• ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
We have new content about Hotkey issue, Click here to check it out!
Locked

‎08-22-2022 04:09 AM - edited ‎08-22-2022 06:29 AM

HP Recommended
Product: Z230 MT
Operating System: Other

Hello everyone,

A weird issue is affecting my Z230 MT (BIOS L51 v01.63): while the Embedded Security Device (Infineon SLB9656 TPM 1.2 updated to ver. 4.34.1011.0 as recommended in HPSBHF03568 rev. 11) is listed as “Device available” in “Security” > “Device Security” is disabled (and greyed out, although a Setup Passwords has been set as stated at page 40 of HP Z230 Workstation Maintenance and Service Guide c04658261) in “System Security” > “Embedded Security Device” – it goes without saying that while said TPM is correctly recognized by the operating system (regardless of that being Linux or Microsoft), the two do not communicate. On a side note, a “Management Platform (ME) in Manufacturing Mode” message is displayed at boot (ME Firmware 9.1.45.3000), however I do not think it is related (let alone the fact that AMT is disabled: alternatively, by shorting the ME/AMT Flash override, the message disappears). It worth mentioning that I also have a Z230 SFF (identical configuration, same firmware level of the aforementioned components, etc.) which is does not have this issue (“System Security > “Embedded Security Device” can be modified).


What I have attempted so far: Reflashing the BIOS (no effect), reflashing the TPM (not possible to reflash the same version), various CMOS reset (15 second CMOS clear, pulling the battery off, etc.) and… well, reflashing the ME (no effect/downgrade non possible) or "fptW64 -rewrite -ME -f L51_0163.BIN".
EDIT:  Dumping a "Replicated setup" from the Z230 SFF also did not solve the issue.


Any suggestion before I throw in the towel?

Cheers,

Jim

Tags (2)
Category:
1 ACCEPTED SOLUTION

Accepted Solutions

‎08-23-2022 03:52 AM - edited ‎08-23-2022 03:54 AM

HP Recommended

Solved: I managed to force the greyed-out settings using BiosConfigUtility (sp57450). For posterity, the configuration passed through /SetConfig contains the following:

 

Activate Embedded Security On Next Boot

               Disable

               *Enable

Embedded Security Activation Policy

               F1 to Boot

               *Allow user to reject

               No prompts

OS management of Embedded Security Device

               *Enable

               Disable

Reset of Embedded Security Device through OS

               Disable

               *Enable

Tpm PPI policy changed by OS allowed

               Disable

               *Enable

Tpm measure boot variables/devices to PCR1

               *Disable

               Enable

Tpm No PPI provisioning

               Disable

               *Enable

Tpm No PPI maintenance

               *Disable

               Enable

 

The following reboot was greeted by “A configuration change was requested to enable (…) the TPM, etc.” while the according settings in "System Security" can now be changed as needed.

 

Jim

View solution in original post

Tags (2)
Was this reply helpful? Yes No
1 REPLY 1

‎08-23-2022 03:52 AM - edited ‎08-23-2022 03:54 AM

HP Recommended

Solved: I managed to force the greyed-out settings using BiosConfigUtility (sp57450). For posterity, the configuration passed through /SetConfig contains the following:

 

Activate Embedded Security On Next Boot

               Disable

               *Enable

Embedded Security Activation Policy

               F1 to Boot

               *Allow user to reject

               No prompts

OS management of Embedded Security Device

               *Enable

               Disable

Reset of Embedded Security Device through OS

               Disable

               *Enable

Tpm PPI policy changed by OS allowed

               Disable

               *Enable

Tpm measure boot variables/devices to PCR1

               *Disable

               Enable

Tpm No PPI provisioning

               Disable

               *Enable

Tpm No PPI maintenance

               *Disable

               Enable

 

The following reboot was greeted by “A configuration change was requested to enable (…) the TPM, etc.” while the according settings in "System Security" can now be changed as needed.

 

Jim

Tags (2)
Was this reply helpful? Yes No
Warning
Be alert for scammers posting fake support phone numbers and/or email addresses on the community.
If you think you have received a fake HP Support message, please report it to us by clicking on "Flag Post".
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.

Didn't find what you were looking for? Ask the community

† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.