HP Service Pack for ProLiant Quick Start Guide

ManualsBrandsHP ManualsServerHP ProLiant BL495c G5 Server

Disabling BitLocker to permit firmware updates (Windows only)

The TPM, when used with BitLocker, measures a system state. Upon detection of a changed ROM

image, it restricts access to the Windows file system if the user cannot provide the recovery key.

HP SUM detects if a TPM is enabled in your system. For some newer models of HP ProLiant servers,

if a TPM is detected in your system or with any remote server selected as a target, HP SUM utilities

for HP iLO, Smart Array, NIC, and BIOS warn users prior to a flash. If the user does not temporarily

disable BitLocker and does not cancel the flash, the BitLocker recovery key is needed to access the

user data upon reboot.

A recovery event is triggered in the following situations:

• You do not temporarily disable BitLocker before flashing the system BIOS when using the

Microsoft BitLocker Drive Encryption.

• You have optionally selected to measure HP iLO, Smart Array, and NIC firmware.

If HP SUM detects a TPM, a warning message appears:

CAUTION: A Trusted Platform Module (TPM) has been detected in this

system. Failure to perform proper OS encryption procedures will results

in loss of access to your data if recovery key is not available.

Recommended procedure for Microsoft Windows (R) BitLocker (TM) is to

\”suspend\” BitLocker prior to System ROM or Option ROM firmware flash.

If you do not have your recovery key or have not suspended BitLocker,

exit this flash. Failure to follow these instructions will results in

loss of access to your data.

To enable firmware updates without the need to type in the TPM password on each server, the

BitLocker Drive Encryption must be temporarily disabled. Disabling the BitLocker Drive Encryption

keeps the hard drive data encrypted. However, BitLocker uses a plain text decryption key that is

stored on the hard drive to read the information. After the firmware updates have been completed,

the BitLocker Drive Encryption can be re-enabled. Once the BitLocker Drive Encryption has been

re-enabled, the plain text key is removed and BitLocker secures the drive again.

CAUTION: Temporarily disabling BitLocker Drive Encryption can compromise drive security and

should only be attempted in a secure environment. If you are unable to provide a secure

environment, HP recommends providing the boot password and leaving BitLocker Drive Encryption

enabled throughout the firmware update process. This requires setting the /tpmbypass parameter

for HP SUM or the firmware update is blocked.

To temporarily disable BitLocker support to allow firmware updates:

1. Click Start, and then search for gpedit.msc in the Search Text box.

2. When the Local Group Policy Editor starts, click Local Computer Policy.

3. Click Computer Configuration→Administrative Templates→Windows Components→BitLocker

Drive Encryption.

4. When the BitLocker settings are displayed, double-click Control Panel Setup: Enable Advanced

startup options.

5. When the dialog box appears, click Disable.

6. Close all windows, and then start the firmware update.

To enable advanced startup options:

1. Enter cscript manage-bde.wsf -protectors -disable c:

2. When the firmware update process is completed, the BitLocker Drive Encryption support can

be re-enabled by following steps 1 through 4 but clicking Enabled in step 5 instead. The

following command can be used to re-enable BitLocker Drive Encryption after firmware

deployment has completed.

3. Enter cscript manage-bde.wsf -protectors -enable c:

8 Downloading and installing an SPP