-
×InformationNeed Windows 11 help?Check documents on compatibility, FAQs, upgrade information and available fixes.
Windows 11 Support Center. -
-
×InformationNeed Windows 11 help?Check documents on compatibility, FAQs, upgrade information and available fixes.
Windows 11 Support Center. -
- HP Community
- Desktops
- Business PCs, Workstations and Point of Sale Systems
- Cannot enable the Embedded Security Device on a Z230

Create an account on the HP Community to personalize your profile and ask a question
08-22-2022 04:09 AM - edited 08-22-2022 06:29 AM
Hello everyone,
A weird issue is affecting my Z230 MT (BIOS L51 v01.63): while the Embedded Security Device (Infineon SLB9656 TPM 1.2 updated to ver. 4.34.1011.0 as recommended in HPSBHF03568 rev. 11) is listed as “Device available” in “Security” > “Device Security” is disabled (and greyed out, although a Setup Passwords has been set as stated at page 40 of HP Z230 Workstation Maintenance and Service Guide c04658261) in “System Security” > “Embedded Security Device” – it goes without saying that while said TPM is correctly recognized by the operating system (regardless of that being Linux or Microsoft), the two do not communicate. On a side note, a “Management Platform (ME) in Manufacturing Mode” message is displayed at boot (ME Firmware 9.1.45.3000), however I do not think it is related (let alone the fact that AMT is disabled: alternatively, by shorting the ME/AMT Flash override, the message disappears). It worth mentioning that I also have a Z230 SFF (identical configuration, same firmware level of the aforementioned components, etc.) which is does not have this issue (“System Security > “Embedded Security Device” can be modified).
What I have attempted so far: Reflashing the BIOS (no effect), reflashing the TPM (not possible to reflash the same version), various CMOS reset (15 second CMOS clear, pulling the battery off, etc.) and… well, reflashing the ME (no effect/downgrade non possible) or "fptW64 -rewrite -ME -f L51_0163.BIN".
EDIT: Dumping a "Replicated setup" from the Z230 SFF also did not solve the issue.
Any suggestion before I throw in the towel?
Cheers,
Jim
Solved! Go to Solution.
Accepted Solutions
08-23-2022 03:52 AM - edited 08-23-2022 03:54 AM
Solved: I managed to force the greyed-out settings using BiosConfigUtility (sp57450). For posterity, the configuration passed through /SetConfig contains the following:
Activate Embedded Security On Next Boot
Disable
*Enable
Embedded Security Activation Policy
F1 to Boot
*Allow user to reject
No prompts
OS management of Embedded Security Device
*Enable
Disable
Reset of Embedded Security Device through OS
Disable
*Enable
Tpm PPI policy changed by OS allowed
Disable
*Enable
Tpm measure boot variables/devices to PCR1
*Disable
Enable
Tpm No PPI provisioning
Disable
*Enable
Tpm No PPI maintenance
*Disable
Enable
The following reboot was greeted by “A configuration change was requested to enable (…) the TPM, etc.” while the according settings in "System Security" can now be changed as needed.
Jim
08-23-2022 03:52 AM - edited 08-23-2022 03:54 AM
Solved: I managed to force the greyed-out settings using BiosConfigUtility (sp57450). For posterity, the configuration passed through /SetConfig contains the following:
Activate Embedded Security On Next Boot
Disable
*Enable
Embedded Security Activation Policy
F1 to Boot
*Allow user to reject
No prompts
OS management of Embedded Security Device
*Enable
Disable
Reset of Embedded Security Device through OS
Disable
*Enable
Tpm PPI policy changed by OS allowed
Disable
*Enable
Tpm measure boot variables/devices to PCR1
*Disable
Enable
Tpm No PPI provisioning
Disable
*Enable
Tpm No PPI maintenance
*Disable
Enable
The following reboot was greeted by “A configuration change was requested to enable (…) the TPM, etc.” while the according settings in "System Security" can now be changed as needed.
Jim