Disabling BitLocker to permit firmware updates (Windows only)

To allow firmware updates, temporarily disable BitLocker support.

Procedure
  1. Click Start, and then search for gpedit.msc in the Search Text box.
  2. When the Local Group Policy Editor starts, click Local Computer Policy.
  3. Click Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
  4. When the BitLocker settings are displayed, double-click Control Panel Setup: Enable Advanced startup options.
  5. When the dialog box appears, click Disable.
  6. Close all windows, and then start the firmware update.

To enable advanced startup options:

  • Enter cscript manage-bde.wsf -protectors -disable c:

  • When the firmware update process is completed, the BitLocker Drive Encryption support can be re-enabled by following steps 1 through 4 but clicking Enabled in step 5 instead. The following command can be used to re-enable BitLocker Drive Encryption after firmware deployment has completed.

  • Enter cscript manage-bde.wsf -protectors -enable c:
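The suspend and re-enable steps above, as an added PowerShell example (not from the original page or the vendor's tooling). It assumes Windows 8/Server 2012 or later, where the BitLocker module's Suspend-BitLocker and Resume-BitLocker cmdlets perform the same operation as the manage-bde -protectors -disable and -enable commands; the -Phase parameter and the Get-VolumeState helper are hypothetical names. The Resume phase fails loudly if the volume is still unprotected, so a suspended volume is not left behind after the update.

```powershell
#Requires -RunAsAdministrator
# Added example: run with -Phase Suspend before the firmware update and with
# -Phase Resume once the update (including any reboot it needs) has completed.
param(
    [ValidateSet('Suspend', 'Resume')]
    [string]$Phase = 'Suspend',
    [string]$MountPoint = 'C:'
)

# Hypothetical helper: returns the volume's encryption and protection state as strings.
function Get-VolumeState {
    param([string]$Mount)
    $vol = Get-BitLockerVolume -MountPoint $Mount
    [pscustomobject]@{
        Volume     = $vol.VolumeStatus.ToString()      # e.g. FullyEncrypted, FullyDecrypted
        Protection = $vol.ProtectionStatus.ToString()  # On, Off or Unknown
    }
}

$state = Get-VolumeState -Mount $MountPoint
if ($state.Volume -eq 'FullyDecrypted') {
    Write-Host "$MountPoint is not BitLocker-encrypted; nothing to $($Phase.ToLower())."
    return
}

switch ($Phase) {
    'Suspend' {
        if ($state.Protection -eq 'On') {
            # -RebootCount 0 keeps protection suspended across reboots
            # until it is resumed explicitly in the Resume phase.
            Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
        }
        $now = (Get-VolumeState -Mount $MountPoint).Protection
        Write-Host "Protection on $MountPoint is '$now'. Start the firmware update, then run -Phase Resume."
    }
    'Resume' {
        if ($state.Protection -ne 'On') {
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
        }
        $now = (Get-VolumeState -Mount $MountPoint).Protection
        if ($now -ne 'On') {
            # Fail loudly: while protectors are disabled the volume key is not protected.
            throw "Protection on $MountPoint is '$now' after resume; re-enable BitLocker before returning the server to service."
        }
        Write-Host "Protection on $MountPoint is On."
    }
}
```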

The following table describes TPM detection scenarios that you might encounter.

| Scenario | Result |
| --- | --- |
| TPM is detected and enabled, using GUI mode, and a system ROM must be updated. | SUM displays a warning message indicating that it detected TPM. SUM offers an option to Ignore Warnings. You can only deploy the updates if you select Ignore Warnings. |
| TPM is detected and enabled, using CLI or Input file mode, the /tpmbypass switch is not given, and firmware must be applied to the server. GUI mode does not support /tpmbypass. | No warning appears. Because the installation is silent, the installation is terminated and cannot continue. The SUM user log for the node will indicate that TPM was present but no /tpmbypass or /ignore_warnings was passed. |
| TPM is detected and enabled with Option ROM Measuring, using GUI mode, and a system ROM must be updated. | A warning message appears. You can only deploy the updates if you select Ignore Warnings. |
| TPM is detected and enabled with Option ROM Measuring, using CLI or Input file mode, the /tpmbypass switch is not given, and any firmware update must be applied to the server. | No warning appears. Because the installation is silent, the installation is terminated and cannot continue. The SUM user log for the node will indicate that TPM was present but no /tpmbypass or /ignore_warnings was passed. |
| TPM is detected and enabled, using CLI or Input file mode, the installation occurs, and the /tpmbypass switch or /ignore_warnings switch is supplied. | The installation occurs. |

In the SUM GUI, you can ignore TPM on the Deploy screen. You can also ignore TPM in CLI or interactive CLI mode.