your task sequence should be updating the HP BIOS
. All the HP laptops, desktops, and workstations we use have fixes for either BitLocker directly, or for the BiosConfigUtility.exe used to change the TPM settings. We have the BIOS upgrade steps right at the start of our Task Sequence. Basically, it is just a Group that runs if manufacturer=Hewlett-Packard, a step to remove the BIOS password, and a Run Command Line steps that upgrade the BIOS using a package. (Alternately, you can include a password file with the BIOS rather than removing the password.)
In the State Restore group, we have a package that sets the BIOS password and applies the BIOS settings for the TPM so it silently activates on next reboot. After the reboot, we have a step to take ownership of the TPM using mange-bde.exe and then the Enable BitLocker step.
You need to check the BiosConfigUtility.exe /GetConfig file for each of your models (after you have upgraded the BIOS) as some of the settings have different names on different models. You can use one config file for all of the models - the utility ignores settings that don't exist on that particular model. Be sure the order of changes in the config file makes sense - you can't change the Embedded Security Activation Policy if the Embedded Security Device is not Available. Be sure you have a BIOS password set before doing /SetConfig, as most security settings cannot be changed if no password is set. Refer to the documentation that comes for HP SSM for all the command line switches and about the config file.
(Side Note: If you have a bunch of BitLocker-enabled machines that keep prompting for the recovery code, then check to ensure you are running the latest BIOS! You can upgrade the BIOS of a BitLocker-enabled machine after suspending the protectors with 'manage-bde.exe -protectors -disable C:'. This allows you to access the hard drive but doesn't actually go through the long process of decrypting. After rebooting, you can do 'manage-bde -protectors -enable C:'. )
<message edited by npherson on Monday, March 19, 2012 12:19 PM>
First and foremost,