Disabling BitLocker to permit firmware updates (Windows only)

The TPM, when used with BitLocker, measures a system state. Upon detection of a changed ROM image, it restricts access to the Windows file system if the user cannot provide the recovery key. HP SUM detects if a TPM is enabled on a node. For some newer models of ProLiant servers, if a TPM is detected in your system or with any remote server selected as a target, HP SUM utilities for iLO, Smart Array, NIC, and BIOS warn users prior to a flash. If the user does not temporarily disable BitLocker and does not cancel the flash, the BitLocker recovery key is needed to access the user data upon reboot.

A recovery event is triggered in the following situations:

You do not temporarily disable BitLocker before flashing the system BIOS when using the Microsoft BitLocker Drive Encryption.
You have optionally selected to measure iLO, Smart Array, and NIC firmware.

If HP SUM detects a TPM, it displays a message.

To enable firmware updates without the need to type in the TPM password on each server, temporarily disable BitLocker Drive Encryption. Disabling the BitLocker Drive Encryption keeps the hard drive data encrypted. However, BitLocker uses a plain text decryption key that is stored on the hard drive to read the information. After the firmware updates have been completed, re-enable BitLocker Drive Encryption. Re-enabling BitLocker Drive Encryption removes the plain text key and BitLocker secures the drive.


	CAUTION: Temporarily disabling BitLocker Drive Encryption can compromise drive security and should only be attempted in a secure environment. If you are unable to provide a secure environment, Hewlett Packard Enterprise recommends providing the boot password and leaving BitLocker Drive Encryption enabled throughout the firmware update process. This requires setting the `/tpmbypass` parameter for HP SUM or the firmware update is blocked.

To temporarily disable BitLocker support to allow firmware updates:

Click Start, and then search for gpedit.msc in the Search Text box.
When the Local Group Policy Editor starts, click Local Computer Policy.
Click Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption.
When the BitLocker settings are displayed, double-click Control Panel Setup: Enable Advanced startup options.
When the dialog box appears, click Disable.
Close all windows, and then start the firmware update.

To enable advanced startup options:

Enter cscript manage-bde.wsf -protectors -disable c:
When the firmware update process is completed, the BitLocker Drive Encryption support can be re-enabled by following steps 1 through 4 but clicking Enabled in step 5 instead. The following command can be used to re-enable BitLocker Drive Encryption after firmware deployment has completed.
Enter cscript manage-bde.wsf -protectors -enable c:

The following table describes TPM detection scenarios that you might encounter.

Scenario	Result
TPM is detected and enabled, using GUI mode, and a system ROM must be updated.	HP SUM displays a warning message indicating that it detected TPM. HP SUM offers an option to Ignore Warnings. You can only deploy the updates if you select Ignore Warnings.
TPM is detected and enabled, using CLI or Input file mode, the `/tpmbypass` switch is not given, and any firmware updated must be applied to the server. GUI mode does not support `/tpmbypass`.	No warning appears. A new log file is generated `(%systemdrive%\cpqsystem\log\cpqstub.log`). Because the installation is silent, the installation is terminated and cannot continue.
TPM is detected and enabled with Option ROM Measuring, using GUI mode, and a system ROM must be updated.	A warning message appears. After selecting OK, you can continue. The installation is not canceled.
TPM is detected and enabled with Option ROM Measuring, using CLI or Input file mode, the `/tpmbypass` switch is not given, and any firmware updated must be applied to the server.	No warning appears. A new log file is generated (`%systemdrive%\cpqsystem\log\cpqstub.log`). Because the installation is silent, the installation is terminated and cannot continue.
TPM is detected and enabled, CLI or Input file mode, the installation occurs, and the `/tpmbypass` switch is supplied.	The installation occurs.

prev	up	next
Deploying Synergy System servers with HP SUM	home	Using Linux and HP-UX root credentials for remote nodes