©Copyright 2017 HP Development Company, L.P.
Notice: The information contained in this document, including URL, other web site references, screen shots or step by step instructional guidance are samples provided for informational purposes only. Appropriate modifications may be needed for solutions prior to applying the TPM patch such as, but not limited to Secure Boot, BitLocker, Virtual Smart Card, 3rd party encryption products, VPN products prior to applying the TPM firmware upgrade (or patch). HP has no direct or indirect visibility or ability to predict all the cases as to how organizations are using the TPM. Customers are solely responsible for ensuring that the TPM firmware upgrade does not adversely impact their own use cases. All information provided in this document is provided on an “as is” basis and nothing herein should be construed as constituting an additional warranty. HP does not warrant or guarantee the guidance contained in this document and customers are strongly urged to do their own testing and customization of these instructions to meet their particular use case. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. HP expressly disclaims any and all liability related to or arising from the use of or reliance upon the instructional guidance contained in this document. Additionally, HP shall not be liable for technical or editorial errors or omissions contained herein.
TPM Firmware Upgrade Task Sequence
Document History
Revision 1.0, 11/08/17, NN: Initial version
· Task Sequence for TPM sp81900 and sp82133 (Win 10 only)
Revision 1.1, 11/15/17, NN: Updated document including HP disclaimer
Revision 2.0, 11/28/17, NN: Updated document
· Task sequence for TPM sp81900, sp82133, sp82132 (Win 10 and Win 7) with the following updates:
· Have the right call to clear TPM
· Have the proper .hpsign files for TPMConfigster to detect signed TPMConfig and firmware bin files
· Add scripts to create HP_TOOLS partition
· Re-arrange the flow to be more readable
· Remove all steps relating to auto logon
· Disable virtualization BIOS setting, Trusted Execution Technology (TXT) and Intel Software Guard Extensions (SGX)
Revision 3.0, 01/18/18, NN:
· Updated Task Sequence for 5 SoftPaqs (sp81900, sp82133, sp82132, sp82147, sp82407)
· Added OS conditions for all SoftPaqs W7, W8.1, W10
· Updated OS condition checks in Own TPM steps
· Moved the Win 10 1607 check earlier so both Own TPM steps can reference the check result.
· Replaced with TPM Config Utility 2.0.2.1
Revision 4.0, 05/01/18, NN:
· Updated Task Sequence for SoftPaq sp85540, which supersedes sp81900 and sp82417
· New version of TPM Config 2.0.3.1 and TPM firmware bin files version 7.63 and workstation SLB 9660
Environment and validation information
In this practice, we tested task sequence version 3.0 on the following client systems through an SCCM server:
1. SCCM Server
· Running Windows Server 2012 R2
· Configuration Manager Console version 5.0.8239.1403
2. Client systems
· SP85540 – ProBook 440 G4, ProBook 640 G3, ProBook 470 G5, EliteDesk 800 DM G3, ProDesk 400 G2 DM, Desktop Workstation Z240 and Z440
· SP82133 – EliteBook 725 G2, ProBook 470 G2, EliteDesk 705 G1 DM
· SP82407 – None.
· SP82132 – Due to hardware limitations, we have not validated any supported system for this SoftPaq
· Running Windows 7 Enterprise and Windows 10 versions RS1, RS3 and RS4
· BIOS version – latest
· TPM version 1.2 and 2.0
· BitLocker enabled
Prerequisites
1. BIOS Configuration Utility (BCU) tool version 4.0.24.1 (sp81841).
This SoftPaq is available on the HP client management website: http://www8.hp.com/us/en/ads/clientmanagement/download.html
2. Download the appropriate TPM firmware bin files from this FTP location:
https://ftp.hp.com/pub/caps-softpaq/cmit/example/TPMFWUpgrade/TPMFWReadme.docx
Please also refer to this Security Bulletin for the correct SoftPaq for your system:
https://support.hp.com/us-en/document/c05792935
3. Apply the Windows operating system updates first (see the Affected Products table for the specific package KB numbers).
WARNING: Do NOT apply the TPM firmware update prior to applying the Windows operating system mitigation update. Doing so will render your system unable to determine whether it is affected, and you will need this information to conduct full remediation.
According to the Microsoft advisory https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012, customers need to install the OS updates before performing the TPM firmware update.
Create folders for packages in Task Sequence
1. Create HP BIOS Configuration Utility folder
· On the SCCM server, create a folder, name it “HP Client BIOS Configuration Utility”, and place all BCU files in it
· Run BCU to export the current BIOS configuration to a file
Ex: BiosConfigUtility64.exe /get:"config.txt"
· Open config.txt and modify the TPM setting as shown in the picture below
· Save the modified config file under a name of your choice.
· For example: RepsetTPM.txt
· Also, modify a second copy of the config file to disable the TPM physical presence (PPI) prompt for sp81900’s supported systems, as shown in the picture below
· Save the second modified config file under a name of your choice.
For example: TPMNoPrompts.txt
· Create a BIOS password bin file
· Execute HPQPswd.exe or HPQPswd64.exe
· Follow the on-screen instructions to create a password bin file
· Save the password bin file in the same directory as BCU
The HP Client BIOS Configuration Utility folder should contain the following files
2. Create folder HP TPM Config Utility and place all necessary files here.
3. Create folder IFX
· Create subfolder called sp82132
· Place IFXTPMUpdate application and necessary files here
· Create subfolder called sp82133
· Place IFXTPMUpdate application and necessary files here
· Create subfolder called sp82407
· Place IFXTPMUpdate application and necessary files here
4. Create a folder for Registry Update Package
· Have all registry files in this folder
· ResetOSManagedAuthLevel (.reg file; the first line is the header regedit requires for import)
Windows Registry Editor Version 5.00

; 2 = Delegated: the OS keeps only the delegated TPM owner authorization (Windows default)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000002
· SetOSManagedAuthLevel
Windows Registry Editor Version 5.00

; 4 = Full: the OS keeps the full TPM owner authorization locally
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000004
5. Create a folder for TPM Script
· Have all necessary files in this folder
· ClearTPM.ps1
#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you. In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: ClearTPM.ps1
# Description: Clear, enable, and activate the TPM.
$objTPM = Get-WmiObject -Class "Win32_Tpm" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
If ($objTPM -eq $null) {
    Write-Host "No TPM device found. Exiting..." -ForegroundColor Red
    Exit 1
}
Write-Host "Clear, enable, and activate the TPM"
# Physical Presence Interface operation 14 = clear, enable and activate.
# The request is only queued here; the BIOS carries it out on the next boot.
$objRet = $objTPM.SetPhysicalPresenceRequest(14)
$retCode = $objRet.ReturnValue
If ($retCode -eq 0) {
    Write-Host "Successfully cleared the TPM chip. A reboot is required."
} else {
    Write-Host "Failed to clear TPM ownership. Exiting... Error=$($retCode)" -ForegroundColor Red
    Exit $retCode
}
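The task sequence relies on the BIOS executing the queued PPI request without stopping for a physically present user (that is what the TPMNoPrompts BCU configuration is for). The following is an added example, not one of HP's scripts, that verifies this on a client before ClearTPM.ps1 is run: it asks the TPM driver how the BIOS will treat operation 14 and fails the step when a prompt or a BIOS block would otherwise stall an unattended deployment. The operation code and the ConfirmationStatus values are those documented for the Win32_Tpm GetPhysicalPresenceConfirmationStatus method; the function names are this example's own.

```powershell
# Added example (not HP's script): check how the BIOS will handle PPI operation 14
# (clear, enable, activate) before ClearTPM.ps1 queues it. Run elevated.
$PpiClearEnableActivate = 14

# Meaning of Win32_Tpm.GetPhysicalPresenceConfirmationStatus().ConfirmationStatus
$ConfirmationMeaning = @{
    0 = 'Not implemented'
    1 = 'BIOS only'
    2 = 'Blocked for the OS by BIOS configuration'
    3 = 'Allowed, but a physically present user must confirm at the BIOS prompt'
    4 = 'Allowed, no physical-presence confirmation required'
}

function Get-PpiConfirmationStatus {
    # Returns an object with the operation, the raw status and its meaning.
    param([int]$Operation = $PpiClearEnableActivate)
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace 'ROOT\CIMV2\Security\MicrosoftTpm'
    if ($null -eq $tpm) { throw 'No TPM device is exposed to the OS on this system.' }
    $r = $tpm.GetPhysicalPresenceConfirmationStatus($Operation)
    if ($r.ReturnValue -ne 0) {
        throw ("GetPhysicalPresenceConfirmationStatus failed, error=0x{0:X8}" -f $r.ReturnValue)
    }
    $status = [int]$r.ConfirmationStatus
    return New-Object PSObject -Property @{
        Operation = $Operation
        Status    = $status
        Meaning   = $ConfirmationMeaning[$status]
    }
}

function Test-PpiUnattended {
    # $true only when the request will run without a BIOS prompt, which is what an
    # unattended task sequence needs. Status 2 (blocked) also returns $false so the
    # step surfaces the misconfiguration instead of rebooting into nothing.
    param([int]$Operation = $PpiClearEnableActivate)
    return (Get-PpiConfirmationStatus -Operation $Operation).Status -eq 4
}

$status = Get-PpiConfirmationStatus
Write-Host ("PPI operation {0}: status {1} ({2})" -f $status.Operation, $status.Status, $status.Meaning)
if (-not (Test-PpiUnattended)) {
    Write-Host 'The BIOS would prompt or block the TPM clear; apply the TPMNoPrompts BCU configuration first.' -ForegroundColor Red
    exit 1
}
Write-Host 'TPM clear will run unattended on the next boot.'
```

The physical-presence prompt is a safeguard against software clearing the TPM silently, so the TPMNoPrompts configuration should be applied only for the duration of the upgrade and reverted afterwards; this check also makes a convenient post-upgrade audit that the prompt is back (status 3).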
· CreateHP_TOOLS.txt
sel vol c:
shrink desired=500
create part prim
format quick fs=FAT32 label=HP_TOOLS
assign letter T
lis dis
det dis
lis par
det par
exit
· DeleteHP_TOOLS.txt
sel vol HP_TOOLS_DRIVE_LETTER
del part override
sel vol c:
extend noerr
exit
· Delete-HPToolsPartition.ps1
#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you. In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: Delete-HPToolsPartition.ps1
# Description: Delete HP_TOOLS partition if it exists.
#=====================================================================
$objHP_TOOLSPart = Get-WmiObject -Class "Win32_LogicalDisk" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2" -Filter "VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'"
if ($objHP_TOOLSPart -eq $null)
{
    Write-Host "No HP_TOOLS partition"
}
else
{
    # Get the drive letter of the HP_TOOLS partition (e.g. "T:").
    $drive = $objHP_TOOLSPart.DeviceID
    Write-Host "HP_TOOLS partition drive letter=$drive"
    # Get the location of the script (PowerShell 2.0 does not populate $PSScriptRoot for scripts).
    if (!$PSScriptRoot)
    {
        $PSScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
    }
    $inputFileName = "DeleteHP_TOOLS.txt"
    $path = Join-Path -Path $PSScriptRoot -ChildPath $inputFileName
    $tempPath = "C:\$inputFileName"
    Write-Host "Content of template input file before calling diskpart:"
    Get-Content $path
    # Load DeleteHP_TOOLS.txt and replace the placeholder with the HP_TOOLS partition drive letter.
    $newContent = (Get-Content $path | Out-String) -replace "(.*?)HP_TOOLS_DRIVE_LETTER(.*)", ('$1{0}$2' -f $drive)
    Write-Host "new content"
    Write-Host $newContent
    $newContent | Set-Content $tempPath
    # Show the final diskpart input file.
    Write-Host "Content of input file before calling diskpart:"
    Get-Content $tempPath
    if (Test-Path $tempPath)
    {
        Write-Host "Running diskpart to remove HP_TOOLS partition"
        Start-Process -FilePath "diskpart" -Wait -Verbose -ArgumentList " /s $tempPath"
        # Clean up the input file
        Write-Host "Remove the input file to diskpart"
        Remove-Item -Path $tempPath
    }
}
· ForceError.cmd
Echo Force error 1
exit /b 1
· Get-TPMOwnerInfo.vbs
'=================================================================================
'
' This script demonstrates the retrieval of Trusted Platform Module (TPM)
' recovery information from Active Directory for a particular computer.
'
' It returns the TPM owner information stored as an attribute of a
' computer object.
'
' Last Updated: 12/05/2012
' Last Reviewed: 12/05/2012
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
' Version 1.0 - Initial release
' Version 1.1 - Updated GetStrPathToComputer to search the global catalog.
' Version 1.1.2 - Tested and re-released for Windows 8 and Windows Server 2012
'
' HP update - Added script to get the TPM owner password hash from TPM Devices
' - Output the hash to pwd.tpm file
'
'=================================================================================
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
    Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]"
    Wscript.Echo "If no computer name is specified, the local computer is assumed."
    WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
    Case 0
        ' Get the name of the local computer
        Set objNetwork = CreateObject("WScript.Network")
        strComputerName = objNetwork.ComputerName
    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strComputerName = args(0)
        End If
    Case Else
        ShowUsage
End Select
' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------
Function GetStrPathToComputer(strComputerName)
    ' Uses the global catalog to find the computer in the forest
    ' Search also includes deleted computers in the tombstone
    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com
    ' Search base: the forest global catalog, in the angle-bracket form the ADO provider expects.
    strBase = "<GC://" & namingContext & ">"
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    ' Note: strComputerName is placed in the LDAP filter without escaping; pass only trusted names.
    strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
    strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"
    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False
    ' Enumerate all objects found.
    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
        WScript.Echo "The computer name '" & strComputerName & "' cannot be found."
        WScript.Quit 1
    End If
    ' Found object matching name
    Do Until objRecordSet.EOF
        dnFound = objRecordSet.Fields("distinguishedName")
        GetStrPathToComputer = "LDAP://" & dnFound
        objRecordSet.MoveNext
    Loop
    ' Clean up.
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing
End Function
' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------
Set objDSO = GetObject("LDAP:")
strPath = GetStrPathToComputer(strComputerName)
WScript.Echo "Accessing object: " + strPath
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
' --------------------------------------------------------------------------------
' Get the TPM owner information from the Active Directory computer object
' --------------------------------------------------------------------------------
On Error Resume Next
' If the TPM owner password hash is stored directly on the computer object, use it.
strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
WScript.Echo "msTPM-OwnerInformation: " & strOwnerInformation
' Otherwise (Windows 8 / Server 2012 schema) the hash lives on a separate object under
' CN=TPM Devices and the computer object only holds a link to it.
' A string cannot be tested with "Is Nothing" (that raises "Object required", which
' On Error Resume Next would hide and the block would be skipped), so test for Empty or "".
If IsEmpty(strOwnerInformation) Or strOwnerInformation = "" Then
    ' Get the distinguished name of the linked TPM object.
    strOwnerInformation = objComputer.Get("msTPM-TpmInformationForComputer")
    WScript.Echo "msTPM-TpmInformationForComputer: " & strOwnerInformation
    If strOwnerInformation <> "" Then
        ' Bind to the TPM entry.
        strPath = "LDAP://" & strOwnerInformation
        Set objTPM = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
            ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
        ' Get the TPM owner password hash.
        strOwnerInformation = objTPM.Get("msTPM-OwnerInformation")
    End If
End If
If strOwnerInformation = "" Then
    WScript.Echo "The TPM owner information is not available in AD."
    WScript.Quit 1
End If
' --------------------------------------------------------------------------------
' Generate the TPM password file.
' --------------------------------------------------------------------------------
Set objFSO = CreateObject("Scripting.FileSystemObject")
' The file holds the TPM owner authorization hash; remove it once the TPM tool has consumed it.
outFile = "c:\pwd.tpm"
' vbCrLf is an intrinsic VBScript constant; assigning to it raises "Illegal assignment".
' The XML element tags that surround the lines below are missing from this listing; restore
' them to the TPM owner password file layout expected by the TPM Config Utility before use.
strContent = "<?xml version=""1.0"" encoding=""UTF-8""?>" & vbCrLf & _
    "" & vbCrLf & _
    "" & vbCrLf & _
    "" & vbCrLf & _
    "" & strOwnerInformation & "" & vbCrLf & _
    "" & vbCrLf
WScript.Echo "Writing " & outFile
Set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write strContent
objFile.Close
WScript.Echo outFile & " is ready to use"
· OwnTPM.ps1
#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you. In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: OwnTPM.ps1
# Description: Take ownership of the TPM with a random
# GUID as the TPM owner information.
#=====================================================================
$objTPM = Get-WmiObject -Class "Win32_Tpm" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
If ($objTPM -eq $null) {
    Write-Host "No TPM device found. Exiting..." -ForegroundColor Red
    Exit 1
}
Write-Host "Verify that the TPM is enabled, activated and ownership allowed."
$isEnabled = $objTPM.IsEnabled().IsEnabled
$isActivated = $objTPM.IsActivated().IsActivated
$ownershipAllowed = $objTPM.IsOwnershipAllowed().IsOwnershipAllowed
If (-not ($isEnabled -eq $true -and $isActivated -eq $true -and $ownershipAllowed -eq $true)) {
    # "ownershipAllowed=" must not start with "$", or PowerShell expands it as a variable inside the string.
    Write-Host "The TPM state (isEnabled=$isEnabled, isActivated=$isActivated, ownershipAllowed=$ownershipAllowed) does not allow ownership." -ForegroundColor Red
    Exit 1
}
Write-Host "TPM is enabled, activated and ownership allowed."
# Create a new GUID and use it as the TPM owner password. ConvertToOwnerAuth turns the
# string into the owner authorization value that TakeOwnership expects.
# The GUID is not recorded anywhere by this script; if the owner password is needed later,
# rely on the AD backup of TPM owner information (see Get-TPMOwnerInfo.vbs).
$GUID = [guid]::NewGuid().ToString()
$ownerAuth = $objTPM.ConvertToOwnerAuth($GUID).OwnerAuth
$objRet = $objTPM.TakeOwnership($ownerAuth)
$retCode = $objRet.ReturnValue
If ($retCode -eq 0) {
    Write-Host "Successfully took ownership of the TPM."
} else {
    Write-Host "Failed to take ownership of TPM. Exiting... Error=$retCode" -ForegroundColor Red
    Exit $retCode
}
· RunProgram.ps1
param(
    [string]$program,
    [string]$inputArgs
)
# Resolve the program relative to the folder this script lives in (the package folder).
$program = Join-Path $PSScriptRoot $program
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = $program
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = $inputArgs
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
# Drain the redirected streams before waiting; waiting first can deadlock once the child
# fills the stdout pipe buffer.
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
$p.WaitForExit()
Write-Host $stdout
Write-Host "stderr=$stderr"
Write-Host "Exit code=$($p.ExitCode)"
# Propagate the child's exit code so the task sequence step reports success or failure.
exit $p.ExitCode
Create Packages in ConfigMgr
Create package HP Client BIOS Configuration Utility
1. In the Configuration Manager Console, click Software Library
2. Expand Application Management
3. Right click Packages and select Create Package
4. Name the package as desired and enter any additional information on the first page of the wizard.
Note: Make sure to select the correct source file location
5. Click Next
6. Select Do not create a program option, and click Next
7. Click Next on the summary page
8. A notification is shown when the wizard completes successfully.
9. Click Close.
Create package HP TPM Config
1. Follow the same nine steps used for the HP Client BIOS Configuration Utility package to create the HP TPM Config package. Be sure to select the correct source folder.
Create package IFX
1. Follow the same nine steps to create the IFX package. Be sure to select the correct source folder.
Create package Registry Update Package
1. Follow the same nine steps to create the Registry Update package. Be sure to select the correct source folder.
Create package TPM Script Package
1. Follow the same nine steps to create the TPM Script package. Be sure to select the correct source folder.
Distribute the newly created packages
1. Right click each of the newly created packages and select Distribute Content
2. Click Next at the general screen
3. At the Content Destination screen, click Add >Distribution Point
4. Select the appropriate distribution point
5. A notification is shown when the content has been distributed successfully.
Prepare ConfigMgr Client
Follow these steps to prepare the client systems and join them to the domain if you have not already done so.
1. Join the client system to the domain
2. Make sure to add File and Printer Sharing and Windows Management Instrumentation (WMI) exceptions to Windows Firewall
3. In the Configuration Manager Console, make sure client system is discovered and displayed under Devices.
4. Install Configuration Manager client to the system.
5. Create device collection containing target client for deployment.
Create Task Sequence
1. In the Configuration Manager console, click Software Library.
2. In the Software Library workspace, expand Overview, and then click Operating Systems.
3. Right click Task Sequences, and then select Create Task Sequence.
4. Select Create a new custom task sequence.
5. Enter the task sequence name, description, boot image as desired, and click Next
6. At the summary page, click Next.
7. Click Close when the Create Task Sequence Wizard has completed successfully.
8. Your task sequence is created under Software Library > Overview > Operating Systems > Task Sequences.
9. Right click on the newly created task sequence and select Edit
10. Task sequence is displayed.
11. Add a new group by clicking Add > New Group and name it as desired.
12. Add five variable tasks by clicking Add > General > Set Task Sequence Variable
13. Name the first variable task Is sp85540 needed and provide the following information
· Properties tab
· Task sequence variable = sp85540
· Value = Needed
· Options tab
· Add condition(s)
All these conditions are true.
Root\cimv2
Select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'
Note: All products listed in the query below are retrieved and based on the support list from sp85540’s CVA file.
Root\cimv2
select * from Win32_BaseBoard
where Product like '%80FC%' or Product like '%82CA%' or Product like '%80FB%' or Product like '%80FA%' or Product like '%82DE%' or Product like '%8084%' or Product like '%8238%' or Product like '%807E%' or Product like '%8236%' or Product like '%807E%' or Product like '%8236%' or Product like '%807C%' or Product like '%8292%' or Product like '%8079%' or Product like '%828C%' or Product like '%8079%' or Product like '%828C%' or Product like '%8170%' or Product like '%8300%' or Product like '%827D%' or Product like '%82EF%' or Product like '%83D0%' or Product like '%815A%' or Product like '%82EB%' or Product like '%828B%' or Product like '%818F%' or Product like '%80FF%' or Product like '%822C%' or Product like '%8377%' or Product like '%8100%' or Product like '%822E%' or Product like '%837B%' or Product like '%8101%' or Product like '%8231%' or Product like '%837D%' or Product like '%80EF%' or Product like '%823C%' or Product like '%8102%' or Product like '%8234%' or Product like '%837F%' or Product like '%80FD%' or Product like '%82AA%' or Product like '%80FE%' or Product like '%823A%' or Product like '%80FD%' or Product like '%82AA%' or Product like '%80FE%' or Product like '%823A%' or Product like '%8334%' or Product like '%828C%' or Product like '%80D5%' or Product like '%8275%' or Product like '%8079%' or Product like '%828C%' or Product like '%80D6%' or Product like '%8270%' or Product like '%80D4%' or Product like '%826B%' or Product like '%83FD%' or Product like '%81C3%' or Product like '%805B%' or Product like '%8266%' or Product like '%8265%' or Product like '%835B%' or Product like '%8053%' or Product like '%829A%' or Product like '%8299%' or Product like '%829B%' or Product like '%829F%' or Product like '%8057%' or Product like '%829C%' or Product like '%829B%' or Product like '%830A%' or Product like '%8055%' or Product like '%806A%' or Product like '%82A5%' or Product like '%8062%' or Product like '%82A2%' or Product like '%8062%' or Product like '%82A1%' or Product like '%805F%' or Product like '%8169%' or Product like '%805D%' or Product like '%829E%' or Product like '%82B4%' or Product like '%8169%' or Product like '%829D%' or Product like '%8063%' or Product like '%82A6%' or Product like '%8063%' or Product like '%805E%' or Product like '%82B5%' or Product like '%8139%' or Product like '%8376%' or Product like '%8115%' or Product like '%82BF%' or Product like '%8183%' or Product like '%802E%' or Product like '%802F%' or Product like '%81C5%' or Product like '%212B%' or Product like '%81C6%' or Product like '%212A%' or Product like '%81C7%' or Product like '%2129%'
Root\cimv2\security\MicrosoftTPM
select * from win32_tpm where
IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True'
and (
(SpecVersion like '2.0%' and ManufacturerVersion like '7.%' and ManufacturerVersion < '7.63') or
(SpecVersion like '2.0%' and ManufacturerVersion like '5.%' and ManufacturerVersion < '5.62') or
(SpecVersion like '1.2%' and ManufacturerVersion like '4.4%' and ManufacturerVersion < '4.43') or
(SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43')
)
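The Win32_Tpm condition above is the heart of the "is this SoftPaq needed" decision, and it is worth understanding why each range is fenced by a like '7.%'-style guard: WQL compares ManufacturerVersion as a string, so without the guard '5.61' would also satisfy < '7.63'. The following is an added example, not part of the HP document, that evaluates the same four ranges in PowerShell using the [version] type, which compares numerically, and runs them over constructed sample values. The rule table mirrors the condition; the function names and the sample values are this example's own.

```powershell
# Added example (not HP's script): the "Is sp85540 needed" decision of step 13 in PowerShell.
# One rule per line of the WQL condition: spec family, the WQL "like" prefix, first fixed version.
$Sp85540Rules = @(
    @{ Spec = '2.0'; Prefix = '7.';  Fixed = [version]'7.63' },
    @{ Spec = '2.0'; Prefix = '5.';  Fixed = [version]'5.62' },
    @{ Spec = '1.2'; Prefix = '4.4'; Fixed = [version]'4.43' },
    @{ Spec = '1.2'; Prefix = '6.4'; Fixed = [version]'6.43' }
)

function ConvertTo-FirmwareVersion {
    # Win32_Tpm.ManufacturerVersion looks like "7.62" (or "7.62.3126.0" on some drivers); both parse.
    param([string]$Text)
    $v = $null
    if ([version]::TryParse($Text, [ref]$v)) { return $v }
    return $null
}

function Test-NeedsSp85540 {
    param(
        [string]$SpecVersion,           # Win32_Tpm.SpecVersion, e.g. "2.0, 0, 1.16"
        [string]$ManufacturerVersion,   # Win32_Tpm.ManufacturerVersion, e.g. "7.62"
        [bool]$IsEnabled = $true,
        [bool]$IsActivated = $true,
        [bool]$IsOwned = $true
    )
    # The condition only matches a TPM that is enabled, activated and owned.
    if (-not ($IsEnabled -and $IsActivated -and $IsOwned)) { return $false }
    $current = ConvertTo-FirmwareVersion $ManufacturerVersion
    if ($null -eq $current) { return $false }    # unparseable version: do not flash blindly
    foreach ($rule in $Sp85540Rules) {
        if ($SpecVersion.StartsWith($rule.Spec) -and
            $ManufacturerVersion.StartsWith($rule.Prefix) -and
            $current -lt $rule.Fixed) {
            return $true
        }
    }
    return $false
}

function Get-LocalSp85540Decision {
    # Reads the live TPM through the same WMI class the task sequence queries.
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace 'ROOT\CIMV2\Security\MicrosoftTpm'
    if ($null -eq $tpm) { return $false }
    return Test-NeedsSp85540 -SpecVersion $tpm.SpecVersion -ManufacturerVersion $tpm.ManufacturerVersion `
        -IsEnabled ([bool]$tpm.IsEnabled_InitialValue) -IsActivated ([bool]$tpm.IsActivated_InitialValue) `
        -IsOwned ([bool]$tpm.IsOwned_InitialValue)
}

# Constructed sample values (not real device data) exercising each branch of the rule table.
$samples = @(
    @{ Spec = '2.0, 0, 1.16'; Fw = '7.62';  Expect = $true  },  # affected 2.0 firmware
    @{ Spec = '2.0, 0, 1.16'; Fw = '7.63';  Expect = $false },  # first fixed 2.0 version
    @{ Spec = '2.0, 0, 1.16'; Fw = '5.61';  Expect = $true  },  # affected 5.x branch
    @{ Spec = '1.2, 2, 3';    Fw = '4.40';  Expect = $true  },  # affected 1.2 firmware
    @{ Spec = '1.2, 2, 3';    Fw = '6.43';  Expect = $false },  # fixed 1.2 firmware
    @{ Spec = '2.0, 0, 1.16'; Fw = '7.100'; Expect = $false }   # numerically above 7.63; a string compare would call it older
)
foreach ($s in $samples) {
    $needed = Test-NeedsSp85540 -SpecVersion $s.Spec -ManufacturerVersion $s.Fw
    $mark = if ($needed -eq $s.Expect) { 'ok' } else { 'MISMATCH' }
    Write-Host ("{0,-14} FW {1,-6} -> sp85540 needed: {2,-5} [{3}]" -f $s.Spec, $s.Fw, $needed, $mark)
}
```

Get-LocalSp85540Decision gives the same answer the task sequence variable would take on a given client, which makes it a quick way to confirm the WQL condition against a pilot machine before the deployment is widened.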
14. Name the second variable task Is sp82133 needed and provide the following information
· Properties tab
· Task sequence variable = sp82133
· Value = Needed
· Options tab
· Add condition(s)
All these conditions are true
Note: All products listed in the query below are retrieved and based on the support list from sp82133’s CVA file.
Root\cimv2
select * from Win32_BaseBoard
where
Product like '%2255%' or Product like '%22DA%' or Product like '%2270%' or Product like '%2271%' or Product like '%805C%' or Product like '%2216%' or Product like '%8042%' or Product like '%221B%' or Product like '%221D%' or Product like '%2009%' or Product like '%2235%' or Product like '%2236%' or Product like '%2234%' or Product like '%2249%' or Product like '%224A%' or Product like '%2248%' or Product like '%2247%' or Product like '%2246%' or Product like '%225A%' or Product like '%221C%' or Product like '%2253%' or Product like '%8158%' or Product like '%8103%' or Product like '%18E9%' or Product like '%198E%' or Product like '%21F5%' or Product like '%2215%' or Product like '%225F%' or Product like '%225E%' or Product like '%213D%' or Product like '%2187%' or Product like '%2124%' or Product like '%21B4%' or Product like '%8000%' or Product like '%21F6%' or Product like '%18EB%' or Product like '%2171%' or Product like '%805A%' or Product like '%2B60%' or Product like '%8184%' or Product like '%8267%'
root\cimv2\security\MicrosoftTPM
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion < '4.43'
Root\cimv2
select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%10%'
15. Name the third variable task Is sp82132 needed and provide the following information
· Properties tab
· Task sequence variable = sp82132
· Value = Needed
· Options tab
· Add condition(s)
All these conditions are true
Note: All products listed in the query below are retrieved and based on the support list from sp82132’s CVA file.
root\cimv2
select * from Win32_BaseBoard
where Product like '%8256%' or Product like '%2B5E%'
root\cimv2\security\MicrosoftTPM
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion < '6.43'
root\cimv2
select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%10%'
16. Name the fourth variable task Is sp82407 needed and provide the following information
· Properties tab
· Task sequence variable = sp82407
· Value = Needed
· Options tab
· Add condition(s)
All these conditions are true
root\cimv2
select * from Win32_BaseBoard
where Product like '%190A%' or Product like '%2157%' or Product like '%213E%'
or Product like '%198F%' or Product like '%1993%' or Product like '%1994%' or Product like '%2101%'
or Product like '%2102%' or Product like '%21B3%' or Product like '%1946%' or Product like '%1947%'
or Product like '%1944%' or Product like '%1942%' or Product like '%1940%' or Product like '%1991%'
or Product like '%1992%' or Product like '%1909%' or Product like '%2175%' or Product like '%2179%'
or Product like '%2B2A%' or Product like '%22AD%' or Product like '%18E6%' or Product like '%1998%'
or Product like '%8027%' or Product like '%8027%' or Product like '%1825%' or Product like '%21D0%'
or Product like '%2B34%' or Product like '%213D%' or Product like '%2187%' or Product like '%2124%' or Product like '%21B4%' or Product like '%18EA%' or Product like '%18E5%' or Product like '%18E7%' or Product like '%18E8%' or Product like '%18E4%' or Product like '%2155%' or Product like '%2145%'
or Product like '%8076%' or Product like '%2B4A%'
root\cimv2\security\MicrosoftTPM
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion like '4.3%' and ManufacturerVersion < '4.34'
root\cimv2
select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'
17. Name the fifth variable task Is sp82147 needed and provide the following information
· Properties tab
· Task sequence variable = sp82147
· Value = Needed
· Options tab
· Add condition(s)
All these conditions are true
root\cimv2
select * from Win32_BaseBoard
where Product like '%8115%' or Product like '%82BF%' or Product like '%8183%' or Product like '%802E%' or Product like '%802F%' or Product like '%81C5%' or Product like '%212B%' or Product like '%81C6%' or Product like '%212A%' or Product like '%81C7%' or Product like '%2129%'
root\cimv2\security\MicrosoftTPM
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and ((SpecVersion like '2.0%' and ManufacturerVersion < '7.62' ) or (SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43') or (SpecVersion like '1.2%' and ManufacturerVersion < '4.43'))
root\cimv2
select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'
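The step 17 conditions above, as an added Windows PowerShell example that is not part of the HP document or of the TPM Script package: the three WQL checks evaluated in one function, with ManufacturerVersion parsed as a version instead of compared as text. The classes, namespaces and property names are the ones the conditions query; the function names and the sample values are assumptions.

```powershell
# Added example, not from the HP document: the "Is sp82147 needed" rule of step 17 rewritten
# as a PowerShell function, so the decision can be checked on one machine or on sample values
# before the task sequence is deployed. Function and variable names are assumptions.
function Test-Sp82147Needed {
    param(
        [Parameter(Mandatory)] $Tpm,                   # object exposing the Win32_Tpm properties used below
        [Parameter(Mandatory)] [string]$BoardProduct,  # Win32_BaseBoard.Product
        [Parameter(Mandatory)] [string]$OsCaption      # Win32_OperatingSystem.Caption
    )
    # Board IDs from the step 17 condition; WQL LIKE '%id%' is a substring match, -like "*id*" here
    $boards = '8115','82BF','8183','802E','802F','81C5','212B','81C6','212A','81C7','2129'
    $boardMatch = [bool]($boards | Where-Object { $BoardProduct -like "*$_*" })
    $osMatch = ($OsCaption -like '*Windows*7*') -or ($OsCaption -like '*Windows*8.1*') -or
               ($OsCaption -like '*Windows*10*')
    # Only an activated, enabled and owned TPM is in scope, as the WQL condition requires
    $tpmReady = $Tpm.IsActivated_InitialValue -and $Tpm.IsEnabled_InitialValue -and $Tpm.IsOwned_InitialValue
    # ManufacturerVersion is text such as "7.40.2098.0" or "4.32". WQL compares it as a string;
    # [version] compares each dotted component numerically (assumes at least "major.minor").
    $fw = [version]$Tpm.ManufacturerVersion
    if ($Tpm.SpecVersion -like '2.0*') {
        $fwAffected = $fw -lt [version]'7.62'
    } elseif ($Tpm.SpecVersion -like '1.2*') {
        # (6.4x below 6.43) or (anything below 4.43), the two TPM 1.2 branches of the condition
        $fwAffected = ($fw.Major -eq 6 -and $fw.Minor -ge 40 -and $fw -lt [version]'6.43') -or
                      ($fw -lt [version]'4.43')
    } else {
        $fwAffected = $false
    }
    return [bool]($boardMatch -and $osMatch -and $tpmReady -and $fwAffected)
}

function Get-Sp82147Status {
    # Reads the same classes and namespaces the task sequence conditions query (Windows PowerShell)
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($null -eq $tpm) { return $false }    # no TPM visible to the OS, nothing to update
    Test-Sp82147Needed -Tpm $tpm `
        -BoardProduct (Get-WmiObject -Class Win32_BaseBoard).Product `
        -OsCaption (Get-WmiObject -Class Win32_OperatingSystem).Caption
}

# Constructed sample values (not from a real machine) to exercise the rule offline
$sample = New-Object PSObject -Property @{
    IsActivated_InitialValue = $true; IsEnabled_InitialValue = $true; IsOwned_InitialValue = $true
    SpecVersion = '2.0, 0, 1.16'; ManufacturerVersion = '7.40.2098.0'
}
Test-Sp82147Needed -Tpm $sample -BoardProduct '8183' -OsCaption 'Microsoft Windows 10 Enterprise'
```

Run Get-Sp82147Status on a candidate machine to see the same verdict the task sequence condition would reach before it is deployed.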
18. Add new group by clicking Add > New Group
· Properties tab - Name group as Update TPM Firmware
· Options tab – Add the following conditions
19. Add Set OSD BitLocker Status variable task under Update TPM Firmware group
· Properties tab
· Task Sequence Variable = OSDBitLockerStatus
· Value=Protected
· Options tab
· Add condition(s)
root\cimv2\Security\MicrosoftVolumeEncryption
select * from win32_encryptablevolume where driveletter = 'c:' and protectionstatus = '1'
20. Add Suspend BitLocker command line task by clicking Add > General > Command line
· Properties tab
· Command line: %windir%\system32\manage-bde.exe -protectors -disable c:
· Options tab
· Success codes = 0 3010
· Add condition(s)
21. Add Is Windows 10 1607 or later variable task
· Properties tab
· Task Sequence Variable = Win10_1607_or_Later
· Value = True
· Options tab
· Add condition(s)
22. Add sub group named sp85540 under Update TPM Firmware group
· Options tab
· Add condition(s)
23. Add Need to create HP_TOOLS partition? variable task under sp85540 group
· Properties tab
· Task Sequence Variable = CreateHP_TOOLS
· Value = True
· Options tab
· Add condition(s)
· root\cimv2
Select * from Win32_DiskPartition Where Type = "GPT: System"
· root\cimv2
select DeviceID from Win32_LogicalDisk where VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'
· root\cimv2
Select * From Win32_LogicalDisk Where DeviceID = 'C:' and FreeSpace >= 524288000
24. Add Create HP_TOOLS partition command line task
· Properties tab
· Command line
diskpart /s CreateHP_TOOLS.txt
· Package = Browse to TPM Script
· Options tab
· Success codes = 0 3010
· Add condition(s)
25. Add Set TPM BIOS Setting command line task
· Properties tab
· Command line
BiosConfigUtility.exe /set:"TPMNoPrompts.txt" /cpwdfile:HP123456.bin
· Package = Browse to HP Client BIOS Configuration Utility package
· Options tab
· Success codes = 0 3010
26. Add Restart Computer task
· Properties tab
· Under Specify what to run after restart section, select The currently installed default operating system option
27. Add Suspend BitLocker command line task
· Properties tab
· Command line
%windir%\system32\manage-bde.exe -protectors -disable c:
· Options tab
· Success codes = 0 3010
· Add condition(s)
28. Add Call TPMConfig to get initial TPM information command line task
· Properties tab
· Command line
TPMConfig.exe -s -t%temp%\TPMInfo.BeforeUpdate.txt -l%temp%\TPMConfig.log
· Package = Browse to HP TPM Config Utility 2.0.2.1 package
· Options tab
· Success codes = 0 3010
29. Add Call TPMConfig to upgrade TPM 1.2 command line task
· Properties tab
· Command line
TPMConfig.exe -s -a1.2 -l%temp%\TPMConfig.log
· Package = Browse to HP TPM Config Utility package
· Options tab
· Success code = 0 3010
· Add condition
root\cimv2\Security\MicrosoftTpm
select * from Win32_TPM where SpecVersion like '1.2%'
30. Add Call TPMConfig to upgrade TPM 2.0 command line task
· Properties
· Command line
TPMConfig.exe -s -a2.0 -l%temp%\TPMConfig.log
· Package = Browse to HP TPM Config Utility package
· Options tab
· Success code = 0 3010
· Add condition
root\cimv2\Security\MicrosoftTpm
select * from Win32_TPM where SpecVersion like '2.0%'
31. Add Restart task
· Properties tab
· Under Specify what to run after restart section, select The currently installed default operating system option.
· Select Notify the user before restarting option with message
The computer must restart to upgrade the TPM firmware
32. Add Suspend BitLocker command line task
· Properties tab
· Command line
%windir%\system32\manage-bde.exe -protectors -disable c:
· Options tab
· Success codes = 0 3010
· Add condition(s)
33. Add Call TPMConfig to get TPM information command line task
· Properties tab
· Command line
TPMConfig.exe -s -t%temp%\TPMInfo.BeforeUpdate.txt -l%temp%\TPMConfig.log
· Package = Browse to HP TPM Config Utility 2.0.2.1 package
· Options tab
· Success codes = 0 3010
34. Add Call TPMConfigster to get TPM Manufacturer Version PowerShell script task
· Properties tab
· Package = Browse to TPM Script 1.0 package
· Script name:
RunProgram.ps1
· Parameters:
TPMConfigster.exe /FW_VER
· PowerShell execution policy = Bypass
· Options tab
· Success codes = 0 3010
35. Add Delete HP_TOOLS partition (if created by this TS) PowerShell script task by clicking Add > General > Run PowerShell Script
· Properties tab
· Options tab
· Add conditions
· root\cimv2
select DeviceID from Win32_LogicalDisk where VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'
· Variable CreateHP_TOOLS equals “True”
36. Add Clear TPM on Next Boot Run PowerShell script task
· Properties tab
· Package = Browse to TPM Script package
· Script Name = ClearTPM.ps1
· PowerShell execution policy = Bypass
37. Add Restart task
· Properties tab
· Under Specify what to run after restart section, select The currently installed default operating system option.
· Select Notify the user before restarting option with message
The computer must restart to upgrade the TPM firmware
38. Add OwnTPM Run PowerShell Script task
· Properties tab
· Package = Browse to TPM Script package
· Script Name = OwnTPM.ps1
· PowerShell execution policy = Bypass
· Options tab
· Add condition(s): If All conditions are true:
· Root\cimv2\security\microsofttpm
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'False'
· Variable Win10_1607_or_later
39. Add new group Update TPM Firmware – IFX under Update TPM Firmware group
· Options tab
· Add condition(s): Any of these are true
40. Add Set IFXTool File Name set dynamic variable task
· Properties tab
· Dynamic rules and variables
41. Add sub group Windows 10 (before 1607), Windows 8.1 and 7
· Options tab
· Add condition
42. Add Get TPM Owner Password from AD command line task
In the example task sequence, this task is disabled. Enabling this task also enables the “Delete TPM Owner password file if exists” task.
· Properties tab
· Command line
cscript Get-TPMOwnerInfo.vbs
· Package = Browse to TPM Script package
· Run this step as the following account
The domain admin credential must be provided here
· Options tab
· Success codes = 0 3010
43. Add Call Infineon tool to get update info command line task
· Properties tab
· Command line
%IFXTool% /info
· Package = Browse to IFX package
· Options tab
· Success codes = 0 3010
44. Add Call Infineon tool to update TPM firmware command line task
· Properties tab
· Command line
%IFXTool% /update /logfile:C:\TPMupdate.log /pwdfile:c:\pwd.tpm
· Package = Browse to IFX package
· Options tab
· Success codes = 0 3010
45. Add Call TPMConfigster to get TPM Manufacturer Version run PowerShell Script task
· Properties tab
· Package = Browse to HP TPM Script package
· Script name
RunProgram.ps1
· Parameters
TPMConfigster.exe /FW_VER
· PowerShell execution policy = Bypass
46. Add Clear TPM on Next Boot
· Properties tab
· Package = Browse to TPM Script package
· Script Name = ClearTPM.ps1
· PowerShell execution policy = Bypass
47. Add Delete TPM owner password file if exists command line task
In the example task sequence, this task is disabled by default. It is enabled automatically once you enable the previous task “Get TPM Owner Password from AD”.
· Properties tab
· Command line
Cmd /c del /F c:\pwd.tpm
· Options tab
· Add conditions
48. Add Restart Computer task
· Properties tab
· Under Specify what to run after restart section, select The currently installed default operating system option.
49. Add Own TPM Run PowerShell Script task
· Properties tab
· Package = Browse to TPM Script 1.0 package
· Script name = OwnTPM.ps1
· PowerShell execution policy = Bypass
· Options tab
· Add condition
· Root\cimv2\security\microsofttpm
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'False'
50. Add new group Windows 10 1607 or later under group Update TPM Firmware – IFX
· Options tab
· Add condition
51. Add Change OS Managed Auth Level command line task
· Properties tab
· Command line
reg import SetOSManagedAuthLevel.reg
· Package = Browse to Registry Update Package
· Options tab
· Success codes = 0 3010
52. Add Set TPM BIOS Setting command line task
· Properties tab
· Command line
BiosConfigUtility.exe /set:"ResetTPM.txt" /cpwdfile:HP123456.bin
· Package = Browse to HP BIOS Configuration Utility Package
· Options tab
· Success codes = 0 3010
53. Add Restart Computer task
· Properties tab
· Under Specify what to run after restart section, select The currently installed default operating system option
54. Add Clear TPM on Next Boot Run PowerShell Script task
· Properties tab
· Package = Browse to TPM Script package
· Script name = ClearTPM.ps1
· PowerShell execution policy = Bypass
55. Add Restart Computer task
· Properties tab
· Under Specify what to run after restart section, select The currently installed default operating system option
56. Add new sub group Update TPM Firmware under group Windows 10 1607 or later then add the following tasks under this new sub group
57. Add Set OSDBitLockerStatus set task sequence variable task
· Properties tab
· Task Sequence Variable = OSDBitLockerStatus
· Value = Protected
· Options tab
· Add condition
58. Add Suspend BitLocker command line task
· Properties tab
· Command line
%windir%\system32\manage-bde.exe -protectors -disable c:
· Options tab
· Success codes = 0 3010
· Add condition
59. Add Call Infineon tool to get update info command line task
· Properties tab
· Command line
%IFXTool% /info
· Package = Browse to IFX package
· Options tab
· Success codes = 0 3010
60. Add Call Infineon tool to update TPM firmware command line task
· Properties tab
· Command line
%IFXTool% /update /logfile:C:\TPMupdate.log
· Package = Browse to IFX package
· Options tab
· Success codes = 0 3010
61. Add Call TPMConfigster to get TPM Manufacturer Version Run PowerShell Script task
· Properties tab
· Package = Browse to HP TPM Script 1.0 package
· Script name
RunProgram.ps1
· Parameters
TPMConfigster.exe /FW_VER
· PowerShell execution policy = Bypass
62. Add Restart Computer task
· Properties tab
· Under Specify what to run after restart section, select The currently installed default operating system option
63. Add Restore OS Managed Auth Level command line task under group Windows 10 1607 or later
· Properties tab
· Command line
reg import ResetOSManagedAuthLevel.reg
· Package = Browse to Registry Update Package
· Options tab
· Success codes = 0 3010
64. Add Clear TPM on Next Boot Run PowerShell Script task under group Windows 10 1607 or later
· Properties tab
· Package = Browse to TPM Script package
· Script name = ClearTPM.ps1
· PowerShell execution policy = Bypass
65. Add Restart Computer task under group Windows 10 1607 or later.
· Properties tab
· Under Specify what to run after restart section, select The currently installed default operating system option
66. Add Resume BitLocker command line task under group Update TPM Firmware
· Properties tab
· Command line
%windir%\system32\manage-bde.exe -protectors -enable c:
· Options tab
· Success codes = 0 3010
· Add condition
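The BitLocker handling of steps 19, 20 and 66, as an added Windows PowerShell example that is not part of the HP document or of the TPM Script package: the protection status is read from the same class the step 19 condition queries, protectors are suspended and later resumed with the same manage-bde calls, and the resume is tied to the recorded status just as the task sequence ties it to OSDBitLockerStatus. Function names are assumptions.

```powershell
# Added example, not from the HP document: steps 19, 20 and 66 as PowerShell functions.
# Suspend-BitLockerIfProtected returns the value the task sequence keeps in OSDBitLockerStatus;
# Resume-BitLockerIfSuspended re-enables protectors only when that value is 'Protected'.
function Get-BitLockerProtectionStatus {
    param([string]$DriveLetter = 'C:')
    # Same class and namespace as the step 19 condition; ProtectionStatus 1 means protection on
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if ($null -eq $vol) { return $null }    # BitLocker not present on this volume
    return [int]$vol.ProtectionStatus
}

function Invoke-ManageBde {
    param([string[]]$ManageBdeArgs)
    # Same executable path as the task sequence; 0 and 3010 are the success codes it accepts
    $exe = Join-Path $env:windir 'system32\manage-bde.exe'
    & $exe @ManageBdeArgs | Out-Null
    if (-not (0, 3010 -contains $LASTEXITCODE)) {
        throw "manage-bde $($ManageBdeArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Suspend-BitLockerIfProtected {
    param([string]$DriveLetter = 'C:')
    # Steps 19 and 20: record the status first, then suspend only a drive that is protected
    if ((Get-BitLockerProtectionStatus $DriveLetter) -ne 1) { return 'Unprotected' }
    # Without -RebootCount, Windows 8 and later resume protection at the next restart;
    # that is why the task sequence repeats this suspend after every reboot (steps 27, 32, 58)
    Invoke-ManageBde -ManageBdeArgs '-protectors', '-disable', $DriveLetter
    return 'Protected'
}

function Resume-BitLockerIfSuspended {
    param([Parameter(Mandatory)] [string]$OsdBitLockerStatus, [string]$DriveLetter = 'C:')
    # Step 66: resume only when the recorded status says the drive was protected to begin with
    if ($OsdBitLockerStatus -ne 'Protected') { return $false }
    Invoke-ManageBde -ManageBdeArgs '-protectors', '-enable', $DriveLetter
    return $true
}

# Order of use around the firmware update tasks (constructed flow, not a real task sequence run):
# $status = Suspend-BitLockerIfProtected            # before the TPMConfig / IFX update tasks
# ...firmware update and restarts...
# Resume-BitLockerIfSuspended -OsdBitLockerStatus $status
```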
The complete task sequence should look like this
Continue…