Operational Defect Database

BugZero found this defect 103 days ago.

Hewlett Packard Enterprise | a00072188en_us

Advisory: (Revision) HPE ProLiant, HPE Apollo, and HPE Synergy Gen 9 and Gen10, Gen10 Plus and Gen11 Servers Configured with a Trusted Platform Module and Running Microsoft Windows Server operating system Do Not Bind to PCR[7]

Last update date:

2/26/2024

Affected products:

HPE Apollo 2000 System

HPE Apollo 6000 DLC System

HPE ProLiant BL460c Gen10 Server Blade

HPE ProLiant BL460c Gen9 Server Blade

HPE ProLiant BL660c Gen9 Server Blade

HPE ProLiant DL120 Gen10 Server

HPE ProLiant DL120 Gen9 Server

HPE ProLiant DL160 Gen10 server

HPE ProLiant DL180 Gen10 server

HPE ProLiant DL180 Gen9 Server

HPE ProLiant DL20 Gen10 server

HPE ProLiant DL325 Gen10 server

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Info

Document Version / Release Date / Details

Version 5, February 7, 2024: Updated operating systems affected and added link to Windows Server documentation.

Version 4, April 28, 2023: The UEFI Systems Utilities User Guide was added to the Resolution section, and the years 2022, 2019 were added to the second Note in the Resolution section. Moved the last paragraph of the Description section to the beginning of the Resolution section as an Important note.

Version 3, March 28, 2023: Content was added in parentheses in the second paragraph of the Description section regarding HPE Certificates. Removed statement about no Resolution and removed statement about additional information being added in the Resolution section.

Version 2, May 20, 2019: Added Microsoft Windows Server 2019 as affected HPE ProLiant, HPE Apollo, and HPE Synergy Gen 9 servers.

Version 1, April 25, 2019: Original Document Release.

This Customer Advisory is specific to HPE ProLiant, HPE Synergy, and HPE Apollo Gen 9, Gen10, Gen10 Plus, and Gen11 servers configured in the following state:

Trusted Platform Module (TPM) set to TPM 2.0 mode

Secure Boot enabled

Windows Server

On HPE servers with this configuration, Microsoft Windows Server will not bind to the TPM Platform Configuration Register 7 (PCR[7]). This is due to a Microsoft policy on the Secure Boot certificate database that restricts allowed certificates to only the Microsoft Windows Production PCA 2011 certificate. If any other certificates are present in the Secure Boot database (HPE servers have HPE certificates in the Secure Boot database), the OS will not use PCR[7] for platform attestation. Instead, the OS will use PCRs[0,2,4,11].

Refer to the Microsoft document for further detail on PCR7 configuration: Windows Server shows PCR7 configuration as "Binding not possible" - Windows Server | Microsoft Learn

Scope

Any HPE ProLiant, HPE Synergy, or HPE Apollo Gen 9, Gen10, Gen10 Plus, or Gen11 server configured with a Trusted Platform Module (TPM) set to TPM 2.0 mode, with Secure Boot enabled, and running a Microsoft Windows Server operating system.

Resolution

IMPORTANT: HPE does not recommend removing the Microsoft Corporation UEFI CA 2011 and HPE 2016 certificates from the Secure Boot database, as this will affect system functionality.

Remove the HPE certificates from the Secure Boot database. PCR[7] will then be able to bind in Windows Server. Refer to the UEFI System Utilities User Guide for further details.

For additional information on PCR7 binding not being possible, refer to Windows Server shows PCR7 configuration as "Binding not possible" - Windows Server | Microsoft Learn.

NOTE: No solution exists from the HPE ROM, as this is Microsoft behavior.

NOTE (1): If any other certificates are present in the Secure Boot database, Windows Server will not use PCR[7] for platform attestation; instead, the OS will use PCRs[0,2,4,11].

Disclaimer: One or more of the links above will take you outside the HPE website. HPE is not responsible for content outside of its domain.

RECEIVE PROACTIVE UPDATES: Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively in your e-mail through HPE Support Alerts. Sign up for Support Alerts at the following URL: HPE Email Preference Center.

NAVIGATION TIP: For hints on navigating HPE.com to locate the latest drivers, patches and other support software downloads, refer to the Navigation Tips document.

SEARCH TIP: For hints on locating similar documents on HPE.com, refer to the Search Tips document.
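The Description and Resolution sections both turn on the same condition: whether the UEFI Secure Boot signature database (db) holds any certificate other than the Microsoft Windows Production PCA 2011 certificate. The script below is an added example, not HPE's or BugZero's code, that reads db with the built-in Get-SecureBootUEFI cmdlet, walks the EFI_SIGNATURE_LIST structures it contains, and reports every X.509 certificate together with whether it would keep Windows Server from binding to PCR[7]. The function name Test-Pcr7BindingEligibility, the default allowed-subject list, and the assumption that matching on the certificate's subject common name is a sufficient way to recognise the allowed certificate are this example's own; the EFI_SIGNATURE_LIST layout and the EFI_CERT_X509_GUID value come from the UEFI specification.

```powershell
# Added example (not HPE's or BugZero's code): list the X.509 certificates in the
# UEFI Secure Boot 'db' variable and report which of them would keep Windows Server
# from binding to PCR[7]. Run from an elevated PowerShell prompt on the server;
# Confirm-SecureBootUEFI and Get-SecureBootUEFI come from the built-in SecureBoot module.

function Test-Pcr7BindingEligibility {
    [CmdletBinding()]
    param(
        # The advisory names this as the only certificate Windows accepts in db for
        # PCR[7] binding. Matching on the subject CN is this example's assumption.
        [string[]]$AllowedSubjectCN = @('Microsoft Windows Production PCA 2011')
    )

    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this system; PCR[7] binding does not apply.'
    }

    # db is a sequence of EFI_SIGNATURE_LIST structures (UEFI spec):
    #   SignatureType       GUID   (16 bytes)
    #   SignatureListSize   UINT32 (4 bytes)   size of this whole list
    #   SignatureHeaderSize UINT32 (4 bytes)
    #   SignatureSize       UINT32 (4 bytes)   size of each EFI_SIGNATURE_DATA entry
    #   SignatureHeader     (SignatureHeaderSize bytes)
    #   entries, each = SignatureOwner GUID (16 bytes) + SignatureData (DER certificate here)
    $EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
    [byte[]]$db = (Get-SecureBootUEFI -Name db).Bytes

    $found  = New-Object System.Collections.Generic.List[object]
    $offset = 0
    while ($offset + 28 -le $db.Length) {
        $type       = [guid]::new([byte[]]$db[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($db, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($db, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($db, $offset + 24)
        if ($listSize -lt 28) { throw "Malformed EFI_SIGNATURE_LIST at offset $offset" }
        $listEnd = $offset + $listSize

        if ($type -eq $EfiCertX509Guid) {
            for ($p = $offset + 28 + $headerSize; $p + $sigSize -le $listEnd; $p += $sigSize) {
                $owner = [guid]::new([byte[]]$db[$p..($p + 15)])
                [byte[]]$der = $db[($p + 16)..($p + $sigSize - 1)]   # skip SignatureOwner
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $cn = $cert.GetNameInfo(
                    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
                $found.Add([pscustomobject]@{
                    Subject        = $cn
                    Thumbprint     = $cert.Thumbprint
                    SignatureOwner = $owner
                    AllowedForPcr7 = ($AllowedSubjectCN -contains $cn)
                })
            }
        }
        $offset = $listEnd   # skip non-X.509 lists (e.g. hash lists) and move to the next one
    }

    $blocking = @($found | Where-Object { -not $_.AllowedForPcr7 })
    # Per the advisory, Windows measures PCRs 0, 2, 4 and 11 instead when binding is not possible.
    $expectedPcrs = if ($blocking.Count -eq 0) { @(7) } else { @(0, 2, 4, 11) }

    [pscustomobject]@{
        Certificates         = $found
        BlockingCertificates = $blocking
        Pcr7BindingPossible  = ($blocking.Count -eq 0)
        ExpectedPcrs         = $expectedPcrs
    }
}

$result = Test-Pcr7BindingEligibility
$result.Certificates | Format-Table Subject, AllowedForPcr7, Thumbprint -AutoSize
if ($result.Pcr7BindingPossible) {
    'Only the allowed certificate is present in db: PCR[7] binding is possible.'
} else {
    "PCR[7] binding not possible; Windows Server will use PCRs $($result.ExpectedPcrs -join ','). Blocking certificates:"
    $result.BlockingCertificates | Format-Table Subject, SignatureOwner -AutoSize
}
```

On an HPE server in the state the advisory describes, the blocking list will contain the HPE certificates (and any other non-Microsoft entries). The result can be cross-checked against the "PCR7 Configuration" line in msinfo32's System Summary, which is where Windows reports "Binding Not Possible". Because the IMPORTANT note above warns against removing the Microsoft Corporation UEFI CA 2011 and HPE 2016 certificates, treat the script's output as an inventory for deciding with HPE's UEFI System Utilities User Guide what may be removed, not as a removal list.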
