HP ProLiant BL465c Server Blade User Manual

To enable firmware updates without the need to type in the TPM password on each server, the
BitLocker Drive Encryption must be temporarily disabled. Disabling the BitLocker Drive Encryption
keeps the hard drive data encrypted. However, BitLocker uses a plain text decryption key that is
stored on the hard drive to read the information. After the firmware updates have been completed,
the BitLocker Drive Encryption can be re-enabled. Once the BitLocker Drive Encryption has been
re-enabled, the plain text key is removed and BitLocker secures the drive again.

NOTE:

Temporarily disabling BitLocker Drive Encryption can compromise drive security and

should only be attempted in a secure environment. If you are unable to provide a secure
environment, HP recommends providing the boot password and leaving BitLocker Drive Encryption
enabled throughout the firmware update process. This requires setting the /tpmbypass parameter
for HP SUM or the firmware update is blocked.

To temporarily disable BitLocker support to allow firmware updates:
1.

Click Start, and then search for gpedit.msc in the Search Text box.

2.

When the Local Group Policy Editor starts, click Local Computer Policy.

3.

Click Computer Configuration

→Administrative Templates→Windows Components→Bitlocker

Drive Encryption.

4.

When the BitLocker settings are displayed, double-click Control Panel Setup: Enable Advanced
startup options.

5.

When the dialog box appears, click Disable.

6.

Close all windows, and then start the firmware update.

To enable advanced startup options:
1.

Enter cscript manage-bde.wsf -protectors -disable c:

2.

When the firmware update process is completed, the BitLocker Drive Encryption support can
be re-enabled by following steps 1 through 4 but clicking Enabled in step 5 instead. The
following command can be used to re-enable BitLocker Drive Encryption after firmware
deployment has completed.

3.

Enter cscript manage-bde.wsf -protectors -enable c:

The following table describes TPM detection scenarios that you might encounter.

Result

Scenario

A warning message appears. Select OK to continue. The
installation is not canceled.

If TPM is detected and enabled, the installation is not silent,
and a system ROM must be updated.

No warning appears. A new log file is generated
(%systemdrive%\cpqsystem\log\cpqstub.log

).

If TPM is detected and enabled, the installation is silent,
the /tpmbypass switch is not given, and any firmware
updated must be applied to the server.

Because the installation is silent, the installation is
terminated and cannot continue.

A warning message appears. After selecting OK, you can
continue. The installation is not canceled.

If TPM is detected and enabled with Option ROM
Measuring, the installation is not silent, and a system ROM
must be updated.

No warning appears. A new log file is generated
(%systemdrive%\cpqsystem\log\cpqstub.log).

If TPM is detected and enabled with Option ROM
Measuring, the installation is silent; the /tpmbypass

14

Deployment options