Best Practice for firmware updates and settings change while in secure boot


What are your tips / best practices if we want either to update a device's firmware (e.g. Surface Pro, Book) or simply to change a BIOS setting (even switching Secure Boot from off to on) WITHOUT any manual step?

Even your SEMM (for Surface models) does not enable that, and many other vendors (e.g. Lenovo) can't help us there either.

We (and our customers) would like to realize a real 100% ZERO TOUCH deployment, including all the TPM and BitLocker stuff too :)

In a recent PSS call you stated:

“It ultimately comes down to security.
If SEMM configuration packages were able to be pushed silently to users and the UEFI subsequently enrolled and locked down, all without confirmation by anyone local to the device then the entire device could be rendered useless for purpose if the attack turned off Wi-Fi, Bluetooth, cameras etc.”

which in turn is understandable, but will that be a fact forever?

You need to go through a manual process once, to enable the device to be centrally managed. After that point, it should be possible to update firmware and settings quietly. https://docs.microsoft.com/en-us/surface/surface-enterprise-management-mode