OSD problem - enable Bitlocker on HP-computers

Hello,

I just created a tasksequence to deploy windows 7 on a machine and now I stuck in the step activating tpm which i do with the command manage-bde -tpm -turnon, followed by a reboot.
My problem now: When the system is rebooted the Bios prompts me to press F1 to accept the changes made to the tpm settings.
Is there a way to do this unattended? Any possibilities to script this step?

Thx
Chris

are you using the default bitlockers steps in the task sequence or custom steps you created?

Here the steps in detaol:
Activate tpm                    -  manage-bde.exe -tpm -TurnOn
restart              
create BL partition          - BdeHdCfg.exe -target c: shrink -newdriveletter b: -size 1500 -quiet
restart
enable BL                         - Built in step with current os driv, tpm only and AD - no wait

Chris

Hi Chris,

I am having the same problem. Did you resolve it? If yes, can you please let me know how you did it?

Best Regrads,
Kalam

We are using bitlocker on Vista clients during deployment.  Fortunately for us we have an HP agreement whereby machines are delivered with the BIOS configured for bitlocker (as well as the core WIM already cached on clients)

What you could do is use the HP SSM Bios configuration tool to set the necessary BIOS settings early on in the task sequence.   We have used this to set the Wireless lan switching setting (as this it yet configured for us inthe HP factory).  We have also used the BIOS update tool to make sure all clients running a minimum BIOS level across the estate.

I downloaded the tool, installed and  ran on HP 6930 P in order to enable TPM in BIOS
firstly I run the following command
c:\program Files\Hewlett-Packard\SSM>BiosConfigUtility.EXE /GETCONFIG:CONFIG.TXT

opened the CONFIG.txt
 

By default, "Embedded Security Device Availability" is Hidden

I modified the settings as below and made "Embedded Security Device Availability" Available as follows and saved it



ran the following command to se the settings in BIOS

Here I got the error message saying "Dependency condition is not Met" and return value is 13 which is " Falied to change setting"

Can you please advise what am I doing wrong?

Best Regards
Kalam

I have solved the problems . Please let me know if you need to know how I did it.

dmkalam were you able to make C:\Windows\System32\manage-bde.exe -tpm -turnon silent?
Ours is disabled now due to another issue but we ended up putting this near the end when it was on.

I've been fighting the same problem and I don't think there is a method to Turn on and active the TPM without going through the BIOS at some point.  I'm actually looking at using a modified WinPE with a shortcut that runs manage-bde.exe -tpm -turnon and then reboot the machine to actually turn it on the in BIOS and then boot back into WinPE to run the Task Sequence.  If you find a better way, please post because I'd love to use it myself.

dmkalam


I have solved the problems . Please let me know if you need to know how I did it.

Yes, please.

Sorry for late response.
@jconnor, not possible to run it silently

@Barker and Crobl
Please post your email address, I will send it by email as it has multiple files.
Best Regards,
Kalam

cyrus dot robl at gmail dot com

Hi  Kalam,
can you please let me know how you solved it ( dimagon at gmx dot at)?
THX,
Dima

First and foremost, your task sequence should be updating the HP BIOS.  All the HP laptops, desktops, and workstations we use have fixes for either BitLocker directly, or for the BiosConfigUtility.exe used to change the TPM settings.  We have the BIOS upgrade steps right at the start of our Task Sequence.  Basically, it is just a Group that runs if manufacturer=Hewlett-Packard, a step to remove the BIOS password, and a Run Command Line steps that upgrade the BIOS using a package.  (Alternately, you can include a password file with the BIOS rather than removing the password.)

In the State Restore group, we have a package that sets the BIOS password and applies the BIOS settings for the TPM so it silently activates on next reboot.  After the reboot, we have a step to take ownership of the TPM using mange-bde.exe and then the Enable BitLocker step.

You need to check the BiosConfigUtility.exe /GetConfig file for each of your models (after you have upgraded the BIOS) as some of the settings have different names on different models.  You can use one config file for all of the models - the utility ignores settings that don't exist on that particular model.  Be sure the order of changes in the config file makes sense - you can't change the Embedded Security Activation Policy if the Embedded Security Device is not Available.    Be sure you have a BIOS password set before doing /SetConfig, as most security settings cannot be changed if no password is set.  Refer to the documentation that comes for HP SSM for all the command line switches and about the config file.

(Side Note:  If you have a bunch of BitLocker-enabled machines that keep prompting for the recovery code, then check to ensure you are running the latest BIOS!  You can upgrade the BIOS of a BitLocker-enabled machine after suspending the protectors with 'manage-bde.exe -protectors -disable C:'.  After rebooting, you can do 'manage-bde -protectors -enable C:'.  This allows you to access the hard drive but doesn't actually go through the long process of decrypting.) 



Nash