Trusted Platform Module
The TPM, when used with BitLocker, measures a system state and, upon detection of a changed ROM image, restricts access to the Windows® file system if the user cannot provide the recovery key. HP Smart Update Manager detects if a TPM is enabled in your system. If a TPM is detected in your system or with any remote server selected as a target, for some newer models of ProLiant, HP Smart Update Manager utilities for iLO, Smart Array, NIC, and BIOS warn users prior to a flash. If the user does not temporarily disable BitLocker and does not cancel the flash, the BitLocker recovery key is needed to access the user data upon reboot.
A recovery event is triggered if:
- The user does not temporarily disable BitLocker before flashing the System BIOS when using the Microsoft BitLocker Drive Encryption.
- The user has optionally selected to measure iLO, Smart Array, and NIC firmware.
If HP Smart Update Manager detects a TPM, a pop-up warning message appears.
To enable firmware updates without the need to type in the TPM password on each server, the BitLocker Drive Encryption must be temporarily disabled. Disabling the BitLocker Drive Encryption keeps the hard drive data encrypted. However, BitLocker uses a plain text decryption key that is stored on the hard drive to read the information. After the firmware updates have been completed, the BitLocker Drive Encryption can be re-enabled. Once the BitLocker Drive Encryption has been re-enabled, the plain text key is removed and BitLocker secures the drive again.
NOTE: Temporarily disabling BitLocker Drive Encryption can compromise drive security and should only be attempted in a secure environment. If you are unable to provide a secure environment, HP recommends providing the boot password and leaving BitLocker Drive Encryption enabled throughout the firmware update process. This requires the /tpmbypass parameter for HP Smart Update Manager or the firmware update is blocked.
To temporarily disable BitLocker support to allow firmware updates, perform the following:
- Click Start, and then search for gpedit.msc in the Search Text box.
- When the Local Group Policy Editor starts, click Local Computer Policy.
- Click Computer Configuration>Administrative Templates>Windows Components>BitLocker Drive Encryption.
- When the BitLocker settings are displayed, double-click Control Panel Setup: Enable Advanced startup options.
- When the dialog box appears, click Disable.
- Close all the windows, and then start the firmware update.
To enable advanced startup options, use the following command:
cscript manage-bde.wsf -protectors -disable c:
When the firmware update process is completed, the BitLocker Drive Encryption support can be re-enabled by following steps 1 through 4 but clicking Enabled in step 5 instead. The following command can be used to re-enable BitLocker Drive Encryption after firmware deployment has completed.
cscript manage-bde.wsf -protectors -enable c: