HP notebooks, enable TPM when using Offline Bitlocker
-
Friday, September 14, 2012 8:24 AM
We're using MDT 2012 Update 1 for deployment of Windows 7 and Windows 8 Enterprise to HP notebooks. I need to enable TPM during the Task Sequence deployment. This blog details the steps http://deploymentbunny.com/2010/10/18/enable-tpm-via-task-sequence-on-hp-boxes/, but we're using the new Offline Bitlocker feature and this won't work, it happens too late. How can I resolve this?
All Replies
-
Friday, September 14, 2012 1:08 PM
Was I unclear? I know how to use BiosConfigUtility, but since there's been a change as to when BitLocker encrypts (Offline Bitlocker) I can't use the details found in the blog I provided in my first post. Or am I mistaken?
-
Friday, September 14, 2012 2:15 PM
Move your TPM custom task to an earlier stage.
-
Friday, September 14, 2012 3:42 PM
I found two errors in my configuration. I was testing with an old HP laptop and the BiosConfigUtility couldn't change anything until the BIOS was updated, also I didn't have a "Reboot the computer after installing this application" checkbox.
I've moved the task to Preinstall Phase, just before the Enable Bitlocker (Offline). I'll test this as soon as I get to the office.
I'll probably also change the task to remove the BIOS password after enabling TPM:
BIOSConfigUtility.exe /nspwd:"password" /setconfig:TPMEnable.REPSET
BIOSConfigUtility.exe /nspwd:"" /cspwd:"password"
Thank you both.
-
Thursday, September 20, 2012 10:10 AM
This isn't as simple as moving the task to an earlier stage. First, using an application in the preinstall phase (before Enable Bitlocker (Offline)) gives me errors. I fixed this by using a Run Command Line, but the problem is that after executing a .bat file with:
BIOSConfigUtility.exe /nspwd:"password" /setconfig:TPMEnable.REPSET
BIOSConfigUtility.exe /nspwd:"" /cspwd:"password"
the computer is not restarted and TPM is not turned on; as a result Bitlocker isn't enabled.
If I add a Restart computer task or add wpeutil reboot in the .bat file it reboots, but doesn't boot to the network and does not continue the deployment.
Any help is appreciated.
-
Saturday, October 06, 2012 9:15 PM
Can anyone please help out with this. All I want is to enable TPM automatically so I can use the new Bitlocker Offline (to speed things up), and the TPM ownership password must be written to AD.
Can this be done?
-
Tuesday, October 16, 2012 7:11 PM
-
Thursday, October 18, 2012 7:05 AM
Thank you for your reply Niall.
This is what my TS looks like:
I've put up the smsts.log here: http://sdrv.ms/TvFBw4
The content of the hpbios.bat is:
BiosConfigUtility.exe /setConfig:TPMEnable.REPSET /nspwd:"temp1234"
BiosConfigUtility.exe /nspwd:"" /cspwd:"temp1234"
wpeutil reboot
The problem is that the computer reboots and I get: "An operating system wasn't found. Try disconnecting any drives that don't contain an operating system. Press Ctrl+Alt+Del to restart."
If I remove wpeutil reboot, the computer is not restarted and TPM is not turned on; as a result Bitlocker isn't enabled.
If I add a Restart computer task or add wpeutil reboot in the .bat file it reboots, but doesn't boot to the network and does not continue the deployment.
-
Monday, November 05, 2012 5:48 PM
Niall or anyone else, is what I provided not enough, do you need additional information to assist me?
-
Tuesday, November 06, 2012 9:00 AM
You might have made some progress since you posted in the forum.
Could you please specify @ what stage are you having an issue?
Also - When I use the HP tools, I always make sure that you are able to run it successfully using manual command line. Once manual works, put them in the TS.
Also, why are you rebooting (wpeutil reboot) within the batch file? If you need to reboot a machine, you have to add the reboot task within the TS rather than batch files or something else doing it.
Another thing - seems like the machine is running full OS when you are trying to run wpeutil reboot. This command is a WinPE command though...
Regards, Vik Singh. "If this thread answered your question, please click on 'Mark as Answer'"
-
Tuesday, November 06, 2012 4:46 PM
The only way I can see that this would work would be to add a step to apply WinPE to the local drive and set it to boot from that. That's the only way to reboot while in WinPE and have it boot back to WinPE.
-
Wednesday, November 07, 2012 3:11 PM
The order of the command should be with the PWD first:
BiosConfigUtility.exe /nspwd:"temp1234" /setConfig:TPMEnable.REPSET
this works for me every single time as a group in the state restore.
-
Friday, November 09, 2012 7:13 AM
@Vik Singh: I'm having the issue at, Restart Computer (I changed it so it's not rebooted through wpeutil), but I still get: "An operating system wasn't found. Try disconnecting any drives that don't contain an operating system. Press Ctrl+Alt+Del to restart."
@eschloss: I sure hope not. This can be done through SCCM (http://www.niallbrady.com/2012/09/23/how-can-i-pre-provision-bitlocker-in-winpe-for-windows-8-deployments-using-configuration-manager-2012-sp1/), not sure why this wouldn't be possible through MDT only.
@Shrek46: If I run this at the State Restore stage, the hard drive is not empty and the encryption takes a lot longer than doing so at the Bitlocker Offline stage.
-
Saturday, November 10, 2012 3:56 PM
The HP BIOS utility requires the complete Windows subsystem in order to run, so I do not think you will be able to run it before the Windows 7 setup has been completed or is already running. Why does the time it takes matter? Your machine is being protected from the very first minute.
- Edited by Shrek46 Saturday, November 10, 2012 4:18 PM
-
Saturday, November 10, 2012 9:10 PM
Shrek46, my understanding of this might not be correct, but if I use Bitlocker (Offline) in the early stages, then the encryption happens on an almost empty drive and is completed much, much faster than in the State Restore stage.
When deploying machines, I want to take as little time as possible, esp. if MDT allows it.
-
Monday, November 12, 2012 3:17 PM
That is correct and will happen if you already have TPM and password enabled on the target device, so your choice would be to enable it manually prior of deploying.
I personally do not see an issue with the time it takes; performance has pretty much not been an issue, it is a background task. So I guess you have to make a decision what is more reasonable time-wise for you, and that is all a new thread :-)
-
Sunday, February 17, 2013 9:01 AM
Hi
I know the thread is old, anyway..
Don't use REPSET with HP SSM.exe, that's about to be deprecated in some ways I think! I am deploying like thousands of HP Notebooks, Desktops and Workstations and I'm just running four simple custom made Tasks in WAIK & MDT2010 Update 1, ADK & MDT2012 Update 1.
First of all, I run almost everything in the "State Restore" stage that I have custom made changes for (at least with Bitlocker).
*If your computer is completely NEW then my Bitlocker encryption is not (Offline) because of the Bios Setup Password and Enable TPM Device is not set and it will encrypt afterwards = slow.. not on SSD-disk though.. ;-)
*If your computer is already in use and just needs a fresh install then it uses Bitlocker(Offline) because then the Bios Setup Password and TPM Device is already Enabled and the encryption goes really fast. (Only in ADK)
So, this is how I do it.
In "State Restore" I use the "Custom Tasks" folder after the Tattoo sequence.
1. I created a Task Sequence (TS) that calls on an application "HP Reset BIOS Password" in the "Custom Tasks" folder and executes this command (.\Applications\HP SSM\BiosConfigUtility.exe /cspwd:PassW0rd /nspwd:""). This resets the password to nothing and disables the TPM Device.
2. I create another TS like Restart computer variable. This restarts the computer and cleans the BIOS settings with the changes I made.
3. I create a TS like in "1." using the HP SSM tool to update the BIOS automatically, if there is a newer one of course, using this command (.\Applications\HP SSM\SSM.exe \\%SERVER%\SSM\SSMFS\BIOSUPDATES /ACCEPT /CANCEL:10 /INSTALL /NOCVAUPDATE /NOREBOOT /LOG:\\%SERVER%\DeploymentLogs).
4. I create a TS like "2.", Restart computer variable.
5. I create a TS like "1." that sets a password instead of removing it like "1." does. I execute this command (.\Applications\HP SSM\BiosConfigUtility.exe /nspwd:PassW0rd).
6. I create a TS like "1." that enables the TPM Device and other stuff using a CONFIG.txt file I've modified. I execute this command (.\Applications\HP SSM\BiosConfigUtility.exe /cspwd:PassW0rd /SetConfig:CONFIG.txt).
7. I create a TS like "2. & 4.", Restart computer variable.
That's it.. and it works like a charm!
*In CONFIG.txt you have made the changes that you want to do in your BIOS settings for HP Computers like changing password, enable TPM, disable firewire etc.
Latest BiosConfigUtility (ATM) you can get here: ftp://ftp.hp.com/pub/softpaq/sp58501-59000/sp58888.exe
Hope that can help.
Best regards
- Edited by Code 46 Sunday, February 17, 2013 9:04 AM
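A cleaned-up hpbios.bat for the Run Command Line approach used earlier in the thread, written here as an added example rather than the thread's own file: it keeps Shrek46's argument order (/nspwd before /setConfig), checks BiosConfigUtility's exit code so the step fails instead of carrying on to Enable Bitlocker (Offline) with TPM still off, and leaves the reboot to a Restart Computer task as Vik Singh advises. It assumes BiosConfigUtility.exe and TPMEnable.REPSET sit beside the script, that BCU returns 0 on success, and that the setup password is passed in as the first argument (HPBIOSPWD is a hypothetical task sequence variable name).

```batch
@echo off
setlocal
REM hpbios.bat (added example, not the thread's own file).
REM Usage from a Run Command Line step:  hpbios.bat %HPBIOSPWD%
REM Assumptions: BiosConfigUtility.exe and TPMEnable.REPSET are next to this
REM script, and BCU returns exit code 0 on success (assumed, not verified here).

set "BIOSPWD=%~1"
if "%BIOSPWD%"=="" (
    echo No BIOS setup password supplied as argument 1
    exit /b 2
)
pushd "%~dp0"

REM Step 1: enable the TPM. Password argument first, as Shrek46 notes.
BiosConfigUtility.exe /nspwd:"%BIOSPWD%" /setConfig:TPMEnable.REPSET
set "RC=%errorlevel%"
if not "%RC%"=="0" (
    echo TPMEnable.REPSET failed, BiosConfigUtility exit code %RC%
    popd
    exit /b %RC%
)

REM Step 2: clear the setup password again, same pattern as the thread.
BiosConfigUtility.exe /nspwd:"" /cspwd:"%BIOSPWD%"
set "RC=%errorlevel%"
if not "%RC%"=="0" (
    echo Clearing setup password failed, BiosConfigUtility exit code %RC%
    popd
    exit /b %RC%
)

popd
REM No wpeutil reboot here: the BIOS change takes effect on the next boot,
REM so let a Restart Computer task in the task sequence do it.
exit /b 0
```

A non-zero exit code surfaces in the task sequence (and in smsts.log) rather than being hidden inside the batch file, so a BIOS that still needs an update shows up as a failed step instead of an unencrypted machine.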
-
Wednesday, April 24, 2013 5:00 PM
This is an old thread but I have the same issue he is having. Basically he has already enabled TPM and updated BIOS. The problem is that when you restart after each one of those tasks it won't boot to the USB drive since it's not set that way in the BIOS for boot order. Basically we need to be able to boot from the drive instead of having to manually select the USB drive every time we restart.

