©Copyright 2017 HP Development Company, L.P.

Notice: The information contained in this document, including URL, other web site references, screen shots or step by step instructional guidance are samples provided for informational purposes only. Appropriate modifications may be needed for solutions prior to applying the TPM patch such as, but not limited to Secure Boot, Bit Locker, Virtual Smart Card, 3rd party encryption products, VPN products prior to applying the TPM firmware upgrade (or patch). HP has no direct or indirect visibility or ability to predict all the cases as to how organizations are using the TPM. Customers are solely responsible for ensuring that the TPM firmware upgrade does not adversely impact their own use cases. All information provided in this document is provided on an “as is” basis and nothing herein should be construed as constituting an additional warranty. HP does not warrant or guarantee the guidance contained in this document and customers are strongly urged to do their own testing and customization of these instructions to meet their particular use case.  The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. HP expressly disclaims any and all liability related to or arising from the use of or reliance upon the instructional guidance contained in this document. Additionally, HP shall not be liable for technical or editorial errors or omissions contained herein.

TPM Firmware Upgrade Task Sequence

Document History

Revision 1.0 (11/08/17, NN): Initial version. Task Sequence for TPM sp81900 and sp82133 (Win 10 only).

Revision 1.1 (11/15/17, NN): Updated document including HP disclaimer.

Revision 2.0 (11/28/17, NN): Updated document. Task sequence for TPM sp81900, sp82133, sp82132 (Win 10 and Win 7) with the following updates:
  o Have the right call to clear TPM
  o Have the proper .hpsign files for TPMConfig to detect signed TPMConfig and firmware bin files
  o Add scripts to create HP_TOOLS partition
  o Re-arrange the flow to be more readable
  o Remove all steps relating to auto logon
  o Disable virtualization BIOS setting, Trusted Execution Technology (TXT) and Intel Software Guard Extension (SGX)

Revision 3.0 (01/18/18, NN): Updated Task Sequence for 5 SoftPaqs (sp81900, sp82133, sp82132, sp82147, sp82407):
  o Added OS conditions for all SoftPaqs W7, W8.1, W10
  o Updated OS condition checks in Own TPM steps
  o Moved the Win 10 1607 check to earlier so both Own TPM steps can reference the check result
  o Replaced with TPM config Utility 2.0.2.1

Revision 4.0 (05/01/18, NN): Updated Task Sequence for SoftPaq sp85540, which supersedes sp81900 and sp82417:
  o New version of TPM config 2.0.3.1 and TPM firmware bin files version 7.63 and workstation SLB 9660

Environment and validation information

In this practice, we have tested task sequence version 3.0 on the following client systems via SCCM server:

1. SCCM Server
  o Running Windows Server OS 2012 R2
  o Configuration Manager Console version 5.0.8239.1403

2. Client system
  o SP85540 – ProBook 440 G4, ProBook 640 G3, ProBook 470 G5, Elite Desk 800 DM G3, ProDesk 400 G2 DM, Desktop Workstation Z240 and Z440
  o SP82133 – Elitebook 725 G2, ProBook 470 G2, Elite Desk 705 G1 DM
  o SP82407 – None.
  o SP82132 – Due to the limitation of hardware, we have not validated any supported system for this SoftPaq
  o Running Windows 7 Enterprise, Windows 10 version RS1, RS3, and RS4
  o BIOS version – latest
  o TPM version 1.2 and 2.0
  o BitLocker enabled

Prerequisites

1. BIOS Configuration Utility (BCU) tool version 4.0.24.1 (sp81841). This SoftPaq is available on Manageability website http://www8.hp.com/us/en/ads/clientmanagement/download.html

2. Download appropriate TPM firmware bin files from this ftp https://ftp.hp.com/pub/caps-softpaq/cmit/example/TPMFWUpgrade/TPMFWReadme.docx

Please also refer to this Security Bulletin for the correct SoftPaq for your system: https://support.hp.com/us-en/document/c05792935

3. Apply the Windows operating system updates (see Affected Products table for specific package KB numbers) first.

WARNING: Do NOT apply the TPM firmware update prior to applying the Windows operating system mitigation update. Doing so will render your system unable to determine if your system is affected. You will need this information to conduct full remediation.

According to Microsoft post https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012, customers need to install OS updates prior to doing the TPM firmware update.

Create folders for packages in Task Sequence

1. Create HP BIOS Configuration Utility folder
  o On SCCM server, create a folder, name it "HP Client BIOS Configuration Utility", and place all BCU files in here
  o Run BCU to get a config file
    Ex: BiosConfigUtility64.exe /get:"config.txt"
  o Open config.txt and modify the TPM setting as shown in the picture below
  o Save the modified config file as desired. For example: RepsetTPM.txt
  o Also, modify the second config file to disable TPM physical presence (PPI) for sp81900's supported systems as shown in the picture below
  o Save the second modified config file as desired. For example: TPMNoPrompts.txt
  o Create BIOS Password bin file
    - Execute HPQPswd.exe or HPQPwd64.exe
    - Follow on screen instruction to create a password bin file
    - Save the password bin file in the same directory as BCU

  The HP Client BIOS Configuration Utility folder should contain the following files

2. Create folder HP TPM Config Utility and place all necessary files here.


3. Create folder IFX
  o Create subfolder called sp82132. Place IFXTPMUpdate application and necessary files here
  o Create subfolder called sp82133. Place IFXTPMUpdate application and necessary files here
  o Create subfolder called sp82407. Place IFXTPMUpdate application and necessary files here

4. Create a folder for Registry Update Package
  o Have all registry files in this folder

ResetOSManagedAuthLevel

Windows Registry Editor Version 5.00

; Header line above is required by regedit / reg import.
; OSManagedAuthLevel 2 = Delegated (the Windows default): the OS keeps only delegated owner authorization.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000002

SetOSManagedAuthLevel

Windows Registry Editor Version 5.00

; OSManagedAuthLevel 4 = Full: Windows stores the full TPM owner authorization locally,
; which the Own TPM and Clear TPM steps of this task sequence rely on.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000004

5. Create a folder for TPM Script
  o Have all necessary files in this folder

ClearTPM.ps1

#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you. In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: ClearTPM.ps1
# Description: Clear, enable, and activate the TPM.
#=====================================================================

$objTPM = Get-WmiObject -Class "Win32_Tpm" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
Write-Host "Clear, enable, and activate the TPM"
# Physical presence operation 14 = "Clear, Enable, and Activate". The request is only
# queued here; the BIOS carries it out at the next reboot.
$objRet = $objTPM.SetPhysicalPresenceRequest(14)
$retCode = $objRet.ReturnValue
If ($retCode -eq 0) {
    Write-Host "Successfully cleared the TPM chip. A reboot is required."
} else {
    Write-Host "Failed to clear TPM ownership. Exiting... Error=$($retCode)" -ForegroundColor Red
    Exit $retCode
}

CreateHP_TOOLS.txt

sel vol c:
shrink desired=500
create part prim
format quick fs=FAT32 label=HP_TOOLS
assign letter T
lis dis
det dis
lis par
det par
exit

DeleteHP_TOOLS.txt

rem The placeholder on the next line is replaced with the real drive letter by Delete-HPToolsPartition.ps1 before diskpart runs.
sel vol HP_TOOLS_DRIVE_LETTER
del part override
sel vol c:
extend noerr
exit

Delete-HPToolsPartition.ps1

#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you. In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: Delete-HPToolsPartition.ps1
# Description: Delete HP_TOOLS partition if it exists.
#=====================================================================

$objHP_TOOLSPart = Get-WmiObject -Class "Win32_LogicalDisk" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2" -filter "VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'"
if ($objHP_TOOLSPart -eq $null)
{
    Write-Host "No HP_TOOLS partition"
}
else
{
    # Get the drive letter of HP_TOOLS partition.
    $drive = $objHP_TOOLSPart.DeviceID
    Write-Host "HP_TOOLS partition drive letter=$drive"

    # Get the location to the script.
    if(!$PSScriptRoot) { $PSScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent }

    $inputFileName = "DeleteHP_TOOLS.txt"
    $path = Join-Path -Path $PSScriptRoot -ChildPath "$inputFileName"
    $tempPath = "C:\$inputFileName"
    Write-Host "Content of template input file before calling diskpart:"
    Get-Content $path

    # Load DeleteHP_TOOLS.txt and replace the place holder with the HP_TOOLS partition drive letter.
    $newContent = (Get-Content $path | Out-String) -replace "(.*?)HP_TOOLS_DRIVE_LETTER(.*)",('$1{0}$2' -f $drive)
    Write-Host "new content"
    Write-Host $newContent
    $newContent | Set-Content $tempPath

    # Verbose the content of DeleteHP_TOOLS.txt
    Write-Host "Content of input file before calling diskpart:"
    Get-Content $tempPath

    if (Test-Path $tempPath)
    {
        Write-Host "Running diskpart to remove HP_TOOLS partition"
        Start-Process -FilePath "diskpart" -Wait -Verbose -ArgumentList " /s $tempPath"
        # Clean up the input file
        Write-Host "Remove the input file to diskpart"
        Remove-Item -Path $tempPath
    }
}

ForceError.cmd

Echo Force error 1
exit /b 1

Get-TPMOwnerInfo.vbs

'=================================================================================
'
' This script demonstrates the retrieval of Trusted Platform Module (TPM)
' recovery information from Active Directory for a particular computer.
'
' It returns the TPM owner information stored as an attribute of a
' computer object.
'
' Last Updated: 12/05/2012
' Last Reviewed: 12/05/2012
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
' Version 1.0 - Initial release
' Version 1.1 - Updated GetStrPathToComputer to search the global catalog.
' Version 1.1.2 - Tested and re-released for Windows 8 and Windows Server 2012
'
' HP update - Added script to get the TPM owner password hash from TPM Devices
'           - Output the hash to pwd.tpm file
'
'=================================================================================

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------

Sub ShowUsage
    Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]"
    Wscript.Echo "If no computer name is specified, the local computer is assumed."
    WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------

Set args = WScript.Arguments

Select Case args.Count
    Case 0
        ' Get the name of the local computer
        Set objNetwork = CreateObject("WScript.Network")
        strComputerName = objNetwork.ComputerName
    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strComputerName = args(0)
        End If
    Case Else
        ShowUsage
End Select

' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------

Function GetStrPathToComputer(strComputerName)

    ' Uses the global catalog to find the computer in the forest
    ' Search also includes deleted computers in the tombstone

    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

    strBase = "<GC://" & namingContext & ">"
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOOBject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
    strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False

    ' Enumerate all objects found.
    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
        WScript.echo "The computer name '" & strComputerName & "' cannot be found."
        WScript.Quit 1
    End If

    ' Found object matching name
    Do Until objRecordSet.EOF
        dnFound = objRecordSet.Fields("distinguishedName")
        GetStrPathToComputer = "LDAP://" & dnFound
        objRecordSet.MoveNext
    Loop

    ' Clean up.
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing

End Function

' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------

Set objDSO = GetObject("LDAP:")
strPath = GetStrPathToComputer(strComputerName)

WScript.Echo "Accessing object: " + strPath

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80

Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
    ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

' --------------------------------------------------------------------------------
' Get the TPM owner information from the Active Directory computer object
' --------------------------------------------------------------------------------

On Error Resume Next

' If TPM password hash is available at owner information, get it.
strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation

' If TPM password hash is in TPM Devices.
' When the attribute is absent the Get above fails silently and leaves the
' variable Empty, so test for Empty/"" here (a string can never be "Nothing").
If IsEmpty(strOwnerInformation) Or strOwnerInformation = "" Then
    ' Get the CN
    strOwnerInformation = objComputer.Get("msTPM-TpmInformationForComputer")
    WScript.echo "msTPM-TpmInformationForComputer: " + strOwnerInformation

    If (strOwnerInformation <> "") Then
        ' Get the TPM entry.
        strPath = "LDAP://" & strOwnerInformation
        'WScript.Echo "Accessing object: " + strPath

        Set objTPM = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
            ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

        ' Get the TPM owner password
        strOwnerInformation = objTPM.Get("msTPM-OwnerInformation")
        'WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
    End If
End If

If (strOwnerInformation = "") Then
    WScript.echo "The TPM owner information is not available in AD."
    WScript.Quit 1
End If

' --------------------------------------------------------------------------------
' Generate the TPM password file.
' --------------------------------------------------------------------------------

Set objFSO = CreateObject("Scripting.FileSystemObject")

' How to write file.
' The file carries the TPM owner authorization in clear text; remove it from the
' local disk once the task sequence has used it.
' vbCrLf is a built-in VBScript constant (Chr(13) & Chr(10)) and is used as-is.
outFile = "c:\pwd.tpm"
strContent = "<?xml version=""1.0"" encoding=""UTF-8""?>" & vbCrLf & _
    "<!-- " & vbCrLf & _
    "This page is a backup of Trusted Platform Module (TPM) owner" & vbCrLf & _
    "authorization information. Upon request, use the authorization information to" & vbCrLf & _
    "prove ownership of the computer's TPM." & vbCrLf & vbCrLf & vbCrLf & _
    "IMPORTANT: Please keep this file in a secure location away from your computer's" & vbCrLf & _
    "local hard drive." & vbCrLf & _
    "-->" & vbCrLf & _
    "<tpmOwnerData version=""1.0"" softwareAuthor=""Microsoft Windows [Version 6.1.7601]"" creationDate=""2017-11-15T23:32:48-08:00"" creationUser=""domain\user"" machineName=""machine"">" & vbCrLf & _
    " <tpmInfo manufacturerId=""1229346816""/>" & vbCrLf & _
    " <ownerAuth>" & strOwnerInformation & "</ownerAuth>" & vbCrLf & _
    "</tpmOwnerData>" & vbCrLf

WScript.Echo "Writing " & outFile
Set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write strContent
objFile.Close

WScript.echo outFile & " is ready to use"

OwnTPM.ps1

#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you. In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: OwnTPM.ps1
# Description: Take ownership of the TPM with a random
#              GUID as the TPM owner information.
#=====================================================================

$objTPM = Get-WmiObject -Class "Win32_Tpm" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
Write-Host "Verify that the TPM is enabled, activated and ownership allowed."
$isEnabled = $objTPM.IsEnabled().isEnabled
$isActivated = $objTPM.IsActivated().isActivated
$ownershipAllowed = $objTPM.IsOwnershipAllowed().IsOwnershipAllowed

If (-not($isEnabled -eq $true -and $isActivated -eq $true -and $ownershipAllowed -eq $true)) {
    Write-Host "The TPM state (isEnabled=$isEnabled, isActivated=$isActivated, ownershipAllowed=$ownershipAllowed) does not allow ownership." -ForegroundColor Red
    Exit 1
}

Write-Host "TPM is enabled, activated and ownership allowed."

# Create a new guid and use it as TPM owner password.
# The pass phrase is not kept by this script; how much of the resulting owner
# authorization Windows stores locally is governed by the OSManagedAuthLevel
# policy set by the Registry Update Package (Full = 4).
$GUID = [guid]::NewGuid()

$ownerAuth = $objTPM.ConvertToOwnerAuth($GUID.ToString()).OwnerAuth
$objRet = $objTPM.TakeOwnership($ownerAuth)
$retCode = $objRet.ReturnValue

If ($retCode -eq 0) {
    Write-Host "Successfully took ownership of the TPM."
} else {
    Write-Host "Failed to take ownership of TPM. Exiting... Error=$retCode" -ForegroundColor Red
    Exit $retCode
}

RunProgram.ps1

param(
    [string]$program,
    [string]$inputArgs
)

# The program is expected to sit next to this script, inside the same package.
$program = "$PSScriptRoot\$program"

$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = "$program"
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = "$inputArgs"
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
# Drain the redirected streams before waiting; waiting first can deadlock once a
# redirected pipe buffer fills up.
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
$p.WaitForExit()
Write-Host "$stdout"
Write-Host "stderr=$stderr"
Write-Host "Exit code=$($p.ExitCode)"
# Note: the script itself exits 0 whatever the program returned, so a task
# sequence step running it does not fail when the program fails.

Create Packages in ConfigMgr

Create package HP Client BIOS Configuration Utility

1. In the Configuration Manager Console, click Software Library
2. Expand Application Management
3. Right click Packages and select Create Package
4. Name the package as desired and enter any additional information on the first page of the wizard.

Note: Make sure to select the correct source file location

5. Click Next
6. Select the Do not create a program option, and click Next
7. Click Next on the summary page
8. There is a notification when the wizard is completed successfully.
9. Click Close.

Create package HP TPM Config

1. Follow the same 9 steps used to create the HP BIOS Configuration Utility package to complete creating the HP TPM Config package. Ensure to select the correct source folder.

Create package IFX

1. Follow the same 9 steps used to create the HP BIOS Configuration Utility package to complete creating the IFX package. Ensure to select the correct source folder.

Create package Registry Update Package

1. Follow the same 9 steps used to create the HP BIOS Configuration Utility package to complete creating the Registry Update package. Ensure to select the correct source folder.

Create package TPM Script Package

1. Follow the same 9 steps used to create the HP BIOS Configuration Utility package to complete creating the TPM Script package. Ensure to select the correct source folder.

Distribute the newly created packages

1. Right click each of the newly created packages and select Distribute Content
2. Click Next at the general screen
3. At the Content Destination screen, click Add > Distribution Point
4. Select the appropriate distribution point
5. There is a notification when the content is distributed successfully.

Prepare ConfigMgr Client

Follow these steps to prepare and join client systems into the domain network if you have not done so.

1. Join the client system to the domain
2. Make sure to add File and Printer Sharing and Windows Management Instrumentation (WMI) exceptions to Windows Firewall
3. In the Configuration Manager Console, make sure the client system is discovered and displayed under Devices.
4. Install the Configuration Manager client to the system.
5. Create a device collection containing the target client for deployment.

Create Task Sequence

1. In the Configuration Manager console, click Software Library.
2. In the Software Library workspace, expand Overview, and then click Operating Systems.
3. Right click Task Sequences, and then select Create Task Sequence.
4. Select Create a new custom task sequence.
5. Enter the task sequence name, description, boot image as desired, and click Next
6. At the summary page, click Next.
7. Click Close when the Create Task Sequence Wizard completed successfully.
8. Your task sequence is created under Software Library > Overview > Operating Systems > Task Sequences.
9. Right click on the newly created task sequence and select Edit
10. Task sequence is displayed.
11. Add new group Add > Group and name it as desired.
12. Add five variable tasks by clicking Add > General > Set Task Sequence Variable
13. Name the first variable task as Is sp85540 needed and provide info as follows
  o Properties tab
    Task sequence variable = sp85540
    Value = Needed
  o Options tab
    Add condition(s)
    All these conditions are true.

WMI namespace: Root\cimv2
Query: Select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'

(Each pattern needs the leading % because Win32_OperatingSystem.Caption begins with "Microsoft", e.g. "Microsoft Windows 8.1 Enterprise".)

Note: All products listed in the query below are retrieved and based on the support list from sp85540's CVA file.

WMI namespace: Root\cimv2
Query: select * from Win32_BaseBoard where Product like '%80FC%' or Product like '%82CA%' or Product like '%80FB%' or Product like '%80FA%' or Product like '%82DE%' or Product like '%8084%' or Product like '%8238%' or Product like '%807E%' or Product like '%8236%' or Product like '%807E%' or Product like '%8236%' or Product like '%807C%' or Product like '%8292%' or Product like '%8079%' or Product like '%828C%' or Product like '%8079%' or Product like '%828C%' or Product like '%8170%' or Product like '%8300%' or Product like '%827D%' or Product like '%82EF%' or Product like '%83D0%' or Product like '%815A%' or Product like '%82EB%' or Product like '%828B%' or Product like '%818F%' or Product like '%80FF%' or Product like '%822C%' or Product like '%8377%' or Product like '%8100%' or Product like '%822E%' or Product like '%837B%' or Product like '%8101%' or Product like '%8231%' or Product like '%837D%' or Product like '%80EF%' or Product like '%823C%' or Product like '%8102%' or Product like

Page 28: ©Copyright 2017 HP Development Company, L.P. · Web viewAlso, modify the second config file to disable TPM physical presence (PPI) for sp81900’s supported systems as shown in the

'%8234%' or Product like '%837F%' or Product like '%80FD%' or Product like '%82AA%' or Product like '%80FE%' or Product like '%823A%' or Product like '%80FD%' or Product like '%82AA%' or Product like '%80FE%' or Product like '%823A%' or Product like '%8334%' or Product like '%828C%' or Product like '%80D5%' or Product like '%8275%' or Product like '%8079%' or Product like '%828C%' or Product like '%80D6%' or Product like '%8270%' or Product like '%80D4%' or Product like '%826B%' or Product like '%83FD%' or Product like '%81C3%' or Product like '%805B%' or Product like '%8266%' or Product like '%8265%' or Product like '%835B%' or Product like '%8053%' or Product like '%829A%' or Product like '%8299%' or Product like '%829B%' or Product like '%829F%' or Product like '%8057%' or Product like '%829C%' or Product like '%829B%' or Product like '%830A%' or Product like '%8055%' or Product like '%806A%' or Product like '%82A5%' or Product like '%8062%' or Product like '%82A2%' or Product like '%8062%' or Product like '%82A1%' or Product like '%805F%' or Product like '%8169%' or Product like '%805D%' or Product like '%829E%' or Product like '%82B4%' or Product like '%8169%' or Product like '%829D%' or Product like '%8063%' or Product like '%82A6%' or Product like '%8063%' or Product like '%805E%' or Product like '%82B5%' or Product like '%8139%' or Product like '%8376%' or Product like '%8115%' or Product like '%82BF%' or Product like '%8183%' or Product like '%802E%' or Product like '%802F%' or Product like '%81C5%' or Product like '%212B%' or Product like '%81C6%' or Product like '%212A%' or Product like '%81C7%' or Product like '%2129%'

Root\cimv2\security\MicrosoftTPM
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and ((SpecVersion like '2.0%' and ManufacturerVersion like '7.%' and ManufacturerVersion < '7.63') or (SpecVersion like '2.0%' and ManufacturerVersion like '5.%' and ManufacturerVersion < '5.62') or (SpecVersion like '1.2%' and ManufacturerVersion like '4.4%' and ManufacturerVersion < '4.43') or (SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43'))

14. Name the second variable task Is sp82133 needed and provide the following:

o Properties tab
Task sequence variable = sp82133 Value = Needed

o Options tab Add condition(s)

All these conditions are true

Note: All products listed in the query below are taken from the support list in sp82133's CVA file.

Root\cimv2
select * from Win32_BaseBoard where Product like '%2255%' or Product like '%22DA%' or Product like '%2270%' or Product like '%2271%' or Product like '%805C%' or Product like '%2216%' or Product like '%8042%' or Product like '%221B%' or Product like '%221D%' or Product like '%2009%' or Product like '%2235%' or Product like '%2236%' or Product like '%2234%' or Product like '%2249%' or Product like '%224A%' or Product like '%2248%' or Product like '%2247%' or Product like '%2246%' or Product like '%225A%' or Product like '%221C%' or Product like '%2253%' or Product like '%8158%' or Product like '%8103%' or Product like '%18E9%' or Product like '%198E%' or Product like '%21F5%' or Product like '%2215%' or Product like '%225F%' or Product like '%225E%' or Product like '%213D%' or Product like '%2187%' or Product like '%2124%' or Product like '%21B4%' or Product like '%8000%' or Product like '%21F6%' or Product like '%18EB%' or Product like '%2171%' or Product like '%805A%' or Product like '%2B60%' or Product like '%8184%' or Product like '%8267%'

root\cimv2\security\MicrosoftTPM

select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion < '4.43'

Root\cimv2
select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%10%'

15. Name the third variable task Is sp82132 needed and provide the following:

o Properties tab
Task sequence variable = sp82132 Value = Needed

o Options tab Add condition(s)

All these conditions are true

Note: All products listed in the query below are taken from the support list in sp82132's CVA file.

root\cimv2
select * from Win32_BaseBoard where Product like '%8256%' or Product like '%2B5E%'

root\cimv2\Security\MicrosoftTpm
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion < '6.43'

root\cimv2
select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%10%'


16. Name the fourth variable task Is sp82407 needed and provide the following:

o Properties tab
Task sequence variable = sp82407 Value = Needed

o Options tab Add condition(s)

All these conditions are true

root\cimv2
select * from Win32_BaseBoard where Product like '%190A%' or Product like '%2157%' or Product like '%213E%' or Product like '%198F%' or Product like '%1993%' or Product like '%1994%' or Product like '%2101%' or Product like '%2102%' or Product like '%21B3%' or Product like '%1946%' or Product like '%1947%' or Product like '%1944%' or Product like '%1942%' or Product like '%1940%' or Product like '%1991%' or Product like '%1992%' or Product like '%1909%' or Product like '%2175%' or Product like '%2179%' or Product like '%2B2A%' or Product like '%22AD%' or Product like '%18E6%' or Product like '%1998%' or Product like '%8027%' or Product like '%8027%' or Product like '%1825%' or Product like '%21D0%' or Product like '%2B34%' or Product like '%213D%' or Product like '%2187%' or Product like '%2124%' or Product like '%21B4%' or Product like '%18EA%' or Product like '%18E5%' or Product like '%18E7%' or Product like '%18E8%' or Product like '%18E4%' or Product like '%2155%' or Product like '%2145%' or Product like '%8076%' or Product like '%2B4A%'

root\cimv2\security\MicrosoftTPM
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion like '4.3%' and ManufacturerVersion < '4.34'

root\cimv2
select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'


17. Name the fifth variable task Is sp82147 needed and provide the following:

o Properties tab
Task sequence variable = sp82147 Value = Needed

o Options tab Add condition(s)

All these conditions are true

root\cimv2
select * from Win32_BaseBoard where Product like '%8115%' or Product like '%82BF%' or Product like '%8183%' or Product like '%802E%' or Product like '%802F%' or Product like '%81C5%' or Product like '%212B%' or Product like '%81C6%' or Product like '%212A%' or Product like '%81C7%' or Product like '%2129%'

root\cimv2\security\MicrosoftTPM
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and ((SpecVersion like '2.0%' and ManufacturerVersion < '7.62') or (SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43') or (SpecVersion like '1.2%' and ManufacturerVersion < '4.43'))

root\cimv2
select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'
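The five "Is spXXXXX needed" steps above all have the same shape: an OS caption match, a baseboard product match, a TPM that is activated, enabled and owned, and a firmware version below the fixed release. The following script is an added example (not HP's code and not part of the original task sequence) that evaluates that rule shape on a pilot machine before the rule is committed to Options-tab WQL, using the sp85540 rule set from step 13 as data. The baseboard list is a subset of the step 13 IDs and is assumed to be completed from the CVA file for production use. One deliberate difference from the page's WQL: WQL compares ManufacturerVersion as a string, so '7.9' sorts after '7.63' even though 7.9 would be the older firmware; the page contains that risk with the like '7.%' style prefixes, while the script compares numerically through [version].

```powershell
# Added example, not HP's code. Reproduces the step 13 to 17 eligibility rules
# locally and, when run inside a task sequence, sets the same variable that the
# Set Task Sequence Variable step would.

# Subset of the sp85540 Win32_BaseBoard.Product IDs from step 13 (assumption:
# the full list from the CVA file is pasted in for production use)
$Sp85540Boards = @('80FC','82CA','80FB','80FA','82DE','8084','8238','807E','8236','807C','8292','8079','828C')

# Vulnerable ranges from step 13: SpecVersion prefix, firmware branch prefix, first fixed version
$Sp85540Rules = @(
    @{ Spec = '1.2'; Branch = '4.4'; FixedIn = [version]'4.43' },
    @{ Spec = '1.2'; Branch = '6.4'; FixedIn = [version]'6.43' },
    @{ Spec = '2.0'; Branch = '5.';  FixedIn = [version]'5.62' },
    @{ Spec = '2.0'; Branch = '7.';  FixedIn = [version]'7.63' }
)

function Test-TpmFirmwareVulnerable {
    param(
        [Parameter(Mandatory)][string]$SpecVersion,          # Win32_Tpm.SpecVersion, e.g. '2.0, 0, 1.16'
        [Parameter(Mandatory)][string]$ManufacturerVersion,  # Win32_Tpm.ManufacturerVersion, e.g. '5.61'
        [Parameter(Mandatory)][hashtable[]]$Rules
    )
    $parts = $ManufacturerVersion.Split('.')
    if ($parts.Count -lt 2) { return $false }                # nothing to compare; treat as not matched
    $fw = [version]('{0}.{1}' -f $parts[0], $parts[1])       # numeric major.minor, not a string compare
    foreach ($r in $Rules) {
        if ($SpecVersion.StartsWith($r.Spec) -and
            $ManufacturerVersion.StartsWith($r.Branch) -and
            $fw -lt $r.FixedIn) { return $true }
    }
    return $false
}

function Test-SoftPaqNeeded {
    param(
        [Parameter(Mandatory)][string]$SoftPaq,          # task sequence variable name, e.g. 'sp85540'
        [Parameter(Mandatory)][string[]]$BoardIds,
        [Parameter(Mandatory)][hashtable[]]$Rules,
        [string[]]$OsPatterns = @('*Windows*7*', '*Windows*8.1*', '*Windows*10*')
    )
    $os    = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_OperatingSystem
    $board = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_BaseBoard
    $tpm   = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    $osOk    = @($OsPatterns | Where-Object { $os.Caption -like $_ }).Count -gt 0
    $boardOk = @($BoardIds   | Where-Object { $board.Product -like "*$_*" }).Count -gt 0
    # The page requires the TPM to be activated, enabled and owned before it is updated
    $readyOk = [bool]$tpm -and $tpm.IsActivated_InitialValue -and $tpm.IsEnabled_InitialValue -and $tpm.IsOwned_InitialValue
    $fwOk    = [bool]$tpm -and (Test-TpmFirmwareVulnerable -SpecVersion $tpm.SpecVersion -ManufacturerVersion $tpm.ManufacturerVersion -Rules $Rules)
    $spec    = if ($tpm) { $tpm.SpecVersion } else { $null }
    $fwVer   = if ($tpm) { $tpm.ManufacturerVersion } else { $null }

    $result = [pscustomobject]@{
        SoftPaq = $SoftPaq; Needed = ($osOk -and $boardOk -and $readyOk -and $fwOk)
        OS = $os.Caption; Board = $board.Product; Spec = $spec; Firmware = $fwVer
        OsMatch = $osOk; BoardMatch = $boardOk; TpmReady = $readyOk; FirmwareVulnerable = $fwOk
    }
    # Under the task sequence engine, mirror the Set Task Sequence Variable step
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        if ($result.Needed) { $tsenv.Value($SoftPaq) = 'Needed' }
    } catch { }    # not running inside a task sequence: report only
    return $result
}

Test-SoftPaqNeeded -SoftPaq 'sp85540' -BoardIds $Sp85540Boards -Rules $Sp85540Rules | Format-List
```

Run it on a machine of each model family before deployment; the per-condition fields show which of the four tests kept a device out of scope, which the task sequence log does not. The other four SoftPaqs are handled by passing their own board list and rule set from steps 14 to 17.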


18. Add a new group by clicking Add > New Group
o Properties tab - Name the group Update TPM Firmware
o Options tab - Add the following conditions

19. Add Set OSD BitLocker Status variable task under the Update TPM Firmware group
o Properties tab
Task Sequence Variable = OSDBitLockerStatus Value = Protected

o Options tab Add condition(s)

root\cimv2\Security\MicrosoftVolumeEncryption
select * from win32_encryptablevolume where driveletter = 'c:' and protectionstatus = '1'


20. Add Suspend BitLocker command line task by clicking Add > General > Command line
o Properties tab
Command line: %windir%\system32\manage-bde.exe -protectors -disable c:

o Options tab Success codes = 0 3010 Add condition(s)


21. Add Is Windows 10 1607 or later variable task
o Properties tab
Task Sequence Variable = Win10_1607_or_Later Value = True

o Options tab Add condition(s)

22. Add sub group named sp85540 under Update TPM Firmware group


o Options tab Add condition(s)

23. Add Need to create HP_TOOLS partition? variable task under the sp85540 group
o Properties tab
Task Sequence Variable = CreateHP_TOOLS Value = True

o Options tab Add condition(s)

root\cimv2
Select * from Win32_DiskPartition Where Type = "GPT: System"

root\cimv2
select DeviceID from Win32_LogicalDisk where VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'

root\cimv2
Select * From Win32_LogicalDisk Where DeviceID = 'C:' and FreeSpace >= 524288000
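The following function is an added example (not HP's code) that evaluates the three step 23 queries locally and records the CreateHP_TOOLS decision the way the variable step does. The page shows the three queries but not how the condition combines them, so the combination is an assumption: create the partition only when the disk is GPT (a "GPT: System" partition exists), no FAT32 HP_TOOLS volume exists yet, and C: has at least the 500 MB that step 23 requires.

```powershell
# Added example, not HP's code. Evaluates the step 23 conditions and records
# CreateHP_TOOLS, the variable that step 35 later checks before deleting the
# partition, so that only a partition created by this sequence is removed.
function Test-NeedHpToolsPartition {
    param([long]$MinFreeBytes = 524288000)   # 500 MB, the threshold from step 23

    $gptSystem = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_DiskPartition -Filter 'Type = "GPT: System"'
    $hpTools   = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_LogicalDisk -Filter "VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'"
    $sysDrive  = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_LogicalDisk -Filter "DeviceID = 'C:'"

    $freeBytes    = [long]$sysDrive.FreeSpace
    $hpToolsDrive = if ($hpTools) { @($hpTools)[0].DeviceID } else { $null }
    # Assumption: the partition is created only when it does not already exist
    $create = ([bool]$gptSystem -and -not $hpTools -and $freeBytes -ge $MinFreeBytes)

    $decision = [pscustomobject]@{
        GptSystemPartition = [bool]$gptSystem
        HpToolsPresent     = [bool]$hpTools
        HpToolsDrive       = $hpToolsDrive
        FreeSpaceBytes     = $freeBytes
        CreateHP_TOOLS     = $create
    }
    # Under the task sequence engine, set the same variable as step 23
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        if ($create) { $tsenv.Value('CreateHP_TOOLS') = 'True' }
    } catch { }    # not inside a task sequence: report only
    return $decision
}

# Guard for the step 35 cleanup: delete HP_TOOLS only if this sequence created it
function Test-ShouldDeleteHpTools {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $hpTools = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_LogicalDisk -Filter "VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'"
    return ([bool]$hpTools -and $tsenv.Value('CreateHP_TOOLS') -eq 'True')
}

Test-NeedHpToolsPartition | Format-List
```

The diskpart script in step 24 runs without confirmation, so check the decision object on a few machines first: a device that already carries a vendor HP_TOOLS volume must come back with CreateHP_TOOLS = False, otherwise step 35 would remove a partition the sequence did not create.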


24. Add Create HP_TOOLS partition command line task
o Properties tab
Command line: diskpart /s CreateHP_TOOLS.txt

Package = Browse to TPM Script

o Options tab Success codes = 0 3010 Add condition(s)


25. Add Set TPM BIOS Setting command line task
o Properties tab
Command line: BiosConfigUtility.exe /set:"TPMNoPrompts.txt" /cpwdfile:HP123456.bin

Package = Browse to HP Client BIOS Configuration Utility package

o Options tab Success codes = 0 3010

26. Add Restart Computer task
o Properties tab
Under Specify what to run after restart, select The currently installed default operating system option


27. Add Suspend BitLocker command line task
o Properties tab
Command line: %windir%\system32\manage-bde.exe -protectors -disable c:

o Options tab Success codes = 0 3010 Add condition(s)

28. Add Call TPMConfig to get initial TPM information command line task
o Properties tab
Command line: TPMConfig.exe -s -t%temp%\TPMInfo.BeforeUpdate.txt -l%temp%\TPMConfig.log

Package = Browse to HP TPM Config Utility 2.0.2.1 package


o Options tab Success codes = 0 3010

29. Add Call TPMConfig to upgrade TPM 1.2 command line task
o Properties tab
Command line: TPMConfig.exe -s -a1.2 -l%temp%\TPMConfig.log

Package = Browse to HP TPM Config Utility package


o Options tab Success code = 0 3010 Add condition

root\cimv2\Security\MicrosoftTpm
select * from Win32_TPM where SpecVersion like '1.2%'

30. Add Call TPMConfig to upgrade TPM 2.0 command line task
o Properties tab
Command line: TPMConfig.exe -s -a2.0 -l%temp%\TPMConfig.log

Package = Browse to HP TPM Config Utility package


o Options tab Success code = 0 3010 Add condition

root\cimv2\Security\MicrosoftTpm

select * from Win32_TPM where SpecVersion like '2.0%'

31. Add Restart task
o Properties tab
Under Specify what to run after restart, select The currently installed default operating system option.

Select the Notify the user before restarting option with the message: The computer must restart to upgrade the TPM firmware

32. Add Suspend BitLocker command line task
o Properties tab
Command line: %windir%\system32\manage-bde.exe -protectors -disable c:

o Options tab Success codes = 0 3010 Add condition(s)

Page 49: ©Copyright 2017 HP Development Company, L.P. · Web viewAlso, modify the second config file to disable TPM physical presence (PPI) for sp81900’s supported systems as shown in the

33. Add Call TPMConfig to get TPM information command line task
o Properties tab
Command line: TPMConfig.exe -s -t%temp%\TPMInfo.BeforeUpdate.txt -l%temp%\TPMConfig.log
Package = Browse to HP TPM Config Utility 2.0.2.1 package

o Options tab Success codes = 0 3010

34. Add Call TPMConfigster to get TPM Manufacturer Version Run PowerShell Script task
o Properties tab
Package = Browse to TPM Script 1.0 package
Script name: RunProgram.ps1
Parameters: TPMConfigster.exe /FW_VER
PowerShell execution policy = Bypass

o Options tab Success codes = 0 3010

Page 51: ©Copyright 2017 HP Development Company, L.P. · Web viewAlso, modify the second config file to disable TPM physical presence (PPI) for sp81900’s supported systems as shown in the

35. Add Delete HP_TOOLS partition (if created by this TS) Run PowerShell Script task by clicking Add > General > Run PowerShell Script
o Properties tab

o Options tab Add conditions

root\cimv2
select DeviceID from Win32_LogicalDisk where VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'

Task Sequence Variable CreateHP_TOOLS equals "True"

36. Add Clear TPM on Next Boot Run PowerShell Script task
o Properties tab
Package = Browse to TPM Script package
Script Name = ClearTPM.ps1
PowerShell execution policy = Bypass

Page 53: ©Copyright 2017 HP Development Company, L.P. · Web viewAlso, modify the second config file to disable TPM physical presence (PPI) for sp81900’s supported systems as shown in the

37. Add Restart task
o Properties tab
Under Specify what to run after restart, select The currently installed default operating system option.

Select the Notify the user before restarting option with the message: The computer must restart to upgrade the TPM firmware

38. Add OwnTPM Run PowerShell Script task
o Properties tab
Package = Browse to TPM Script package
Script Name = OwnTPM.ps1
PowerShell execution policy = Bypass

o Options tab Add condition(s): If All conditions are true:

Root\cimv2\security\microsofttpm
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'False'

Task Sequence Variable Win10_1607_or_Later equals "True"

39. Add new group Update TPM Firmware – IFX under Update TPM Firmware group


o Options tab Add condition(s): Any of these are true

40. Add Set IFXTool File Name Set Dynamic Variables task
o Properties tab

Dynamic rules and variables

41. Add sub group Windows 10 (before 1607), Windows 8.1 and 7

o Options tab Add condition


42. Add Get TPM Owner Password from AD command line task. In the example task sequence, this task is disabled. Enabling it also enables the "Delete TPM owner password file if exists" task (step 47).

o Properties tab
Command line: cscript Get-TPMOwnerInfo.vbs
Package = Browse to TPM Script package
Run this step as the following account: provide the account credentials here

Note: Give this account only the rights it needs, that is read access to the TPM owner information stored on the computer objects in Active Directory, rather than Domain Admin membership. The run-as credentials are delivered to every client that executes this step, which is one more reason to keep the account's privileges minimal. The owner password this step writes to c:\pwd.tpm is consumed by the Infineon tool in step 44 and must be deleted afterwards (step 47).


o Options tab Success codes = 0 3010

43. Add Call Infineon tool to get update info command line task

o Properties tab Command line

%IFXTool% /info
Package = Browse to IFX package

o Options tab Success codes = 0 3010


44. Add Call Infineon tool to update TPM firmware command line task

o Properties tab Command line

%IFXTool% /update /logfile:C:\TPMupdate.log /pwdfile:c:\pwd.tpm
Package = Browse to IFX package

o Options tab Success codes = 0 3010

45. Add Call TPMConfigster to get TPM Manufacturer Version Run PowerShell Script task
o Properties tab
Package = Browse to HP TPM Script package
Script name: RunProgram.ps1
Parameters: TPMConfigster.exe /FW_VER
PowerShell execution policy = Bypass


46. Add Clear TPM on Next Boot Run PowerShell Script task
o Properties tab

Package = Browse to TPM Script package Script Name = ClearTPM.ps1 PowerShell execution policy = Bypass

47. Add Delete TPM owner password file if exists command line task. In the example task sequence, this task is disabled by default. It is enabled automatically once you enable the previous task "Get TPM Owner Password from AD" (step 42).

o Properties tab
Command line: Cmd /c del /F c:\pwd.tpm


o Options tab Add conditions


48. Add Restart Computer task
o Properties tab
Under Specify what to run after restart, select The currently installed default operating system option.

49. Add Own TPM Run PowerShell Script task
o Properties tab
Package = Browse to TPM Script 1.0 package
Script name = OwnTPM.ps1
PowerShell execution policy = Bypass

o Options tab Add condition

Root\cimv2\security\microsofttpm
select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'False'


50. Add new group Windows 10 1607 or later under group Update TPM Firmware – IFX

o Options tab Add condition

51. Add Change OS Managed Auth Level command line task
o Properties tab
Command line: reg import SetOSManagedAuthLevel.reg
Package = Browse to Registry Update Package

Windows 10 1607 and later do not retain the full TPM owner authorization by default, which is why no owner password file can be handed to the Infineon tool on these systems. Raising the OS managed authentication level before the TPM is cleared and provisioned again (steps 52 to 55) lets Windows keep the owner authorization, so the update in step 60 runs without /pwdfile; step 63 restores the original setting.

o Options tab Success codes = 0 3010

52. Add Set TPM BIOS Setting command line task
o Properties tab
Command line: BiosConfigUtility.exe /set:"ResetTPM.txt" /cpwdfile:HP123456.bin

Package = Browse to HP BIOS Configuration Utility Package


o Options tab Success codes = 0 3010

53. Add Restart Computer task
o Properties tab

Under Specify what to run after restart section, select The currently installed default operating system option

54. Add Clear TPM on Next Boot Run PowerShell Script task
o Properties tab

Package = Browse to TPM Script package Script name = ClearTPM.ps1 PowerShell execution policy = Bypass


55. Add Restart Computer task
o Properties tab

Under Specify what to run after restart section, select The currently installed default operating system option

56. Add new sub group Update TPM Firmware under group Windows 10 1607 or later, then add the following tasks under this new sub group.

57. Add Set OSDBitLockerStatus set task sequence variable task

o Properties tab Task Sequence Variable = OSDBitLockerStatus Value = Protected

o Options tab Add condition

58. Add Suspend BitLocker command line task
o Properties tab
Command line: %windir%\system32\manage-bde.exe -protectors -disable c:

o Options tab Success codes = 0 3010 Add condition


59. Add Call Infineon tool to get update info command line task

o Properties tab Command line

%IFXTool% /info
Package = Browse to IFX package


o Options tab Success codes = 0 3010

60. Add Call Infineon tool to update TPM firmware command line task

o Properties tab Command line

%IFXTool% /update /logfile:C:\TPMupdate.log
Package = Browse to IFX package


o Options tab Success codes = 0 3010

61. Add Call TPMConfigster to get TPM Manufacturer Version Run PowerShell Script task
o Properties tab
Package = Browse to HP TPM Script 1.0 package
Script name: RunProgram.ps1
Parameters: TPMConfigster.exe /FW_VER
PowerShell execution policy = Bypass


62. Add Restart Computer task
o Properties tab
Under Specify what to run after restart, select The currently installed default operating system option

63. Add Restore OS Managed Auth Level command line task under group Windows 10 1607 or later

o Properties tab Command line

reg import ResetOSManagedAuthLevel.reg
Package = Browse to Registry Update Package

o Options tab Success codes = 0 3010

64. Add Clear TPM on Next Boot Run PowerShell Script task under group Windows 10 1607 or later

o Properties tab Package = Browse to TPM Script package Script name = ClearTPM.ps1 PowerShell execution policy = Bypass


65. Add Restart Computer task under group Windows 10 1607 or later.
o Properties tab
Under Specify what to run after restart, select The currently installed default operating system option

66. Add Resume BitLocker command line task under group Update TPM Firmware
o Properties tab
Command line: %windir%\system32\manage-bde.exe -protectors -enable c:

o Options tab Success codes = 0 3010 Add condition
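The BitLocker handling is spread over steps 19, 20, 27, 32, 58 and 66: record whether C: was protected, suspend protection before each phase of the update, and resume at the end. The functions below are an added example (not HP's code) that packages that handling for Run PowerShell Script steps, with two assumptions: the system volume is C:, and the OSDBitLockerStatus variable from step 19 is the record of whether protection was on when the sequence started. The reason the page suspends again after every restart is worth spelling out: on Windows 8 and later, manage-bde -protectors -disable resumes protection automatically after the next reboot unless -RebootCount 0 is given, so a single suspend would not survive the restarts in this sequence, and once the TPM is cleared or its firmware replaced the key sealed to the old TPM state is unusable and the machine boots to the recovery key prompt.

```powershell
# Added example, not HP's code. Suspend and resume helpers mirroring steps 19,
# 20, 27, 32, 58 and 66; they use the same WMI class and manage-bde commands as
# the page and the same 0/3010 success codes.

function Get-BitLockerProtectionStatus {
    param([string]$DriveLetter = 'C:')
    $vol = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftVolumeEncryption `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter = '$DriveLetter'" -ErrorAction SilentlyContinue
    if (-not $vol) { return 'NotEncryptable' }
    switch ([int]$vol.ProtectionStatus) { 0 { 'Off' } 1 { 'On' } default { 'Unknown' } }
}

function Invoke-ManageBde {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & "$env:windir\system32\manage-bde.exe" @Arguments | Out-Null
    # Same success codes as the page's command line steps
    if ($LASTEXITCODE -notin 0, 3010) { throw "manage-bde $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Suspend-BitLockerForTpmUpdate {
    param([string]$DriveLetter = 'C:')
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    # First pass (step 19): remember that the volume was protected before we touched it
    if ((Get-BitLockerProtectionStatus $DriveLetter) -eq 'On') {
        $tsenv.Value('OSDBitLockerStatus') = 'Protected'
    }
    # Every pass (steps 20, 27, 32, 58): suspend if it was protected at the start
    if ($tsenv.Value('OSDBitLockerStatus') -ne 'Protected') { return 'NotProtected' }
    $args = @('-protectors', '-disable', $DriveLetter)
    # -RebootCount exists from Windows 8 (6.2) onward; on Windows 7 a suspend already persists
    if ([Environment]::OSVersion.Version -ge [version]'6.2') { $args += '-RebootCount', '0' }
    Invoke-ManageBde -Arguments $args
    return 'Suspended'
}

function Resume-BitLockerAfterTpmUpdate {
    param([string]$DriveLetter = 'C:')
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    # Step 66: resume only what this sequence suspended
    if ($tsenv.Value('OSDBitLockerStatus') -ne 'Protected') { return 'NotSuspendedByTS' }
    Invoke-ManageBde -Arguments @('-protectors', '-enable', $DriveLetter)
    $status = Get-BitLockerProtectionStatus $DriveLetter
    if ($status -ne 'On') { throw "BitLocker protection on $DriveLetter did not resume (status: $status)" }
    return $status
}
```

Call Suspend-BitLockerForTpmUpdate from each suspend step and Resume-BitLockerAfterTpmUpdate from the final step; the resume function fails the step if protection does not come back, which surfaces the problem in the task sequence log rather than at the next boot. Before piloting, confirm the recovery password for C: is escrowed (manage-bde -protectors -get c: shows it), since recovery is the fallback if the TPM protector cannot be re-established after the clear.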


The complete task sequence should look like this:


References

https://support.hp.com/us-en/document/c05809624

https://support.hp.com/us-en/document/c05792935

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012