About using SUM with BitLocker

The TPM, when used with BitLocker, measures a system state. Upon detection of a changed ROM image, it restricts access to the Windows file system if the user cannot provide the recovery key. SUM detects if a TPM is enabled on a node. For some newer models of ProLiant servers, if a TPM is detected in your system or with any remote server selected as a target, SUM utilities for iLO, HDD, NIC, and BIOS warn users prior to a flash. If the user does not temporarily disable BitLocker and does not cancel the flash, the BitLocker recovery key is needed to access the user data upon reboot.

A recovery event is triggered in the following situations:

  • You do not temporarily disable BitLocker before flashing the system BIOS when using the Microsoft BitLocker Drive Encryption.

  • You have optionally selected to measure iLO, Smart Array, and NIC firmware.

If SUM detects a TPM, it displays a message.

To enable firmware updates without having to enter the TPM password on each server, temporarily disable BitLocker Drive Encryption. Disabling BitLocker Drive Encryption keeps the hard drive data encrypted; however, while it is disabled BitLocker reads the data using a plain-text decryption key that is stored on the hard drive. After the firmware updates have been completed, re-enable BitLocker Drive Encryption. Re-enabling BitLocker Drive Encryption removes the plain-text key, and BitLocker secures the drive again.

CAUTION:

Temporarily disabling BitLocker Drive Encryption can compromise drive security; only disable it in a secure environment. If you are unable to provide a secure environment, Hewlett Packard Enterprise recommends providing the boot password and leaving BitLocker Drive Encryption enabled throughout the firmware update process. This requires setting the /tpmbypass parameter for SUM; otherwise, the firmware update is blocked.
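The following PowerShell script is an added example, not part of the HPE documentation and not SUM's own code. It wraps the procedure described above on a Windows node: check whether a TPM is present, suspend BitLocker on the OS volume for exactly one reboot before the flash (which is the "temporarily disable" step, leaving the volume encrypted but with a clear key on disk), and after the post-flash reboot confirm that protection has been re-armed. It assumes the built-in BitLocker and TrustedPlatformModule modules are available and that the script is run elevated; the SUM command line is a placeholder you must replace with the real invocation for your deployment.

```powershell
# Added example (not from the HPE page): bracket a SUM firmware flash with a one-reboot
# BitLocker suspension and verify protection comes back. Assumptions: Windows Server with
# the BitLocker and TrustedPlatformModule modules; run from an elevated session.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

function Test-TpmPresent {
    # A present TPM is the condition under which SUM warns before a flash, because the
    # TPM measurements that BitLocker seals to will change once the ROM image changes.
    $tpm = Get-Tpm
    return [bool]$tpm.TpmPresent
}

function Suspend-BitLockerForFlash {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("{0}: VolumeStatus={1} ProtectionStatus={2}" -f $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)

    if ($vol.ProtectionStatus -ne 'On') {
        Write-Host "Protection is already off or suspended on $MountPoint; nothing to do."
        return
    }

    # Suspend for exactly one reboot. The data stays encrypted, but BitLocker writes a clear
    # key to disk so the OS boots without validating the (soon to be changed) measurements.
    # -RebootCount 1 makes Windows re-arm protection automatically after the post-flash
    # reboot, so a forgotten Resume-BitLocker does not leave the clear key in place.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'Off') {
        throw "Failed to suspend BitLocker on $MountPoint"
    }
    Write-Host "BitLocker suspended on $MountPoint for one reboot."
}

function Confirm-BitLockerResumed {
    # Run this after the flash and its reboot. If the auto re-arm did not happen (for
    # example the flash did not reboot), resume explicitly so the clear key is removed.
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    if ($vol.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is still off on $MountPoint; investigate before leaving the host."
    }
    Write-Host "BitLocker protection is on for $MountPoint."
    return $true
}

# --- Usage before the flash ---
if (Test-TpmPresent) {
    Write-Host "TPM detected: suspend BitLocker before flashing, or run SUM with /tpmbypass."
    Suspend-BitLockerForFlash -MountPoint 'C:'
}

# Placeholder: replace with the actual SUM command line for this deployment. With BitLocker
# suspended, /tpmbypass is not needed; /tpmbypass is the page's alternative for sites that
# must keep protection enabled throughout the update.
$sumCommand = 'C:\SUM\placeholder-sum.exe'
& $sumCommand
if ($LASTEXITCODE -ne 0) { throw "SUM exited with code $LASTEXITCODE" }

# --- Usage after the flash and reboot (run in a fresh session) ---
# Confirm-BitLockerResumed -MountPoint 'C:'
```

The post-reboot check lives in its own function because a firmware flash normally reboots the host, so the second half of the procedure has to run in a new session; the `-RebootCount 1` on the suspension is the safety net that re-arms protection even if that second step is never run.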