HP Manageability Integration Kit

Technical white paper
HP Client Management Solutions
Overview
HP computers are Designed for Manageability (DfM). DfM is centered on two tenets:
• Provide a means that will assist an IT administrator in managing HP BIOS, hardware, and preinstalled software that comes with the computer.
• Provide a solution that works with the client management console of an administrator’s choice.
The solution created to address these two tenets is called HP Manageability Integration Kit (MIK).
HP MIK is a client-management-console-agnostic solution that extends management aspects to HP hardware, BIOS, and software capabilities.
The purpose of HP MIK is to enable a user experience that simplifies routine enterprise processes and tasks by integrating into existing tools and workflows.
Deploy HP MIK to begin enjoying these key benefits:
• Speed up the basics of management—Reduce the number of steps needed to create, deploy, and manage images, BIOS, and system security so you can focus on business.
• Protect data—Secure BIOS settings, set authentication and credentials requirements, enable Device Guard, and manage Trusted Platform Module (TPM) firmware updates.
• Manage software—Enable IT administrators to remotely manage features supported by the software, such as HP Client Security.
HP MIK is optimized to work with Microsoft® System Center Configuration Manager, although it does work with other client management consoles via scripting. This document includes examples and screenshots only of the HP Manageability Integration Kit plugin within Configuration Manager. For the full user guide, go to the HP Manageability website: http://www.hp.com/go/clientmanagement.
System requirements
HP Manageability Integration Kit can be installed on servers running supported versions of Microsoft System Center Configuration Manager 2012 and clients running supported Windows® operating systems.
Supported Microsoft System Center Configuration Manager versions
HP Manageability Integration Kit can be installed on servers running the following versions of the Microsoft System Center Configuration Manager. To determine server operating system requirements, see the Microsoft System Center Configuration Manager documentation.
• Microsoft System Center 2012 R2 Configuration Manager service pack 1 (SP1) with or without cumulative update 1 (CU1) or later
• Microsoft System Center 2012 R2 Configuration Manager
• Microsoft System Center 2012 Configuration Manager SP2 with or without CU1 or later and
• Microsoft System Center 2012 Configuration Manager SP1 and
• Microsoft System Center Configuration Manager 1511, 1602, or 1606
Supported client operating systems
The HP Manageability Integration Kit client components are supported on the following client operating systems:
• Windows 10
• Windows 8.1
• Windows 7
Note
Some HP Manageability Integration Kit features have additional requirements.
Downloading HP Manageability Integration Kit
To download the HP Manageability Integration Kit:
1. Go to http://www.hp.com/go/clientmanagement.
2. Under Resources, select HP Download Library.
3. Download HP Manageability Integration Kit (MIK) for Microsoft System Center Configuration Manager.
4. Under MIK Client requirements, download all available SoftPaqs.
Installing HP Manageability Integration Kit into Configuration Manager
1. Verify that any instances of the Configuration Manager console are closed.
2. If HP Client Integration Kit (CIK) is installed on the system, uninstall it.
3. Run the downloaded HP Manageability Integration Kit (MIK) for Microsoft System Center Configuration Manager SoftPaq and follow the on-screen instructions to complete the installation.
4. Open the Configuration Manager console and verify that HP Manageability Integration Kit is displayed under Assets and Compliance.
Distributing HP Client Support Packages
After the installation is complete, HP Client Support Packages must be pushed out to the local distribution points.
1. In Configuration Manager, select Software Library, select Overview, select Application Management, select Packages, and then select HP Client Support Packages.
Note
To prevent failure of dependent task sequences, do not delete or rename the packages in this folder.
If a package is deleted, reinstall HP Manageability Integration Kit and select Repair in the installation wizard. Then, refresh the task sequences using the package. For more information, see Refreshing task sequences.
2. If this is a first-time installation, right-click HP Client BIOS Configuration Utility and select Distribute Content, and then follow the on-screen instructions to complete the wizard.
– or –
If this is an upgrade, right-click HP Client BIOS Configuration Utility and select Update Distribution Points, and follow the on-screen instructions to complete the wizard.
3. If this is a first-time installation, right-click HP Client Support Tools and select Distribute Content, and then follow the on-screen instructions to complete the wizard.
– or –
If this is an upgrade, right-click HP Client Support Tools and select Update Distribution Points, and follow the on-screen instructions to complete the wizard.
In the Software Library of Configuration Manager, the following menu items (indicated by dashed lines), folders (indicated by dotted-and-dashed lines), and packages (indicated by solid lines) are created after a driver pack or boot image is created via HP Manageability Integration Kit.
HP Client BIOS Configuration Utility
HP Client Support Tools
Create and Import Driver Pack
Download and Import Driver Packs
Import Downloaded Driver Pack
Create Boot Image
Create Deployment Task Sequence
To open a menu item, either select it in the ribbon menu or use the right-click context menu.
HP MIK plugins
By default, the installer extends the functions of Configuration Manager by adding seven plugins under the HP Manageability Integration Kit node.
For more information about these plugins, see the following sections.
• For managing HP BIOS settings, see HP BIOS Configuration.
• For managing the HP BIOS password, see HP BIOS Password.
• For enabling Device Guard, see Device Guard (Windows 10 only).
• For managing HP Sure Start settings, see HP Sure Start.
• For upgrading or downgrading the TPM firmware version, see TPM Firmware Update.
• For managing HP WorkWise application settings, see HP WorkWise (Windows 10 only).
HP MIK also includes all features of HP Client Integration Kit (CIK) to help with operating system deployment.
• For importing or creating HP driver packs, see HP Client Driver Packs.
• For creating boot images, see HP client boot images.
• For example task sequences, see HP client task sequences.
Compliance settings
Policies created or edited using HP MIK plugins are saved as Configuration Manager compliance settings.
To locate a policy:
1. In Configuration Manager, select Assets and Compliance.
2. Select Overview, select Compliance Settings, and then select Configuration Items.
On this page, you can perform Configuration Manager functions, such as opening the Properties dialog box and setting the supported operating systems and hardware.
If you create a configuration item with a plugin, the default name is composed of both the baseline name and the plugin name. For example, a configuration item created with a baseline named My BIOS Configuration Baseline and the HP BIOS Configuration plugin is named My BIOS Configuration Baseline – BIOS Configuration by default.
Configuration Baselines
IT administrators can select multiple configuration items for one Configuration Baseline. Baselines can also be deployed to different collections.
Right-click Configuration Baselines to select one of the following options:
• Copy—Clone the baseline
• Delete—Delete the baseline
• Deploy—Deploy to different collections
• Properties—View the deployed collection, edit the evaluation conditions, and filter the categories or users
HP BIOS Configuration
The BIOS Configuration interface allows the IT administrator to define and deploy BIOS settings policies to client computers.
Supported client platforms
• HP commercial computers (2015 or later)
Supported client operating systems
• Windows 10
• Windows 8.1
• Windows 7
Prerequisites
• Microsoft .NET Framework 4.0 or higher
• HP Manageability Integration Kit
User interface
There are three columns in the HP BIOS Configuration window.
The Select column is used to specify whether a setting is enforced by a policy. If a setting is selected, it is set to the specified value. If a setting is cleared, it is not modified.
The Settings column displays the setting name.
The Values column can be used to either enter a value or select a value from a drop-down menu, depending on the setting.
If a specific syntax is required for an entered value, the box background turns green if the syntax is correct and turns red if the syntax needs to be corrected.
Note
In Category View, a category must be expanded to display all three columns.
The icons next to some settings indicate the following behaviors:
• [icon]—Indicates that a setting is only effective for one restart, and then it resets to the default value.
• [icon]—Indicates that a setting requires confirmation on the next restart, and that the restart cannot be completed until confirmation is given.
List View/Category View button
Select this button to switch between displaying the BIOS settings as a list or grouped categories.
Expand All/Collapse All button
Select this button to expand or collapse the details of each setting.
Show only selected/Show All button
Select this button to switch between displaying all available settings or only settings that have been selected.
Filter to settings containing
Enter a term to quickly locate a setting in the list of settings, based on a partial string match.
Creating a policy
1. In Configuration Manager, select Assets and Compliance and then select Overview.
2. Expand HP Manageability Integration Kit, right-click BIOS Configuration, and then select Create Policy.
3. Enter a Baseline name and start the policy creation wizard.
4. Modify settings by selecting the setting and then selecting the new value.
5. After selecting and modifying BIOS settings, select Next.
6. Review the Summary page. If changes are necessary, select the Previous button; otherwise, select Save Policy.
7. After the policy has been saved successfully, select Deploy, and then select the target collections to which to apply the policy.
8. Restart the client computers to ensure that the BIOS settings take effect.
Editing a policy
1. In Configuration Manager, select Assets and Compliance and then select Overview.
2. Expand HP Manageability Integration Kit, right-click BIOS Configuration, and then select Edit Policy.
3. Select an existing baseline policy to edit and click OK to continue the wizard.
4. Follow steps 4 through 8 of Creating a policy.
Additional information
Important
If a client computer has a BIOS password configured, that password must be entered in HP BIOS Password before the HP BIOS Configuration tool can execute successfully.
For client computers, the HP MIK BIOS Configuration logs are stored in %PROGRAMDATA%\HP\HP MIK\Logs.
HP BIOS Password
If there is a BIOS password configured on any of the client computers, use this feature to enter the password into HP Manageability Integration Kit. Other plugins, such as HP BIOS Configuration, retrieve this password from HP Manageability Integration Kit to modify the BIOS settings.
This feature does not modify the password on client computers.
HP Client Security with Intel Authenticate Support
HP Client Security with Intel® Authenticate™ Support enables the management of HP Client Security software through Configuration Manager. HP Client Security uses features built into the BIOS, hardware, and software layers to help protect against attacks, loss, or theft.
Supported client platforms
• HP commercial computers (2015 or later)
Supported client operating systems
• Windows 10
• Windows 8.1
• Windows 7
Other client system prerequisites
• Microsoft .NET Framework 4.6.1 or higher
• HP Client Security Manager 9.3.0.2368 or higher
• HP Device Access Manager 8.4.6.0 or higher
• Intel Authenticate Engine (optional)
Note
Intel Authenticate Engine requires the following additional drivers:
– Intel Management Engine Driver 11.6.0.1019 or higher
– Intel Bluetooth® Driver 19.00.00.1626.3453 or higher
– Intel Graphics Driver 21.20.16.4481 or higher
– Synaptics Touch Fingerprint Driver 5.2.5002.26 or higher
Intel Authenticate Engine is required to access Intel Authenticate support.
User interface
HP Client Security is divided into Client Security Manager and Device Access Manager.
When you open HP Client Security, an introduction with a high-level description of the plugin is displayed. Select Start Policy.
Now, you can configure the HP Client Security Settings.
Client Security Manager
Authentication tab
This tab allows you to configure the high-level features of HP Client Security Manager.
The following options are available:
• Windows Logon—Requires authentication at Windows logon (after the operating system starts)
• Power On Authentication—Requires authentication at computer start (before the operating system starts)
• One Step Logon—Requires authentication only once at first logon prompt. Power-On Authentication must be enabled.
• Password Manager—Allows secure logon using security questions in case of a forgotten password or lost authentication device.
Intel Authenticate tab
This tab allows you to configure Intel Authenticate, if Intel Authenticate Engine is installed.
The following options are available:
• Enable Intel Authenticate—Enables Intel Authenticate support
If this option is enabled, you can select the certificate used to provision or communicate with the Intel Authenticate engine on client computers.
– Type the location of the security certificate—Browse to and select an X.509 certificate file, in Personal Information Exchange (PFX) format.
– Enter the password to unlock your certificate—Select this option and enter a password, if the certificate is protected by a password.
– My certificate does not have a password—Select this option and enter a password, if the certificate is protected by a password.
Windows Logon Policy tab
This tab allows you to configure Windows Logon authentication.
• Add Credential—Adds an additional credential to be used during Windows Logon. To remove a configured credential, select the X icon in the upper-right corner of the credential.
• Restore Default—Restores default settings, providing a way to start configuration from a known state.
Windows Session Policy tab
This tab allows you to configure the policy and credentials used for a Windows session.
• Use Logon Policy—Enables the configured logon policies.
• Allowed Credential Options—Select a credential.
Advanced Options tab
This tab allows you to further configure various credentials managed by HP Client Security.
• Fingerprint Options
– Minimum number of fingerprints and Maximum number of fingerprints—Specify the minimum and maximum number of fingerprints a user can enroll. Force number of fingerprints to enroll must be selected.
– Fingerprint recognition accuracy—Configure the required fingerprint reader accuracy.
• Smart Card Options
– Lock PC when smart card is removed—Automatically locks the computer when a smart card used as a credential is ejected.
• PIN Options
– Set allowed PIN length—Specify the minimum number of characters for a user PIN.
Device Access Manager
Hardware tab
In this tab, you can deploy access permission for a variety of device classes or devices. The access can be set for both administrators and standard users. The following device classes and devices are listed: biometric devices, Bluetooth, imaging devices, network adapters, and ports (COM & LPT).
• Allow Access for Administrators—Enables an administrator to access a device class or device.
• Allow Access for Standard User—Enables a standard user to access a device class or device.
Removable Media tab
On this tab, an IT administrator can set access permissions for removable storage, such as USB drives, and CD/DVD-ROM drives.
The options can be configured with one of the following rights each for both administrators and standard users:
• Full Access—Allows users to add, edit, delete, and read files from the selected removable media.
• Read Only—Allows users only to read files from the selected removable media.
• JITA (Just In Time Authentication)—Allows users to add, edit, delete, and read files for the amount of time (beginning after the user has entered their credentials) specified in the dropdown box.
• No Access—Disables user access to any of the files available in the selected removable media.
Creating a policy
1. In Configuration Manager, select Assets and Compliance, and then select Overview.
2. Select HP Manageability Integration Kit, right-click Client Security Manager, and then select Create Policy.
3. Enter a Baseline name and start the policy creation wizard.
4. Modify settings. After configuring the settings, select Next.
5. Review the Summary page. If changes are necessary, select the Previous button; otherwise, select Save Policy.
6. After the policy has been saved successfully, select Deploy, and then select the target collections to which to apply the policy.
Editing a policy
1. In Configuration Manager, select Assets and Compliance, and then select Overview.
2. Select HP Manageability Integration Kit, right-click Client Security Manager, and then select Edit Policy.
3. Select an existing baseline policy to edit, and then select OK.
4. Follow the on-screen instructions to complete the wizard.
Additional information
Policies created with HP Client Security create configuration items for both Client Security Manager and Device Access Manager.
Be sure to configure Intel Authenticate before creating policies. See the Intel Authenticate documentation for more information on whether your computer is supported and how to set up Intel Authenticate.
Device Guard (Windows 10 only)
Device Guard is included with Windows 10 and provides hardware- and software-based malware protection, by verifying that applications and drivers are from a trusted source before they are allowed to run. In HP MIK, Device Guard policies provide an easy option for an IT administrator to enable Device Guard.
Supported client platforms
• HP commercial computers (2015 or later)
Supported client operating systems
• Windows 10
Other client system prerequisites
• Microsoft .NET Framework 4.0 or higher
• HP MIK
Creating a policy
1. In Configuration Manager, select Assets and Compliance, and then select Overview.
2. Select HP Manageability Integration Kit, right-click Device Guard, and then select Create Policy.
3. Enter a Baseline name and then follow the on-screen instructions to complete the wizard.
4. Select one of the following options:
A. Create a policy to activate device guard support—Modifies the registry on target systems, enables the virtualization extension, enables Hyper-V, and enables Device Guard virtualization-based security.
The following registry settings are modified:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard]
"EnableVirtualizationBasedSecurity"=dword:00000001
"HypervisorEnforcedCodeIntegrity"=dword:00000001
"RequirePlatformSecurityFeatures"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LsaCfgFlags"=dword:00000001
The following Windows features are modified:
Microsoft Hyper-V and Isolated User Mode are enabled.
The following BIOS settings are modified (if they are available on the client computer):
• SVM CPU Virtualization is enabled on AMD Platforms
• Virtualization Technology (VTx) is enabled on Intel platforms
• Virtualization Technology for Directed I/O (VTd) is enabled on Intel Platforms
• TPM Device is set to available
• TPM State is set to available
• CD-ROM Boot is disabled
• PXE Boot is disabled
• USB Storage Boot is disabled
• Legacy Boot is disabled
• UEFI Boot is enabled
• Configure Legacy Boot Support is set to Legacy Support Disable and Secure Boot Enable
B. Create policy to deactivate device guard support—Disables Device Guard virtualization-based security.
Deactivating Device Guard reverts registry settings to their default settings.
Hyper-V is disabled.
BIOS Virtualization is disabled.
5. Review the Summary page. If changes are necessary, select the Previous button; otherwise, select Save Policy.
6. After the policy has been saved successfully, select Deploy, and then select the target collections to which to apply the policy.
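To confirm on a client that the activation policy took effect, the registry values listed under option A can be compared with what Windows reports at runtime. The following is an added example, not part of HP MIK or the original paper; the function names are hypothetical, and the Win32_DeviceGuard status values are taken from Microsoft's documentation of that class.

```powershell
# Added example (not HP MIK code): read-only audit of the Device Guard registry
# values this section lists, plus the state Windows reports at runtime.

# Expected values, copied from the registry settings listed under option A.
$Expected = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity'; Value = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'HypervisorEnforcedCodeIntegrity';   Value = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'RequirePlatformSecurityFeatures';   Value = 2 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';         Name = 'LsaCfgFlags';                       Value = 1 }
)

function Test-DeviceGuardRegistry {
    param([Parameter(Mandatory)][hashtable[]]$Settings)
    foreach ($s in $Settings) {
        # A missing key or value yields $null instead of an error.
        $item   = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($s.Name) } else { $null }
        [pscustomobject]@{
            Key       = $s.Key
            Name      = $s.Name
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $s.Value)
        }
    }
}

function Get-DeviceGuardRuntimeState {
    # Win32_DeviceGuard reports what is actually running, which can lag behind
    # the registry until the client has restarted.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if (-not $dg) { return $null }
    [pscustomobject]@{
        # 0 = not enabled, 1 = enabled but not running, 2 = enabled and running
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

$registry = Test-DeviceGuardRegistry -Settings $Expected
$runtime  = Get-DeviceGuardRuntimeState

# Human-readable detail for an interactive run.
$registry | Format-Table Name, Expected, Actual, Compliant -AutoSize | Out-Host
if ($runtime) {
    $runtime | Format-List | Out-Host
} else {
    Write-Warning 'Win32_DeviceGuard class is not available on this system.'
}

# Single string result: every listed value matches and VBS is actually running.
if ($registry.Compliant -notcontains $false -and $runtime -and $runtime.VbsStatus -eq 2) {
    'Compliant'
} else {
    'NonCompliant'
}
```

A client that shows matching registry values but a VbsStatus of 1 has usually not been restarted since the policy was applied, or is missing one of the BIOS settings listed above.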
Editing policy
1. In Configuration Manager, select Assets and Compliance, and then select Overview.
2. Select HP Manageability Integration Kit, right-click Device Guard, and then select Edit Policy.
3. Select an existing baseline policy to edit, and then select OK.
4. Complete the procedure for steps 4 through 6 in Creating a policy.
Additional information
For client computers, the HP MIK Device Guard policy log is created in %PROGRAMDATA%\HP\HP MIK\Logs.
The following error codes might be encountered:
Error code   Description
0            OK
1            Item is not known. There might be an installation error.
2            Operating system not supported. See the operating system requirements.
3            CPU/Chipset not supported. See the platform requirements.
4            Outdated Graphics Driver. Update the graphics driver before attempting the operation again.
5            Failed to enable BIOS CPU Virtualization
6            Failed to set BIOS TPM Device as Available
7            Failed to disable BIOS USB device boot
8            Failed to disable BIOS PXE boot
9            Failed to disable BIOS Floppy boot
10           Failed to disable BIOS CD-ROM boot
11           Failed to change BIOS Boot Mode to UEFI Native (Without CSM)
12           Failed to enable BIOS Secure Boot
13           Failed to set Hyper-V
14           Failed to set Isolated User Mode
15           Error in setting Registry value(s)
16           Failed to modify Windows features
HP Sure Start
HP Sure Start protects the HP BIOS from any malware or virus threat by verifying the integrity of the BIOS when the computer starts or restarts, by default. Additional policies can increase the frequency with which the BIOS is verified and the BIOS event log policy can capture any event.
HP Sure Start policy management in HP MIK allows you to manage policies remotely and ensures the appropriate logging and notification of malicious attacks and security breaches in BIOS and the subsequent repairs.
Supported client platforms
• HP 700 series and higher commercial computers (2014 or later)
Supported client operating systems
• Windows 10
• Windows 8.1
• Windows 7
Other client system prerequisites
• Microsoft .NET Framework 4.0 or higher
• HP MIK
User interface
BIOS Security Settings tab
• Verify Boot Block on every boot—Verifies that authorized modifications to the system boot image are stored in the non-volatile memory.
When enabled, HP Sure Start verifies the integrity of the HP firmware boot image when the computer starts or restarts, or exits Hibernation or Sleep mode. This setting provides higher security, but can increase start time.
When disabled, HP Sure Start verifies the integrity of the HP firmware boot image when the computer starts or exits Hibernation or Sleep mode.
• Dynamic Runtime Scanning of Boot Block—Verifies the integrity of the HP boot image periodically while the computer is on and the operating system is running.
When enabled, HP Sure Start verifies the integrity of the HP boot image every 15 minutes.
• Lock BIOS Version—Disables BIOS updates.
• Sure Start BIOS Setting Protection—Disables changes to all critical BIOS settings and provides enhanced protection for these settings via the HP Sure Start non-volatile memory.
The BIOS administrator password is required to enable this setting.
• Enhanced HP Firmware Runtime Intrusion Prevention and Detection—Monitors HP system firmware executing out of main memory while the operating system is running.
Events and Recovery Settings tab
These settings control HP Sure Start behavior after a critical security event, such as the BIOS being attacked or corrupted, is identified.
• Sure Start Security Event Policy—Select Log Event Only to log all critical security events in the HP Sure Start Audit Log within the HP Sure Start non-volatile memory. Select Log Event and Power Off System to power off the system after detecting and logging an HP Sure Start Security Event. Because data might be lost, HP recommends using this setting only in situations where security integrity of the system is a higher priority than the risk of potential data loss.
• BIOS Data Recovery Policy—Select Automatic to automatically repair any firmware integrity issues in the non-volatile (flash) memory. Select Manual to repair firmware integrity issues when the Esc+Windows+Up Arrow+Down Arrow key combination is pressed. HP recommends this setting for IT administrators only.
• Prompt on Network Controller Configuration Change—Monitors the network controller configuration and prompts the local user if any changes are detected compared to the factory configuration.
• Save/Restore Hard Drive Partition Table—Saves the Master Boot Record (MBR) or the GUID Partition Table (GPT) of the system hard drive.
Audit Log tab
If Gather Sure Start event logs is selected, HP MIK retrieves HP Sure Start event logs from the client computers and stores them in the Configuration Manager hardware inventory.
Creating a policy
1. In Configuration Manager, select Assets and Compliance, and then select Overview.
2. Select HP Manageability Integration Kit, right-click Sure Start, and then select Create Policy.
3. Enter a Baseline name, and then select Start Policy.
4. Modify the settings, and then click Next.
5. Review the Summary page. If changes are necessary, select the Previous button; otherwise, select Save Policy.
6. After the policy has been saved successfully, select Deploy, and then select the target collections to which to apply the policy.
Editing a policy
1. In Configuration Manager, select Assets and Compliance, and then select Overview.
2. Select HP Manageability Integration Kit, right-click Sure Start, and then select Edit Policy.
3. Select an existing baseline policy to edit and select OK to continue the wizard.
4. Complete the procedure for steps 4 through 6 in Creating a policy.
Additional information
Not all features are supported on all systems.
Certain systems might require a manual action to restart after a configuration change.
Audit logs
For client computers, the HP MIK Sure Start policy log is created in %PROGRAMDATA%\HP\HP MIK\Logs.
If enabled, HP MIK retrieves HP Sure Start logs as part of the Configuration Manager hardware inventory.
To view the audit log entries:
1. In Configuration Manager, select Assets and Compliance, select Overview, and then select Devices.
2. Right-click a device, select Start, and then select Resource Explorer.
3. Select Hardware, and then select HP Sure Start Audit Logs.
TPM Firmware Update
The TPM firmware update policy helps perform the following actions:
• Upgrading from an older TPM 1.2 firmware to a newer TPM 1.2 firmware
• Upgrading from an older TPM 2.0 firmware to a newer TPM 2.0 firmware
• Converting from TPM 1.2 to TPM 2.0
• Converting from TPM 2.0 to TPM 1.2
Supported client platforms
Desktop computers:
• HP EliteDesk 705 G2 Desktop Mini PC
• HP EliteDesk 800 35W G2 Desktop Mini PC
• HP EliteDesk 800 65W G2 Desktop Mini PC
• HP EliteDesk 800 G2 Small Form Factor PC
• HP EliteDesk 800 G2 Tower PC
• HP EliteOne 800 G2 23-inch Non-Touch All-in-One PC
• HP EliteOne 800 G2 23-inch Touch All-in-One PC
• HP ProDesk 400 G2 Desktop Mini PC
• HP ProDesk 400 G3 Microtower PC
• HP ProDesk 400 G3 Small Form Factor PC
• HP ProDesk 480 G3 Microtower PC
• HP ProDesk 490 G3 Microtower PC
• HP ProDesk 498 G3 Microtower PC
• HP ProDesk 600 G2 Desktop Mini PC
• HP ProDesk 600 G2 Microtower PC
• HP ProDesk 600 G2 Small Form Factor PC
• HP ProOne 400 G2 20-inch Non-Touch All-in-One PC
• HP ProOne 400 G2 20-inch Touch All-in-One PC
• HP ProOne 600 G1 All-in-One PC
• HP ProOne 600 G2 21.5-inch Non-Touch All-in-One PC
• HP RP9 G1 Retail System Model 9015
• HP RP9 G1 Retail System Model 9018
Notebook computers:
• HP EliteBook 1030 G1 Notebook PC
• HP EliteBook 1040 G3 Notebook PC
• HP EliteBook 725 G3 Notebook PC
• HP EliteBook 745 G3 Notebook PC
• HP EliteBook 755 G3 Notebook PC
• HP EliteBook 820 G3 Notebook PC
• HP EliteBook 840 G3 Notebook PC
• HP EliteBook 850 G3 Notebook PC
• HP EliteBook Folio G1 Notebook PC
• HP Elite x2 1012 G1
• HP ProBook 430 G3 Notebook PC
• HP ProBook 440 G3 Notebook PC
• HP ProBook 450 G3 Notebook PC
• HP ProBook 455 G3 Notebook PC
• HP ProBook 470 G3 Notebook PC
• HP ProBook 640 G2 Notebook PC
• HP ProBook 645 G2 Notebook PC
• HP ProBook 650 G2 Notebook PC
• HP ProBook 655 G2 Notebook PC
• HP ZBook 15 G3 Mobile Workstation
• HP ZBook 17 G3 Mobile Workstation
• HP ZBook Studio G3 Mobile Workstation
Supported client operating systems
• Windows 10
• Windows 8.1
• Windows 7 (TPM 1.2 only)
Other client system prerequisites
• Infineon SLB9670 TPM chip
• Latest commercial BIOS
• Microsoft .NET Framework 4.0 or higher
• HP MIK
Creating a policy
1. In Configuration Manager, select Assets and Compliance, and then select Overview.
2. Select HP Manageability Integration Kit, right-click TPM Firmware Update, and then select Create Policy.
3. Enter a Baseline name, and then follow the on-screen instructions to complete the wizard.
4. Select the target TPM version, and then select Create Policy. See Additional information for warnings and limitations.
5. Review the Summary page. If changes are necessary, select the Previous button; otherwise, select Save Policy.
6. After the policy has been saved successfully, select Deploy, and then select the target collections to which to apply the policy.
Editing a policy
1. In Configuration Manager, select Assets and Compliance, and then select Overview.
2. Select HP Manageability Integration Kit, right-click BIOS Configuration, and then select Edit Policy.
3. Select an existing baseline policy to edit, and then select OK to continue the wizard.
4. Complete the procedure for steps 4 through 6 in Creating a policy.
Additional information
Warning
To avoid a complete loss of data, the primary drive must be in a decrypted state before pushing this policy. The policy has a built-in check for BitLocker and WinMagic disk encryption solutions only. If BitLocker or WinMagic drive encryption is used, the policy exits with an appropriate error code logged. The policy does not detect other disk encryption solutions.
TPM can be converted between TPM 1.2 and TPM 2.0 up to a maximum of 64 times.
Converting TPM involves potentially upgrading to a newer TPM firmware. The following rules govern this operation:
• If the system has TPM 1.2 and the target is TPM 2.0, TPM 2.0 is enabled and upgraded with the latest firmware version.
• If the system has TPM 2.0 and the target is TPM 1.2, TPM 1.2 is enabled and upgraded with the latest firmware version.
• If the system has TPM 1.2 and the target is TPM 1.2, TPM 1.2 is upgraded to the latest firmware version.
• If the system has TPM 2.0 and the target is TPM 2.0, TPM 2.0 is upgraded to the latest firmware version.
This procedure requires a manual action to complete the reboot.
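Because the policy's built-in encryption check covers only BitLocker and WinMagic, a client can be checked before it is placed in a targeted collection. The following pre-flight script is an added example, not part of HP MIK or the original paper; the function name Get-TpmPreflight is hypothetical, it assumes a client with the BitLocker PowerShell module and an elevated session, and like the policy it cannot see other disk encryption products.

```powershell
# Added example (not HP MIK code): read-only pre-flight check to run on a client
# before the TPM Firmware Update policy is deployed to it.
# Run elevated; Win32_Tpm and Get-BitLockerVolume need administrator rights.

function Get-TpmPreflight {
    $blockers = New-Object 'System.Collections.Generic.List[string]'
    $vendor = $null; $family = $null; $firmware = $null
    $volumeStatus = 'Unknown'

    # --- TPM identity -------------------------------------------------------
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    if ($tpm) {
        $vendor   = [string]$tpm.ManufacturerIdTxt
        $firmware = [string]$tpm.ManufacturerVersion
        # SpecVersion looks like "2.0, 0, 1.16"; the first field is the TPM family.
        $family   = ([string]$tpm.SpecVersion -split ',')[0].Trim()
        # 'IFX' is the vendor ID Infineon TPMs report. WMI does not expose the
        # chip model, so SLB9670 itself still has to be confirmed from HP data.
        if ($vendor -notlike 'IFX*') {
            $blockers.Add("TPM vendor is '$vendor', not Infineon (IFX).")
        }
    } else {
        $blockers.Add('No TPM is visible to Windows (absent, disabled, or session not elevated).')
    }

    # --- Primary drive encryption state --------------------------------------
    # The paper requires the primary drive to be decrypted before the policy runs.
    if (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($vol) { $volumeStatus = [string]$vol.VolumeStatus }
    }
    if ($volumeStatus -eq 'Unknown') {
        # Fail closed: an undetermined state is treated as a blocker.
        $blockers.Add('Could not determine BitLocker state of the system drive.')
    } elseif ($volumeStatus -ne 'FullyDecrypted') {
        $blockers.Add("System drive BitLocker status is '$volumeStatus'; it must be FullyDecrypted.")
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        TpmVendor      = $vendor
        TpmFamily      = $family      # '1.2' or '2.0'
        TpmFirmware    = $firmware
        OsVolumeStatus = $volumeStatus
        ReadyForPolicy = ($blockers.Count -eq 0)
        Blockers       = $blockers.ToArray()
        # Not covered: WinMagic and any other third-party disk encryption.
    }
}

$report = Get-TpmPreflight
$report | Format-List
```

Recording TpmFamily and TpmFirmware before deployment also gives a baseline for confirming afterwards which of the four conversion rules above was applied.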
HP WorkWise (Windows 10 only)
HP WorkWise is a smartphone-to-computer integrated HP app that helps you secure, monitor, and simplify your PC experience.
Users can download apps from the Microsoft app store, but IT administrators can specify which features are available on the client computers.
Supported client platforms
•
HP commercial computers (2016 or later)
Client system prerequisites
•
Windows 10 Anniversary Update
•
Microsoft .NET Framework 4.0 or higher.
The HP WorkWise software must be installed on the client computers. For app-specific requirements, see the HP WorkWise documentation.
User interface
The user interface for this app allows you to enable or disable the HP WorkWise features.
•
All Features—Select to enable all features.
•
Security—Select to enable both Lock/Unlock and Tamper Detection.
•
Performance—Select to enable the computer performance monitoring features, PC Dashboard and Hot PC remediation.
•
Printer—Select to enable Printer Driver Installer.
Creating a policy
1. In Configuration Manager, select Assets and Compliance, and then select Overview.
2. Select HP Manageability Integration Kit, right-click HP WorkWise, and then select Create Policy.
3. Enter a Baseline name, and then follow the on-screen instructions to complete the policy wizard.
4. Modify the settings.
5. Review the Summary page. If changes are necessary, select the Previous button; otherwise, select Save Policy.
6. After the policy has been saved successfully, select Deploy, and then select the target collections to which to apply the policy.
Editing a policy
1. In Configuration Manager, select Assets and Compliance, and then select Overview.
2. Select HP Manageability Integration Kit, right-click HP WorkWise, and then select Edit Policy.
3. Select an existing baseline policy to edit and select OK to continue the wizard.
4. Complete the procedure for steps 4 through 6 in Creating a policy.
HP Client Driver Packs
Creating and importing an HP driver pack
The Create and Import HP Client Driver Pack option displays the drivers for supported HP products. This works similarly to the option previously available with HP CIK.
1. In Configuration Manager, select Software Library, select Overview, select Operating Systems, and then select Driver Packages.
2. Select HP Client PCs, and then select Create and Import HP Client Driver Pack. The Create and Import HP Client Driver Pack wizard is displayed.
3. Select the Operating system.
4. Only the products that support driver-pack creation are displayed in the Available products column. Optionally, enter keywords into the HP product name box, and then press Enter to filter the list of available products.
5. Select an available product, and then select the right-arrow button to add the product to the Selected products column.
6. Repeat step 5 to select another product, as necessary. HP recommends selecting products of the same family model to create a driver pack with the optimal relevant drivers. Also, HP recommends selecting no more than five products per driver pack.
For example, you might select HP ProBook 640 G1 Notebook PC and HP ProBook 650 G1 Notebook PC to create an HP ProBook 600 series G1 Notebook PC driver pack.
7. Click Next.
8. By default, the Create driver package with the selected drivers below import option is selected. This creates a driver package for the selected drivers.
A. Enter a Name for the driver package. Enter a Version and a Comment, if necessary.
B. Under drivers, verify that the drivers to include in the driver package are selected and be sure that all other drivers are cleared.
– or –
To import drivers to auto apply or to create a driver pack later, select the Import driver(s) only import option. By default, the Driver category for imported drivers is HP Client Driver. Select a different driver category, if necessary.
9. Click Next.
10. If you are creating a driver package, configure the distribution points and network shares as follows:
A. Select the Distribution point(s) to assign the driver pack to specific destinations. Cloud distribution points are not supported.
B. Select the location for Configuration Manager to save the Drivers and Driver package(s). Be sure that the specified locations have sufficient rights to be accessed by all necessary user accounts.
11. If you are importing drivers only, select the location for Configuration Manager to save the Drivers. Be sure that the specified location has sufficient rights to be accessed by all necessary user accounts.
12. If you require the import to stop when an error is encountered, clear the Continue on errors option. By default, this box is selected. When multiple drivers are selected, the next selected drivers are imported if the current driver fails to import.
13. By default, HP MIK uses Hypertext Transfer Protocol (HTTP) to download the selected drivers. If necessary, select FTP.
14. Any change to the settings in Select network share(s) and other settings enables the Save settings button. Select this button to save the settings for subsequent driver and driver package creation or import procedures.
Downloading and importing HP driver packs
The Download and Import Driver Packs option displays a list of HP products with driver packs. This works similarly to the option previously available with HP CIK.
1. In Configuration Manager, select Software Library, select Overview, select Operating Systems, and then select Driver Packages.
2. Select HP Client PCs, and then select Download and Import Driver Packs.
3. Select an Operating system.
4. The Available products column displays the products that support driver packs. Optionally, enter keywords into the HP product name box and press Enter to filter the list of available driver packs.
5. Select a driver pack to include in the targeted operating system deployment, and then select the right arrow button to add the products to the Selected products column. The associated driver packs of the selected products are displayed in the Available driver packs list.
6. Optionally, select distribution points to assign the imported driver packs to a specific destination; however, cloud distribution points are not supported.
7. If necessary, change the default location for Configuration Manager to save the drivers and driver package. Be sure that the specified location has sufficient rights to be accessed by all necessary user accounts.
Any change to this path or other settings enables the Save settings button. Select this button to save the settings for subsequent driver package download and import procedures.
8. If the driver pack download and import process must stop when an error is encountered, clear the Continue on errors option. By default, this box is selected. When multiple driver packs are selected, the process continues to the next selected driver pack if the download and import process of the current driver pack fails.
9. By default, HP MIK uses HTTP to download the driver packs. If necessary, select FTP.
10. Select Download and Import to start the driver pack download and import process.
Note
The Reset Form button clears all selections.
During the download and import process, a dialog box displays the current operation and progress. The process downloads the selected driver packs and imports them into Configuration Manager. If one or more selected driver packs already exists in Configuration Manager, the process prompts the user to skip or overwrite the existing driver packs.
After the process is complete, a summary of the import status of each driver pack is displayed.
The imported driver packs are created in Driver Packages > HP Client Driver Packages.
Before the imported driver packs can be used in a task sequence, they need to be pushed out to the distribution points. If no distribution points were selected in the download and import dialog box or if additional distribution points are needed, select each imported driver pack, select Distribute Content, and then follow the on-screen instructions to push the driver packs to the distribution points.
Note
This process requires a continuous internet connection to ftp.hp.com. If the driver pack information cannot be retrieved from ftp.hp.com on the device with the Configuration Manager console installed, open a browser session to verify the connection, and then try to complete the process again.
If there is no internet connection to ftp.hp.com from the device with the Configuration Manager console installed, obtain the HP driver packs via one of the following methods and use the Import Downloaded Driver Pack menu item instead.
Obtaining HP driver packs
There are several ways to obtain driver packs:
Note
Not all driver packs available for download can be used with HP MIK. Driver packs listed under categories such as System – Software Management cannot be imported with HP MIK.
•
HP Client Management Solutions website
•
HP Support product pages
•
HP SoftPaq Download Manager (SDM)
To obtain driver packs using the HP Client Management Solutions website:
1. Go to http://www.hp.com/go/clientmanagement.
2. Under Resources, select HP Driver Packs.
3. Select 32-bit or 64-bit, depending on the target operating system.
4. Download the appropriate driver pack for the target client computer and operating system.
To obtain driver packs using HP Support product pages:
1. Go to http://www.hp.com/support.
2. Select Get software and drivers.
3. Enter the client computer model number, and then select Find my product.
4. Select the client computer.
5. Select your language and operating system.
6. Under Manageability – Tools, download the appropriate driver pack.
Note
WinPE driver packs listed on the download page are used only to create HP client boot images.
To obtain driver packs using HP SDM:
1. Go to http://www.hp.com/go/clientmanagement.
2. Under Resources, select HP Download Library.
3. Download SoftPaq Download Manager.
4. Select Start, select All Programs, select HP, and then select HP SoftPaq Download Manager.
5. Select Show software for all supported models.
6. Select English – International as the target language.
7. Under Product Catalog, select the target platform and operating system, and then select Find Available SoftPaqs.
8. Download the driver packs in the category Manageability – Driver Pack.
Creating driver packs using HP SDM
To create driver packs using HP SDM (version 3.5.2.0 or higher):
1. Select Start, select All Programs, select HP, and then select HP SoftPaq Download Manager.
2. Select Tools, and then select Configuration Options.
A. On the OS Filter tab, select the Win7, Win 8, or Win 8.1 operating system.
B. On the Language Filter tab, select English – International as the target language.
C. Select OK.
3. On the Build Driver Pack tab, select the plus sign (+) next to a product category to display all products in the category. Select products to add to the driver pack.
4. Select the platforms and operating systems, and then select Find Available SoftPaqs.
5. Select the SoftPaqs to include in the driver pack.
6. In the Download SoftPaqs window, select an action from the drop-down menu next to the Download button:
•
Build CAB File—Select this option to use Microsoft Deployment Toolkit or HP MIK in conjunction with Configuration Manager to deploy the driver pack.
•
Build ZIP File—Select this option to use HP MIK with Configuration Manager or to manually deploy the driver pack through another application.
7. Select Download.
8. If the EULA appears, accept the license and continue.
9. The Driver Pack Builder screen displays boxes for the Driver Pack Name, OS-Bitness, and Output directory. Enter any necessary information, and then select Build.
10. A message is displayed indicating that the driver pack build is complete. Select OK.
The driver pack and associated logs are now available in the output directory.
Importing HP driver packs
1. In Configuration Manager, select Software Library, select Overview, select Operating Systems, and then select Driver Packages.
2. In the HP Client PCs section of the ribbon menu, select Import Driver Pack.
3. Under Driver package, select Browse, and then select the HP driver pack to be imported.
4. Optionally, select distribution points to assign the imported driver packages to a specific destination; however, cloud distribution points are not supported.
5. Change the default location for Configuration Manager to save the drivers and driver package, if necessary. Be sure that the specified locations have sufficient rights to be accessed by all necessary user accounts. The location per user is saved automatically after a successful importation.
Any change to this path or other settings enables the Save settings button. Select this button to save the settings for subsequent driver package download and import procedures.
6. Select Import.
During the importation process, a dialog box displays the current operation and progress.
After the importation process is complete, the imported driver pack is available in Software Library under HP Client Driver Packages. Before the imported driver pack can be used in a task sequence, it needs to be pushed out to the distribution points. If no distribution points were selected during the import process or if additional distribution points are needed, select the driver pack and then select Distribute Content.
HP client boot images
Obtaining a WinPE driver pack
1. Go to http://www.hp.com/go/clientmanagement.
2. Under Resources, select HP Download Library.
3. Download either HP WinPE Driver Pack 32-bit or HP WinPE Driver Pack 64-bit.
Note
Not all platforms or configurations require the WinPE 4.0 driver pack, as WinPE 4.0 already contains many of the necessary hardware drivers needed to support operating system deployment. HP recommends creating and using the WinPE 4.0 driver pack, because the added drivers do not impact systems or configurations that do not need them.
WinPE 5.0 natively supports HP commercial desktops, notebooks, and workstations shipping from 2011 to 2013. Platforms shipping in 2014 or later might require the WinPE 5.0 driver pack. The WinPE 5.0 driver pack cannot be used with WinPE 4.0, nor can the WinPE 4.0 driver pack be used with WinPE 5.0.
Because each version of Configuration Manager supports the customization or addition of drivers and components to a specific version of WinPE only, HP MIK Create Boot Image provides limited support. For more information about the specific requirements for WinPE customization, go to http://technet.microsoft.com/en-us/library/dn387582.aspx.
Before a boot image is made available to a distribution point, Configuration Manager might use Windows Assessment and Deployment Kit (ADK), particularly DISM.exe, to inject drivers to a boot image. DISM might fail to appropriately recognize the signature of some boot-critical drivers added to the boot image because DISM has certain requirements that depend on the version of ADK and the operating system. For more information, go to http://technet.microsoft.com/en-us/library/hh825070.aspx.
The HP MIK Create Boot Image feature leverages the Configuration Manager and ADK customization support for boot images, so the limitations of HP MIK are dependent on the Configuration Manager version, the ADK version, and the operating system version of the site server.
Importing a WinPE driver pack and creating boot images
1. In Configuration Manager, select Software Library, select Overview, select Operating Systems, and then select Boot Images.
2. In the HP Client PCs section of the ribbon menu, select Create Boot Image.
3. Under HP client WinPE driver pack, select Browse. Select the HP WinPE driver pack to import. HP MIK shows only the boot images appropriate for the selected WinPE driver pack and supported for customization by Configuration Manager.
4. Select the base boot images to use, and then select Create to create boot images with drivers from the selected HP WinPE driver pack.
5. Optionally, select distribution points to assign the boot images to a specific destination; however, cloud distribution points are not supported.
6. Change the default locations for Configuration Manager to save the drivers, the driver package, and the boot images, if necessary. Be sure that the specified locations have sufficient rights to be accessed by all necessary user accounts.
The location per user is saved automatically after a successful importation. Any change to this path or other settings enables the Save settings button. Select this button to save the settings for subsequent boot image creation and driver or driver pack import procedures.
Depending on the architecture of the base image and the architecture supported by the Windows Preinstallation Environment boot image, x86 and/or x64 images are created. HP Windows Preinstallation Environment driver packs for Windows 10 contain drivers for 64-bit boot images. Windows Preinstallation Environment driver packs for previous versions of Windows contain drivers for both 32- and 64-bit boot images.
After the process is complete, the new boot images are created in Boot Images > HP Client Boot Images.
To access the command prompt during the WinPE portion (F8) for debugging purposes:
1. Right-click the image and select Properties, and then select Customization.
2. Select Enable command support (testing only).
Before these boot images can be used in a task sequence, the boot images need to be pushed out to the distribution point.
If no distribution points were selected in the import process or if additional distribution points are needed, or if there is a change to the boot image properties, select the boot image and then select Distribute Content.
HP client task sequences
Creating a deployment task sequence
1. In Configuration Manager, select Software Library, select Overview, select Operating Systems, and then select Task Sequences.
2. In the HP Client PCs section of the ribbon menu, select Create Deployment Task Sequence.
3. Select a template from the Task Sequence Template drop-down menu.
The following examples show how to reference HP tools to aid with the deployment process.
4. Enter information as instructed.
5. If you do not plan to use BitLocker Drive Encryption (BDE), clear the Include BitLocker Drive Encryption steps option.
For more information on Configuration Manager BDE steps, go to https://technet.microsoft.com/en-us/library/hh846237.aspx.
6. Select Create to create a basic, bare metal deployment task sequence for HP client systems. A message box displays confirmation of the successful creation of the task sequence.
Important
Depending on the selected template, some of the steps in the created task sequence are destructive, including the following:
•
Remove Disk Partitions (diskpart clean)
•
Format and Partition Disk
•
Call Intel RSTCli Utility – Delete All Metadata
•
Call Intel RSTCli Utility – Configure RAID Volume
HP recommends creating task sequences and testing them thoroughly in a test environment prior to any production deployments. HP is not responsible for any data loss caused by the created task sequences.
Configuring task sequences
Refresh the list of task sequences to see the created task sequence. Before using the task sequence, additional configuration must be performed for the task sequence to successfully execute.
The template
1. Be sure that the target platform driver pack has been imported. See Importing HP driver packs.
2. Right-click the task sequence and select Edit.
The following figure is a task sequence created by the Default Template for Windows 7 or Windows 8. This task sequence can be used with either Windows 7 or Windows 8.
There is also the Default Template for Windows 10. The default disk partition configuration in the templates is different. For Windows 10, the recommended Windows recovery tool partition is at the end of the drive; in previous versions of Windows, it was at the beginning. The default partition takes up 1% of the disk space. Change this value to your Windows recovery image size, usually at least 500 megabytes (MB).
3. Depending on the target operating system of the deployment, some or all of the following steps need to be configured:
•
Set BIOS Configuration (Input File)—Allows the setting of BIOS settings via BCU. The TPM must be turned on and
•
Remove Disk Partitions (diskpart clean)—This step does not need configuration; however, for the task sequence to run properly on all disk scenarios, the deployment and all packages and content within it need to be configured to
information. If this step is not needed, disable the step.
•
Format & Partition Disk—Enable the appropriate step to format and partition the disk as needed. For example, if deploying to a system that is set to UEFI or UEFI Hybrid (with CSM), enable the EFI format step and be sure that the BIOS format step is disabled.
•
Apply Driver Package—Specifies the HP driver package imported for the target platform and operating system.
•
Apply Network Settings—Specify the workgroup or domain options for your deployment, and enter the correct account information for the task sequence to join an Active Directory domain, if necessary.
Review each additional task sequence step and set parameters as needed.
4. After all task sequence steps have been configured, select either OK or Apply to save changes. The task sequence can now be modified, and task sequence steps can be added as needed to perform your operations.
Assigning a boot image
1. Right-click the task sequence and select Properties.
2. Select the Advanced tab and then select Use a Boot Image.
3. Select Browse and then select the appropriate boot image from the HP Client Boot Images folder.
Note
Select the boot image with the same architecture as the operating system being deployed (for example, an x86 image for an x86/32-bit operating system and an x64 image for an x64/64-bit operating system).
Allowing access to deployment content
To run properly, the Remove Disk Partitions (diskpart clean) step in the HP MIK task sequence needs to be run directly from the network. For this to happen, all packages and content in the task sequence (including the boot image) need to be configured as follows:
1. Right-click the content/package and select Properties.
2. Select the Data Access tab, and select Copy the content in this package to a package share on distribution points.
3. Select OK.
4. If necessary, select the Access content directly from the distribution point option on the Distribution Points step of the wizard.
If this step is not needed, or if you wish to use the download content setting, disable this task sequence step. If you still need to be able to run this step when the Download content locally option is selected, see The Remove Disk
5. After the task sequence has been modified and amended as needed, deploy to the target collection and distribute content as needed to use the task sequence. Follow the on-screen instructions to complete this process.
Configuring the Set BIOS Configuration task step
The Set BIOS Configuration (Input File) task step allows the configuration of BIOS settings on platforms managed by HP. This Run Command Line task uses BCU.
This task sequence step is run with the following command line:
RunBCU.cmd <parameters to pass to BCU>
For a list of parameters and options, see the HP BIOS Configuration Utility User Guide.
This action applies the BIOS settings specified in the selected REPSET file and/or executes specified command line options.
The batch file calls the appropriate version of BCU depending on the architecture of the current operating system.
An example REPSET file is included with the package; it is located in the Config folder of the package source folder and named BCUSettingExampleOnly.REPSET. If this REPSET file is used in this task step, the command line is as follows:
RunBCU.cmd /setconfig:"Config\BCUSettingExampleOnly.REPSET"
HP recommends saving the REPSET file in the source folder or subfolder of the package so that you can easily reference it in the command line.
Adding and editing configuration files
Note
Be aware of the following when using this task sequence step:
•
After making changes or adding a configuration file to the package folder, be sure to update the HP Client BIOS Configuration Utility package to the distribution points to ensure that the new configuration files are available for the task sequence.
•
Some BIOS setting changes might not take effect until after a restart of the target client; a restart might be needed to be sure all settings apply.
•
Changing certain BIOS settings might cause task sequences to fail to complete. Be sure to test the desired BIOS configuration file before deploying the task sequence widely.
•
Certain characters used in BIOS passwords might require special escaping to work properly; see the HP BIOS Configuration Utility User Guide link included with the HP MIK for details.
For more information, see HP BIOS Configuration Utility (BCU).
1. Obtain the configuration file from the target platform and edit the file by setting the new values and removing settings and values from the configuration file that are not required to be applied through this configuration.
2. Go to the package source folder location of BCU. By default, the package is located in the HP Client Support Packages section of the Configuration Manager Software Library.
3. Select the source folder location and copy the REPSET file to the folder.
4. Update the distribution points so that the REPSET file is made available to the task sequence.
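One way to carry out step 1 of this procedure, reducing an exported configuration to only the settings to be applied, shown as an added example that is not part of HP MIK or BCU. It assumes the usual BCU text layout (a header line, ';' comment lines, setting names at the start of a line, indented values with '*' marking the selected option); the sample export and its setting names are constructed, and the function names are hypothetical.

```python
# Constructed sample of an exported configuration (assumed BCU text layout).
# Setting names vary by platform; these are placeholders for illustration.
SAMPLE_EXPORT = (
    "BIOSConfig 1.0\n"
    ";\n"
    ";     Originally created by BIOS Configuration Utility\n"
    ";\n"
    "Asset Tracking Number\n"
    "\tABC123\n"
    "USB Storage Boot\n"
    "\t*Enable\n"
    "\tDisable\n"
    "Secure Boot\n"
    "\tEnable\n"
    "\t*Disable\n"
)


def parse_config(text):
    """Return (header, {setting name: [value lines]}) from an export."""
    header, settings, current = None, {}, None
    for line in text.splitlines():
        # Skip blank lines and ';' comments.
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        if header is None:
            header = line.strip()          # first real line is the header
        elif line[0] in " \t":
            if current is None:
                raise ValueError("value line before any setting name")
            settings[current].append(line.strip())
        else:
            current = line.strip()         # unindented line starts a setting
            settings[current] = []
    return header, settings


def build_repset(export_text, wanted):
    """Build a minimal REPSET containing only the settings in `wanted`.

    `wanted` maps setting name -> new value. Unknown names or option
    values raise instead of being written out, so a typo is caught here
    rather than surfacing as a setting that never applies on the clients.
    """
    header, settings = parse_config(export_text)
    out = [header]
    for name, new_value in wanted.items():
        if name not in settings:
            raise KeyError(f"setting not in export: {name}")
        values = settings[name]
        options = [v.lstrip("*") for v in values]
        out.append(name)
        if any(v.startswith("*") for v in values):
            # Enumerated setting: move the '*' to the requested option.
            if new_value not in options:
                raise ValueError(f"{name}: {new_value!r} not in {options}")
            for opt in options:
                out.append("\t" + ("*" if opt == new_value else "") + opt)
        else:
            # Free-text setting: replace the value.
            out.append("\t" + new_value)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_repset(SAMPLE_EXPORT, {"Secure Boot": "Enable"}), end="")
```

Every setting left out of the result stays at whatever value the target system already has, which is why the procedure removes settings that are not meant to be applied.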
Refreshing task sequence references
Task sequence references might need to be refreshed if one of the following applies:
•
HP MIK was uninstalled and then reinstalled.
•
Some or all of the HP Client Support Packages were deleted and reinstalled using the Repair option in the installer.
To refresh the references:
1. Right-click the task sequence and select Edit.
2. Follow the on-screen instructions in the Action column of the following table.
Task sequence step | Action
Set BIOS Configuration (Input File) | Select the package HP Client BIOS Configuration Utility in the folder HP Client Support Packages.
Remove Disk Partitions (diskpart clean) | Select the package HP Client Support Tools in the folder HP Client Support Packages.
Using the Configure RAID Example template
Preparing the boot image used by the task sequence
2. Remove any existing Intel Rapid Storage Technology (Intel RST) RAID drivers to avoid any conflict with the driver added in the following step.
3. Add the version of the Intel Rapid Storage Technology RAID Driver that supports the target client systems to the boot image.
Preparing the packages used by the task sequence
2. Go to https://downloadcenter.intel.com, and then search for Smart Response Technology Command Line Interface Deployment Tool. Locate the tool version that matches the driver version, and follow the on-screen instructions to download it.
Note
The major version and minor version values of the driver and the command line tool must match.
For example, the command line tool version 12.8.x works with the driver version 12.8.x.
3. Unzip the downloaded file. The file might contain zip files for the 64-bit and 32-bit binaries of the tool. Those also need to be extracted.
4. Copy the extracted files and folders of the command line tool to the location to be the source of the software package for this tool.
5. Create a software package that references the source location.
Configuring task sequence steps
1. To begin configuration, right-click the task sequence and select Edit.
2. The following steps need to be configured:
A. Call Intel RSTCli Command Line Utility – Delete All Metadata—Removes all previously configured disk metadata.
i. Replace the command: The command line in the step, rstcliXX.exe, is just a placeholder. Read the utility documentation carefully and replace the placeholder command with the actual command. The package containing the command line utility in the preparation step earlier needs to be selected in this step.
The following is an example of the command line:
IntelRSTCli\12.8\x64\rstcli64.exe --manage --delete-all-metadata
In this example command, IntelRSTCli\12.8\x64 is the relative location from the source folder to the actual command line utility in the content of the package.
ii. Select the Intel command line tool package prepared earlier.
B.
BIOS Configuration task step for more details.
C. Call Intel RSTCli Command Line Utility – Configure RAID Volume—Configures the RAID volume on the target client.
i. Replace the command: Like the step to delete all metadata, the command line in the step, rstcliXX.exe, is just a placeholder. See the utility documentation and replace the placeholder command with the actual command. The package containing the command line utility needs to be selected. The following is an example of the command line to configure RAID level one (mirror) with hard drives:
IntelRSTCli\12.8\x64\rstcli64.exe --create --level 1 -n Volume 0-0-0-0 0-10-0
Again, IntelRSTCli\12.8\x64 is the relative location from the source folder to the actual command line utility in the content of the package.
ii. Select the Intel command line tool package prepared earlier.
D. Remove Disk Partitions (diskpart clean)—This step does not need configuration; however, for the task sequence to properly run on all disk scenarios, the deployment and all packages and content within it need to be
for more information.
E. Format & Partition Disk—By default, the task sequence has the BIOS (legacy/MBR) format step enabled and the EFI (GPT) step disabled. If deploying to a system that is set to UEFI or UEFI Hybrid (with CSM), enable the EFI format step and disable the BIOS format step.
F. Apply Driver Pack—Specifies the HP driver pack imported for the target platform and operating system.
G. Require Reboot to PXE/USB—Because this task sequence requires one or more immediate reboots in the WinPE when the disk has not been defined yet, the RebootStep variable is used to control the flow of the task sequence.
3. Review each task sequence step and set parameters as needed for the rest of the task steps. If these steps do not work, verify that you entered the correct network credentials in the task sequence creation dialog.
4. After all task sequence steps have been configured, select OK or Apply to save changes. The task sequence can now be modified and task sequence steps can be added as needed to perform your desired operations.
Assigning a boot image
1. Right-click the task sequence and select Properties.
2. Select the Advanced tab and then select Use a Boot Image.
3. Select Browse, and then select the appropriate boot image that had the Intel RST RAID driver added during the boot image preparation.
Note
Select the boot image with the same architecture as the operating system being deployed (for example, an x86 image for an x86/32-bit operating system and an x64 image for an x64/64-bit operating system).
Allowing access to deployment content
To run properly, the Remove Disk Partitions (diskpart clean) step in the HP MIK Configure RAID Example task sequence needs to be run directly from the network. For this to happen, all packages and content in the task sequence (including the boot image) need to be configured as follows:
1. Right-click the content/package and select Properties.
2. Select the Data Access tab, and select Copy the content in this package to a package share on distribution points.
3. Select OK.
4. When deploying, the Access content directly from the distribution point option can be selected on the Distribution Points step of the wizard.
5. After the task sequence has been modified and amended as needed, deploy to the target collection and distribute content as needed to use the task sequence. Follow the on-screen instructions to complete this process.
Understanding the task sequence execution flow
The task sequence is divided into three task groups—Configure Hardware, Configure RAID, and Install Operating System.
Conditions on the three groups and a computer variable are used to control the processing of the task sequence across multiple reboots over PXE/USB. The Set RebootStep Variable task increments the RebootStep variable by one (1) each time it is executed. If the variable is not present, it is created and set to 0 before being incremented.
During the initial execution of the task sequence, the tasks in the Configure Hardware group are executed. After rebooting and re-executing the task sequence, the Set RebootStep Variable task increments RebootStep to two (2). Because the Configure Hardware group has the condition that it only runs when the value of the RebootStep variable is one (1), this group is skipped after the reboot. The next group, Configure RAID Volume, looks for a RebootStep value of two (2), then it is executed. The last group, Install Operating System, looks for a RebootStep value of three (3). If this condition is met, the third group of steps runs.
Towards the end of the task sequence, the Reset RebootStep Variable task resets RebootStep to zero (0).
Note the following additional points about deploying a task sequence:
• When deploying a task sequence with reboot to PXE/USB, on the Distribution Points screen, set the deployment options to Access content directly from a distribution point when needed by the running task sequence. For this option to be available for each package referenced by your task sequence, select the Data Access tab of the Properties dialog box, and select Copy the content in this package to a package share on distribution points.
• If the task sequence is deployed as Available and not as required, the task sequence must be selected upon reboot for deployment to be continued.
• The target client system must have the appropriate boot order set for reboots for this step to work properly. (That is, if booting via PXE, the PXE NIC should be before any other boot devices in the boot order.)
• To rerun a required task sequence on a target client system, clear the PXE advertisement:
A. In Configuration Manager, select Assets and Compliance workspace.
B. Select Devices.
C. Select the target client system.
D. Select Clear Required PXE Deployments on the ribbon.
• If the task sequence failed to run completely, it might be necessary to clear or reset the RebootStep variable as follows:
A. Right-click the target client system and select Properties.
B. Select the Variables tab.
C. Select the RebootStep variable, and then select the delete button with the X-like icon.
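The RebootStep gating described under "Understanding the task sequence execution flow", and the reason a failed run may need the variable cleared, can be modelled as follows. This is an added example, not HP's task sequence code: the hashtable stands in for the device's computer variables, and the FailInGroup parameter is a hypothetical hook used only to simulate a failing group.

```powershell
# Added illustration (not HP's task sequence code). The hashtable stands in
# for the device's computer variables; -FailInGroup is a hypothetical test hook.
function Invoke-TaskSequencePass {
    param(
        [hashtable] $ComputerVariables,
        [string]    $FailInGroup = ''
    )

    # Set RebootStep Variable: create at 0 if absent, then increment by one.
    if (-not $ComputerVariables.ContainsKey('RebootStep')) {
        $ComputerVariables['RebootStep'] = 0
    }
    $ComputerVariables['RebootStep'] = [int]$ComputerVariables['RebootStep'] + 1
    $step = $ComputerVariables['RebootStep']

    # Each group's condition compares RebootStep with a fixed value.
    $group = switch ($step) {
        1       { 'Configure Hardware' }
        2       { 'Configure RAID' }
        3       { 'Install Operating System' }
        default { $null }
    }

    $result = [pscustomobject]@{
        RebootStepAtRun = $step
        GroupRun        = $group
        Outcome         = 'Reboot to PXE/USB'
    }

    if ($null -eq $group) {
        # Whether Reset RebootStep Variable still runs in this case depends on
        # where it sits in the sequence; that is not modelled here.
        $result.GroupRun = '(none: no group condition matches)'
        $result.Outcome  = 'Nothing runs'
    }
    elseif ($group -eq $FailInGroup) {
        # A failed pass never reaches Reset RebootStep Variable.
        $result.Outcome = "Failed; RebootStep stays at $step"
    }
    elseif ($step -eq 3) {
        # Reset RebootStep Variable runs towards the end of the task sequence.
        $ComputerVariables['RebootStep'] = 0
        $result.Outcome = 'Completed; RebootStep reset to 0'
    }
    $result
}

# Normal deployment: three passes separated by reboots.
$device = @{}
1..3 | ForEach-Object { Invoke-TaskSequencePass -ComputerVariables $device }

# Failure during the second pass, then a rerun without clearing the variable:
# the rerun increments 2 to 3, so only the Install Operating System condition matches.
$device = @{}
Invoke-TaskSequencePass -ComputerVariables $device
Invoke-TaskSequencePass -ComputerVariables $device -FailInGroup 'Configure RAID'
Invoke-TaskSequencePass -ComputerVariables $device

# Same failure, but RebootStep is deleted first (Variables tab, delete button):
# the rerun starts again at Configure Hardware.
$device = @{}
Invoke-TaskSequencePass -ComputerVariables $device
Invoke-TaskSequencePass -ComputerVariables $device -FailInGroup 'Configure RAID'
$device.Remove('RebootStep')
Invoke-TaskSequencePass -ComputerVariables $device
```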
HP BIOS Configuration Utility (BCU)
BCU is a free tool that enables you to do the following:
• Read available BIOS settings and their values from a supported desktop, workstation, or notebook computer
• Set or reset Setup Password on a supported desktop, workstation, or notebook computer
• Replicate BIOS settings across multiple client computers
For more information, see the HP BIOS Configuration Utility User Guide.
Note
The version of BCU included with HP MIK includes a batch file (RunBCU.cmd) that automatically detects the current operating system and runs the correct version of BCU (32- or 64-bit).
HP Password Utility
HP Password Utility is a tool for creating an encrypted password file that can be used with a BCU password file parameter.
This tool is included with BCU. For more information, see the HP BIOS Configuration Utility User Guide.
Uninstalling HP MIK
1. In Control Panel, select Programs and Features.
2. Select HP Manageability Integration Kit, and then select Uninstall.
Any imported driver packages and boot images, and task sequences created by HP MIK remain on the server. The supporting client packages and source files are deleted; however, to preserve the BIOS configuration files, the source folder for BCU is not deleted.
Appendix A—Device collection query examples
IT administrators can create device collections defined by query rules in Configuration Manager. For more information on how to create device collection and query rules, go to https://technet.microsoft.com/en-us/library/gg712295.aspx.
Note
HP recommends verifying your device collection queries in a test environment to ensure accurate software and policy deployment to supported systems before pushing the queries out to production environments.
The following are some basic HP collection queries that can be used as a starting point when working with HP systems and HP MIK features.
All HP systems
Note
Older models might have Hewlett-Packard named as the manufacturer. The query might need to have a condition to include those systems. Be sure to check the support platform list for each HP MIK feature to create the appropriate system collections to manage the feature.
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on
SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId and SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'HP%'
All HP Systems including older models
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where
(SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'Hewlett-Packard%' and SMS_G_System_COMPUTER_SYSTEM.Model not like '%Proliant%') or SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'HP%'
HP systems with a specific model name
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId
= SMS_R_System.ResourceId and SMS_G_System_COMPUTER_SYSTEM.Model = 'HP EliteBook 850 G4'
Windows 10 Enterprise systems
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on
SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId and
SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'HP%' inner join SMS_G_System_Operating_System on SMS_R_System.ResourceID =
SMS_G_System_Operating_system.ResourceID
and SMS_G_System_Operating_System.Caption like '%Windows%10%Enterprise%'
Determining whether Device Guard can be enabled
To determine which systems can have Device Guard enabled, go to https://blogs.technet.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-withconfiguration-manager/ and follow the steps in the Determine applicable systems section.
Systems with HP Sure Start support
For all HP client computers with HP Manageability Integration Kit, HP Sure Start support information can be retrieved via the Configuration Manager hardware inventory extension.
To add HP_SureStartPolicy BIOS Sure Start settings and Sure Start version information to the Configuration Manager default client settings:
1. In Configuration Manager, select Administration workspace. Then, select Client Settings.
2. Right-click Default Client Settings, and then select Properties.
3. In the Default Settings window, select Hardware Inventory and then select Set Classes.
4. In the Hardware Inventory Classes window, select Add.
5. In the Add Hardware Inventory Class window, select Connect.
6. If Configuration Manager is installed on an HP system that has the HP MIK client installed, then leave the default computer name (which is the system the console is on). Otherwise, specify the name of a system that has the HP MIK client installed.
7. Enter root\HP\InstrumentedServices\v1 for the WMI namespace.
8. Select Recursive, and enter the user name and password to connect to the WMI of the specified system.
9. Add the HP_SureStartPolicy class. Select OK to add the class to hardware inventory.
10. Select OK, and then select OK again to close all windows.
After client computers download the updated machine policy and run the hardware inventory cycle, the extended data is reported to Configuration Manager. The data then is available to create collections.
The following is the query to select all HP systems with HP Sure Start support.
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on
SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId and
SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'HP%' inner join SMS_G_System_HP_SureStartPolicy on SMS_R_System.ResourceId =
SMS_G_System_HP_SureStartPolicy.ResourceId
and SMS_G_System_HP_SureStartPolicy.SureStartVersion like 'SS%'
TPM queries
These example TPM queries use TPM data from the Win32_TPM class of the ROOT\cimv2\Security\MicrosoftTpm namespace from clients. Be sure that this TPM class is added to hardware inventory. After a client computer applies the latest machine policy and reports its hardware inventory data to Configuration Manager, the client must be included in the appropriate TPM collection.
Systems with TPM Version 1.2
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on
SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId and
SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'HP%' inner join SMS_G_System_TPM on SMS_R_System.ResourceId =
SMS_G_System_TPM.ResourceId and SMS_G_System_TPM.SpecVersion like '1.2%'
Systems with TPM Version 2.0
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on
SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId and
SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'HP%' inner join SMS_G_System_TPM on SMS_R_System.ResourceId =
SMS_G_System_TPM.ResourceId and SMS_G_System_TPM.SpecVersion like '2.0%'
Systems with a specified application installed
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId =
SMS_R_System.ResourceId and SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'HP%' and (SMS_R_System.ResourceId in (select ResourceId from
SMS_G_System_ADD_REMOVE_PROGRAMS_64 where ProdID = '<Application product ID>' and Version >= '<Minimum supported application version>') or (SMS_R_System.ResourceId in (select ResourceId from SMS_G_System_ADD_REMOVE_PROGRAMS where ProdID = '<Application product ID>' and Version >= '<Minimum supported application version>')))
For example, the following query returns the systems with HP WorkWise version 1.3.1.1 or later installed.
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId =
SMS_R_System.ResourceId and SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'HP%' and (SMS_R_System.ResourceId in (select ResourceId from
SMS_G_System_ADD_REMOVE_PROGRAMS_64 where ProdID = '{56051A5A-7A04-4CD4-A5CD-781F1AC10112}' and Version >= '1.3.1.1') or (SMS_R_System.ResourceId in (select ResourceId from SMS_G_System_ADD_REMOVE_PROGRAMS where ProdID = '{56051A5A-7A04-4CD4-A5CD-781F1AC10112}' and Version >= '1.3.1.1')))
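The Version condition in the application queries above compares quoted values. The following added example (not part of the HP kit) assumes the Version property is compared as a string and uses an ordinal comparison to approximate that; it reports the rows where a string comparison and a component-by-component version comparison disagree, which is worth checking in a test collection before a policy is targeted. The device names and version values are constructed.

```powershell
# Added illustration. Rows are constructed and stand in for the Version
# values inventoried in SMS_G_System_ADD_REMOVE_PROGRAMS.
function Test-VersionFilter {
    param(
        [object[]] $Rows,
        [string]   $Minimum
    )

    $minVersion = [version]$Minimum
    foreach ($row in $Rows) {
        # What a string comparison (Version >= '<minimum>') decides.
        # Ordinal comparison is an assumption that approximates the collation in use.
        $stringMatch = [string]::CompareOrdinal($row.Version, $Minimum) -ge 0

        # What a component-by-component version comparison decides.
        # Values that do not parse as a version count as not matching.
        $parsed = $null
        $versionMatch = [version]::TryParse($row.Version, [ref]$parsed) -and ($parsed -ge $minVersion)

        [pscustomobject]@{
            Name         = $row.Name
            Version      = $row.Version
            StringMatch  = $stringMatch
            VersionMatch = $versionMatch
            Disagreement = $stringMatch -ne $versionMatch
        }
    }
}

# Constructed sample rows (hypothetical device names).
$rows = @(
    [pscustomobject]@{ Name = 'PC-A'; Version = '1.3.1.1'  }
    [pscustomobject]@{ Name = 'PC-B'; Version = '1.10.0.0' }
    [pscustomobject]@{ Name = 'PC-C'; Version = '1.2.9.0'  }
    [pscustomobject]@{ Name = 'PC-D'; Version = '2.0.0.0'  }
    [pscustomobject]@{ Name = 'PC-E'; Version = 'unknown'  }
)

# List every row, then only the rows where the two comparisons disagree.
Test-VersionFilter -Rows $rows -Minimum '1.3.1.1' | Format-Table -AutoSize
Test-VersionFilter -Rows $rows -Minimum '1.3.1.1' | Where-Object { $_.Disagreement } | Format-Table -AutoSize
```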
Systems with Intel Authenticate or a valid Intel Authenticate policy enforced for HP Client Security
For all HP systems that have HP Client Security (with HP MIK support) installed, the WMI class CM_IntelAuthenticatePolicies with the properties State and IsValidPolicyInstalled can be retrieved via the Configuration Manager hardware inventory extension.
To add CM_IntelAuthenticatePolicies to the Configuration Manager default client settings:
1. In Configuration Manager, select Administration workspace. Then, select Client Settings.
2. Right-click Default Client Settings, and then select Properties.
3. In the Default Settings window, select Hardware Inventory and then select Set Classes.
4. In the Hardware Inventory Classes window, select Add.
5. In the Add Hardware Inventory Class window, select Connect.
6. If Configuration Manager is installed on an HP system that has the HP MIK client and HP Client Security installed, then leave the default computer name (which is the system the console is on). Otherwise, specify the name of a system that has the HP MIK client and HP Client Security installed.
7. Enter root\HP\InstrumentedServices\v1 for the WMI namespace.
8. Select Recursive, and enter the user name and password to connect to the WMI of the specified system.
9. Add the CM_IntelAuthenticatePolicies class. Select OK to add the class to hardware inventory.
10. Select OK, and then select OK again to close all windows.
After a client computer downloads the updated machine policy and runs the hardware inventory cycle, the extended data is reported to Configuration Manager. The data then is available to create collections.
The following image shows the CM_IntelAuthenticatePolicies WMI Class on a client computer.
The following query selects all HP systems that are ready to receive a valid Intel Authenticate policy for HP Client Security.
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on
SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId and
SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'HP%' inner join SMS_G_System_CM_IntelAuthenticatePolicies on SMS_R_System.ResourceId =
SMS_G_System_CM_IntelAuthenticatePolicies.ResourceId
and SMS_G_System_CM_IntelAuthenticatePolicies.State = 'Active'
If a system does not have Intel Authenticate installed, its State returns NotInstalled, meaning that Intel Authenticate has either not been installed or failed to install. Install Intel Authenticate and restart the client computer to enable HP Client Security to detect the status change.
Similarly, the query to select all HP systems that have a valid Intel Authenticate policy for HP Client Security enabled is as follows:
select SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on
SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId and
SMS_G_System_COMPUTER_SYSTEM.Manufacturer like 'HP%' inner join SMS_G_System_CM_IntelAuthenticatePolicies on SMS_R_System.ResourceId =
SMS_G_System_CM_IntelAuthenticatePolicies.ResourceId and SMS_G_System_CM_IntelAuthenticatePolicies.IsValidPolicyInstalled ='True'
If a system does not have a valid Intel Authenticate policy for HP Client Security, the IsValidPolicyInstalled property returns False.
Appendix B—Troubleshooting
HP MIK installation issues
An error occurred while installing a supporting package (HP Client BIOS Configuration Utility or HP Client Support Tools)
Verify that the user account running the installer has permission to access the Configuration Manager server and modify the data, or log on as a user that has those permissions.
HP MIK did not completely uninstall
Imported driver packs, created boot images, and task sequences created via HP MIK are not removed when the product is uninstalled. If they are no longer needed, they can be deleted from Configuration Manager.
A task sequence fails to run after reinstalling and/or repairing the installation
When reinstalling and/or repairing the installation, existing task sequences using packages installed by HP MIK are not
Driver pack issues
Configuration Manager reports that the SoftPaq is not a valid driver pack
Only driver packs under the category Manageability – Tools can be imported with HP MIK. Other driver packs listed under other categories (such as Software – System Management) cannot be used with HP MIK.
HP MIK fails to complete the driver pack import process while processing driver INFs
This might happen if an existing driver is detected but the driver source is missing. Verify that the existing driver’s source is present. If not, either delete the driver and reimport the driver pack or restore the missing driver source.
WinPE image creation issues
Some available boot images are not selectable as base boot images
Because each version of Configuration Manager supports the customization or adding drivers and components to a specific version of WinPE only, the HP MIK Create Boot Image feature can provide only limited support. For more information about the specific requirements for WinPE customization, go to http://technet.microsoft.com/en-us/library/dn387582.aspx.
If ADK and the operating system of your site server fail to appropriately verify the signature of some drivers during the boot image creation, you might get this HP MIK error:
Object version mismatch error; a ConfigMgr object has been modified or updated before changes could have been saved. Please try the operation again.
If a retry attempt fails, manually customize or add the drivers to your boot image.
Before troubleshooting a task sequence
• Verify your task sequence settings. The primary cause of task sequence failures is related to the settings you provided in the task sequence steps. Be sure to check the task sequence steps for the following:
– Valid environment or task sequence variable references.
– Valid package references—You must make sure that all packages referenced in the task sequence are available from the distribution points and are up to date.
• Verify that the task sequence was created with the currently installed kit or a previously installed version that was updated. If the kit was uninstalled and then reinstalled, or an HP Client Support Package was removed but reinstalled via setup, the HP packages need to be selected again for the task sequence steps that use them. See this document for more information on updating task sequences with new package references.
• Verify that the downloaded driver packs are removed properly by HP MIK.
– Driver packs downloaded by HP MIK are stored in %TEMP%\hpdriverpack, where %TEMP% is the environment variable defining the default application temporary location for the currently logged on user. HP MIK attempts to remove the downloaded driver packs after a successful import.
• Verify and examine log files.
– Configuration Manager Console log files are located in the AdminUILog folder. This folder is located in the install directory of the Configuration Manager Console.
– Log files generated by HP MIK are stored in %TEMP%\hpclient, where %TEMP% is the environment variable defining the default application temporary location for the currently logged on user.
Extended logging information can be added to the kit log files by adding a debug flag to the registry. In the registry, add a DWORD value named DebugLogging and set the value to 1 for the applicable registry key:
HKLM\Software\Wow6432Node\HP\Client\ConfigMgr Integration Kit
– Additional applicable log files may be available in the Configuration Manager log folder (typically located at %ProgramFiles%\Microsoft Configuration Manager\Logs).
Common task sequence problems
The following are some common problems that might be encountered. If an issue is not listed here, the subsequent troubleshooting sections might provide answers.
Some drivers fail to be injected into the boot image
This might occur when a driver is signed with a newer driver signing method than what DISM and the operating system support. In that case, the driver is treated as an unsigned driver and is not injected into the boot image. For example, when running SCCM 2012 SP1 on Windows Server 2008 R2, some Windows 8/8.1 drivers cannot be injected into a Windows Preinstallation Environment boot image. If the driver in question is not required for your environment, remove the driver from the boot image driver list, and then manually reinject the remaining drivers. For more information, go to https://technet.microsoft.com/en-us/library/hh825070.aspx.
Task sequence fails to start after target platform boots to Windows Preinstallation Environment
There are several possible causes, as follows:
• There is no network connection because the network adapter is unsupported.
• There is no network connection because the boot image does not contain the necessary network driver.
• Configuration Manager does not recognize the target HP client platform.
• One or more of the packages referenced by the task sequence are not available.
To resolve this issue:
1. Install a supported network adapter and set it as the PXE NIC.
2. Use an HP Client WinPE image containing the appropriate HP WinPE driver pack.
3. Verify that the target HP client platform was imported into Configuration Manager with the correct identification information.
4. Open the task sequence and fix any errors that might be present.
Updated or new BIOS configuration input files were not used or available during task sequence execution
Verify that the HP Client BIOS Configuration Utility package was pushed to the appropriate distribution points.
Task sequence starts, but fails to continue
There are several possible causes, as follows:
• A BIOS setting or BIOS configuration change prevents the system from correctly starting.
• The incorrect driver package was selected for the target platform.
To resolve this issue:
1. Verify that the correct driver package was selected for the given target platform.
2. Verify that all dependencies of the task sequence were distributed to distribution points or groups that the target clients or collections can access.
Task sequence fails to open for editing, or error messages appear when viewing certain task sequence steps
There are several possible causes:
• The plugin has been uninstalled. (Error messages such as “There may be too many steps in the task sequence object” might appear.)
• The plugin is corrupted.
• HP MIK has not been installed on the primary site server.
To resolve this issue:
1. Reinstall the plugin to verify that all necessary files are present and registered.
2. Install HP MIK on the primary site server.
3. Repair the plugin installation. This can be done either by running the setup again and selecting Repair or by selecting the Repair option in Programs and Features in Control Panel.
4. Recreate the task sequence in a new task sequence.
5. Reselect the packages for some task sequence steps (see Refreshing task sequence references).
Task sequence creation and management issues
The error “There may be too many steps in the task sequence object” appears when attempting to edit a task sequence created by HP MIK
This error generally appears when HP MIK has been uninstalled from the server. HP MIK must be reinstalled to the server before the task sequence can be viewed or edited.
The Remove Disk Partitions (diskpart clean) step is needed, but I cannot use the Access Content Directly option
There are a number of workarounds that are possible, including the following:
• Use the Connect to Network Folder task sequence step to connect to the network share containing the package files, and use a Run Command Line task to run the step from the network share.
• Add the package files to the boot image and use a Run Command Line task to run the step, referencing the files in the boot image.
See the Configuration Manager documentation for details about how to perform these actions.
Task sequence execution issues
System fails to boot using PXE
If the client machine is EFI x86 (IA-32), such as the HP ElitePad 900, then Cumulative Update 1 for Configuration Manager 2012 SP1 (KB2817245) must be installed for PXE boot to work successfully. Configuration Manager 2012 R2 does not need this update.
PXE is an extension of DHCP, which uses a broadcast type of communication. Broadcast communication uses standard timeout values that are not readily changeable. As a result, a computer waits for a default timeframe to receive a DHCP or PXE response before timing out and causing a failure condition. Each time a computer is rebooted, it must renegotiate the connection to the switch. Some network switches arrive configured with default settings that might cause connectivity delays. The settings on the switch might cause a DHCP or PXE timeout because they fail to negotiate a connection in time.
The following features might be affected by negotiation timeouts:
• Spanning Tree Protocol (STP)—STP is a protocol that prevents loops and provides redundancy within a network. A networking device using this algorithm might experience some latency as it collects information about other network devices. During this period of information collection, servers might boot to PXE and time out while waiting for a response from Windows Deployment Services. To prevent these issues, disable the STP or enable PortFast on end-node ports for the target server. For further information, see the manufacturer's documentation.
• EtherChannel or Port Aggregation Protocol (PAgP)—EtherChannel enables multiple links between devices to act as one fast link and share the load between the links. Running the EtherChannel Protocol in automatic mode might cause a connectivity delay of up to 15 seconds. To eliminate this delay, switch to a manual mode or turn off this feature.
• Speed and duplex negotiation—If auto-negotiation on the switch is set to off and the server is not configured to that speed and duplex setting, then the switch does not negotiate with that server.
Verify that PXE is also running properly on the server. The system must be set to boot from PXE before any other bootable devices that are present in the system.
System booted PXE, but timed out waiting for the PXE server to respond
Verify that the WinPE boot images are pushed to the appropriate distribution point. In addition, the distribution points used must have PXE enabled.
To verify this setting:
1. Select Administration, select Site Configuration, and then select Server and Site System Roles.
2. Select the appropriate distribution point.
3. Right-click the Distribution Point role, select Properties, and then select PXE.
WinPE never starts the task sequence
See the SMSTS.LOG file at X:\windows\temp\smstslog\smsts.log. If a package does not download or cannot be accessed, you might not have the appropriate network drivers installed. You might need to update the WinPE image with newer WinPE drivers for the target platform. Verify that all packages referenced in the task sequence are available from the distribution point. WinPE validates all packages to make sure they are available before processing the task sequence.
A task sequence reports “Failed to resolve task sequence dependencies”, with the driver pack imported by HP MIK as the dependency at fault, even though the content status says “Distributed”
There is an issue with Configuration Manager where sometimes the hashes for a package are not generated, which results in the device being unable to locate the content since the hashes are used for those purposes.
To resolve this issue:
1. Select the driver pack.
2. Right-click and select Update Distribution Points.
3. Select Yes on the dialog box that appears.
After the process completes, the driver pack can be located and resolved by the task sequence.
Target system failed to run or use an updated BCU file
You must update the distribution points containing the BCU package when you modify, add, or remove a configuration file.
The default boot order does not enable PXE to boot when a valid drive exists
When an active partition is created on a hard drive, it automatically becomes a bootable device if a valid operating system has been installed. If the PXE NIC is after the hard drive in the boot order, then the hard drive boots to Windows before PXE or causes an “Invalid System Partition” error if Windows is not installed.
To resolve this issue:
1. Verify that PXE is placed before the hard drive in the boot order.
2. If necessary, set the boot order using HP Client BIOS Configuration Utility in a task step.
– or –
Set the boot order in the BIOS on the target platform. See the platform documentation for specific instructions on how to do this.
If PXE is first in the boot order, the computer does not actually boot to PXE unless Configuration Manager has a mandatory task sequence for it to run.
Task sequence fails with the error “Failed to Download Policy”
This error code (0x80093102 or 0x80004005) refers to a certificate validation issue. The SMSTS.LOG file displays an entry with any of the following text:
CryptDecryptMessage ( &DecryptParams, pbEncrypted, nEncryptedSize,0, &nPlainSize, 0 ), HRESULT=80093102
no cert available for policy decoding
The following are possible causes:
• A misconfiguration of your domain or site server, such as the DNS not pointing to the site server or the site server not specifying a valid FQDN (which is referred to by the DNS listing), can cause this error. If your site server does not specify an FQDN and only specifies the NETBIOS name, and your DNS server tries to refer to the FQDN, an incorrect lookup might cause this error.
• The certificate being used for PXE and boot media is blocked or missing. Verify whether any of the certificates under the Site Settings node are blocked or missing. Open the certificates to verify that they are actually installed into the certificate store. If not, install them.
If the task sequence still fails, remove the package from the distribution points and/or groups, and then add it back. This causes the package hash to be regenerated.
A task sequence does not run again even after clearing the PXE advertisement
You must make sure that the deployment is set to allow a rerun so that the advertisement is applied to the computer regardless of whether it previously ran the task sequence.
To resolve this issue:
1. On the properties page of the deployment, select Scheduling.
2. Select Rerun behavior.
Task sequence fails at Apply Operating System step with “Failed to make volume X:\bootable” error message
This issue is indicated by log content similar to the following message:
MakeVolumeBootable( pszVolume ), HRESULT=80004005
(e:\nts_sms_fre\sms\client\osdeployment\applyos\installcommon.cpp,759)
Failed to make volume E:\ bootable. Please ensure that you have set an active partition on the boot disk before installing the operating system.
Unspecified error (Error: 80004005; Source: Windows)
ConfigureBootVolume(targetVolume), HRESULT=80004005
(e:\nts_sms_fre\sms\client\osdeployment\applyos\applyos.cpp,326)
Process completed with exit code 2147500037
To resolve this issue if you are using a Format & Partition action in your task sequence to partition the hard drives for MBR systems:
• Select the Make this the boot partition option. If you do not select this option and the computer has a single hard drive, then the task sequence engine automatically makes one of the partitions the boot partition. If there are multiple drives, it cannot automatically determine which boot partition must be bootable.
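The SMSTS.LOG signatures quoted in the entries above ("Failed to resolve task sequence dependencies", "Failed to Download Policy", and "Failed to make volume bootable") can be searched for in a copied log as shown in this added example, which is not part of HP MIK or Configuration Manager. It assumes the log uses the CMTrace entry layout shown in the comment; the sample entries, their timestamps, and their component names are constructed around the message text quoted in this document.

```powershell
# Added illustration. Signature text and guidance come from this paper's
# troubleshooting entries; the log entries below are constructed samples.
$KnownIssues = @(
    [pscustomobject]@{
        Pattern = 'HRESULT=80093102|no cert available for policy decoding'
        Issue   = 'Failed to Download Policy'
        Check   = 'Site server FQDN and DNS; blocked or missing PXE and boot media certificates'
    }
    [pscustomobject]@{
        Pattern = 'MakeVolumeBootable|Failed to make volume .+ bootable'
        Issue   = 'Failed to make volume bootable'
        Check   = 'Format & Partition step: select the Make this the boot partition option'
    }
    [pscustomobject]@{
        Pattern = 'Failed to resolve task sequence dependencies'
        Issue   = 'Package content could not be located'
        Check   = 'Update Distribution Points for the package named in the error'
    }
)

# CMTrace-style entry (assumed layout):
# <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
# (?s) lets a message span several lines, as the bootable-volume entry does.
$EntryRegex = [regex]'(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'

function Find-KnownTaskSequenceIssue {
    param([string] $LogText)

    foreach ($m in $EntryRegex.Matches($LogText)) {
        $message = $m.Groups['msg'].Value
        foreach ($issue in $KnownIssues) {
            # Match on message text: 80004005 alone is listed for more than
            # one problem in this paper, so the bare code is not a signature.
            if ($message -match $issue.Pattern) {
                [pscustomobject]@{
                    When      = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
                    Component = $m.Groups['comp'].Value
                    Severity  = [int]$m.Groups['type'].Value   # 1 = info, 2 = warning, 3 = error
                    Issue     = $issue.Issue
                    Check     = $issue.Check
                    Message   = ($message -replace '\s+', ' ').Trim()
                }
            }
        }
    }
}

# Constructed sample log text.
$sample = @'
<![LOG[Successfully connected to the management point]LOG]!><time="09:14:02.120+000" date="01-01-2017" component="TSPxe" context="" type="1" thread="1200" file="sample.cpp:1">
<![LOG[no cert available for policy decoding]LOG]!><time="09:14:05.481+000" date="01-01-2017" component="TSPxe" context="" type="3" thread="1200" file="sample.cpp:2">
<![LOG[CryptDecryptMessage ( &DecryptParams, pbEncrypted, nEncryptedSize,0, &nPlainSize, 0 ), HRESULT=80093102]LOG]!><time="09:14:05.497+000" date="01-01-2017" component="TSPxe" context="" type="3" thread="1200" file="sample.cpp:3">
<![LOG[Failed to make volume E:\ bootable. Please ensure that you have set an active partition on the boot disk before installing the operating system.
Unspecified error (Error: 80004005; Source: Windows)]LOG]!><time="10:02:44.003+000" date="01-01-2017" component="ApplyOperatingSystem" context="" type="3" thread="1340" file="sample.cpp:4">
<![LOG[Process completed with exit code 2147500037]LOG]!><time="10:02:44.050+000" date="01-01-2017" component="TSManager" context="" type="1" thread="1340" file="sample.cpp:5">
'@

Find-KnownTaskSequenceIssue -LogText $sample | Format-List
```

For a log copied from a client, pass the file content as a single string, for example with Get-Content -Raw.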
System environment variables are not carried over to the next action in the task sequence
When a task sequence runs, commands are executed in a command shell. When that task ends, so does that command shell environment, causing the loss of any system variables defined within that task. Verify that variables that pass between tasks are set as Task Sequence variables, Collection variables, or Machine variables.
Task sequence reported an error while executing
Although there can be a wide variety of reasons why a task sequence fails to fully execute, there are a number of common reasons that might need to be resolved to fix the task sequence execution issue:
• Verify that the DNS and WINS servers are working properly and are stable.
• Verify that the supplied credentials in the task sequence steps have the necessary access rights to the SCCM server to clear and set task sequence variables and PXE flags.
• If attempting to apply BIOS settings via the BCU while in WinPE, the disk must already be partitioned and formatted to allow downloading of the package to the system.
the reason for failure.
Diagnosing driver pack or task sequence errors
1. Export the task sequence by right-clicking the task sequence and selecting Export.
2. If the issue appears, collect screen captures of the relevant portions.
3. If the issue is related to the installation of the product or occurs soon after installation:
A. Copy the MSI installation log located in the temporary files directory (locate using the %TEMP% environment variable). This file is usually located in a "1" directory and has a random name that is formatted as follows:
MSI<RandomCharacters>.LOG.
B. Copy the support packages installation log located in the temporary files directory (locate using the %TEMP% environment variable). The file name is HPClientSCCM2012Kit-setup.log.
4. If the issue occurred while using the console, copy the HP MIK log files located in %TEMP%\hpclient. In addition, copy the Configuration Manager console log files located in the AdminUILog folder of the Configuration Manager console.
5. If the issue occurred while running a task sequence, the following files should be copied from the WinPE environment. These files can be accessed during task sequence execution by pressing F8 to open the command prompt. To use the command prompt in WinPE, select the Enable command support option for the boot image. This option can be found by right-clicking the boot image and selecting Properties, and then selecting Windows PE.
A. Copy the SMSTS.LOG file from where WinPE might be stored:
• For PXE boot: X:\Windows\Temp\Smstslog
• On a local (for example, C: or D:) drive under \Smstslog
• SMSTSLOG<Time-Based-Name>.LOG
B. Copy the files used as input to the configuration task, such as configuration INI or XML files.
C. Copy SetupAPI.APP.LOG and SetupAPI.DEV.LOG from WinPE stored in X:\Windows\inf for PXE boot.
6. If the error relates to baselines and policies, capture the following log files:
A. HP MIK console log files located in %PROGRAMDATA%\HP\HP MIK\Logs
B. All HP MIK client-side log files located in %PROGRAMDATA%\HP\HP MIK\Logs and %SYSTEMROOT%\System32\config\systemprofile\AppData\Roaming\hpqLog\com.hp.siam.log
7. If examining these log files does not help you resolve the issue and you need to contact HP, prepare a complete, detailed explanation of the issue, including the following:
– The exact point of failure (for example, the action running when the process failed, a description or screen captures of error messages and error codes)
– A detailed description of the computers being configured (model, hardware configuration, and NIC details)
– A description of other circumstances, such as the following:
• Has this task sequence or action ever worked? When did it stop working?
• If it had worked before, what is different now? Is the task sequence being applied to different computer types, is it using different configuration files or different task sequence variables, or has something else been modified?
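One way to gather the files named in steps 3, 4 and 6 into a single folder, as an added example that is not part of the HP document or of HP MIK. The function name Copy-HpMikLog, the subfolder labels and manifest.csv are hypothetical; the AdminUILog folder is left out because the document does not give its full path.

```powershell
function Copy-HpMikLog {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Destination)

    # Locations named in steps 3, 4 and 6. Reading the systemprofile path
    # typically requires an elevated session.
    $sources = [ordered]@{
        'msi-install'   = Join-Path $env:TEMP 'MSI*.LOG'
        'kit-setup'     = Join-Path $env:TEMP 'HPClientSCCM2012Kit-setup.log'
        'console-temp'  = Join-Path $env:TEMP 'hpclient\*'
        'mik-logs'      = Join-Path $env:ProgramData 'HP\HP MIK\Logs\*'
        'systemprofile' = Join-Path $env:SystemRoot 'System32\config\systemprofile\AppData\Roaming\hpqLog\*.log'
    }

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $manifest = foreach ($label in $sources.Keys) {
        $files = @(Get-ChildItem -Path $sources[$label] -File -ErrorAction SilentlyContinue)
        if ($files.Count -eq 0) {
            Write-Warning "Nothing found for '$label' ($($sources[$label]))"
            continue
        }
        $target = Join-Path $Destination $label
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        foreach ($f in $files) {
            $copy = Copy-Item -LiteralPath $f.FullName -Destination $target -PassThru
            # Record where each file came from and a hash of the collected copy.
            [pscustomobject]@{
                Source    = $f.FullName
                LastWrite = $f.LastWriteTimeUtc.ToString('o')
                SHA256    = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
            }
        }
    }
    if ($manifest) {
        $manifest | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation
    }
    $manifest
}

# Example call (constructed destination path):
# Copy-HpMikLog -Destination "$env:USERPROFILE\Desktop\hpmik-logs"
```

The manifest lets the recipient confirm that the files were not altered after collection.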
For more information
For all your client manageability needs, go to the HP Client Management Solutions website: http://www.hp.com/go/clientmanagement. For all HP client tools and driver packs, select HP Download Library on the HP Client Management Solutions home page.
Sign up for updates hp.com/go/getupdated
© Copyright 2017 HP Development Company, L.P.
BitLocker, Microsoft, Windows, Windows Vista, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Bluetooth is a trademark owned by its proprietor and used by HP Inc. under license. Intel and Intel Authenticate are trademarks of Intel Corporation in the U.S. and other countries.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Document Part Number: 925167-001
First Edition: January 2017