
©Copyright 2017 HP Development Company, L.P. Notice: The information contained in this document, including URL, other web site references, screen shots or step by step instructional guidance are samples provided for informational purposes only. Appropriate modifications may be needed for solutions prior to applying the TPM patch such as, but not limited to Secure Boot, Bit Locker, Virtual Smart Card, 3rd party encryption products, VPN products prior to applying the TPM firmware upgrade (or patch). HP has no direct or indirect visibility or ability to predict all the cases as to how organizations are using the TPM. Customers are solely responsible for ensuring that the TPM firmware upgrade does not adversely impact their own use cases. All information provided in this document is provided on an “as is” basis and nothing herein should be construed as constituting an additional warranty. HP does not warrant or guarantee the guidance contained in this document and customers are strongly urged to do their own testing and customization of these instructions to meet their particular use case. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. HP expressly disclaims any and all liability related to or arising from the use of or reliance upon the instructional guidance contained in this document. Additionally, HP shall not be liable for technical or editorial errors or omissions contained herein.

TPM Firmware Upgrade Task Sequence

Document History

Revision (Date, Initials): Description

1.0 (11/08/17, NN): Initial version

· Task Sequence for TPM sp81900 and sp82133 (Win 10 only)

1.1 (11/15/17, NN): Updated document including HP disclaimer

2.0 (11/28/17, NN): Updated document

· Task sequence for TPM sp81900, sp82133, sp82132 (Win 10 and Win 7) with the following updates:

· Use the right call to clear the TPM

· Include the proper .hpsign files so TPMConfig can detect the signed TPMConfig and firmware bin files

· Add scripts to create the HP_TOOLS partition

· Re-arrange the flow to be more readable

· Remove all steps relating to auto logon

· Disable the virtualization BIOS setting, Trusted Execution Technology (TXT) and Intel Software Guard Extensions (SGX)

3.0 (01/18/18, NN):

· Updated Task Sequence for 5 SoftPaqs (sp81900, sp82133, sp82132, sp82147, sp82407)

· Added OS conditions for all SoftPaqs: W7, W8.1, W10

· Updated OS condition checks in the Own TPM steps

· Moved the Win 10 1607 check earlier so both Own TPM steps can reference the check result

· Replaced with TPM Config Utility 2.0.2.1

4.0 (05/01/18, NN):

· Updated Task Sequence for SoftPaq sp85540, which supersedes sp81900 and sp82417

· New version of TPM Config 2.0.3.1 and TPM firmware bin files version 7.63 and workstation SLB 9660

Environment and validation information

In this practice, we have tested task sequence version 3.0 on the following client systems via SCCM server:

1. SCCM Server

· Running Windows server OS 2012 R2

· Configuration Manager Console version 5.0.8239.1403

2. Client system

· SP85540 – ProBook 440 G4, ProBook 640 G3, ProBook 470 G5, EliteDesk 800 DM G3, ProDesk 400 G2 DM, Desktop Workstation Z240 and Z440

· SP82133 – EliteBook 725 G2, ProBook 470 G2, EliteDesk 705 G1 DM

· SP82407 – None.

· SP82132 – Due to limited hardware availability, we have not validated any supported system for this SoftPaq

· Running Windows 7 Enterprise, Windows 10 version RS1, RS3, and RS4.

· BIOS version – latest

· TPM version 1.2 and 2.0

· BitLocker enabled

Prerequisites

1. BIOS Configuration Utility (BCU) tool version 4.0.24.1 (sp81841).

This SoftPaq is available on the HP Manageability website: http://www8.hp.com/us/en/ads/clientmanagement/download.html

2. Download the appropriate TPM firmware bin files from this FTP location:

https://ftp.hp.com/pub/caps-softpaq/cmit/example/TPMFWUpgrade/TPMFWReadme.docx

Please also refer to this Security Bulletin for the correct SoftPaq for your system:

https://support.hp.com/us-en/document/c05792935

3. Apply the Windows operating system updates (see the Affected Products table for the specific package KB numbers) first.

WARNING: Do NOT apply the TPM firmware update prior to applying the Windows operating system mitigation update. Doing so will render your system unable to determine whether it is affected. You will need this information to conduct full remediation.

According to the Microsoft advisory https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012, customers need to install the OS updates before performing the TPM firmware update.

Create folders for packages in Task Sequence

1. Create HP BIOS Configuration Utility folder

· On the SCCM server, create a folder named “HP Client BIOS Configuration Utility” and place all BCU files in it

· Run BCU to get a config file

Ex: BiosConfigUtility64.exe /get:"config.txt"

· Open config.txt and modify the TPM setting as shown in the picture below

· Save the modified config file as desired.

For example: RepsetTPM.txt

· Also, modify a second copy of the config file to disable the TPM physical presence interface (PPI) prompts for sp81900’s supported systems, as shown in the picture below

· Save the second modified config file as desired.

For example: TPMNoPrompts.txt

· Create the BIOS password bin file

· Execute HPQPswd.exe or HPQPswd64.exe

· Follow the on-screen instructions to create a password bin file

· Save the password bin file in the same directory as BCU

The HP Client BIOS Configuration Utility folder should contain the following files

2. Create folder HP TPM Config Utility and place all necessary files here.

3. Create folder IFX

· Create subfolder called sp82132

· Place IFXTPMUpdate application and necessary files here

· Create subfolder called sp82133

· Place IFXTPMUpdate application and necessary files here

· Create subfolder called sp82407

· Place IFXTPMUpdate application and necessary files here

4. Create a folder for Registry Update Package

· Have all registry files in this folder

· ResetOSManagedAuthLevel (.reg file; value 2 = Delegated owner authorization)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000002

· SetOSManagedAuthLevel (.reg file; value 4 = Full owner authorization, so Windows retains the complete TPM owner auth)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM]
"OSManagedAuthLevel"=dword:00000004

5. Create a folder for TPM Script

· Have all necessary files in this folder

· ClearTPM.ps1

#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you. In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: ClearTPM.ps1
# Description: Clear, enable, and activate the TPM.
#=====================================================================
$objTPM = Get-WmiObject -Class "Win32_Tpm" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
if ($null -eq $objTPM) {
    Write-Host "No TPM device found. Exiting..." -ForegroundColor Red
    Exit 1
}

Write-Host "Clear, enable, and activate the TPM"
# Physical presence operation 14 = Enable + Activate + Clear. The request is queued for the
# BIOS and is carried out at the next reboot; the BIOS may prompt the user to confirm unless
# PPI prompts were disabled with the TPMNoPrompts BCU config.
$objRet = $objTPM.SetPhysicalPresenceRequest(14)
$retCode = $objRet.ReturnValue
If ($retCode -eq 0) {
    Write-Host "Successfully cleared the TPM chip. A reboot is required."
} else {
    Write-Host "Failed to clear TPM ownership. Exiting... Error=$($retCode)" -ForegroundColor Red
    Exit $retCode
}

· CreateHP_TOOLS.txt

rem Shrink C: by 500 MB and create a FAT32 HP_TOOLS partition on the freed space
sel vol c:
shrink desired=500
create part prim
format quick fs=FAT32 label=HP_TOOLS
assign letter T
lis dis
det dis
lis par
det par
exit

· DeleteHP_TOOLS.txt

rem HP_TOOLS_DRIVE_LETTER is replaced with the real drive letter by Delete-HPToolsPartition.ps1
sel vol HP_TOOLS_DRIVE_LETTER
del part override
sel vol c:
extend noerr
exit

· Delete-HPToolsPartition.ps1

#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you. In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: Delete-HPToolsPartition.ps1
# Description: Delete HP_TOOLS partition if it exists.
#=====================================================================
$objHP_TOOLSPart = Get-WmiObject -Class "Win32_LogicalDisk" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2" -Filter "VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'"

if ($null -eq $objHP_TOOLSPart)
{
    Write-Host "No HP_TOOLS partition"
}
else
{
    # Get the drive letter of the HP_TOOLS partition (first match if more than one volume carries the label).
    $drive = @($objHP_TOOLSPart)[0].DeviceID
    Write-Host "HP_TOOLS partition drive letter=$drive"

    # Get the location of the script.
    if (!$PSScriptRoot)
    {
        $PSScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
    }
    $inputFileName = "DeleteHP_TOOLS.txt"
    $path = Join-Path -Path $PSScriptRoot -ChildPath $inputFileName
    $tempPath = "C:\$inputFileName"

    Write-Host "Content of template input file before calling diskpart:"
    Get-Content $path

    # Load DeleteHP_TOOLS.txt and replace the placeholder with the HP_TOOLS partition drive letter.
    # The replacement is built with ${1} so the drive letter cannot be read as part of the group number.
    $replacement = '${1}' + $drive + '$2'
    $newContent = (Get-Content $path | Out-String) -replace "(.*?)HP_TOOLS_DRIVE_LETTER(.*)", $replacement
    Write-Host "new content"
    Write-Host $newContent
    $newContent | Set-Content $tempPath

    # Show the content of the generated DeleteHP_TOOLS.txt
    Write-Host "Content of input file before calling diskpart:"
    Get-Content $tempPath

    if (Test-Path $tempPath)
    {
        Write-Host "Running diskpart to remove HP_TOOLS partition"
        Start-Process -FilePath "diskpart" -Wait -Verbose -ArgumentList " /s $tempPath"

        # Clean up the input file
        Write-Host "Remove the input file to diskpart"
        Remove-Item -Path $tempPath
    }
}

· ForceError.cmd

Echo Force error 1
exit /b 1

· Get-TPMOwnerInfo.vbs

'=================================================================================
'
' This script demonstrates the retrieval of Trusted Platform Module (TPM)
' recovery information from Active Directory for a particular computer.
'
' It returns the TPM owner information stored as an attribute of a
' computer object.
'
' Last Updated: 12/05/2012
' Last Reviewed: 12/05/2012
'
' Microsoft Corporation
'
' Disclaimer
'
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
'
' Version 1.0 - Initial release
' Version 1.1 - Updated GetStrPathToComputer to search the global catalog.
' Version 1.1.2 - Tested and re-released for Windows 8 and Windows Server 2012
'
' HP update - Added script to get the TPM owner password hash from TPM Devices
'           - Output the hash to pwd.tpm file
'
'=================================================================================

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
    Wscript.Echo "USAGE: Get-TpmOwnerInfo [Optional Computer Name]"
    Wscript.Echo "If no computer name is specified, the local computer is assumed."
    WScript.Quit
End Sub

' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments

Select Case args.Count
    Case 0
        ' Get the name of the local computer
        Set objNetwork = CreateObject("WScript.Network")
        strComputerName = objNetwork.ComputerName
    Case 1
        If args(0) = "/?" Or args(0) = "-?" Then
            ShowUsage
        Else
            strComputerName = args(0)
        End If
    Case Else
        ShowUsage
End Select

' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------
Function GetStrPathToComputer(strComputerName)
    ' Uses the global catalog to find the computer in the forest
    ' Search also includes deleted computers in the tombstone
    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

    ' Search base in ADO LDAP-dialect form: the forest global catalog
    strBase = "<GC://" & namingContext & ">"

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
    strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"

    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False

    ' Enumerate all objects found.
    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
        WScript.Echo "The computer name '" & strComputerName & "' cannot be found."
        WScript.Quit 1
    End If

    ' Found object matching name
    Do Until objRecordSet.EOF
        dnFound = objRecordSet.Fields("distinguishedName")
        GetStrPathToComputer = "LDAP://" & dnFound
        objRecordSet.MoveNext
    Loop

    ' Clean up.
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing
End Function

' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------
Set objDSO = GetObject("LDAP:")
strPath = GetStrPathToComputer(strComputerName)

WScript.Echo "Accessing object: " & strPath

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64  '0x40
Const ADS_USE_SIGNING = 128 '0x80

Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
    ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)

' --------------------------------------------------------------------------------
' Get the TPM owner information from the Active Directory computer object
' --------------------------------------------------------------------------------
On Error Resume Next

' If the TPM password hash is stored on the computer object itself, get it.
strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
WScript.Echo "msTPM-OwnerInformation: " & strOwnerInformation

' Otherwise the hash is on the linked object under TPM Devices. A failed Get leaves
' strOwnerInformation Empty (On Error Resume Next is active), so test for Empty or ""
' rather than "Is Nothing", which only applies to object references.
If IsEmpty(strOwnerInformation) Or strOwnerInformation = "" Then
    Err.Clear
    ' Get the CN of the TPM information object
    strOwnerInformation = objComputer.Get("msTPM-TpmInformationForComputer")
    WScript.Echo "msTPM-TpmInformationForComputer: " & strOwnerInformation

    If strOwnerInformation <> "" Then
        ' Get the TPM entry.
        strPath = "LDAP://" & strOwnerInformation
        'WScript.Echo "Accessing object: " & strPath
        Set objTPM = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
            ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
        ' Get the TPM owner password
        strOwnerInformation = objTPM.Get("msTPM-OwnerInformation")
        'WScript.Echo "msTPM-OwnerInformation: " & strOwnerInformation
    End If
End If

If IsEmpty(strOwnerInformation) Or strOwnerInformation = "" Then
    WScript.Echo "The TPM owner information is not available in AD."
    WScript.Quit 1
End If

' --------------------------------------------------------------------------------
' Generate the TPM password file.
' --------------------------------------------------------------------------------
Set objFSO = CreateObject("Scripting.FileSystemObject")

' How to write file. pwd.tpm holds the TPM owner authorization, so the task sequence
' should remove it once the TPM tooling has consumed it.
outFile = "c:\pwd.tpm"

' NOTE: the XML element names inside the empty strings below are missing from this copy of the script.
strContent = "<?xml version=""1.0"" encoding=""UTF-8""?>" & vbCrLf & _
    "" & vbCrLf & _
    "" & vbCrLf & _
    "" & vbCrLf & _
    "" & strOwnerInformation & "" & vbCrLf & _
    "" & vbCrLf

WScript.Echo "Writing " & outFile
Set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write strContent
objFile.Close

WScript.Echo outFile & " is ready to use"

· OwnTPM.ps1

#--------------------------------------------------------------------------------
# DISCLAIMER:
# © 2017 HP Development Company. All rights reserved.
# The sample script here is not supported under any HP standard support program or service.
# The sample script is provided AS IS without warranty of any kind.
# HP disclaims all implied warranties including, without limitation,
# any implied warranties of merchantability or of fitness for a particular purpose.
# The entire risk arising out of the use or performance of the sample script
# and documentation remains with you. In no event shall HP, its authors,
# or anyone else involved in the creation, production, or delivery of the script
# be liable for any damages whatsoever (including, without limitation, damages for
# loss of business profits, business interruption, loss of business information,
# or other pecuniary loss) arising out of the use of or inability to use the sample
# script or documentation, even if HP has been advised of the possibility of such damages.
#=====================================================================
# Filename: OwnTPM.ps1
# Description: Take ownership of the TPM with a random
# GUID as the TPM owner information.
#=====================================================================
$objTPM = Get-WmiObject -Class "Win32_Tpm" -ComputerName $env:COMPUTERNAME -Namespace "ROOT\CIMV2\Security\MicrosoftTpm"
if ($null -eq $objTPM) {
    Write-Host "No TPM device found. Exiting..." -ForegroundColor Red
    Exit 1
}

Write-Host "Verify that the TPM is enabled, activated and ownership allowed."
$isEnabled = $objTPM.IsEnabled().IsEnabled
$isActivated = $objTPM.IsActivated().IsActivated
$ownershipAllowed = $objTPM.IsOwnershipAllowed().IsOwnershipAllowed
If (-not ($isEnabled -eq $true -and $isActivated -eq $true -and $ownershipAllowed -eq $true)) {
    Write-Host "The TPM state (isEnabled=$isEnabled, isActivated=$isActivated, ownershipAllowed=$ownershipAllowed) does not allow ownership." -ForegroundColor Red
    Exit 1
}
Write-Host "TPM is enabled, activated and ownership allowed."

# Create a new GUID and use it as the TPM owner password. The script does not save the GUID:
# Windows retains the owner authorization according to OSManagedAuthLevel, and with AD backup
# configured Get-TPMOwnerInfo.vbs later retrieves the stored owner information from AD.
$GUID = [guid]::NewGuid()
$ownerAuth = $objTPM.ConvertToOwnerAuth($GUID.ToString()).OwnerAuth
$objRet = $objTPM.TakeOwnership($ownerAuth)
$retCode = $objRet.ReturnValue
If ($retCode -eq 0) {
    Write-Host "Successfully took ownership of the TPM."
} else {
    Write-Host "Failed to take ownership of TPM. Exiting... Error=$retCode" -ForegroundColor Red
    Exit $retCode
}

· RunProgram.ps1

param(
    [Parameter(Mandatory=$true)][string]$program,
    [string]$inputArgs
)

# Resolve the program relative to the package folder this script was copied to.
if (!$PSScriptRoot) {
    $PSScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
}
$program = Join-Path -Path $PSScriptRoot -ChildPath $program

$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = $program
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = $inputArgs

$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
# Drain the redirected pipes before waiting; a child that writes a lot of output would
# otherwise block on a full pipe while this script blocks in WaitForExit().
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
$p.WaitForExit()

Write-Host $stdout
Write-Host "stderr=$stderr"
Write-Host "Exit code=$($p.ExitCode)"
# Propagate the child's exit code so the task sequence step fails when the program does.
Exit $p.ExitCode

Create Packages in ConfigMgr

Create package HP Client BIOS Configuration Utility

1. In the Configuration Manager Console, click Software Library

2. Expand Application Management

3. Right click Packages and select Create Package

4. Name the package as desired and enter any additional information on the first page of the wizard.

Note: Make sure to select the correct source file location

5. Click Next

6. Select Do not create a program option, and click Next

7. Click Next on the summary page

8. A notification is shown when the wizard completes successfully.

9. Click Close.

Create package HP TPM Config

1. Follow the same 9 steps used for the HP BIOS Configuration Utility package to create the HP TPM Config package, making sure to select the correct source folder.

Create package IFX

1. Follow the same 9 steps used for the HP BIOS Configuration Utility package to create the IFX package, making sure to select the correct source folder.

Create package Registry Update Package

1. Follow the same 9 steps used for the HP BIOS Configuration Utility package to create the Registry Update package, making sure to select the correct source folder.

Create package TPM Script Package

1. Follow the same 9 steps used for the HP BIOS Configuration Utility package to create the TPM Script package, making sure to select the correct source folder.

Distribute the newly created packages

1. Right click each of the newly created packages and select Distribute Content

2. Click Next at the general screen

3. At the Content Destination screen, click Add > Distribution Point

4. Select the appropriate distribution point

5. A notification is shown when the content has been distributed successfully.

Prepare ConfigMgr Client

Follow these steps to prepare the client systems and join them to the domain if you have not already done so.

1. Join the client system to the domain

2. Make sure to add File and Printer Sharing and Windows Management Instrumentation (WMI) exceptions to Windows Firewall

3. In the Configuration Manager Console, make sure the client system is discovered and displayed under Devices.

4. Install the Configuration Manager client on the system.

5. Create a device collection containing the target clients for deployment.

Create Task Sequence

1. In the Configuration Manager console, click Software Library.

2. In the Software Library workspace, expand Overview, and then click Operating Systems.

3. Right click Task Sequences, and then select Create Task Sequence.

4. Select Create a new custom task sequence.

5. Enter the task sequence name, description, boot image as desired, and click Next

6. At the summary page, click Next.

7. Click Close when the Create Task Sequence Wizard has completed successfully.

8. Your task sequence is created under Software Library > Overview > Operating Systems > Task Sequences.

9. Right click on the newly created task sequence and select Edit

10. Task sequence is displayed.

11. Add a new group (Add > Group) and name it as desired.

12. Add five variable tasks by clicking Add > General > Set Task Sequence Variable

13. Name the first variable task Is sp85540 needed and provide the information as follows

· Properties tab

· Task sequence variable = sp85540

· Value = Needed

· Options tab

· Add condition(s)

All these conditions are true.

Root\cimv2

Select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'

Note: The products listed in the query below were taken from the support list in sp85540’s CVA file.

Root\cimv2

select * from Win32_BaseBoard

where Product like '%80FC%' or Product like '%82CA%' or Product like '%80FB%' or Product like '%80FA%' or Product like '%82DE%' or Product like '%8084%' or Product like '%8238%' or Product like '%807E%' or Product like '%8236%' or Product like '%807E%' or Product like '%8236%' or Product like '%807C%' or Product like '%8292%' or Product like '%8079%' or Product like '%828C%' or Product like '%8079%' or Product like '%828C%' or Product like '%8170%' or Product like '%8300%' or Product like '%827D%' or Product like '%82EF%' or Product like '%83D0%' or Product like '%815A%' or Product like '%82EB%' or Product like '%828B%' or Product like '%818F%' or Product like '%80FF%' or Product like '%822C%' or Product like '%8377%' or Product like '%8100%' or Product like '%822E%' or Product like '%837B%' or Product like '%8101%' or Product like '%8231%' or Product like '%837D%' or Product like '%80EF%' or Product like '%823C%' or Product like '%8102%' or Product like '%8234%' or Product like '%837F%' or Product like '%80FD%' or Product like '%82AA%' or Product like '%80FE%' or Product like '%823A%' or Product like '%80FD%' or Product like '%82AA%' or Product like '%80FE%' or Product like '%823A%' or Product like '%8334%' or Product like '%828C%' or Product like '%80D5%' or Product like '%8275%' or Product like '%8079%' or Product like '%828C%' or Product like '%80D6%' or Product like '%8270%' or Product like '%80D4%' or Product like '%826B%' or Product like '%83FD%' or Product like '%81C3%' or Product like '%805B%' or Product like '%8266%' or Product like '%8265%' or Product like '%835B%' or Product like '%8053%' or Product like '%829A%' or Product like '%8299%' or Product like '%829B%' or Product like '%829F%' or Product like '%8057%' or Product like '%829C%' or Product like '%829B%' or Product like '%830A%' or Product like '%8055%' or Product like '%806A%' or Product like '%82A5%' or Product like '%8062%' or Product like '%82A2%' or Product like '%8062%' or Product like 
'%82A1%' or Product like '%805F%' or Product like '%8169%' or Product like '%805D%' or Product like '%829E%' or Product like '%82B4%' or Product like '%8169%' or Product like '%829D%' or Product like '%8063%' or Product like '%82A6%' or Product like '%8063%' or Product like '%805E%' or Product like '%82B5%' or Product like '%8139%' or Product like '%8376%' or Product like '%8115%' or Product like '%82BF%' or Product like '%8183%' or Product like '%802E%' or Product like '%802F%' or Product like '%81C5%' or Product like '%212B%' or Product like '%81C6%' or Product like '%212A%' or Product like '%81C7%' or Product like '%2129%'

Root\cimv2\security\MicrosoftTPM

select * from win32_tpm where

IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True'

and (

(SpecVersion like '2.0%' and ManufacturerVersion like '7.%' and ManufacturerVersion < '7.63') or

(SpecVersion like '2.0%' and ManufacturerVersion like '5.%' and ManufacturerVersion < '5.62') or

(SpecVersion like '1.2%' and ManufacturerVersion like '4.4%' and ManufacturerVersion < '4.43') or

(SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43')

)

14. Name the second variable task Is sp82133 needed and provide the information as follows

· Properties tab

· Task sequence variable = sp82133

· Value = Needed

· Options tab

· Add condition(s)

All these conditions are true

Note: The products listed in the query below were taken from the support list in sp82133’s CVA file.

Root\cimv2

select * from Win32_BaseBoard 

where 

Product like '%2255%' or Product like '%22DA%' or Product like '%2270%' or Product like '%2271%' or Product like '%805C%' or Product like '%2216%' or Product like '%8042%' or Product like '%221B%' or Product like '%221D%' or Product like '%2009%' or Product like '%2235%' or Product like '%2236%' or Product like '%2234%' or Product like '%2249%' or Product like '%224A%' or Product like '%2248%' or Product like '%2247%' or Product like '%2246%' or Product like '%225A%' or Product like '%221C%' or Product like '%2253%' or Product like '%8158%' or Product like '%8103%' or Product like '%18E9%' or Product like '%198E%' or Product like '%21F5%' or Product like '%2215%' or Product like '%225F%' or Product like '%225E%' or Product like '%213D%' or Product like '%2187%' or Product like '%2124%' or Product like '%21B4%' or Product like '%8000%' or Product like '%21F6%' or Product like '%18EB%' or Product like '%2171%' or Product like '%805A%' or Product like '%2B60%' or Product like '%8184%' or Product like '%8267%'

root\cimv2\security\MicrosoftTPM

select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion < '4.43'

Root\cimv2

select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%10%'

15. Name the third variable task Is sp82132 needed and provide the information as follows

· Properties tab

· Task sequence variable = sp82132

· Value = Needed

· Options tab

· Add condition(s)

All these conditions are true

Note: The products listed in the query below were taken from the support list in sp82132’s CVA file.

root\cimv2

select * from Win32_BaseBoard

where Product like '%8256%' or Product like '%2B5E%'

root\cimv2\security\MicrosoftTPM

select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion < '6.43'

root\cimv2

select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%10%'

16. Name the third variable task as Is sp82407 needed and provide info as follows

· Properties tab

· Task sequence variable = sp82407

· Value = Needed

· Options tab

· Add condition(s)

All these conditions are true

root\cimv2

select * from Win32_BaseBoard

where Product like '%190A%' or Product like '%2157%' or Product like '%213E%'

or Product like '%198F%' or Product like '%1993%' or Product like '%1994%' or Product like '%2101%'

or Product like '%2102%' or Product like '%21B3%' or Product like '%1946%' or Product like '%1947%'

or Product like '%1944%' or Product like '%1942%' or Product like '%1940%' or Product like '%1991%'

or Product like '%1992%' or Product like '%1909%' or Product like '%2175%' or Product like '%2179%'

or Product like '%2B2A%' or Product like '%22AD%' or Product like '%18E6%' or Product like '%1998%'

or Product like '%8027%' or Product like '%8027%' or Product like '%1825%' or Product like '%21D0%'

or Product like '%2B34%' or Product like '%213D%' or Product like '%2187%' or Product like '%2124%' or Product like '%21B4%' or Product like '%18EA%' or Product like '%18E5%' or Product like '%18E7%' or Product like '%18E8%' or Product like '%18E4%' or Product like '%2155%' or Product like '%2145%'

or Product like '%8076%' or Product like '%2B4A%'

root\cimv2\security\MicrosoftTPM

select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and SpecVersion like '1.2%' and ManufacturerVersion like '4.3%' and ManufacturerVersion < '4.34'

root\cimv2

select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'

17. Name the third variable task as Is sp82147 needed and provide info as follows

· Properties tab

· Task sequence variable = sp82147

· Value = Needed

· Options tab

· Add condition(s)

All these conditions are true

root\cimv2

select * from Win32_BaseBoard

where Product like '%8115%' or Product like '%82BF%' or Product like '%8183%' or Product like '%802E%' or Product like '%802F%' or Product like '%81C5%' or Product like '%212B%' or Product like '%81C6%' or Product like '%212A%' or Product like '%81C7%' or Product like '%2129%'

root\cimv2\security\MicrosoftTPM

select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'True' and ((SpecVersion like '2.0%' and ManufacturerVersion < '7.62' ) or (SpecVersion like '1.2%' and ManufacturerVersion like '6.4%' and ManufacturerVersion < '6.43') or (SpecVersion like '1.2%' and ManufacturerVersion < '4.43'))

root\cimv2

select Caption from Win32_OperatingSystem where Caption like '%Windows%7%' or Caption like '%Windows%8.1%' or Caption like '%Windows%10%'
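The three "Is spNNNNN needed" tasks above are nothing more than WMI queries joined by "all of these conditions are true", so they can be evaluated on a single machine before the task sequence is built. The following PowerShell is an added example, not a script from the HP document or from the sp packages: it reads the same Win32_BaseBoard, Win32_Tpm and Win32_OperatingSystem classes the steps query, applies the board lists, firmware thresholds and OS captions listed in steps 15 to 17, and returns the name of the SoftPaq that applies (the board list at the top of this section belongs to a step whose SoftPaq name is not in this excerpt, so it is omitted). The function name and its parameters are assumptions of this example. One point the WQL hides: ManufacturerVersion is a string, so the `<` in the conditions is a lexical comparison; the example parses it as a [version], which agrees with the two-digit-minor thresholds on the page but also orders a hypothetical '10.x' above '4.43'.

```powershell
# Added example (not HP's code): dry-run the step 15-17 conditions.
function Get-HpTpmSoftPaqNeeded {
    [CmdletBinding()]
    param(
        # Supply these to test the logic offline; omit them to read the live machine.
        [string]$BoardProduct,
        [string]$SpecVersion,
        [string]$ManufacturerVersion,
        [bool]$Activated = $true,
        [bool]$Enabled   = $true,
        [bool]$Owned     = $true,
        [string]$OsCaption
    )

    if (-not $BoardProduct) {
        $BoardProduct = (Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_BaseBoard).Product
    }
    if (-not $SpecVersion) {
        # Win32_Tpm lives in root\cimv2\Security\MicrosoftTpm; queried in plain
        # root\cimv2 it returns nothing and a task-sequence condition is silently false.
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
        if (-not $tpm) { throw 'Win32_Tpm reports no TPM on this machine' }
        $SpecVersion         = $tpm.SpecVersion
        $ManufacturerVersion = $tpm.ManufacturerVersion
        $Activated = [bool]$tpm.IsActivated_InitialValue
        $Enabled   = [bool]$tpm.IsEnabled_InitialValue
        $Owned     = [bool]$tpm.IsOwned_InitialValue
    }
    if (-not $OsCaption) {
        $OsCaption = (Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_OperatingSystem).Caption
    }

    # Every condition in steps 15-17 requires an activated, enabled and owned TPM.
    if (-not ($Activated -and $Enabled -and $Owned)) { return $null }

    # ManufacturerVersion is a string; parse it so major/minor compare numerically.
    $fw = $null
    if (-not [version]::TryParse($ManufacturerVersion, [ref]$fw)) {
        Write-Warning "Cannot parse ManufacturerVersion '$ManufacturerVersion'"
        return $null
    }
    $tpm12 = $SpecVersion -like '1.2*'
    $tpm20 = $SpecVersion -like '2.0*'

    # Board IDs copied from steps 15-17; WQL "like '%id%'" is a substring match.
    $boards = @{
        sp82132 = '8256','2B5E'
        sp82407 = '190A','2157','213E','198F','1993','1994','2101','2102','21B3','1946','1947',
                  '1944','1942','1940','1991','1992','1909','2175','2179','2B2A','22AD','18E6',
                  '1998','8027','1825','21D0','2B34','213D','2187','2124','21B4','18EA','18E5',
                  '18E7','18E8','18E4','2155','2145','8076','2B4A'
        sp82147 = '8115','82BF','8183','802E','802F','81C5','212B','81C6','212A','81C7','2129'
    }
    # Firmware rules per SoftPaq, exactly as the Win32_Tpm conditions state them.
    $firmware = @{
        sp82132 = { $tpm12 -and $fw -lt [version]'6.43' }
        sp82407 = { $tpm12 -and $ManufacturerVersion -like '4.3*' -and $fw -lt [version]'4.34' }
        sp82147 = { ($tpm20 -and $fw -lt [version]'7.62') -or
                    ($tpm12 -and $ManufacturerVersion -like '6.4*' -and $fw -lt [version]'6.43') -or
                    ($tpm12 -and $fw -lt [version]'4.43') }
    }
    # Supported OS captions per SoftPaq; note step 15 does not list Windows 8.1.
    $os = @{
        sp82132 = '*Windows*7*','*Windows*10*'
        sp82407 = '*Windows*7*','*Windows*8.1*','*Windows*10*'
        sp82147 = '*Windows*7*','*Windows*8.1*','*Windows*10*'
    }

    foreach ($sp in 'sp82132','sp82407','sp82147') {
        $boardOk = @($boards[$sp] | Where-Object { $BoardProduct -like "*$($_)*" }).Count -gt 0
        $osOk    = @($os[$sp]     | Where-Object { $OsCaption -like $_ }).Count -gt 0
        $rule    = $firmware[$sp]
        if ($boardOk -and $osOk -and (& $rule)) { return $sp }
    }
    return $null
}

# Dry-run with constructed values (not real inventory data):
# board 8256, TPM 1.2 at firmware 6.41, Windows 10 -> falls under step 15's rule
Get-HpTpmSoftPaqNeeded -BoardProduct '8256' -SpecVersion '1.2, 2, 3' `
    -ManufacturerVersion '6.41' -OsCaption 'Microsoft Windows 10 Enterprise'
# board 2129, TPM 2.0 already at 7.62 -> no SoftPaq applies
Get-HpTpmSoftPaqNeeded -BoardProduct '2129' -SpecVersion '2.0, 0, 1.16' `
    -ManufacturerVersion '7.62' -OsCaption 'Microsoft Windows 10 Enterprise'
```

Run it without parameters on a pilot machine to confirm the machine lands in the SoftPaq you expect before the conditions are typed into the task sequence editor; a mismatch usually points at the namespace or at a board ID missing from the list.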

18. Add new group by clicking Add > New Group

· Properties tab - Name group as Update TPM Firmware

· Options tab – Add the following conditions

19. Add Set OSD BitLocker Status variable task under Update TPM Firmware group

· Properties tab

· Task Sequence Variable = OSDBitLockerStatus

· Value=Protected

· Options tab

· Add condition(s)

root\cimv2\Security\MicrosoftVolumeEncryption

select * from win32_encryptablevolume where driveletter = 'c:' and protectionstatus = '1'

20. Add Suspend BitLocker command line task by clicking Add > General > Command line

· Properties tab

· Command line: %windir%\system32\manage-bde.exe -protectors -disable c:

· Options tab

· Success codes = 0 3010

· Add condition(s)

21. Add Is Windows 10 1607 or later variable task

· Properties tab

· Task Sequence Variable = Win10_1607_or_Later

· Value = True

· Options tab

· Add condition(s)

22. Add sub group named sp85540 under Update TPM Firmware group

· Options tab

· Add condition(s)

23. Add Need to create HP_TOOLS partition? variable task under sp85540 group

· Properties tab

· Task Sequence Variable = CreateHP_TOOLS

· Value = True

· Options tab

· Add condition(s)

· root\cimv2

Select * from Win32_DiskPartition Where Type = "GPT: System"

· root\cimv2

select DeviceID from Win32_LogicalDisk where VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'

· root\cimv2

Select * From Win32_LogicalDisk Where DeviceID = 'C:' and FreeSpace >= 524288000

24. Add Create HP_TOOLS partition command line task

· Properties tab

· Command line

diskpart /s CreateHP_TOOLS.txt

· Package = Browse to TPM Script

· Options tab

· Success codes = 0 3010

· Add condition(s)

25. Add Set TPM BIOS Setting command line task

· Properties tab

· Command line

BiosConfigUtility.exe /set:"TPMNoPrompts.txt" /cpwdfile:HP123456.bin

· Package = Browse to HP Client BIOS Configuration Utility package

· Options tab

· Success codes = 0 3010

26. Add Restart Computer task

· Properties tab

· Under Specify what to run after restart section, select The currently installed default operating system option

27. Add Suspend BitLocker command line task

· Properties tab

· Command line

%windir%\system32\manage-bde.exe -protectors -disable c:

· Options tab

· Success codes = 0 3010

· Add condition(s)

28. Add Call TPMConfig to get initial TPM information command line task

· Properties tab

· Command line

TPMConfig.exe -s -t%temp%\TPMInfo.BeforeUpdate.txt -l%temp%\TPMConfig.log

· Package = Browse to HP TPM Config Utility 2.0.2.1 package

· Options tab

· Success codes = 0 3010

29. Add Call TPMConfig to upgrade TPM 1.2 command line task

· Properties tab

· Command line

TPMConfig.exe -s -a1.2 -l%temp%\TPMConfig.log

· Package = Browse to HP TPM Config Utility package

· Options tab

· Success code = 0 3010

· Add condition

root\cimv2\Security\MicrosoftTpm

select * from Win32_TPM where SpecVersion like '1.2%'

30. Add Call TPMConfig to upgrade TPM 2.0 command line task

· Properties

· Command line

TPMConfig.exe -s -a2.0 -l%temp%\TPMConfig.log

· Package = Browse to HP TPM Config Utility package

· Options tab

· Success code = 0 3010

· Add condition

root\cimv2\Security\MicrosoftTpm

select * from Win32_TPM where SpecVersion like '2.0%'

31. Add Restart task

· Properties tab

· Under Specify what to run after restart section, select The currently installed default operating system option.

· Select Notify the user before restarting option with message

The computer must restart to upgrade the TPM firmware

32. Add Suspend BitLocker command line task

· Properties tab

· Command line

%windir%\system32\manage-bde.exe -protectors -disable c:

· Options tab

· Success codes = 0 3010

· Add condition(s)

33. Add Call TPMConfig to get TPM information command line task

· Properties tab

· Command line

TPMConfig.exe -s -t%temp%\TPMInfo.BeforeUpdate.txt -l%temp%\TPMConfig.log

· Package = Browse to HP TPM Config Utility 2.0.2.1 package

· Options tab

· Success codes = 0 3010

34. Add Call TPMConfigster to get TPM Manufacturer Version PowerShell script task

· Properties tab

· Package = Browse to TPM Script 1.0 package

· Script name:

RunProgram.ps1

· Parameters:

TPMConfigster.exe /FW_VER

· PowerShell execution policy = Bypass

· Options tab

· Success codes = 0 3010

35. Add Delete HP_TOOLS partition (if created by this TS) PowerShell script task by clicking Add > General > Run PowerShell Script

· Properties tab

· Options tab

· Add conditions

· root\cimv2

select DeviceID from Win32_LogicalDisk where VolumeName = 'HP_TOOLS' and FileSystem = 'FAT32'

· Variable CreateHP_TOOLS equals “True”

36. Add Clear TPM on Next Boot Run PowerShell script task

· Properties tab

· Package = Browse to TPM Script package

· Script Name = ClearTPM.ps1

· PowerShell execution policy = Bypass

37. Add Restart task

· Properties tab

· Under Specify what to run after restart section, select The currently installed default operating system option.

· Select Notify the user before restarting option with message

The computer must restart to upgrade the TPM firmware

38. Add OwnTPM Run PowerShell Script task

· Properties tab

· Package = Browse to TPM Script package

· Script Name = OwnTPM.ps1

· PowerShell execution policy = Bypass

· Options tab

· Add condition(s): If All conditions are true:

· Root\cimv2\security\microsofttpm

select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'False'

· Variable Win10_1607_or_later

39. Add new group Update TPM Firmware – IFX under Update TPM Firmware group

· Options tab

· Add condition(s): Any of these are true

40. Add Set IFXTool File Name set dynamic variable task

· Properties tab

· Dynamic rules and variables

41. Add sub group Windows 10 (before 1607), Windows 8.1 and 7

· Options tab

· Add condition

42. Add Get TPM Owner Password from AD command line task

In the example task sequence, this task is disabled. Enabling this task also enables the “Delete TPM Owner password file if exists” task.

· Properties tab

· Command line

cscript Get-TPMOwnerInfo.vbs

· Package = Browse to TPM Script package

· Run this step as the following account

Provide the domain administrator credential here

· Options tab

· Success codes = 0 3010

43. Add Call Infineon tool to get update info command line task

· Properties tab

· Command line

%IFXTool% /info

· Package = Browse to IFX package

· Options tab

· Success codes = 0 3010

44. Add Call Infineon tool to update TPM firmware command line task

· Properties tab

· Command line

%IFXTool% /update /logfile:C:\TPMupdate.log /pwdfile:c:\pwd.tpm

· Package = Browse to IFX package

· Options tab

· Success codes = 0 3010

45. Add Call TPMConfigster to get TPM Manufacturer Version run PowerShell Script task

· Properties tab

· Package = Browse to HP TPM Script package

· Script name

RunProgram.ps1

· Parameters

TPMconfigster.exe /FW_VER

· PowerShell execution policy = Bypass

46. Add Clear TPM on Next Boot

· Properties tab

· Package = Browse to TPM Script package

· Script Name = ClearTPM.ps1

· PowerShell execution policy = Bypass

47. Add Delete TPM owner password file if exits command line task

In the example task sequence, this task is disabled by default. It is enabled automatically once you enable the previous task, “Get TPM Owner Password from AD”.

· Properties tab

· Command line

Cmd /c del /F c:\pwd.tpm

· Options tab

· Add conditions

48. Add Restart Computer task

· Properties tab

· Under Specify what to run after restart section, select The currently installed default operating system option.

49. Add Own TPM Run PowerShell Script task

· Properties tab

· Package = Browse to TPM Script 1.0 package

· Script name = OwnTPM.ps1

· PowerShell execution policy = Bypass

· Options tab

· Add condition

· Root\cimv2\security\microsofttpm

select * from win32_tpm where IsActivated_InitialValue = 'True' and IsEnabled_InitialValue = 'True' and IsOwned_InitialValue = 'False'

50. Add new group Windows 10 1607 or later under group Update TPM Firmware – IFX

· Options tab

· Add condition

51. Add Change OS Managed Auth Level command line task

· Properties tab

· Command line

reg import SetOSManagedAuthLevel.reg

· Package = Browse to Registry Update Package

· Options tab

· Success codes = 0 3010

52. Add Set TPM BIOS Setting command line task

· Properties tab

· Command line

BiosConfigUtility.exe /set:"ResetTPM.txt" /cpwdfile:HP123456.bin

· Package = Browse to HP BIOS Configuration Utility Package

· Options tab

· Success codes = 0 3010

53. Add Restart Computer task

· Properties tab

· Under Specify what to run after restart section, select The currently installed default operating system option

54. Add Clear TPM on Next Boot Run PowerShell Script task

· Properties tab

· Package = Browse to TPM Script package

· Script name = ClearTPM.ps1

· PowerShell execution policy = Bypass

55. Add Restart Computer task

· Properties tab

· Under Specify what to run after restart section, select The currently installed default operating system option

56. Add new sub group Update TPM Firmware under group Windows 10 1607 or later then add the following tasks under this new sub group

57. Add Set OSDBitLockerStatus set task sequence variable task

· Properties tab

· Task Sequence Variable = OSDBitLockerStatus

· Value = Protected

· Options tab

· Add condition

58. Add Suspend BitLocker command line task

· Properties tab

· Command line

%windir%\system32\manage-bde.exe -protectors -disable c:

· Options tab

· Success codes = 0 3010

· Add condition

59. Add Call Infineon tool to get update info command line task

· Properties tab

· Command line

%IFXTool% /info

· Package = Browse to IFX package

· Options tab

· Success codes = 0 3010

60. Add Call Infineon tool to update TPM firmware command line task

· Properties tab

· Command line

%IFXTool% /update /logfile:C:\TPMupdate.log

· Package = Browse to IFX package

· Options tab

· Success codes = 0 3010

61. Add Call TPMConfigster to get TPM Manufacturer Version Run PowerShell Script task

· Properties tab

· Package = Browse to HP TPM Script 1.0 package

· Script name

RunProgram.ps1

· Parameters

TPMConfigster.exe /FW_VER

· PowerShell execution policy = Bypass

62. Add Restart Computer task

· Properties tab

· Under Specify what to run after restart section, select The currently installed default operating system option

63. Add Restore OS Managed Auth Level command line task under group Windows 10 1607 or later

· Properties tab

· Command line

reg import ResetOSManagedAuthLevel.reg

· Package = Browse to Registry Update Package

· Options tab

· Success codes = 0 3010

64. Add Clear TPM on Next Boot Run PowerShell Script task under group Windows 10 1607 or later

· Properties tab

· Package = Browse to TPM Script package

· Script name = ClearTPM.ps1

· PowerShell execution policy = Bypass

65. Add Restart Computer task under group Windows 10 1607 or later.

· Properties tab

· Under Specify what to run after restart section, select The currently installed default operating system option

66. Add Resume BitLocker command line task under group Update TPM Firmware

· Properties tab

· Command line

%windir%\system32\manage-bde.exe -protectors -enable c:

· Options tab

· Success codes = 0 3010

· Add condition
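Steps 19 and 20 record whether the system drive is protected and suspend BitLocker, steps 27, 32 and 58 repeat the suspension after each restart, and step 66 resumes protection at the end. The script below is an added example, not part of the HP document or its TPM Script package: it folds that guard into one PowerShell unit that queries the same Win32_EncryptableVolume class as the step 19 condition, runs the same manage-bde commands, accepts the same success codes (0 and 3010), and verifies that protection is actually back on before reporting success. Function names and the script block parameter are assumptions of this example.

```powershell
# Added example (not HP's code): BitLocker suspend/resume guard around a TPM update.
$ManageBde = Join-Path $env:windir 'system32\manage-bde.exe'

function Get-BitLockerProtection {
    param([string]$Drive = 'c:')
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown. Step 19 sets
    # OSDBitLockerStatus=Protected only when the query returns a row with 1.
    $vol = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if (-not $vol) { return 'NotEncryptable' }
    switch ([int]$vol.ProtectionStatus) { 0 { 'Off' } 1 { 'On' } default { 'Unknown' } }
}

function Invoke-ManageBde {
    param([string[]]$Arguments)
    $p = Start-Process -FilePath $ManageBde -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    # 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) counts as success, as the steps' success codes do.
    if ($p.ExitCode -notin 0, 3010) {
        throw "manage-bde $($Arguments -join ' ') failed with exit code $($p.ExitCode)"
    }
    return $p.ExitCode
}

function Invoke-TpmUpdateWithBitLockerGuard {
    param(
        [Parameter(Mandatory)][scriptblock]$Update,   # the TPMConfig / IFX tool step(s)
        [string]$Drive = 'c:'
    )
    $wasProtected = (Get-BitLockerProtection $Drive) -eq 'On'
    if ($wasProtected) {
        # On Windows 8 and later a suspension without -RebootCount lasts one reboot,
        # which is why the task sequence re-suspends after every restart.
        Invoke-ManageBde @('-protectors', '-disable', $Drive) | Out-Null
    }
    try {
        & $Update
    }
    finally {
        if ($wasProtected) {
            Invoke-ManageBde @('-protectors', '-enable', $Drive) | Out-Null
            # Verify rather than assume: a TPM clear/own cycle can leave the TPM
            # protector unusable, and the drive would then stay in suspended state.
            if ((Get-BitLockerProtection $Drive) -ne 'On') {
                throw "BitLocker on $Drive is still not protected after resume; check key protectors"
            }
        }
    }
}

# Usage (constructed; the inner command is the step 30 call from this document):
# Invoke-TpmUpdateWithBitLockerGuard -Update {
#     & TPMConfig.exe -s -a2.0 -l"$env:temp\TPMConfig.log"
# }
```

Because the update itself requires one or more restarts, a real task sequence cannot keep this in a single process; the value of the example is the final verification, which the task sequence lacks: step 66 only issues the enable command and accepts exit code 0 without confirming that ProtectionStatus returned to 1.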

The complete task sequence should look like this

Continue…

References

https://support.hp.com/us-en/document/c05809624

https://support.hp.com/us-en/document/c05792935

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012