©Copyright 2017 HP Development Company, L.P.



Notice: The information contained in this document, including URL, other web site references, screen shots or step by step instructional guidance are samples provided for informational purposes only. Appropriate modifications may be needed for solutions prior to applying the TPM patch such as, but not limited to, Secure Boot, BitLocker, Virtual Smart Card, 3rd party encryption products, VPN products prior to applying the TPM firmware upgrade (or patch). HP has no direct or indirect visibility or ability to predict all the cases as to how organizations are using the TPM. Customers are solely responsible for ensuring that the TPM firmware upgrade does not adversely impact their own use cases. All information provided in this document is provided on an "as is" basis and nothing herein should be construed as constituting an additional warranty. HP does not warrant or guarantee the guidance contained in this document and customers are strongly urged to do their own testing and customization of these instructions to meet their particular use case. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. HP expressly disclaims any and all liability related to or arising from the use of or reliance upon the instructional guidance contained in this document. Additionally, HP shall not be liable for technical or editorial errors or omissions contained herein.
TPM Firmware Upgrade Task Sequence

Document History

Revision 1.0, 11/08/17, NN: Initial version. Task Sequence for TPM sp81900 and sp82133 (Win 10 only).

Revision 1.1, 11/15/17, NN: Updated document including HP disclaimer.

Revision 2.0, 11/28/17, NN: Updated document. Task sequence for TPM sp81900, sp82133, sp82132 (Win 10 and Win 7) with the following updates:
- Have the right call to clear TPM
- Have the proper .hpsign files for TPMConfigster to detect signed TPMConfig and firmware bin files
- Add scripts to create HP_TOOLS partition
- Re-arrange the flow to be more readable
- Remove all steps relating to auto logon
- Disable virtualization BIOS setting, Trusted Execution Technology (TXT) and Intel Software Guard Extensions (SGX)

Revision 3.0, 01/18/18, NN: Updated Task Sequence for 5 SoftPaqs (sp81900, sp82133, sp82132, sp82147, sp82407):
- Added OS conditions for all SoftPaqs (W7, W8.1, W10)
- Updated OS condition checks in Own TPM steps
- Moved the Win 10 1607 check earlier so both Own TPM steps can reference the check result
- Replaced with TPM Config Utility 2.0.2.1

Revision 4.0, 05/01/18, NN: Updated Task Sequence for SoftPaq sp85540, which supersedes sp81900 and sp82417; new version of TPM Config 2.0.3.1 and TPM firmware bin files version 7.63 and workstation SLB 9660.

Environment and validation information

In this practice, we have tested task sequence version 3.0 on the following client systems via an SCCM server:

SCCM Server
- Running Windows Server 2012 R2
- Configuration Manager Console version 5.0.8239.1403

Client systems
- sp85540: ProBook 440 G4, ProBook 640 G3, ProBook 470 G5, EliteDesk 800 DM G3, ProDesk 400 G2 DM, Desktop Workstation Z240 and Z440
- sp82133: EliteBook 725 G2, ProBook 470 G2, EliteDesk 705 G1 DM
- sp82407: None
- sp82132: Due to hardware limitations, we have not validated any supported system for this SoftPaq
- Running Windows 7 Enterprise, Windows 10 version RS1, RS3, and RS4
- BIOS version: latest
- TPM version 1.2 and 2.0
- BitLocker enabled

Prerequisites
- BIOS Configuration Utility (BCU) tool version 4.0.24.1 (sp81841).
  This SoftPaq is available on the Manageability website.
- The appropriate TPM firmware bin files from this ftp. Also refer to this Security Bulletin for the correct SoftPaq for your system.
- Install the Windows operating system updates first (see the Affected Products table for the specific package KB numbers).

WARNING: Do NOT apply the TPM firmware update prior to applying the Windows operating system mitigation update. Doing so will render your system unable to determine if your system is affected. You will need this information to conduct full remediation. According to the Microsoft post, customers need to install the OS updates prior to doing the TPM firmware update.

Create folders for packages in Task Sequence

Create HP BIOS Configuration Utility folder
1. On the SCCM server, create a folder, name it "HP Client BIOS Configuration Utility", and place all BCU files in it.
2. Run BCU to get a config file. Example: BiosConfigUtility64.exe /get:"config.txt"
3. Open config.txt and modify the TPM setting as shown in the picture below.
4. Save the modified config file as desired. For example: RepsetTPM.txt
5. Also modify the second config file to disable TPM physical presence (PPI) for sp81900's supported systems as shown in the picture below.
6. Save the second modified config file as desired.
   For example: TPMNoPrompts.txt

Create BIOS Password bin file
1. Execute HPQPswd.exe or HPQPwd64.exe.
2. Follow the on-screen instructions to create a password bin file.
3. Save the password bin file in the same directory as BCU.
The HP Client BIOS Configuration Utility folder should contain the following files.

Create folder HP TPM Config Utility and place all necessary files here.

Create folder IFX
- Create a subfolder called sp82132. Place the IFXTPMUpdate application and necessary files here.
- Create a subfolder called sp82133. Place the IFXTPMUpdate application and necessary files here.
- Create a subfolder called sp82407. Place the IFXTPMUpdate application and necessary files here.

Create a folder for Registry Update Package
Have all registry files in this folder.

ResetOSManagedAuthLevel
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000002

SetOSManagedAuthLevel
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000004

Create a folder for TPM Script
Have all necessary files in this folder.

ClearTPM.ps1
#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you.
# In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: ClearTPM.ps1
# Description: Clear, enable, and activate the TPM.
#=====================================================================
$objTPM = Get-WmiObject -Class "Win32_Tpm" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
Write-Host "Clear, enable, and activate the TPM"
# Physical presence operation 14 = clear, enable, and activate. The request is
# carried out at the next boot, which is why the task sequence restarts afterwards.
$objRet = $objTPM.SetPhysicalPresenceRequest(14)
$retCode = $objRet.ReturnValue
If ($retCode -eq 0) {
    Write-Host "Successfully cleared the TPM chip. A reboot is required."
} else {
    Write-Host "Failed to clear TPM ownership. Exiting... Error=$($retCode)" -ForegroundColor Red
    Exit $retCode
}

CreateHP_TOOLS.txt
sel vol c:
shrink desired=500
create part prim
format quick fs=FAT32 label=HP_TOOLS
assign letter T
lis dis
det dis
lis par
det par
exit

DeleteHP_TOOLS.txt
sel vol HP_TOOLS_DRIVE_LETTER
del part override
sel vol c:
extend noerr
exit

Delete-HPToolsPartition.ps1
#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you.
# In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: Delete-HPToolsPartition.ps1
# Description: Delete the HP_TOOLS partition if it exists.
#=====================================================================
$objHP_TOOLSPart = Get-WmiObject -Class "Win32_LogicalDisk" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2" -Filter "VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'"
if ($objHP_TOOLSPart -eq $null) {
    Write-Host "No HP_TOOLS partition"
} else {
    # Get the drive letter of the HP_TOOLS partition (DeviceID looks like "T:").
    $drive = $objHP_TOOLSPart.DeviceID
    Write-Host "HP_TOOLS partition drive letter=$drive"
    # Get the location of the script.
    if (!$PSScriptRoot) {
        $PSScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
    }
    $inputFileName = "DeleteHP_TOOLS.txt"
    $path = Join-Path -Path $PSScriptRoot -ChildPath "$inputFileName"
    $tempPath = "C:\$inputFileName"
    Write-Host "Content of template input file before calling diskpart:"
    Get-Content $path
    # Load DeleteHP_TOOLS.txt and replace the placeholder with the HP_TOOLS partition drive letter.
    $newContent = (Get-Content $path | Out-String) -replace "(.*?)HP_TOOLS_DRIVE_LETTER(.*)", ('$1{0}$2' -f $drive)
    Write-Host "new content"
    Write-Host $newContent
    $newContent | Set-Content $tempPath
    # Show the content of the generated DeleteHP_TOOLS.txt
    Write-Host "Content of input file before calling diskpart:"
    Get-Content $tempPath
    if (Test-Path $tempPath) {
        Write-Host "Running diskpart to remove HP_TOOLS partition"
        Start-Process -FilePath "diskpart" -Wait -Verbose -ArgumentList " /s $tempPath"
        # Clean up the input file
        Write-Host "Remove the input file to diskpart"
        Remove-Item -Path $tempPath
    }
}

ForceError.cmd
Echo Force error 1
exit /b 1

Get-TPMOwnerInfo.vbs
'=================================================================================
'
' This script demonstrates the retrieval of Trusted Platform Module (TPM)
' recovery information from Active Directory for a particular computer.
'
' It returns the TPM owner information stored as an attribute of a
' computer object.
'
' Last Updated: 12/05/2012
' Last Reviewed: 12/05/2012
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you.
' In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
' Version 1.0 - Initial release
' Version 1.1 - Updated GetStrPathToComputer to search the global catalog.
' Version 1.1.2 - Tested and re-released for Windows 8 and Windows Server 2012
'
' HP update - Added script to get the TPM owner password hash from TPM Devices
'           - Output the hash to pwd.tpm file
'
'=================================================================================

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
    Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]"
    Wscript.Echo "If no computer name is specified, the local computer is assumed."
    WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments

Select Case args.Count
    Case 0
        ' Get the name of the local computer
        Set objNetwork = CreateObject("WScript.Network")
        strComputerName = objNetwork.ComputerName
    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strComputerName = args(0)
        End If
    Case Else
        ShowUsage
End Select

' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------
Function GetStrPathToComputer(strComputerName)
    ' Uses the global catalog to find the computer in the forest
    ' Search also includes deleted computers in the tombstone
    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com
    strBase = "<GC://" & namingContext & ">"

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
    strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False

    ' Enumerate all objects found.
    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
        WScript.echo "The computer name '" & strComputerName & "' cannot be found."
        WScript.Quit 1
    End If

    ' Found object matching name
    Do Until objRecordSet.EOF
        dnFound = objRecordSet.Fields("distinguishedName")
        GetStrPathToComputer = "LDAP://" & dnFound
        objRecordSet.MoveNext
    Loop

    ' Clean up.
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing
End Function

' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------
Set objDSO = GetObject("LDAP:")
strPath = GetStrPathToComputer(strComputerName)
WScript.Echo "Accessing object: " + strPath

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80

Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
    ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

' --------------------------------------------------------------------------------
' Get the TPM owner information from the Active Directory computer object
' --------------------------------------------------------------------------------
On Error Resume Next

' If the TPM password hash is stored on the computer object itself, get it.
strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation

' Otherwise the hash lives on the linked object under TPM Devices. When Get fails
' on a missing attribute the variable is never assigned and stays Empty, so test
' for Empty or "" (a string cannot be compared with "Is Nothing").
If IsEmpty(strOwnerInformation) Or strOwnerInformation = "" Then
    ' Get the DN of the linked TPM object
    strOwnerInformation = objComputer.Get("msTPM-TpmInformationForComputer")
    WScript.echo "msTPM-TpmInformationForComputer: " + strOwnerInformation
    If (strOwnerInformation <> "") Then
        ' Get the TPM entry.
        strPath = "LDAP://" & strOwnerInformation
        'WScript.Echo "Accessing object: " + strPath
        Set objTPM = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
            ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
        ' Get the TPM owner password
        strOwnerInformation = objTPM.Get("msTPM-OwnerInformation")
        'WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
    End If
End If

If (strOwnerInformation = "") Then
    WScript.echo "The TPM owner information is not available in AD."
    WScript.Quit 1
End If

' --------------------------------------------------------------------------------
' Generate the TPM password file.
' --------------------------------------------------------------------------------
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Write the owner authorization in the same XML layout Windows uses for a
' TPM owner password backup (vbCrLf is a built-in constant).
outFile = "c:\pwd.tpm"
strContent = "<?xml version=""1.0"" encoding=""UTF-8""?>" & vbCrLf & _
    "<!-- " & vbCrLf & _
    "This page is a backup of Trusted Platform Module (TPM) owner" & vbCrLf & _
    "authorization information. Upon request, use the authorization information to" & vbCrLf & _
    "prove ownership of the computer's TPM." & vbCrLf & vbCrLf & vbCrLf & _
    "IMPORTANT: Please keep this file in a secure location away from your computer's" & vbCrLf & _
    "local hard drive." & vbCrLf & _
    "-->" & vbCrLf & _
    "<tpmOwnerData version=""1.0"" softwareAuthor=""Microsoft Windows [Version 6.1.7601]"" creationDate=""2017-11-15T23:32:48-08:00"" creationUser=""domain\user"" machineName=""machine"">" & vbCrLf & _
    "<tpmInfo manufacturerId=""1229346816""/>" & vbCrLf & _
    "<ownerAuth>" & strOwnerInformation & "</ownerAuth>" & vbCrLf & _
    "</tpmOwnerData>" & vbCrLf

WScript.Echo "Writing " & outFile
Set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write strContent
objFile.Close
WScript.echo outFile & " is ready to use"

OwnTPM.ps1
#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you.
# In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: OwnTPM.ps1
# Description: Take ownership of the TPM with a random
#              GUID as the TPM owner information.
#=====================================================================
$objTPM = Get-WmiObject -Class "Win32_Tpm" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
Write-Host "Verify that the TPM is enabled, activated and ownership allowed."
$isEnabled = $objTPM.IsEnabled().IsEnabled
$isActivated = $objTPM.IsActivated().IsActivated
$ownershipAllowed = $objTPM.IsOwnershipAllowed().IsOwnershipAllowed
If (-not ($isEnabled -eq $true -and $isActivated -eq $true -and $ownershipAllowed -eq $true)) {
    Write-Host "The TPM state (isEnabled=$isEnabled, isActivated=$isActivated, ownershipAllowed=$ownershipAllowed) does not allow ownership." -ForegroundColor Red
    Exit 1
}
Write-Host "TPM is enabled, activated and ownership allowed."

# Create a new GUID and use it as the TPM owner password.
$GUID = [guid]::NewGuid()
$ownerAuth = $objTPM.ConvertToOwnerAuth($GUID).OwnerAuth
$objRet = $objTPM.TakeOwnership($ownerAuth)
$retCode = $objRet.ReturnValue
If ($retCode -eq 0) {
    Write-Host "Successfully took ownership of the TPM."
} else {
    Write-Host "Failed to take ownership of TPM. Exiting... Error=$retCode" -ForegroundColor Red
    Exit $retCode
}

RunProgram.ps1
param(
    [string]$program,
    [string]$inputArgs
)
# The program is expected next to this script inside the TPM Script package.
$program = "$PSScriptRoot\$program"
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = "$program"
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = "$inputArgs"
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
# Drain both redirected streams before waiting; waiting first can deadlock once
# a pipe buffer fills up.
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
$p.WaitForExit()
Write-Host "$stdout"
Write-Host "stderr=$stderr"
Write-Host "Exit code=$($p.ExitCode)"

Create Packages in ConfigMgr

Create package HP Client BIOS Configuration Utility
1. In the Configuration Manager Console, click Software Library.
2. Expand Application Management.
3. Right click Packages and select Create Package.
4. Name the package as desired and enter any additional information on the first page of the wizard. Note: Make sure to select the correct source file location.
5. Click Next.
6. Select the Do not create a program option, and click Next.
7. Click Next on the summary page.
8. There is a notification when the wizard has completed successfully.
9. Click Close.

Create package HP TPM Config
Similar steps to Create package HP Client BIOS Configuration Utility. Follow the 9 steps to complete creating the HP TPM Config package. Ensure to adjust to the correct source folder.

Create package IFX
Similar steps to Create package HP Client BIOS Configuration Utility. Follow the 9 steps to complete creating the IFX package. Ensure to locate the correct source folder.

Create package Registry Update Package
Similar steps to Create package HP Client BIOS Configuration Utility. Follow the 9 steps to complete creating the Registry Update package. Ensure to locate the correct source folder.

Create package TPM Script Package
Similar steps to Create package HP Client BIOS Configuration Utility. Follow the 9 steps to complete creating the TPM Script package.
Ensure to locate the correct source folder.

Distribute the newly created packages
1. Right click each of the newly created packages and select Distribute Content.
2. Click Next at the General screen.
3. At the Content Destination screen, click Add > Distribution Point.
4. Select the appropriate distribution point.
5. There is a notification when the content is distributed successfully.

Prepare ConfigMgr Client
Follow these steps to prepare the client systems and join them to the domain network if you have not done so.
1. Join the client system to the domain.
2. Make sure to add the File and Printer Sharing and Windows Management Instrumentation (WMI) exceptions to Windows Firewall.
3. In the Configuration Manager Console, make sure the client system is discovered and displayed under Devices.
4. Install the Configuration Manager client on the system.
5. Create a device collection containing the target clients for deployment.

Create Task Sequence
1. In the Configuration Manager console, click Software Library.
2. In the Software Library workspace, expand Overview, and then click Operating Systems.
3. Right click Task Sequences, and then select Create Task Sequence.
4. Select Create a new custom task sequence.
5. Enter the task sequence name, description, and boot image as desired, and click Next.
6. At the summary page, click Next.
7. Click Close when the Create Task Sequence Wizard has completed successfully.
8. Your task sequence is created under Software Library > Overview > Operating Systems > Task Sequences.
9. Right click on the newly created task sequence and select Edit. The task sequence is displayed.
10. Add a new group (Add > Group) and name it as desired.
11. Add five variable tasks by clicking Add > General > Set Task Sequence Variable.

Name the first variable task "Is sp85540 needed" and provide the following info:
Properties tab
  Task sequence variable = sp85540
  Value = Needed
Options tab
  Add condition(s): All these conditions are true.
  Root\cimv2
  Select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'
  Note: All products listed in the query below are taken from the support list in sp85540's CVA file.
  Root\cimv2
  select * from Win32_BaseBoard where Product like '%80FC%' or Product like '%82CA%' or Product like '%80FB%' or Product like '%80FA%' or Product like '%82DE%' or Product like '%8084%' or Product like '%8238%' or Product like '%807E%' or Product like '%8236%' or Product like '%807E%' or Product like '%8236%' or Product like '%807C%' or Product like '%8292%' or Product like '%8079%' or Product like '%828C%' or Product like '%8079%' or Product like '%828C%' or Product like '%8170%' or Product like '%8300%' or Product like '%827D%' or Product like '%82EF%' or Product like '%83D0%' or Product like '%815A%' or Product like '%82EB%' or Product like '%828B%' or Product like '%818F%' or Product like '%80FF%' or Product like '%822C%' or Product like '%8377%' or Product like '%8100%' or Product like '%822E%' or Product like '%837B%' or Product like '%8101%' or Product like '%8231%' or Product like '%837D%' or Product like '%80EF%' or Product like '%823C%' or Product like '%8102%' or Product like '%8234%' or Product like '%837F%' or Product like '%80FD%' or Product like '%82AA%' or Product like '%80FE%' or Product like '%823A%' or Product like '%80FD%' or Product like '%82AA%' or Product like '%80FE%' or Product like '%823A%' or Product like '%8334%' or Product like '%828C%' or Product like '%80D5%' or Product like '%8275%' or Product like '%8079%' or Product like '%828C%' or Product like '%80D6%' or Product like '%8270%' or Product like '%80D4%' or Product like '%826B%' or Product like '%83FD%' or Product like '%81C3%' or Product like '%805B%' or Product like '%8266%' or Product like '%8265%' or Product like '%835B%' or Product like '%8053%' or Product like '%829A%' or Product like '%8299%' or Product like '%829B%' or Product like '%829F%' or Product like '%8057%' or Product like '%829C%' or Product like '%829B%' or Product like '%830A%' or Product like '%8055%' or Product like '%806A%' or Product like '%82A5%' or Product like '%8062%' or Product like '%82A2%' or Product like '%8062%' or Product like '%82A1%' or Product like '%805F%' or Product like '%8169%' or Product like '%805D%' or Product like '%829E%' or Product like '%82B4%' or Product like '%8169%' or Product like '%829D%' or Product like '%8063%' or Product like '%82A6%' or Product like '%8063%' or Product like '%805E%' or Product like '%82B5%' or Product like '%8139%' or Product like '%8376%' or Product like '%8115%' or Product like '%82BF%' or Product like '%8183%' or Product like '%802E%' or Product like '%802F%' or Product like '%81C5%' or Product like '%212B%' or Product like '%81C6%' or Product like '%212A%' or Product like '%81C7%' or Product like '%2129%'
  Root\cimv2\security\MicrosoftTPM
  select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and ((SpecVersion like '2.0%' and ManufacturerVersion like '7.%' and ManufacturerVersion < '7.63') or (SpecVersion like '2.0%' and ManufacturerVersion like '5.%' and ManufacturerVersion < '5.62') or (SpecVersion like '1.2%' and ManufacturerVersion like '4.4%' and ManufacturerVersion < '4.43') or (SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43'))

Name the second variable task "Is sp82133 needed" and provide the following info:
Properties tab
  Task sequence variable = sp82133
  Value = Needed
Options tab
  Add condition(s): All these conditions are true.
  Note: All products listed in the query below are taken from the support list in sp82133's CVA file.
  Root\cimv2
  select * from Win32_BaseBoard where Product like '%2255%' or Product like '%22DA%' or Product like '%2270%' or Product like '%2271%' or Product like '%805C%' or Product like '%2216%' or Product like '%8042%' or Product like '%221B%' or Product like '%221D%' or Product like '%2009%' or Product like '%2235%' or Product like '%2236%' or Product like '%2234%' or Product like '%2249%' or Product like '%224A%' or Product like '%2248%' or Product like '%2247%' or Product like '%2246%' or Product like '%225A%' or Product like '%221C%' or Product like '%2253%' or Product like '%8158%' or Product like '%8103%' or Product like '%18E9%' or Product like '%198E%' or Product like '%21F5%' or Product like '%2215%' or Product like '%225F%' or Product like '%225E%' or Product like '%213D%' or Product like '%2187%' or Product like '%2124%' or Product like '%21B4%' or Product like '%8000%' or Product like '%21F6%' or Product like '%18EB%' or Product like '%2171%' or Product like '%805A%' or Product like '%2B60%' or Product like '%8184%' or Product like '%8267%'
  root\cimv2\security\MicrosoftTPM
  select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion < '4.43'
  Root\cimv2
  select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%10%'

Name the third variable task "Is sp82132 needed" and provide the following info:
Properties tab
  Task sequence variable = sp82132
  Value = Needed
Options tab
  Add condition(s): All these conditions are true.
  Note: All products listed in the query below are taken from the support list in sp82132's CVA file.
  root\cimv2
  select * from Win32_BaseBoard where Product like '%8256%' or Product like '%2B5E%'
  root\cimv2\security\MicrosoftTPM
  select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion < '6.43'
  root\cimv2
  select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%10%'

Name the fourth variable task "Is sp82407 needed" and provide the following info:
Properties tab
  Task sequence variable = sp82407
  Value = Needed
Options tab
  Add condition(s): All these conditions are true.
  root\cimv2
  select * from Win32_BaseBoard where Product like '%190A%' or Product like '%2157%' or Product like '%213E%' or Product like '%198F%' or Product like '%1993%' or Product like '%1994%' or Product like '%2101%' or Product like '%2102%' or Product like '%21B3%' or Product like '%1946%' or Product like '%1947%' or Product like '%1944%' or Product like '%1942%' or Product like '%1940%' or Product like '%1991%' or Product like '%1992%' or Product like '%1909%' or Product like '%2175%' or Product like '%2179%' or Product like '%2B2A%' or Product like '%22AD%' or Product like '%18E6%' or Product like '%1998%' or Product like '%8027%' or Product like '%8027%' or Product like '%1825%' or Product like '%21D0%' or Product like '%2B34%' or Product like '%213D%' or Product like '%2187%' or Product like '%2124%' or Product like '%21B4%' or Product like '%18EA%' or Product like '%18E5%' or Product like '%18E7%' or Product like '%18E8%' or Product like '%18E4%' or Product like '%2155%' or Product like '%2145%' or Product like '%8076%' or Product like '%2B4A%'
  root\cimv2\security\MicrosoftTPM
  select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion like '4.3%' and ManufacturerVersion < '4.34'
  root\cimv2
  select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'

Name the fifth variable task "Is sp82147 needed" and provide the following info:
Properties tab
  Task sequence variable = sp82147
  Value = Needed
Options tab
  Add condition(s): All these conditions are true.
  root\cimv2
  select * from Win32_BaseBoard where Product like '%8115%' or Product like '%82BF%' or Product like '%8183%' or Product like '%802E%' or Product like '%802F%' or Product like '%81C5%' or Product like '%212B%' or Product like '%81C6%' or Product like '%212A%' or Product like '%81C7%' or Product like '%2129%'
  root\cimv2\security\MicrosoftTPM
  select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and ((SpecVersion like '2.0%' and ManufacturerVersion < '7.62') or (SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43') or (SpecVersion like '1.2%' and ManufacturerVersion < '4.43'))
  root\cimv2
  select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'

Add a new group by clicking Add > New Group.
Properties tab
  Name the group Update TPM Firmware.
Options tab
  Add the following conditions.

Add the Set OSD BitLocker Status variable task under the Update TPM Firmware group.
Properties tab
  Task Sequence Variable = OSDBitLockerStatus
  Value = Protected
Options tab
  Add condition(s)
  root\cimv2\Security\MicrosoftVolumeEncryption
  select * from win32_encryptablevolume where driveletter = 'c:' and protectionstatus = '1'

Add the Suspend BitLocker command line task by clicking Add > General > Command line.
Properties tab
  Command line: %windir%\system32\manage-bde.exe -protectors -disable c:
Options tab
  Success codes = 0 3010
  Add condition(s)

Add the Is Windows 10 1607 or later variable task.
Properties tab
  Task Sequence Variable = Win10_1607_or_Later
  Value = True
Options tab
  Add condition(s)

Add a sub group named sp85540 under the Update TPM Firmware group.
Options tab
  Add condition(s)

Add the Need to create HP_TOOLS partition? variable task under the sp85540 group.
Properties tab
  Task Sequence Variable = CreateHP_TOOLS
  Value = True
Options tab
  Add condition(s)
  root\cimv2
  Select * from Win32_DiskPartition Where Type = "GPT: System"
  root\cimv2
  select DeviceID from Win32_LogicalDisk where VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'
  root\cimv2
  Select * From Win32_LogicalDisk Where DeviceID = 'C:' and FreeSpace >= 524288000

Add the Create HP_TOOLS partition command line task.
Properties tab
  Command line: diskpart /s CreateHP_TOOLS.txt
  Package = Browse to the TPM Script package
Options tab
  Success codes = 0 3010
  Add condition(s)

Add the Set TPM BIOS Setting command line task.
Properties tab
  Command line: BiosConfigUtility.exe /set:"TPMNoPrompts.txt" /cpwdfile:HP123456.bin
  Package = Browse to the HP Client BIOS Configuration Utility package
Options tab
  Success codes = 0 3010

Add a Restart Computer task.
Properties tab
  Under the Specify what to run after restart section, select The currently installed default operating system option.

Add the Suspend BitLocker command line task.
Properties tab
  Command line: %windir%\system32\manage-bde.exe -protectors -disable c:
Options tab
  Success codes = 0 3010
  Add condition(s)

Add the Call TPMConfig to get initial TPM information command line task.
Properties tab
  Command line: TPMConfig.exe -s -t%temp%\TPMInfo.BeforeUpdate.txt -l%temp%\TPMConfig.log
  Package = Browse to the HP TPM Config Utility 2.0.2.1 package
Options tab
  Success codes = 0 3010

Add the Call TPMConfig to upgrade TPM 1.2 command line task.
Properties tab
  Command line: TPMConfig.exe -s -a1.2 -l%temp%\TPMConfig.log
  Package = Browse to the HP TPM Config Utility package
Options tab
  Success codes = 0 3010
  Add condition
  root\cimv2\Security\MicrosoftTpm
  select * from Win32_TPM where SpecVersion like '1.2%'

Add the Call TPMConfig to upgrade TPM 2.0 command line task.
Properties tab
  Command line: TPMConfig.exe -s -a2.0 -l%temp%\TPMConfig.log
  Package = Browse to the HP TPM Config Utility package
Options tab
  Success codes = 0 3010
  Add condition
  root\cimv2\Security\MicrosoftTpm
  select * from Win32_TPM where SpecVersion like '2.0%'

Add a Restart task.
Properties tab
  Under the Specify what to run after restart section, select The currently installed default operating system option.
  Select the Notify the user before restarting option with the message: The computer must restart to upgrade the TPM firmware

Add the Suspend BitLocker command line task.
Properties tab
  Command line: %windir%\system32\manage-bde.exe -protectors -disable c:
Options tab
  Success codes = 0 3010
  Add condition(s)

Add the Call TPMConfig to get TPM information command line task.
Properties tab
  Command line: TPMConfig.exe -s -t%temp%\TPMInfo.BeforeUpdate.txt -l%temp%\TPMConfig.log
  Package = Browse to the HP TPM Config Utility 2.0.2.1 package
Options tab
  Success codes = 0 3010

Add the Call TPMConfigster to get TPM Manufacturer Version PowerShell script task.
Properties tab
  Package = Browse to the TPM Script 1.0 package
  Script name: RunProgram.ps1
  Parameters: TPMConfigster.exe /FW_VER
  PowerShell execution policy = Bypass
Options tab
  Success codes = 0 3010

Add the Delete HP_TOOLS partition (if created by this TS) PowerShell script task by clicking Add > General > Run PowerShell Script.
Properties tab
Options tab
  Add conditions
  root\cimv2
  select DeviceID from Win32_LogicalDisk where VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'
  Variable CreateHP_TOOLS equals "True"

Add the Clear TPM on Next Boot Run PowerShell script task.
Properties tab
  Package = Browse to the TPM Script package
  Script Name = ClearTPM.ps1
  PowerShell execution policy = Bypass

Add a Restart task.
Properties tab
  Under the Specify what to run after restart section, select The currently installed default operating system option.
  Select the Notify the user before restarting option with the message: The computer must restart to upgrade the TPM firmware

Add the OwnTPM Run PowerShell Script task.
Properties tab
  Package = Browse to the TPM Script package
  Script Name = OwnTPM.ps1
  PowerShell execution policy = Bypass
Options tab
  Add condition(s): If all conditions are true:
  Root\cimv2\security\microsofttpm
  select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True'
and IsOwned_InitialValue = 'False'Variable Win10_1607_or_laterAdd new group Update TPM Firmware – IFX under Update TPM Firmware groupOptions tabAdd condition(s): Any of these are trueAdd Set IFXTool File Name set dynamic variable taskProperties tabDynamic rules and variablesAdd sub group Windows 10 (before 1607), Windows 8.1 and 7Options tabAdd conditionAdd Get TPM Owner Password from AD command line taskIn the example task sequence, this task is disabled. Enabling this task will enable “Delete TPM Owner password file if exits” task Properties tabCommand line cscript Get-TPMOwnerInfo.vbsPackage = Browse to TPM Script packageRun this step as the following accountNeed to provide the domain admin credential hereOptions tabSuccess codes = 0 3010Add Call Infineon tool to get update info command line taskProperties tabCommand line%IFXTool% /infoPackage = Browse to IFX packageOptions tabSuccess codes = 0 3010Add Call Infineon tool to update TPM firmware command line taskProperties tabCommand line%IFXTool% /update /logfile:C:\TPMupdate.log /pwdfile:c:\pwd.tpmPackage = Browse to IFX packageOptions tabSuccess codes = 0 3010Add Call TPMConfigster to get TPM Manufacturer Version run PowerShell Script taskProperties tabPackage = Browse to HP TPM Script packageScript nameRunProgram.ps1ParametersTPMconfigster.exe /FW_VERPowerShell execution policy = Bypass Add Clear TPM on Next BootProperties tabPackage = Browse to TPM Script packageScript Name = ClearTPM.ps1PowerShell execution policy = BypassAdd Delete TPM owner password file if exits command line taskIn the example task sequence, this task is disabled by default. 
It will get enabled automatically once you enable the previous task “Get TPM Owner Password from AD” Properties tabCommand lineCmd /c del /F c:\pwd.tpmOptions tabAdd conditionsAdd Restart Computer taskProperties tabUnder Specify what to run after restart section, select The currently installed default operating system option.Add Own TPM Run PowerShell Script taskProperties tabPackage = Browse to TPM Script 1.0 packageScript name = OwnTPM.ps1PowerShell execution policy = BypassOptions tabAdd conditionRoot\wimv2\security\microsofttpmselect * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'False'Add new group Windows 10 1607 or later under group Update TPM Firmware – IFXOptions tabAdd conditionAdd Change OS Managed Auth Level command line task Properties tabCommand linereg import SetOSManagedAuthLevel.regPackage = Browse to Registry Update PackageOptions tabSuccess codes = 0 3010Add Set TPM BIOS Setting command line taskProperties tabCommand lineBiosConfigUtility.exe /set:"ResetTPM.txt" /cpwdfile:HP123456.binPackage = Browse to HP BIOS Configuration Utility PackageOptions tabSuccess codes = 0 3010Add Restart Computer taskProperties tabUnder Specify what to run after restart section, select The currently installed default operating system optionAdd Clear TPM on Next Boot Run PowerShell Script taskProperties tabPackage = Browse to TPM Script packageScript name = ClearTPM.ps1PowerShell execution policy = BypassAdd Restart Computer taskProperties tabUnder Specify what to run after restart section, select The currently installed default operating system optionAdd new sub group Update TPM Firmware under group Windows 10 1607 or later then add the following tasks under this new sub groupAdd Set OSDBitLockerStatus set task sequence variable taskProperties tabTask Sequence Variable = OSDBitLockerStatusValue = ProtectedOptions tabAdd conditionAdd Suspend BitLocker command line taskProperties tabCommand 
line%windir%\system32\manage-bde.exe -protectors -disable c:Options tabSuccess codes = 0 3010Add conditionAdd Call Infineon tool to get update info command line taskProperties tabCommand line%IFXTool% /infoPackage = Browse to IFX packageOptions tabSuccess codes = 0 3010Add Call Infineon tool to update TPM firmware command line taskProperties tabCommand line%IFXTool% /update /logfile:C:\TPMupdate.logPackage = Browse to IFX packageOptions tabSuccess codes = 0 3010Add Call TPMConfigster to get TPM Manufacturer Version Run PowerShell Script taskProperties tabPackage = Browse to HP TPM Script 1.0 packageScript name RunProgram.ps1Parameters RunProgram.ps1PowerShell execution policy = BypassAdd Restart Computer taskProperties tabUnder Specify what to run after restart section, select The currently installed default operating system optionAdd Restore OS Managed Auth Level command line task under group Windows 10 1607 or laterProperties tabCommand linereg import ResetOSManagedAuthLevel.regPackage = Browse to Registry Update Package Options tabSuccess codes = 0 3010Add Clear TPM on Next Boot Run PowerShell Script task under group Windows 10 1607 or laterProperties tabPackage = Browse to TPM Script packageScript name = ClearTPM.ps1PowerShell execution policy = BypassAdd Restart Computer task under group Windows 10 1607 or later.Properties tabUnder Specify what to run after restart section, select The currently installed default operating system option Add Resume BitLocker command line task under group Update TPM Firmware Properties tabCommand line%windir%\system32\manage-bde.exe -protectors -enable c:Options tabSuccess codes = 0 3010Add conditionThe complete task sequence should be looked like thisContinue…References ................
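Before importing the task sequence, it helps to see on a test client which of the conditions above would actually fire. The PowerShell below is an added pre-flight check, not part of HP's document or its TPM Script package: it evaluates the same WMI queries and reports the value each task sequence variable (sp82407, sp82147, OSDBitLockerStatus, Win10_1607_or_Later, CreateHP_TOOLS) would receive. Board IDs and version thresholds are copied from the conditions above; the build-number test for 1607 and the "no existing HP_TOOLS volume" negation are this example's assumptions, marked in the comments.

```powershell
# Added pre-flight check (not HP's script): evaluates the WMI conditions the task
# sequence uses for its variables on the local client and reports each result. Run elevated.
$tpm   = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$board = (Get-CimInstance -ClassName Win32_BaseBoard).Product
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$spec  = $tpm.SpecVersion
$mver  = $tpm.ManufacturerVersion   # string property; the WQL '<' above compares it as text

# Board ID lists copied from the "Is spXXXX needed" conditions.
$sp82407Boards = '190A','2157','213E','198F','1993','1994','2101','2102','21B3','1946','1947',
                 '1944','1942','1940','1991','1992','1909','2175','2179','2B2A','22AD','18E6','1998',
                 '8027','1825','21D0','2B34','213D','2187','2124','21B4','18EA','18E5','18E7','18E8',
                 '18E4','2155','2145','8076','2B4A'
$sp82147Boards = '8115','82BF','8183','802E','802F','81C5','212B','81C6','212A','81C7','2129'

function Test-Board([string[]]$ids) { @($ids | Where-Object { $board -like "*$_*" }).Count -gt 0 }
# IsActivated / IsEnabled / IsOwned = True, as in the win32_tpm conditions.
$tpmOwned = [bool]$tpm -and $tpm.IsActivated_InitialValue -and $tpm.IsEnabled_InitialValue -and $tpm.IsOwned_InitialValue
$osOk = $os.Caption -like '*Windows*7*' -or $os.Caption -like '*Windows*8.1*' -or $os.Caption -like '*Windows*10*'

# String comparison on purpose: it mirrors "ManufacturerVersion < '4.34'" in WQL, which is lexical,
# so a version such as '4.100' would sort before '4.34' here exactly as it does in the task sequence.
$sp82407 = $tpmOwned -and $osOk -and (Test-Board $sp82407Boards) -and
           $spec -like '1.2*' -and $mver -like '4.3*' -and $mver -lt '4.34'
$sp82147 = $tpmOwned -and $osOk -and (Test-Board $sp82147Boards) -and (
           ($spec -like '2.0*' -and $mver -lt '7.62') -or
           ($spec -like '1.2*' -and $mver -like '6.4*' -and $mver -lt '6.43') -or
           ($spec -like '1.2*' -and $mver -lt '4.43'))

# OSDBitLockerStatus: C: volume with ProtectionStatus = 1 (protection on).
$bl = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -ClassName Win32_EncryptableVolume -ErrorAction SilentlyContinue |
      Where-Object { $_.DriveLetter -eq 'C:' -and $_.ProtectionStatus -eq 1 }

# Assumption: Windows 10 1607 is build 14393; the document's own condition is not shown.
$win10_1607 = $os.Caption -like '*Windows*10*' -and [int]$os.BuildNumber -ge 14393

# CreateHP_TOOLS: GPT system partition present, C: has at least 524288000 bytes free, and
# (assumed) no existing FAT32 HP_TOOLS volume, since the step creates the partition only when missing.
$gptSys  = Get-CimInstance -ClassName Win32_DiskPartition -Filter 'Type = "GPT: System"'
$hpTools = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'"
$cFree   = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID = 'C:'").FreeSpace
$createHpTools = [bool]$gptSys -and -not $hpTools -and $cFree -ge 524288000
$target = if ($spec -like '1.2*') { '-a1.2' } elseif ($spec -like '2.0*') { '-a2.0' } else { 'none' }

[pscustomobject]@{
    sp82407 = $sp82407; sp82147 = $sp82147; OSDBitLockerStatus = [bool]$bl
    Win10_1607_or_Later = $win10_1607; CreateHP_TOOLS = $createHpTools; TPMConfigSwitch = $target
} | Format-List
```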