©Copyright 2017 HP Development Company, L.P.
Notice: The information contained in this document, including URL, other web site references, screen shots or step by step instructional guidance are samples provided for informational purposes only. Appropriate modifications may be needed for solutions prior to applying the TPM patch such as, but not limited to Secure Boot, Bit Locker, Virtual Smart Card, 3rd party encryption products, VPN products prior to applying the TPM firmware upgrade (or patch). HP has no direct or indirect visibility or ability to predict all the cases as to how organizations are using the TPM. Customers are solely responsible for ensuring that the TPM firmware upgrade does not adversely impact their own use cases. All information provided in this document is provided on an “as is” basis and nothing herein should be construed as constituting an additional warranty. HP does not warrant or guarantee the guidance contained in this document and customers are strongly urged to do their own testing and customization of these instructions to meet their particular use case. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. HP expressly disclaims any and all liability related to or arising from the use of or reliance upon the instructional guidance contained in this document. Additionally, HP shall not be liable for technical or editorial errors or omissions contained herein.
TPM Firmware Upgrade Task Sequence

Document History

Revision  Date      Initials  Description
1.0       11/08/17  NN        Initial version Task Sequence for TPM sp81900 and sp82133 (Win 10 only)
1.1       11/15/17  NN        Updated document including HP disclaimer
2.0       11/28/17  NN        Updated document Task sequence for TPM sp81900, sp82133, sp82132 (Win 10 and Win 7) with the following updates:
                              o Have the right call to clear TPM
                              o Have the proper .hpsign files for TPMConfig to detect signed TPMConfig and firmware bin files
                              o Add scripts to create HP_TOOLS partition
                              o Re-arrange the flow to be more readable
                              o Remove all steps relating to auto logon
                              o Disable virtualization BIOS setting, Trusted Execution Technology (TXT) and Intel Software Guard Extensions (SGX)
3.0       01/18/18  NN        Updated Task Sequence for 5 SoftPaqs (sp81900, sp82133, sp82132, sp82147, sp82407)
                              o Added OS conditions for all SoftPaqs W7, W8.1, W10
                              o Updated OS condition checks in Own TPM steps
                              o Moved the Win 10 1607 check to earlier so both Own TPM steps can reference the check result
                              o Replaced with TPM config Utility 2.0.2.1
4.0       05/01/18  NN        Updated Task Sequence for SoftPaq sp85540, which supersedes sp81900 and sp82417
                              o New version of TPM config 2.0.3.1 and TPM firmware bin files version 7.63 and workstation SLB 9660
Environment and validation information

In this practice, we have tested task sequence version 3.0 on the following client systems via SCCM server:
1. SCCM Server
   o Running Windows Server OS 2012 R2
   o Configuration Manager Console version 5.0.8239.1403
2. Client system
   o SP85540 – ProBook 440 G4, ProBook 640 G3, ProBook 470 G5, EliteDesk 800 DM G3, ProDesk 400 G2 DM, Desktop Workstation Z240 and Z440
   o SP82133 – EliteBook 725 G2, ProBook 470 G2, EliteDesk 705 G1 DM
   o SP82407 – None
   o SP82132 – Due to the limitation of hardware, we have not validated any supported system for this SoftPaq
   o Running Windows 7 Enterprise, Windows 10 version RS1, RS3, and RS4
   o BIOS version – latest
   o TPM version 1.2 and 2.0
   o BitLocker enabled
Prerequisites
1. BIOS Configuration Utility (BCU) tool version 4.0.24.1 (sp81841). This SoftPaq is available on the Manageability website: http://www8.hp.com/us/en/ads/clientmanagement/download.html
2. Download the appropriate TPM firmware bin files from this FTP location: https://ftp.hp.com/pub/caps-softpaq/cmit/example/TPMFWUpgrade/TPMFWReadme.docx
   Please also refer to this Security Bulletin for the correct SoftPaq for your system: https://support.hp.com/us-en/document/c05792935
3. Apply the Windows operating system updates (see the Affected Products table for specific package KB numbers) first.
   WARNING: Do NOT apply the TPM firmware update prior to applying the Windows operating system mitigation update. Doing so will render your system unable to determine if your system is affected. You will need this information to conduct full remediation.
   According to the Microsoft post https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012, customers need to install the OS updates prior to doing the TPM firmware update.
Create folders for packages in Task Sequence
1. Create HP BIOS Configuration Utility folder
   o On the SCCM server, create a folder, name it "HP Client BIOS Configuration Utility", and place all BCU files in it
   o Run BCU to get a config file
     Ex: BiosConfigUtility64.exe /get:"config.txt"
   o Open config.txt and modify the TPM setting as shown in the picture below
   o Save the modified config file as desired. For example: RepsetTPM.txt
   o Also, modify the second config file to disable TPM physical presence (PPI) for sp81900's supported systems as shown in the picture below
   o Save the second modified config file as desired. For example: TPMNoPrompts.txt
   o Create BIOS Password bin file
     Execute HPQPswd.exe or HPQPwd64.exe
     Follow the on-screen instructions to create a password bin file
     Save the password bin file in the same directory as BCU
   The HP Client BIOS Configuration Utility folder should contain the following files
2. Create folder HP TPM Config Utility and place all necessary files here.
3. Create folder IFX
   o Create subfolder called sp82132. Place the IFXTPMUpdate application and necessary files here
   o Create subfolder called sp82133. Place the IFXTPMUpdate application and necessary files here
   o Create subfolder called sp82407. Place the IFXTPMUpdate application and necessary files here
4. Create a folder for Registry Update Package
   o Have all registry files in this folder

   ResetOSManagedAuthLevel
       [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
       "OSManagedAuthLevel"=dword:00000002

   SetOSManagedAuthLevel
       [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
       "OSManagedAuthLevel"=dword:00000004
5. Create a folder for TPM Script
   o Have all necessary files in this folder

ClearTPM.ps1
    #--------------------------------------------------------------------------------
    # DISCLAIMER:
    # © 2017 HP Development Company. All rights reserved.
    # The sample script here is not supported under any HP standard support program or service.
    # The sample script is provided AS IS without warranty of any kind.
    # HP disclaims all implied warranties including, without limitation,
    # any implied warranties of merchantability or of fitness for a particular purpose.
    # The entire risk arising out of the use or performance of the sample script
    # and documentation remains with you. In no event shall HP, its authors,
    # or anyone else involved in the creation, production, or delivery of the script
    # be liable for any damages whatsoever (including, without limitation, damages for
    # loss of business profits, business interruption, loss of business information,
    # or other pecuniary loss) arising out of the use of or inability to use the sample
    # script or documentation, even if HP has been advised of the possibility of such damages.
    #=====================================================================
    # Filename: ClearTPM.ps1
    # Description: Clear, enable, and activate the TPM.
    #=====================================================================
    $objTPM = Get-WmiObject -Class "Win32_Tpm" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
    Write-Host "Clear, enable, and activate the TPM"
    # Physical presence operation 14 = enable, activate and clear the TPM; the request is carried out at the next reboot.
    $objRet = $objTPM.SetPhysicalPresenceRequest(14)
    $retCode = $objRet.ReturnValue
    If ($retCode -eq 0) {
        Write-Host "Successfully cleared the TPM chip. A reboot is required."
    } else {
        Write-Host "Failed to clear TPM ownership. Exiting... Error=$($retCode)" -ForegroundColor Red
        Exit $retCode
    }
CreateHP_TOOLS.txt
    sel vol c:
    shrink desired=500
    create part prim
    format quick fs=FAT32 label=HP_TOOLS
    assign letter T
    lis dis
    det dis
    lis par
    det par
    exit

DeleteHP_TOOLS.txt
    sel vol HP_TOOLS_DRIVE_LETTER
    del part override
    sel vol c:
    extend noerr
    exit
Delete-HPToolsPartition.ps1
    #--------------------------------------------------------------------------------
    # DISCLAIMER:
    # © 2017 HP Development Company. All rights reserved.
    # The sample script here is not supported under any HP standard support program or service.
    # The sample script is provided AS IS without warranty of any kind.
    # HP disclaims all implied warranties including, without limitation,
    # any implied warranties of merchantability or of fitness for a particular purpose.
    # The entire risk arising out of the use or performance of the sample script
    # and documentation remains with you. In no event shall HP, its authors,
    # or anyone else involved in the creation, production, or delivery of the script
    # be liable for any damages whatsoever (including, without limitation, damages for
    # loss of business profits, business interruption, loss of business information,
    # or other pecuniary loss) arising out of the use of or inability to use the sample
    # script or documentation, even if HP has been advised of the possibility of such damages.
    #=====================================================================
    # Filename: Delete-HPToolsPartition.ps1
    # Description: Delete HP_TOOLS partition if it exists.
    #=====================================================================
    $objHP_TOOLSPart = Get-WmiObject -Class "Win32_LogicalDisk" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2" -filter "VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'"
    if ($objHP_TOOLSPart -eq $null) {
        Write-Host "No HP_TOOLS partition"
    } else {
        # Get the drive letter of HP_TOOLS partition.
        $drive = $objHP_TOOLSPart.DeviceID
        Write-Host "HP_TOOLS partition drive letter=$drive"

        # Get the location to the script.
        if (!$PSScriptRoot) { $PSScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent }

        $inputFileName = "DeleteHP_TOOLS.txt"
        $path = Join-Path -Path $PSScriptRoot -ChildPath "$inputFileName"
        $tempPath = "C:\$inputFileName"
        Write-Host "Content of template input file before calling diskpart:"
        Get-Content $path

        # Load DeleteHP_TOOLS.txt and replace the place holder with the HP_TOOLS partition drive letter.
        $newContent = (Get-Content $path | Out-String) -replace "(.*?)HP_TOOLS_DRIVE_LETTER(.*)", ('$1{0}$2' -f $drive)
        Write-Host "new content"
        Write-Host $newContent
        $newContent | Set-Content $tempPath

        # Verbose the content of DeleteHP_TOOLS.txt
        Write-Host "Content of input file before calling diskpart:"
        Get-Content $tempPath

        if (Test-Path $tempPath) {
            Write-Host "Running diskpart to remove HP_TOOLS partition"
            Start-Process -FilePath "diskpart" -Wait -Verbose -ArgumentList " /s $tempPath"
            # Clean up the input file
            Write-Host "Remove the input file to diskpart"
            Remove-Item -Path $tempPath
        }
    }

ForceError.cmd
    Echo Force error 1
    exit /b 1
Get-TPMOwnerInfo.vbs
    '=================================================================================
    '
    ' This script demonstrates the retrieval of Trusted Platform Module (TPM)
    ' recovery information from Active Directory for a particular computer.
    '
    ' It returns the TPM owner information stored as an attribute of a
    ' computer object.
    '
    ' Last Updated: 12/05/2012
    ' Last Reviewed: 12/05/2012
    '
    ' Microsoft Corporation
    '
    ' Disclaimer
    '
    ' The sample scripts are not supported under any Microsoft standard support program
    ' or service. The sample scripts are provided AS IS without warranty of any kind.
    ' Microsoft further disclaims all implied warranties including, without limitation,
    ' any implied warranties of merchantability or of fitness for a particular purpose.
    ' The entire risk arising out of the use or performance of the sample scripts and
    ' documentation remains with you. In no event shall Microsoft, its authors, or
    ' anyone else involved in the creation, production, or delivery of the scripts be
    ' liable for any damages whatsoever (including, without limitation, damages for loss
    ' of business profits, business interruption, loss of business information, or
    ' other pecuniary loss) arising out of the use of or inability to use the sample
    ' scripts or documentation, even if Microsoft has been advised of the possibility
    ' of such damages.
    '
    ' Version 1.0 - Initial release
    ' Version 1.1 - Updated GetStrPathToComputer to search the global catalog.
    ' Version 1.1.2 - Tested and re-released for Windows 8 and Windows Server 2012
    '
    ' HP update - Added script to get the TPM owner password hash from TPM Devices
    '           - Output the hash to pwd.tpm file
    '
    '=================================================================================

    ' --------------------------------------------------------------------------------
    ' Usage
    ' --------------------------------------------------------------------------------
    Sub ShowUsage
        Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]"
        Wscript.Echo "If no computer name is specified, the local computer is assumed."
        WScript.Quit
    End Sub

    ' --------------------------------------------------------------------------------
    ' Parse Arguments
    ' --------------------------------------------------------------------------------
    Set args = WScript.Arguments

    Select Case args.Count
        Case 0
            ' Get the name of the local computer
            Set objNetwork = CreateObject("WScript.Network")
            strComputerName = objNetwork.ComputerName
        Case 1
            If args(0) = "/?" Or args(0) = "-?" Then
                ShowUsage
            Else
                strComputerName = args(0)
            End If
        Case Else
            ShowUsage
    End Select

    ' --------------------------------------------------------------------------------
    ' Get path to Active Directory computer object associated with the computer name
    ' --------------------------------------------------------------------------------
    Function GetStrPathToComputer(strComputerName)
        ' Uses the global catalog to find the computer in the forest
        ' Search also includes deleted computers in the tombstone
        Set objRootLDAP = GetObject("LDAP://rootDSE")
        namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

        strBase = "<GC://" & namingContext & ">"
        Set objConnection = CreateObject("ADODB.Connection")
        Set objCommand = CreateObject("ADODB.Command")
        objConnection.Provider = "ADsDSOObject"
        objConnection.Open "Active Directory Provider"
        Set objCommand.ActiveConnection = objConnection

        strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
        strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

        objCommand.CommandText = strQuery
        objCommand.Properties("Page Size") = 100
        objCommand.Properties("Timeout") = 100
        objCommand.Properties("Cache Results") = False

        ' Enumerate all objects found.
        Set objRecordSet = objCommand.Execute
        If objRecordSet.EOF Then
            WScript.Echo "The computer name '" & strComputerName & "' cannot be found."
            WScript.Quit 1
        End If

        ' Found object matching name
        Do Until objRecordSet.EOF
            dnFound = objRecordSet.Fields("distinguishedName")
            GetStrPathToComputer = "LDAP://" & dnFound
            objRecordSet.MoveNext
        Loop

        ' Clean up.
        Set objConnection = Nothing
        Set objCommand = Nothing
        Set objRecordSet = Nothing
    End Function

    ' --------------------------------------------------------------------------------
    ' Securely access the Active Directory computer object using Kerberos
    ' --------------------------------------------------------------------------------
    Set objDSO = GetObject("LDAP:")
    strPath = GetStrPathToComputer(strComputerName)

    WScript.Echo "Accessing object: " & strPath

    Const ADS_SECURE_AUTHENTICATION = 1
    Const ADS_USE_SEALING = 64 '0x40
    Const ADS_USE_SIGNING = 128 '0x80

    Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
        ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

    ' --------------------------------------------------------------------------------
    ' Get the TPM owner information from the Active Directory computer object
    ' --------------------------------------------------------------------------------
    On Error Resume Next
    ' If the TPM password hash is stored as owner information on the computer object, get it.
    strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
    WScript.Echo "msTPM-OwnerInformation: " & strOwnerInformation

    ' Otherwise the hash lives on a TPM object under TPM Devices, linked from the computer
    ' object by msTPM-TpmInformationForComputer. A failed Get above leaves the variable Empty.
    If IsEmpty(strOwnerInformation) Or strOwnerInformation = "" Then
        ' Get the DN of the linked TPM object
        strTpmObjectDN = objComputer.Get("msTPM-TpmInformationForComputer")
        WScript.Echo "msTPM-TpmInformationForComputer: " & strTpmObjectDN

        strOwnerInformation = ""
        If Not IsEmpty(strTpmObjectDN) Then
            If (strTpmObjectDN <> "") Then
                ' Get the TPM entry.
                strPath = "LDAP://" & strTpmObjectDN
                'WScript.Echo "Accessing object: " & strPath
                Set objTPM = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
                    ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

                ' Get the TPM owner password
                strOwnerInformation = objTPM.Get("msTPM-OwnerInformation")
                'WScript.Echo "msTPM-OwnerInformation: " & strOwnerInformation
            End If
        End If
    End If

    If IsEmpty(strOwnerInformation) Or strOwnerInformation = "" Then
        WScript.Echo "The TPM owner information is not available in AD."
        WScript.Quit 1
    End If

    ' --------------------------------------------------------------------------------
    ' Generate the TPM password file.
    ' --------------------------------------------------------------------------------
    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' How to write file (vbCrLf is a VBScript intrinsic constant)
    outFile = "c:\pwd.tpm"
    strContent = "<?xml version=""1.0"" encoding=""UTF-8""?>" & vbCrLf & _
        "<!-- " & vbCrLf & _
        "This page is a backup of Trusted Platform Module (TPM) owner" & vbCrLf & _
        "authorization information. Upon request, use the authorization information to" & vbCrLf & _
        "prove ownership of the computer's TPM." & vbCrLf & vbCrLf & vbCrLf & _
        "IMPORTANT: Please keep this file in a secure location away from your computer's" & vbCrLf & _
        "local hard drive." & vbCrLf & _
        "-->" & vbCrLf & _
        "<tpmOwnerData version=""1.0"" softwareAuthor=""Microsoft Windows [Version 6.1.7601]"" creationDate=""2017-11-15T23:32:48-08:00"" creationUser=""domain\user"" machineName=""machine"">" & vbCrLf & _
        "  <tpmInfo manufacturerId=""1229346816""/>" & vbCrLf & _
        "  <ownerAuth>" & strOwnerInformation & "</ownerAuth>" & vbCrLf & _
        "</tpmOwnerData>" & vbCrLf

    WScript.Echo "Writing " & outFile
    Set objFile = objFSO.CreateTextFile(outFile, True)
    objFile.Write strContent
    objFile.Close

    WScript.Echo outFile & " is ready to use"
OwnTPM.ps1
    #--------------------------------------------------------------------------------
    # DISCLAIMER:
    # © 2017 HP Development Company. All rights reserved.
    # The sample script here is not supported under any HP standard support program or service.
    # The sample script is provided AS IS without warranty of any kind.
    # HP disclaims all implied warranties including, without limitation,
    # any implied warranties of merchantability or of fitness for a particular purpose.
    # The entire risk arising out of the use or performance of the sample script
    # and documentation remains with you. In no event shall HP, its authors,
    # or anyone else involved in the creation, production, or delivery of the script
    # be liable for any damages whatsoever (including, without limitation, damages for
    # loss of business profits, business interruption, loss of business information,
    # or other pecuniary loss) arising out of the use of or inability to use the sample
    # script or documentation, even if HP has been advised of the possibility of such damages.
    #=====================================================================
    # Filename: OwnTPM.ps1
    # Description: Take ownership of the TPM with a random
    #              GUID as the TPM owner information.
    #=====================================================================
    $objTPM = Get-WmiObject -Class "Win32_Tpm" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
    Write-Host "Verify that the TPM is enabled, activated and ownership allowed."
    $isEnabled = $objTPM.IsEnabled().isEnabled
    $isActivated = $objTPM.IsActivated().isActivated
    $ownershipAllowed = $objTPM.IsOwnershipAllowed().IsOwnershipAllowed
    If (-not($isEnabled -eq $true -and $isActivated -eq $true -and $ownershipAllowed -eq $true)) {
        Write-Host "The TPM state (isEnabled=$isEnabled, isActivated=$isActivated, ownershipAllowed=$ownershipAllowed) does not allow ownership." -ForegroundColor Red
        Exit 1
    }
    Write-Host "TPM is enabled, activated and ownership allowed."

    # Create a new GUID and use it as the TPM owner password.
    # The pass phrase is not persisted by this script; ConvertToOwnerAuth derives the owner auth value from it.
    $GUID = [guid]::NewGuid()
    $ownerAuth = $objTPM.ConvertToOwnerAuth($GUID.ToString()).OwnerAuth
    $objRet = $objTPM.TakeOwnership($ownerAuth)
    $retCode = $objRet.ReturnValue
    If ($retCode -eq 0) {
        Write-Host "Successfully took ownership of the TPM."
    } else {
        Write-Host "Failed to take ownership of TPM. Exiting... Error=$retCode" -ForegroundColor Red
        Exit $retCode
    }
RunProgram.ps1
    param(
        [string]$program,
        [string]$inputArgs
    )
    # The program is expected to sit next to this script (e.g. inside the package folder).
    $program = "$PSScriptRoot\$program"

    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName = "$program"
    $pinfo.RedirectStandardError = $true
    $pinfo.RedirectStandardOutput = $true
    $pinfo.UseShellExecute = $false
    $pinfo.Arguments = "$inputArgs"
    $p = New-Object System.Diagnostics.Process
    $p.StartInfo = $pinfo
    $p.Start() | Out-Null
    # Drain the redirected streams before waiting, so a child that fills the stdout pipe cannot block the wait.
    $stdout = $p.StandardOutput.ReadToEnd()
    $stderr = $p.StandardError.ReadToEnd()
    $p.WaitForExit()
    Write-Host "$stdout"
    Write-Host "stderr=$stderr"
    Write-Host "Exit code=$($p.ExitCode)"
Create Packages in ConfigMgr

Create package HP Client BIOS Configuration Utility
1. In the Configuration Manager Console, click Software Library
2. Expand Application Management
3. Right click Packages and select Create Package
4. Name the package as desired and enter any additional information on the first page of the wizard.
   Note: Make sure to select the correct source file location
5. Click Next
6. Select the Do not create a program option, and click Next
7. Click Next on the summary page
8. There is a notification when the wizard is completed successfully.
9. Click Close.

Create package HP TPM Config
1. Similar steps to creating HP Client BIOS Configuration Utility. Follow the 9 steps to complete creating the HP TPM Config package. Ensure to adjust the correct source folder.

Create package IFX
1. Similar steps to creating HP Client BIOS Configuration Utility. Follow the 9 steps to complete creating the IFX package. Ensure to locate the correct source folder.

Create package Registry Update Package
1. Similar steps to creating HP Client BIOS Configuration Utility. Follow the 9 steps to complete creating the Registry Update package. Ensure to locate the correct source folder.

Create package TPM Script Package
1. Similar steps to creating HP Client BIOS Configuration Utility. Follow the 9 steps to complete creating the TPM Script package. Ensure to locate the correct source folder.

Distribute the newly created packages
1. Right click each of the newly created packages and select Distribute Content
2. Click Next at the general screen
3. At the Content Destination screen, click Add > Distribution Point
4. Select the appropriate distribution point
5. There is a notification when the content is distributed successfully.
Prepare ConfigMgr Client
Follow these steps to prepare and join client systems into the domain network if you have not done so.
1. Join the client system to the domain
2. Make sure to add File and Printer Sharing and Windows Management Instrumentation (WMI) exceptions to Windows Firewall
3. In the Configuration Manager Console, make sure the client system is discovered and displayed under Devices.
4. Install the Configuration Manager client on the system.
5. Create a device collection containing the target clients for deployment.
Create Task Sequence
1. In the Configuration Manager console, click Software Library.
2. In the Software Library workspace, expand Overview, and then click Operating Systems.
3. Right click Task Sequences, and then select Create Task Sequence.
4. Select Create a new custom task sequence.
5. Enter the task sequence name, description, boot image as desired, and click Next
6. At the summary page, click Next.
7. Click Close when the Create Task Sequence Wizard has completed successfully.
8. Your task sequence is created under Software Library > Overview > Operating Systems > Task Sequences.
9. Right click on the newly created task sequence and select Edit
10. The task sequence is displayed.
11. Add a new group (Add > Group) and name it as desired.
12. Add five variable tasks by clicking Add > General > Set Task Sequence Variable
13. Name the first variable task Is sp85540 needed and provide info as follows
   o Properties tab
     Task sequence variable = sp85540
     Value = Needed
   o Options tab
     Add condition(s)
     All these conditions are true:

     Root\cimv2
     select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'

     Note: All products listed in the query below are retrieved and based on the support list from sp85540's CVA file.

     Root\cimv2
     select * from Win32_BaseBoard where
       Product like '%80FC%' or Product like '%82CA%' or Product like '%80FB%' or Product like '%80FA%' or Product like '%82DE%' or Product like '%8084%' or
       Product like '%8238%' or Product like '%807E%' or Product like '%8236%' or Product like '%807E%' or Product like '%8236%' or Product like '%807C%' or
       Product like '%8292%' or Product like '%8079%' or Product like '%828C%' or Product like '%8079%' or Product like '%828C%' or Product like '%8170%' or
       Product like '%8300%' or Product like '%827D%' or Product like '%82EF%' or Product like '%83D0%' or Product like '%815A%' or Product like '%82EB%' or
       Product like '%828B%' or Product like '%818F%' or Product like '%80FF%' or Product like '%822C%' or Product like '%8377%' or Product like '%8100%' or
       Product like '%822E%' or Product like '%837B%' or Product like '%8101%' or Product like '%8231%' or Product like '%837D%' or Product like '%80EF%' or
       Product like '%823C%' or Product like '%8102%' or Product like '%8234%' or Product like '%837F%' or Product like '%80FD%' or Product like '%82AA%' or
       Product like '%80FE%' or Product like '%823A%' or Product like '%80FD%' or Product like '%82AA%' or Product like '%80FE%' or Product like '%823A%' or
       Product like '%8334%' or Product like '%828C%' or Product like '%80D5%' or Product like '%8275%' or Product like '%8079%' or Product like '%828C%' or
       Product like '%80D6%' or Product like '%8270%' or Product like '%80D4%' or Product like '%826B%' or Product like '%83FD%' or Product like '%81C3%' or
       Product like '%805B%' or Product like '%8266%' or Product like '%8265%' or Product like '%835B%' or Product like '%8053%' or Product like '%829A%' or
       Product like '%8299%' or Product like '%829B%' or Product like '%829F%' or Product like '%8057%' or Product like '%829C%' or Product like '%829B%' or
       Product like '%830A%' or Product like '%8055%' or Product like '%806A%' or Product like '%82A5%' or Product like '%8062%' or Product like '%82A2%' or
       Product like '%8062%' or Product like '%82A1%' or Product like '%805F%' or Product like '%8169%' or Product like '%805D%' or Product like '%829E%' or
       Product like '%82B4%' or Product like '%8169%' or Product like '%829D%' or Product like '%8063%' or Product like '%82A6%' or Product like '%8063%' or
       Product like '%805E%' or Product like '%82B5%' or Product like '%8139%' or Product like '%8376%' or Product like '%8115%' or Product like '%82BF%' or
       Product like '%8183%' or Product like '%802E%' or Product like '%802F%' or Product like '%81C5%' or Product like '%212B%' or Product like '%81C6%' or
       Product like '%212A%' or Product like '%81C7%' or Product like '%2129%'

     Root\cimv2\security\MicrosoftTPM
     select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and
       ((SpecVersion like '2.0%' and ManufacturerVersion like '7.%' and ManufacturerVersion < '7.63') or
        (SpecVersion like '2.0%' and ManufacturerVersion like '5.%' and ManufacturerVersion < '5.62') or
        (SpecVersion like '1.2%' and ManufacturerVersion like '4.4%' and ManufacturerVersion < '4.43') or
        (SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43'))
14. Name the second variable task Is sp82133 needed and provide info as follows
   o Properties tab
     Task sequence variable = sp82133
     Value = Needed
   o Options tab
     Add condition(s)
     All these conditions are true:

     Note: All products listed in the query below are retrieved and based on the support list from sp82133's CVA file.

     Root\cimv2
     select * from Win32_BaseBoard where
       Product like '%2255%' or Product like '%22DA%' or Product like '%2270%' or Product like '%2271%' or Product like '%805C%' or Product like '%2216%' or
       Product like '%8042%' or Product like '%221B%' or Product like '%221D%' or Product like '%2009%' or Product like '%2235%' or Product like '%2236%' or
       Product like '%2234%' or Product like '%2249%' or Product like '%224A%' or Product like '%2248%' or Product like '%2247%' or Product like '%2246%' or
       Product like '%225A%' or Product like '%221C%' or Product like '%2253%' or Product like '%8158%' or Product like '%8103%' or Product like '%18E9%' or
       Product like '%198E%' or Product like '%21F5%' or Product like '%2215%' or Product like '%225F%' or Product like '%225E%' or Product like '%213D%' or
       Product like '%2187%' or Product like '%2124%' or Product like '%21B4%' or Product like '%8000%' or Product like '%21F6%' or Product like '%18EB%' or
       Product like '%2171%' or Product like '%805A%' or Product like '%2B60%' or Product like '%8184%' or Product like '%8267%'

     root\cimv2\security\MicrosoftTPM
     select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion < '4.43'

     Root\cimv2
     select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%10%'
15. Name the third variable task Is sp82132 needed and provide info as follows
   o Properties tab
     Task sequence variable = sp82132
     Value = Needed
   o Options tab
     Add condition(s)
     All these conditions are true:

     Note: All products listed in the query below are retrieved and based on the support list from sp82132's CVA file.

     root\cimv2
     select * from Win32_BaseBoard where Product like '%8256%' or Product like '%2B5E%'

     root\cimv2\security\MicrosoftTPM
     select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion < '6.43'

     root\cimv2
     select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%10%'
16. Name the fourth variable task Is sp82407 needed and provide info as follows
   o Properties tab
     Task sequence variable = sp82407
     Value = Needed
   o Options tab
     Add condition(s)
     All these conditions are true:

     root\cimv2
     select * from Win32_BaseBoard where
       Product like '%190A%' or Product like '%2157%' or Product like '%213E%' or Product like '%198F%' or Product like '%1993%' or Product like '%1994%' or
       Product like '%2101%' or Product like '%2102%' or Product like '%21B3%' or Product like '%1946%' or Product like '%1947%' or Product like '%1944%' or
       Product like '%1942%' or Product like '%1940%' or Product like '%1991%' or Product like '%1992%' or Product like '%1909%' or Product like '%2175%' or
       Product like '%2179%' or Product like '%2B2A%' or Product like '%22AD%' or Product like '%18E6%' or Product like '%1998%' or Product like '%8027%' or
       Product like '%8027%' or Product like '%1825%' or Product like '%21D0%' or Product like '%2B34%' or Product like '%213D%' or Product like '%2187%' or
       Product like '%2124%' or Product like '%21B4%' or Product like '%18EA%' or Product like '%18E5%' or Product like '%18E7%' or Product like '%18E8%' or
       Product like '%18E4%' or Product like '%2155%' or Product like '%2145%' or Product like '%8076%' or Product like '%2B4A%'

     root\cimv2\security\MicrosoftTPM
     select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion like '4.3%' and ManufacturerVersion < '4.34'

     root\cimv2
     select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'
17. Name the third variable task as Is sp82147 needed and provide info as followo Properties tab
Task sequence variable = sp82147 Value = Needed
o Options tab Add condition(s)
All these conditions are true
root\cimv2
select * from Win32_BaseBoard where Product like '%8115%' or Product like '%82BF%' or Product like '%8183%' or Product like '%802E%' or Product like '%802F%' or Product like '%81C5%' or Product like '%212B%' or Product like '%81C6%' or Product like '%212A%' or Product like '%81C7%' or Product like '%2129%'
root\cimv2\security\MicrosoftTpm
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and ((SpecVersion like '2.0%' and ManufacturerVersion < '7.62') or (SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43') or (SpecVersion like '1.2%' and ManufacturerVersion < '4.43'))
root\cimv2
select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'
18. Add new group by clicking Add > New Group
o Properties tab - Name group as Update TPM Firmware
o Options tab - Add following conditions
19. Add Set OSD BitLocker Status variable task under Update TPM Firmware group
o Properties tab
Task Sequence Variable = OSDBitLockerStatus Value=Protected
o Options tab Add condition(s)
root\cimv2\Security\MicrosoftVolumeEncryption
select * from win32_encryptablevolume where driveletter = 'c:' and protectionstatus = '1'
20. Add Suspend BitLocker command line task by clicking Add > General > Command line
o Properties tab
Command line: %windir%\system32\manage-bde.exe -protectors -disable c:
o Options tab Success codes = 0 3010 Add condition(s)
21. Add Is Windows 10 1607 or later variable task
o Properties tab
Task Sequence Variable = Win10_1607_or_Later Value = True
o Options tab Add condition(s)
22. Add sub group named sp85540 under Update TPM Firmware group
o Options tab Add condition(s)
23. Add Need to create HP_TOOLS partition? variable task under sp85540 group
o Properties tab
Task Sequence Variable = CreateHP_TOOLS Value = True
o Options tab Add condition(s)
root\cimv2
Select * from Win32_DiskPartition Where Type = "GPT: System"
root\cimv2
select DeviceID from Win32_LogicalDisk where VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'
root\cimv2
Select * From Win32_LogicalDisk Where DeviceID = 'C:' and FreeSpace >= 524288000
24. Add Create HP_TOOLS partition command line task
o Properties tab
Command line: diskpart /s CreateHP_TOOLS.txt
Package = Browse to TPM Script
o Options tab Success codes = 0 3010 Add condition(s)
25. Add Set TPM BIOS Setting command line task
o Properties tab
Command line: BiosConfigUtility.exe /set:"TPMNoPrompts.txt" /cpwdfile:HP123456.bin
Package = Browse to HP Client BIOS Configuration Utility package
o Options tab Success codes = 0 3010
26. Add Restart Computer task
o Properties tab
Under Specify what to run after restart section, select The currently installed default operating system option
27. Add Suspend BitLocker command line task
o Properties tab
Command line: %windir%\system32\manage-bde.exe -protectors -disable c:
o Options tab Success codes = 0 3010 Add condition(s)
28. Add Call TPMConfig to get initial TPM information command line task
o Properties tab
Command line: TPMConfig.exe -s -t%temp%\TPMInfo.BeforeUpdate.txt -l%temp%\TPMConfig.log
Package = Browse to HP TPM Config Utility 2.0.2.1 package
o Options tab Success codes = 0 3010
29. Add Call TPMConfig to upgrade TPM 1.2 command line task
o Properties tab
Command line: TPMConfig.exe -s -a1.2 -l%temp%\TPMConfig.log
Package = Browse to HP TPM Config Utility package
o Options tab Success code = 0 3010 Add condition
root\cimv2\Security\MicrosoftTpmselect * from Win32_TPM where SpecVersion like '1.2%'
30. Add Call TPMConfig to upgrade TPM 2.0 command line task
o Properties tab
Command line: TPMConfig.exe -s -a2.0 -l%temp%\TPMConfig.log
Package = Browse to HP TPM Config Utility package
o Options tab Success code = 0 3010 Add condition
root\cimv2\Security\MicrosoftTpm
select * from Win32_TPM where SpecVersion like '2.0%'
31. Add Restart task
o Properties tab
Under Specify what to run after restart section, select The currently installed default operating system option.
Select Notify the user before restarting option with message: The computer must restart to upgrade the TPM firmware
32. Add Suspend BitLocker command line task
o Properties tab
Command line: %windir%\system32\manage-bde.exe -protectors -disable c:
o Options tab Success codes = 0 3010 Add condition(s)
33. Add Call TPMConfig to get TPM information command line task
o Properties tab
Command line: TPMConfig.exe -s -t%temp%\TPMInfo.BeforeUpdate.txt -l%temp%\TPMConfig.log
Package = Browse to HP TPM Config Utility 2.0.2.1 package
o Options tab Success codes = 0 3010
34. Add Call TPMConfigster to get TPM Manufacturer Version Run PowerShell Script task
o Properties tab
Package = Browse to TPM Script 1.0 package
Script name: RunProgram.ps1
Parameters: TPMConfigster.exe /FW_VER
PowerShell execution policy = Bypass
o Options tab Success codes = 0 3010
35. Add Delete HP_TOOLS partition (if created by this TS) PowerShell script task by clicking Add > General > Run PowerShell Script
o Properties tab
o Options tab Add conditions
root\cimv2
select DeviceID from Win32_LogicalDisk where VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'
Variable CreateHP_TOOLS equals “True”
36. Add Clear TPM on Next Boot Run PowerShell Script task
o Properties tab
Package = Browse to TPM Script package
Script name = ClearTPM.ps1
PowerShell execution policy = Bypass
37. Add Restart task
o Properties tab
Under Specify what to run after restart section, select The currently installed default operating system option.
Select Notify the user before restarting option with message: The computer must restart to upgrade the TPM firmware
38. Add OwnTPM Run PowerShell Script task
o Properties tab
Package = Browse to TPM Script package
Script name = OwnTPM.ps1
PowerShell execution policy = Bypass
o Options tab Add condition(s): If All conditions are true:
Root\cimv2\security\microsofttpm
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'False'
Variable Win10_1607_or_later
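A PowerShell pre-flight that evaluates the same WQL conditions the task sequence uses in steps 16, 17, 19 and 38 on a client with Get-CimInstance, so the detection logic can be checked on a test machine before the sequence is deployed. This is an added example, not HP's script and not part of the TPM Script package; the function names Test-TsCondition and New-BoardQuery are assumptions, while the namespaces, queries and product IDs are the ones listed in the steps above.

```powershell
# Added example (not HP's script): evaluates the WQL conditions built in steps 16, 17,
# 19 and 38 on the local machine. A ConfigMgr WMI-query condition is true when the
# query returns at least one instance; Test-TsCondition mirrors that. Run elevated.
# Function names are assumptions; queries and product IDs are the page's own.
function Test-TsCondition {
    param([string]$Namespace, [string]$Query)
    try {
        $r = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($r.Count -gt 0)
    } catch { return $false }   # missing class or namespace counts as "no instance"
}
function New-BoardQuery([string[]]$Products) {
    # Builds the Win32_BaseBoard "Product like '%xxxx%' or ..." chain of steps 16/17
    $parts = $Products | ForEach-Object { "Product like '%$_%'" }
    return 'select * from Win32_BaseBoard where ' + ($parts -join ' or ')
}
$tpmNs    = 'root\cimv2\security\MicrosoftTpm'
$osQuery  = "select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'"
$tpmOwned = "select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and "
# Note: ManufacturerVersion is a string, so WQL '<' compares lexically ('10.1' < '4.34').
$checks = @(
    @{ Name = 'sp82407'; All = @(
        @{ Ns = 'root\cimv2'; Q = New-BoardQuery @('190A','2157','213E','198F','1993','1994',
            '2101','2102','21B3','1946','1947','1944','1942','1940','1991','1992','1909','2175',
            '2179','2B2A','22AD','18E6','1998','8027','1825','21D0','2B34','213D','2187','2124',
            '21B4','18EA','18E5','18E7','18E8','18E4','2155','2145','8076','2B4A') },
        @{ Ns = $tpmNs; Q = $tpmOwned + "SpecVersion like '1.2%' and ManufacturerVersion like '4.3%' and ManufacturerVersion < '4.34'" },
        @{ Ns = 'root\cimv2'; Q = $osQuery }) },
    @{ Name = 'sp82147'; All = @(
        @{ Ns = 'root\cimv2'; Q = New-BoardQuery @('8115','82BF','8183','802E','802F','81C5',
            '212B','81C6','212A','81C7','2129') },
        @{ Ns = $tpmNs; Q = $tpmOwned + "((SpecVersion like '2.0%' and ManufacturerVersion < '7.62') or " +
            "(SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43') or " +
            "(SpecVersion like '1.2%' and ManufacturerVersion < '4.43'))" },
        @{ Ns = 'root\cimv2'; Q = $osQuery }) }
)
foreach ($c in $checks) {
    # "All these conditions are true": every query in the list must return an instance
    $results = @($c.All | ForEach-Object { Test-TsCondition $_.Ns $_.Q })
    '{0} needed: {1}' -f $c.Name, ($results -notcontains $false)
}
# Step 19: OSDBitLockerStatus = Protected only when C: is really protected (protectionstatus = 1)
$bl = Test-TsCondition 'root\cimv2\Security\MicrosoftVolumeEncryption' "select * from win32_encryptablevolume where driveletter = 'c:' and protectionstatus = '1'"
"BitLocker protecting C: (suspend before the update): $bl"
# Step 38: OwnTPM.ps1 should run only when the TPM is active, enabled and not yet owned
$own = Test-TsCondition $tpmNs "select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'False'"
"TPM needs ownership taken after the update: $own"
```

Running it on a machine whose Win32_Tpm class is missing (no TPM driver, or the query aimed at the wrong namespace) reports every TPM condition as false, which is also how the task sequence would behave.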
39. Add new group Update TPM Firmware – IFX under Update TPM Firmware group
o Options tab Add condition(s): Any of these are true
40. Add Set IFXTool File Name set dynamic variable task
o Properties tab
Dynamic rules and variables
41. Add sub group Windows 10 (before 1607), Windows 8.1 and 7
o Options tab Add condition
42. Add Get TPM Owner Password from AD command line task. In the example task sequence, this task is disabled. Enabling this task will enable the “Delete TPM Owner password file if exists” task.
o Properties tab
Command line: cscript Get-TPMOwnerInfo.vbs
Package = Browse to TPM Script package
Run this step as the following account: need to provide the domain admin credential here
o Options tab Success codes = 0 3010
43. Add Call Infineon tool to get update info command line task
o Properties tab
Command line: %IFXTool% /info
Package = Browse to IFX package
o Options tab Success codes = 0 3010
44. Add Call Infineon tool to update TPM firmware command line task
o Properties tab
Command line: %IFXTool% /update /logfile:C:\TPMupdate.log /pwdfile:c:\pwd.tpm
Package = Browse to IFX package
o Options tab Success codes = 0 3010
45. Add Call TPMConfigster to get TPM Manufacturer Version Run PowerShell Script task
o Properties tab
Package = Browse to HP TPM Script package
Script name: RunProgram.ps1
Parameters: TPMConfigster.exe /FW_VER
PowerShell execution policy = Bypass
46. Add Clear TPM on Next Boot
o Properties tab
Package = Browse to TPM Script package
Script name = ClearTPM.ps1
PowerShell execution policy = Bypass
47. Add Delete TPM owner password file if exists command line task. In the example task sequence, this task is disabled by default. It will get enabled automatically once you enable the previous task “Get TPM Owner Password from AD”.
o Properties tab
Command line: Cmd /c del /F c:\pwd.tpm
o Options tab Add conditions
48. Add Restart Computer task
o Properties tab
Under Specify what to run after restart section, select The currently installed default operating system option.
49. Add Own TPM Run PowerShell Script task
o Properties tab
Package = Browse to TPM Script 1.0 package
Script name = OwnTPM.ps1
PowerShell execution policy = Bypass
o Options tab Add condition
Root\cimv2\security\microsofttpm
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'False'
50. Add new group Windows 10 1607 or later under group Update TPM Firmware – IFX
o Options tab Add condition
51. Add Change OS Managed Auth Level command line task
o Properties tab
Command line: reg import SetOSManagedAuthLevel.reg
Package = Browse to Registry Update Package
o Options tab Success codes = 0 3010
52. Add Set TPM BIOS Setting command line task
o Properties tab
Command line: BiosConfigUtility.exe /set:"ResetTPM.txt" /cpwdfile:HP123456.bin
Package = Browse to HP BIOS Configuration Utility Package
o Options tab Success codes = 0 3010
53. Add Restart Computer task
o Properties tab
Under Specify what to run after restart section, select The currently installed default operating system option
54. Add Clear TPM on Next Boot Run PowerShell Script task
o Properties tab
Package = Browse to TPM Script package Script name = ClearTPM.ps1 PowerShell execution policy = Bypass
55. Add Restart Computer task
o Properties tab
Under Specify what to run after restart section, select The currently installed default operating system option
56. Add new sub group Update TPM Firmware under group Windows 10 1607 or later, then add the following tasks under this new sub group
57. Add Set OSDBitLockerStatus set task sequence variable task
o Properties tab
Task Sequence Variable = OSDBitLockerStatus Value = Protected
o Options tab Add condition
58. Add Suspend BitLocker command line task
o Properties tab
Command line: %windir%\system32\manage-bde.exe -protectors -disable c:
o Options tab Success codes = 0 3010 Add condition
59. Add Call Infineon tool to get update info command line task
o Properties tab
Command line: %IFXTool% /info
Package = Browse to IFX package
o Options tab Success codes = 0 3010
60. Add Call Infineon tool to update TPM firmware command line task
o Properties tab
Command line: %IFXTool% /update /logfile:C:\TPMupdate.log
Package = Browse to IFX package
o Options tab Success codes = 0 3010
61. Add Call TPMConfigster to get TPM Manufacturer Version Run PowerShell Script task
o Properties tab
Package = Browse to HP TPM Script 1.0 package
Script name: RunProgram.ps1
Parameters: TPMConfigster.exe /FW_VER
PowerShell execution policy = Bypass
62. Add Restart Computer task
o Properties tab
Under Specify what to run after restart section, select The currently installed default operating system option
63. Add Restore OS Managed Auth Level command line task under group Windows 10 1607 or later
o Properties tab
Command line: reg import ResetOSManagedAuthLevel.reg
Package = Browse to Registry Update Package
o Options tab Success codes = 0 3010
64. Add Clear TPM on Next Boot Run PowerShell Script task under group Windows 10 1607 or later
o Properties tab Package = Browse to TPM Script package Script name = ClearTPM.ps1 PowerShell execution policy = Bypass
65. Add Restart Computer task under group Windows 10 1607 or later.
o Properties tab
Under Specify what to run after restart section, select The currently installed default operating system option
66. Add Resume BitLocker command line task under group Update TPM Firmware
o Properties tab
Command line: %windir%\system32\manage-bde.exe -protectors -enable c:
o Options tab Success codes = 0 3010 Add condition
The complete task sequence should look like this:
References
https://support.hp.com/us-en/document/c05809624
https://support.hp.com/us-en/document/c05792935
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012