I’ve been using Windows Update for Business for some time with the option to enable driver updates for all my managed workstations. Until recently, I’ve not had any show-stopping issues with doing driver updates that way, but a recent BIOS update on some HP devices did cause problems: devices were asking for a BitLocker recovery key after updating (a firmware update changes the TPM measurements BitLocker seals its key to, so unless BitLocker is suspended first the key is not released at boot), and one device was even asking for the BIOS password.
After reviewing this, we decided to use another method specifically for updating the BIOS. But rather than disable all driver updates in the WUfB policy, on HP workstations we simply disabled the BIOS option called “Native OS Firmware Update Service”. With this option disabled, the BIOS no longer accepts firmware updates delivered through Windows Update, so WUfB can no longer update the BIOS but still updates all other drivers.
Note that this setting may not be present in all BIOS versions – after inventorying my devices I found around 66% supported this setting.
Below are a couple of Intune Proactive Remediations scripts (a detection script and a remediation script) that can be used to disable this option in the BIOS.
If you have a BIOS password set, to provide some simple masking first convert it to base64 like so (keep in mind this only hides the password from casual view; base64 is not encryption, and anyone who can read the script can recover it):
Then add it to the remediation script.
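As an added example (not the scripts from my GitHub repo), here is a detection/remediation pair that does the job through HP's WMI BIOS interface in the root\HP\InstrumentedBIOS namespace, with the base64-masked password decoded in the remediation script. The base64 value shown is a constructed placeholder for the password "YourBiosPassword"; the setting name and the Enable/Disable values are assumed to match what the BIOS exposes on your models. In Intune the two halves go into separate Detection and Remediation files.

```powershell
# Added example, not the original post's scripts. Two Intune Proactive Remediations
# scripts for the HP BIOS setting "Native OS Firmware Update Service".
# Both run as SYSTEM; detection exit 1 = non-compliant (run remediation), exit 0 = compliant.

# ===================== Detection.ps1 =====================
$SettingName = 'Native OS Firmware Update Service'

try {
    # HP exposes enumerated BIOS settings (Enable/Disable style) as HP_BIOSEnumeration
    # instances with a CurrentValue property. Assumption: this setting is one of them.
    $setting = Get-CimInstance -Namespace 'root\HP\InstrumentedBIOS' -ClassName 'HP_BIOSEnumeration' -ErrorAction Stop |
        Where-Object { $_.Name -eq $SettingName }
} catch {
    # Non-HP device, or HP WMI provider missing: nothing to remediate.
    Write-Output "HP BIOS WMI interface not available: $($_.Exception.Message)"
    exit 0
}

if (-not $setting) {
    # Older BIOS versions do not have this setting at all; treat as compliant.
    Write-Output "Setting '$SettingName' not present in this BIOS"
    exit 0
}

if ($setting.CurrentValue -eq 'Enable') {
    Write-Output "'$SettingName' is currently Enable; remediation required"
    exit 1
}

Write-Output "'$SettingName' is currently $($setting.CurrentValue)"
exit 0

# ===================== Remediation.ps1 =====================
$SettingName = 'Native OS Firmware Update Service'

# Produced once with:  [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('YourBiosPassword'))
# Constructed placeholder value; replace with your own. Base64 only masks the password,
# anyone able to read this script can decode it.
$EncodedPassword = 'WW91ckJpb3NQYXNzd29yZA=='
$Password = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($EncodedPassword))

# HP's WMI interface expects the BIOS setup password prefixed with <utf-16/>.
# Leave $EncodedPassword empty if no BIOS password is set; an empty string is then passed.
$WmiPassword = if ($Password) { "<utf-16/>$Password" } else { '' }

# Return codes of HP_BIOSSettingInterface.SetBIOSSetting
$ReturnCodes = @{
    0 = 'Success'; 1 = 'Not Supported'; 2 = 'Unspecified Error'; 3 = 'Timeout'
    4 = 'Failed'; 5 = 'Invalid Parameter'; 6 = 'Access Denied (wrong BIOS password?)'
}

try {
    $iface  = Get-CimInstance -Namespace 'root\HP\InstrumentedBIOS' -ClassName 'HP_BIOSSettingInterface' -ErrorAction Stop
    $result = Invoke-CimMethod -InputObject $iface -MethodName 'SetBIOSSetting' -Arguments @{
        Name     = $SettingName
        Value    = 'Disable'
        Password = $WmiPassword
    } -ErrorAction Stop
} catch {
    Write-Output "Failed to call SetBIOSSetting: $($_.Exception.Message)"
    exit 1
}

$code = [int]$result.Return
$text = if ($ReturnCodes.ContainsKey($code)) { $ReturnCodes[$code] } else { "Unknown code $code" }

if ($code -eq 0) {
    Write-Output "'$SettingName' set to Disable ($text)"
    exit 0
}

Write-Output "Could not set '$SettingName': $text"
exit 1
```

Run the Proactive Remediation in the 64-bit PowerShell host and as SYSTEM; the first line of each script's output is what shows up in the Intune report, which is why the scripts print one summary line before exiting. A return code of 6 almost always means the decoded BIOS password does not match the one set on that device.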
The scripts I use are in my GitHub repo here.