HP Connect for Microsoft Endpoint Manager

Digital Workplace Intune
Description de l'image
Le Rhino

The ultimate in BIOS hardening by HP​

In the early days of 2022, HP quietly launched the Cloud version of HP Sure Admin, rebranding it as HP Connect. This solution allows you to implement Multi-Factor Authentication (MFA) for accessing the BIOS (Basic Input Output System) on your machines.​

Security in the field of information systems has been a major issue for several decades. The goal is to protect company data from malicious individuals. Today, all IT stakeholders are well aware that the most significant risk comes from the user. That’s why organizations in the sector encourage companies to involve their employees in the information security process.​

Every day, new vulnerabilities are discovered, and IT teams must regularly deploy updates to address them promptly. The workstation remains the primary front that engineers must defend on a daily basis. However, there are certain vulnerabilities, especially in laptops, where we remain powerless.​

One such vulnerability is securing the BIOS. This can be very problematic for a company when a workstation is lost or stolen. In 2022, all companies must have solutions in place to secure their workstations.​

10 essential tools to know:​

At Synapsys, the implementation and maintenance of these tools are fully mastered by our Modern Workplace experts. These are also the points on which we train our junior consultants within the Modern Workplace Squad. The presence of such solutions is essential to ensure the security of your IT infrastructure with confidence.​

Why should we deter such attacks?​

Today, when a workstation goes missing, we can remotely erase the contents of the disk if the machine has a network connection. However, if the machine remains offline, it remains usable for the individual who has obtained it, and the potentially exploitable data is still accessible.​

One might argue that the loss of a workstation is not a significant damage for a large company. However, the disappearance of a machine leads to the following situations:​

Cumulatively, these actions result in a significant amount of working time. It is important to note that each of these actions is repeated with each new reported case. Hours of work that could have been dedicated to ensuring the smooth operation or advancement of one or more projects.​

What can be done to avoid this? Provide a lock with each machine?​

The data on the machine is supposed to be secure. The only way to deter these acts would be to emulate Apple, i.e., make the device unusable for anyone except the owner. The operating system does not allow implementing such a level of security. We need to go down to the firmware layer to meet this need, commonly referred to as the BIOS. There is only one option: secure access to the BIOS.​

In 2022, all enterprise workstations should, at a minimum, have:​

This is the bare minimum. Unfortunately, the BIOS password is the same for an entire batch of machines or even an entire fleet. Therefore, if the password leaks once, this security becomes non-existent.​

The three main manufacturers (Lenovo, DELL, & HP) offer solutions to change this password remotely. However, the final problem remains the same; access is only temporarily secured.​

Here is a non-exhaustive list of attacks that can be used by a hacker with physical access to your machine, even if you have fully secured your OS:​

It’s crucial to understand that once access to your BIOS has been compromised, there is no turning back. No matter how hard you try to reinstall your machine’s OS, update and reset your BIOS, the hacker’s access to your machine will persist. Your only recourse is to contact the manufacturer or flash the BIOS yourself, which will void the warranty.​

The second point to note is that this type of attack is undetectable by the user, and no antivirus solution can detect and stop such an attack before the damage is done.​

How to secure your BIOS permanently? Here’s what HP has been offering for the past three years:​

Voici ce que HP propose depuis déjà 3 ans :

A QR code? Enter a code? Yes, indeed! It’s a double-factor authentication.​

MFA on the BIOS, one had to think about it, and HP offers it with HP Sure Admin, available on all enterprise laptops released since 2018. This solution is relatively unknown to the public.​

HP Sure Admin provides modern security for configuring and managing the BIOS of your PCs. Modern because administrators will be able to manage BIOS settings remotely without physical intervention.​

This solution replaces the traditional password-based access with the use of certificates. HP Sure Admin is a feature that owners of recent HP machines can install and customize.​

What are the prerequisites?​

How does HP Sure Admin work?

In practice, you need to provision the public key of 2 different certificates on the SPM (Secure Platform Module) chip of your machine. The 2 private keys of your certificates must remain in your virtual safe and should never be transmitted under any circumstances. Without these 2 private keys, the hacker will be unable to access and modify your BIOS.​

  1. Use HP MIK and HP BCU for remote BIOS configuration and management.​
  2. Use the HP Sure Admin application on a smartphone to access the BIOS user interface when necessary, as remote management is possible.​
  3. Deploy configuration files to target PCs with an SPM chip that supports Enhanced BIOS Authentication Mode (EBAM).​

Definitions :

EK : Endorsement Key                                  SK : Signing Key

LAK : Local Access Key                                EBAM : Enhanced BIOS Authentication Mode

Two Operating Methods Considered:

1. Standalone Mode:

  1. Complete prerequisites.​
  2. Manually provision the public keys of EK and SK on the SPM chip of the machine and activate HP Sure Admin.​
  3. Create a new key pair via OpenSSL for LAK.​
  4. Generate a QR code to provision the LAK private key of the machine and activate EBAM.​
  5. Install the HP Sure Admin application (Android/iOS) on your smartphone to scan the QR code and enter the PIN to access the BIOS.​
  6. This method can be useful for a Proof of Concept (PoC) on different models in your fleet.​

2. Recommended Mode for Real Security in a Production Environment:

  1. Install the HP MIK MECM server add-on on one of your MECM distribution points.​
  2. Package HP CMSL, BCU, HP MIK client applications, .NET 4.8 update, and BIOS if necessary.​
  3. Generate a QR code using the public key.​
  4. Create two additional applications:​
    1. The first to provision EK and SK public keys on the SPM chips of PCs and activate HP Sure Admin (the machine must restart after this step).​
    2. The second to install OpenSSL, create a key pair, provision the LAK private key, activate EBAM, and send the LAK public key to your hosted HP KMS server on Azure (subscription required). The machine must restart to apply the changes.​
  5. Create a task sequence, add your applications, the two reboots, and deploy it to a collection containing only compatible laptops.​
  6. Install the HP Sure Admin application (Android/iOS) on your smartphone to scan the QR code and enter the PIN to access the BIOS.​

Implementation Challenges and Expertise Needed:

Fortunately, support from the Synapsys Cloud Squad helped address these challenges. Once HP Sure Admin is deployed on your fleet, you can manage BIOS settings for your machines through the SCCM console using the HP MIK add-on.​

Challenges Encountered:

Limitations of this Management Approach:​

In January 2022, HP released HP Connect, a SaaS service enabling the use of HP Sure Admin and other security-related features via Microsoft Intune. HP recognized the trend of companies transitioning from on-premises to the cloud. If you’re curious about what Intune is and what it allows, I recommend reading this article by Tom Machado, which explains it well. Here’s what the dashboard looks like on admin.hp.com.

HP Connect for Microsoft Endpoint Manager provides access to the following features:​

BIOS Update:

BIOS Configurations:

BIOS Authentication Method:

Prerequisites for HP Connect:

How HP Connect Works: Simply accept the permission request from the HP MEM Connector App when creating your Azure and Intune tenant.​

Then, you will have access to the HP Connect Dashboard through which you can:​

What are the other security solutions that can be managed via HP Connect in the future?​


HP has revolutionized the field of workstation security with HP Sure Admin. Today, thanks to the combination of HP Connect and HP Sure Admin, if you have a fleet of HP laptops, you will be able to fully secure their access to the BIOS.​

If you are interested in implementing HP Connect and HP Sure Admin, feel free to contact Synapsys. The implementation of HP Connect may be eligible for the FastTrack program. To learn more about the FastTrack program, you can also check out Laurent Bigayon’s article, our Modern Workplace Technical Leader.​

Links to HP documentation:​




Articles Similaires

Digital Workplace

​The Challenges of Hybridization in the Modern Workplace: Perspectives and Strategies​

The Emergence of Hybridization​ Hybridization of IT infrastructures is a major challenge for businesses, whether they are small or large....

Digital Workplace

Managing Access Security in Microsoft Intune​

​The definition of roles and scopes in IT tools is a central issue in a modern workplace project. Due to...

Digital Workplace

MAM vs BYOD: What Are the Differences?​

Personal devices in the workplace are common, with many employees, both internal and external, preferring to use their own devices...