmware.

In the case of alternatives to BitLocker, assuming that the software provides similar capabilities, we would expect that a similar step would be required. This could be done for example by building a task sequence in SCCM that includes a step to suspend the disk encryption software for a single restart, prior to performing the update and thus prevent the device being forced into recovery mode.
Lee Fisher - 21 Oct 2017
Thanks for the research, I was under the impression that Windows Update was covering firmware updates from MOST Windows OEMs, not just the OEM Microsoft.
Hopefully future blog posts will also cover updating firmware on Linux systems, using fwupd.
Mike H - 23 Oct 2017
Hi Lee. Based on our research, whilst Windows 10 devices support device and system firmware updates via a firmware driver package, many OEMs today still distribute their system firmware updates separately via their own support sites.

Therefore, even if the system requirements are met, it is still reliant on the manufacturer distributing the update as a signed driver package via Windows Update as we currently see on Surface devices. We would like to see this approach adopted more widely in order to simplify the approach of applying a firmware update.
Michael K - 05 Nov 2017
Hi Mike - Thanks for the advice. Do UEFI firmware updates include updates to device TPM firmware? After the recent ROCA vulnerability affecting a particular TPM vendor's crypto library - I wondered if device vendors' UEFI firmware updates could address this issue.
Michael H - 08 Nov 2017
Hi Michael, good question. Whilst the blog has focused on UEFI firmware updates, manufacturers do often package other firmware updates as part of a system firmware update. It is therefore possible that TPM firmware updates may be issued as part of a system firmware update by OEMs, but due to the complexities of updating a TPM, firmware updates are more likely to be issued as a standalone tool.

In the case of the recent ROCA vulnerability that you refer to, you can read our guidance at https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance. The main point that I would highlight is that the key step for remediation is to apply the manufacturer-issued firmware update. Whilst the NCSC blog describes applying UEFI firmware updates, the techniques for automating their deployment should apply equally well to deploying the latest TPM firmware update.

The ROCA vulnerability serves as a great example of the importance of applying firmware updates and having a strategy in place to be able to automate this. It also demonstrates the need for OEMs to simplify this process.
Michael K - 17 Nov 2017
Thanks Michael H for the helpful answer :)
