
Implementing Microsoft Windows Server 2022 Using HPE ProLiant Servers, Storage, and Networking Options-A50003760enw

This document provides guidance on implementing Microsoft Windows Server 2022 on HPE servers. It discusses the Windows Server 2022 editions, supported HPE Gen10 and Gen10 Plus server models, how to configure secured-core settings, install Windows Server 2022 and the Service Pack for ProLiant. It also covers known issues and resources for further information.

Technical white paper

Implementing Microsoft Windows Server 2022 using HPE ProLiant servers, storage, and networking options

Contents
Overview
Windows Server 2022 editions
Windows Server diagnostic data (telemetry)
Service Pack for ProLiant (SPP) information
Supported HPE servers
Configuring and validating Secured-core servers
Applicable products
Configuring Secured-core
Configuring UEFI/BIOS settings
Configuring Windows Server VBS, HVCI, and System Guard
Confirm secure boot, Kernel DMA Protection, VBS, HVCI, and System Guard
Installing Windows Server 2022
Windows Server 2022 mitigations for Meltdown and Spectre
Intel Virtual RAID on CPU (VROC) for HPE ProLiant Gen10 Plus and HPE ProLiant Gen11 servers
Installing the Service Pack for ProLiant (SPP)
Installing the Service Pack for ProLiant on Windows Server Core
Installing the Service Pack for ProLiant (SPP) on Windows Server 2022 with Desktop (UI)
Known issues
Resources

Overview
Windows Server 2022 is the next Windows Server Long Term Servicing Channel (LTSC) release from Microsoft. It features enhanced
security as well as scalability and performance improvements. This document explains how to successfully implement Windows Server 2022
on HPE servers.

Windows Server 2022 editions


Windows Server 2022 is available in both Datacenter and Standard editions. The default installation is Server Core, but a full Desktop
Experience can be optionally installed, and in this document, user guidance is available for both.

Note
You cannot convert between Windows Server 2022 installations of Server Core and Server with Desktop Experience. A change requires a
complete reinstallation.

Windows Server diagnostic data (telemetry)


To continuously improve the quality of Windows Server, Microsoft encourages customers to provide feedback and diagnostic data. This
diagnostic data is distinct from functional data, and Microsoft avoids collecting personal information wherever possible. HPE customers can
benefit from the improvements made by Microsoft via the analysis of diagnostic data from Windows Server. Hewlett Packard Enterprise
encourages our customers to enable telemetry to improve our customer support.

Service Pack for ProLiant (SPP) information


Gen10 and Gen10 Plus servers should use the latest SPP to obtain the firmware, drivers, and tools for supported
HPE ProLiant servers. The SPP has been tested with Windows Server 2022.

For HPE ProLiant Gen11 servers, use 2023.04.03.00 SPP or newer.

Get the latest SPP here: techlibrary.hpe.com/us/en/enterprise/servers/products/service_pack/spp/index.aspx

Supported HPE servers

Note
HPE ProLiant Gen9 and older servers are not supported on Windows Server 2022.

HPE ProLiant Gen10 servers


Table 1. Supported HPE ProLiant Gen10 servers

HPE server               ROM family   Minimum ROM version
HPE Apollo 4200 XL420    U39          2.52_07-08-2021
HPE Apollo 4510 XL450    U40          2.52_07-08-2021
HPE ProLiant DL160       U31          2.52_07-08-2021
HPE ProLiant DL560       U34          2.52_07-08-2021
HPE ProLiant DL580       U34          2.52_07-08-2021
HPE ProLiant ML110       U33          2.52_07-08-2021
HPE ProLiant ML350       U41          2.52_07-08-2021
HPE ProLiant DL385       A40          2.50_07-08-2021
HPE ProLiant DL180       U31          2.52_07-08-2021
HPE ProLiant DL325       A41          2.50_07-08-2021
HPE ProLiant DL360       U32          2.52_07-08-2021
HPE ProLiant DL380       U30          2.52_07-08-2021
HPE Superdome Flex       N/A          3.40.80
HPE ProLiant ML30        U44          2.50_07-08-2021
HPE MicroServer          U48          2.50_07-08-2021

HPE Synergy software releases can be found here:
techhub.hpe.com/us/en/enterprise/docs/index.aspx?doc=/eginfolib/synergy/sw_release_info/index.html

HPE ProLiant Gen10 Plus servers


Table 2. Supported HPE Gen10 Plus servers

HPE server               ROM family   Minimum ROM version
HPE Apollo XL220n        U47          1.50_08-27-2021
HPE Apollo XL225n        A46          2.50_07-29-2021
HPE Apollo XL290n        U47          1.50_08-27-2021
HPE Apollo 4200 XL420    U50          1.50_08-27-2021
HPE Apollo XL645d        A48          2.50_07-29-2021
HPE Apollo XL675d        A47          2.50_07-29-2021
HPE ProLiant DL325       A43          2.50_08-09-2021
HPE ProLiant DL345       A43          2.58_04-28-2022
HPE ProLiant DL365       A42          2.58_04-28-2022
HPE ProLiant DL360       U46          1.50_08-27-2021
HPE ProLiant DL380       U46          1.50_08-27-2021
HPE ProLiant DL385       A42          2.50_08-09-2021
HPE Superdome Flex 280   N/A          3.40.80
HPE ProLiant DL20        U60          1.54_01-13-2022
HPE ProLiant ML30        U61          1.54_01-13-2022

HPE Synergy software releases can be found here:
techhub.hpe.com/us/en/enterprise/docs/index.aspx?doc=/eginfolib/synergy/sw_release_info/index.html

HPE ProLiant Gen10 Plus v2 servers


Table 3. Supported HPE ProLiant Gen10 Plus v2 servers

HPE server                          ROM family   Minimum ROM version
HPE ProLiant DL325 Gen10 Plus v2    A43          2.58_04-28-2022
HPE ProLiant DL385 Gen10 Plus v2    A42          2.58_04-28-2022

HPE ProLiant Gen11 servers


Table 4. Supported HPE ProLiant Gen11 servers

HPE ProLiant Gen11 servers   ROM family   Minimum ROM version
HPE ProLiant DL325           A56          1.20_01-06-2023
HPE ProLiant DL345           A56          1.20_01-06-2023
HPE ProLiant DL365           A55          1.20_01-06-2023
HPE ProLiant DL385           A55          1.20_01-06-2023
HPE ProLiant DL320           U63          1.22_01-18-2023
HPE ProLiant DL360           U54          1.22_01-18-2023
HPE ProLiant DL380           U54          1.22_01-18-2023
HPE ProLiant ML350           U54          1.22_01-18-2023
HPE ProLiant DL380a          U58          1.22_01-18-2023
HPE ProLiant ML110           U63          1.30_03-01-2023
HPE ProLiant DL560           U59          1.30_03-01-2023

HPE Alletra servers


Table 5. Supported HPE Alletra servers

HPE Alletra         ROM family   Minimum ROM version
HPE Alletra 4110    U58          1.22_01-18-2023
HPE Alletra 4120    U58          1.22_01-18-2023

HPE Cray servers


Table 6. Supported HPE Cray servers

HPE Cray servers    ROM family   Minimum ROM version
HPE Cray XD220v     CU2K         5.29_V1.11
HPE Cray XD225v     CA2K         5.27_V1.11
HPE Cray XD295v     CA2K         5.27_V1.11



HPE Synergy servers


Table 7. Supported HPE Synergy servers

HPE Synergy servers            ROM family   Minimum ROM version
HPE Synergy SY480 Gen11        I45          1.22_01-18-2023
HPE Synergy SY480 Gen10        I21          2.54_09-03-2021
HPE Synergy SY660 Gen10        I43          2.54_09-03-2021
HPE Synergy SY480 Gen10 Plus   I44          1.52_09-22-2021

Note
Microsoft guidance on Windows Server installation using AMD EPYC 9xx4 processors:
learn.Microsoft.com/en-us/troubleshoot/windows-server/virtualization/support-and-installation-instructions-for-amd-epyc-9004-series-server-processors

The HPE ProLiant system ROMs and other HPE software and drivers are available in the latest SPP at spp.hpe.com.
For a complete list of supported options on your server, see the HPE QuickSpecs.

Table 8. Supported HPE Alletra 5000, HPE Alletra 6000, and HPE Nimble Storage external arrays

HPE Alletra 5000 series                 FW: 6.1
HPE Alletra 6000 series                 FW: 6.0 and 6.1
HPE Nimble Storage AF/HF/CS Series      FW: 6.0 and 6.1

Configuring and validating Secured-core servers


Secured-core servers use a combination of hardware features, firmware enablement, and Windows Server OS capabilities to protect against
current and future malware, and rootkit types of security exploits. In general, a Secured-core server provides:
• Comprehensive security—A suite of protection in a single enablement designed to work from boot to OS protection
– Hardware root of trust using Trusted Platform Module 2.0 (TPM 2.0)
– Firmware protection enabled by processor support for Dynamic Root of Trust for Measurement (DRTM) technology, along with
DMA protection
– Virtualization-based security (VBS) and hypervisor-based code integrity (HVCI)
• Preventative defense designed to prevent future exploits and attacks

The Secured-core server Additional Qualification (AQ) defines the additional set of requirements to support and enable the Secured-core
capabilities explained previously with Windows Server 2022. Systems that meet it are listed in the Windows Server Catalog.

Applicable products
The following platforms are Secured-core capable. They are grouped by processor family:

AMD EPYC 9xx4 series processors (codename Genoa)


• HPE ProLiant DL325 Gen11 server
• HPE ProLiant DL345 Gen11 server
• HPE ProLiant DL365 Gen11 server
• HPE ProLiant DL385 Gen11 server
• HPE Cray XD225v Gen11 server
• HPE Cray XD295v Gen11 server

AMD EPYC 7xx3 series processors (codename Milan)


• HPE ProLiant DL325 Gen10 Plus v2 server
• HPE ProLiant DL345 Gen10 Plus server
• HPE ProLiant DL365 Gen10 Plus server
• HPE ProLiant DL385 Gen10 Plus v2 server
• HPE ProLiant XL225n Gen10 Plus (HPE Apollo 2000 system)
• HPE ProLiant XL645d Gen10 Plus (HPE Apollo 6500 system)
• HPE ProLiant XL675d Gen10 Plus (HPE Apollo 6500 system)

Note
RSOD may occur when Microsoft Secured-core is enabled with microchip-based SR controllers on AMD servers. See
support.hpe.com/hpesc/public/docDisplay?docId=a00129207en_us&docLocale=en_US and
support.hpe.com/hpesc/public/docDisplay?docId=a00129300en_us&docLocale=en_US for more information. HPE recommends
that Windows Server customers only use HPE MegaRAID controllers for Secured-core scenarios.

4th Generation Intel® Xeon® Scalable processors (codename Sapphire Rapids)


• HPE ProLiant DL360 Gen11 server
• HPE ProLiant DL380 Gen11 server
• HPE ProLiant ML350 Gen11 server
• HPE Alletra 4110 Gen11 server
• HPE Alletra 4120 Gen11 server
• HPE DL320 Gen11 server
• HPE DL380a Gen11 server
• HPE DL560 Gen11 server
3rd Generation Intel Xeon Scalable processors (codename Ice Lake)
• HPE ProLiant DL360 Gen10 Plus
• HPE ProLiant DL380 Gen10 Plus
• HPE ProLiant XL220n Gen10 Plus (HPE Apollo 2000 system)
• HPE ProLiant XL290n Gen10 Plus (HPE Apollo 2000 system)
• HPE Apollo 4200 Gen10 Plus system
• HPE Synergy 480 Gen10 Plus
• HPE ProLiant DL20 Gen10 Plus
• HPE ProLiant ML30 Gen10 Plus

Configuring Secured-core
This section provides guidance for steps to configure Secured-core to a fully protected state. You may also need to install additional
software from the HPE ProLiant support pack to enable the Secured-core features, such as the DRTM driver for the AMD platform.
See the “Installing the Service Pack for ProLiant (SPP)” section for more information.

Note
It is advised that Secured-core be configured in the BIOS before OS installation and that Secured-core be configured (through registry keys
or Windows Admin Center) before roles such as Hyper-V are added.

Configuring UEFI/BIOS settings


On the applicable servers listed previously, a Microsoft Secured-core support option is available in the BIOS to easily configure all the
necessary BIOS settings, as shown in Figure 1.

Figure 1. Secured-core configuration button in Gen10 Plus BIOS



Configuring Windows Server VBS, HVCI, and System Guard


To enable the Secured-core feature, virtualization-based security (VBS), Hypervisor Enforced Code Integrity (HVCI), and System Guard
must be enabled in the OS. Choose one of the following three options for enabling these features and then proceed to confirm if all the
Secured-core features are properly configured and running.
1. Registry key settings
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "WasEnabledBy" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 1 /f
2. For Windows Admin Center (WAC), see Figure 2.

Figure 2. Secured-core configuration in Windows Admin Center (WAC)



3. Windows Security App (for Windows Server OS with Desktop Experience only), see Figures 3 and 4.

Figure 3. Secured-core configuration in Windows Security App—Device security

Set the slider switches for both “Memory integrity” and “Firmware protection” to “On”. You will be prompted for a reboot for these settings
to take effect.

Figure 4. Secured-core configuration in Windows Security App—Core isolation



Confirm the Secured-core state


Confirm TPM 2.0
Run Get-Tpm in a PowerShell session and confirm the following:

Figure 5. Confirmation of TPM 2.0 readiness for Secured-core

Confirm secure boot, Kernel DMA Protection, VBS, HVCI, and System Guard
Launch msinfo32 from the command prompt and confirm the following values:
• “Secure Boot State” is On
• “Kernel DMA Protection” is On
• “Virtualization-Based Security” is Running
• “Virtualization-Based Security Services Running” contains the value Hypervisor enforced Code Integrity, Secure Launch

Figure 6. Proper state of security for Secured-core, as shown in msinfo32

At this point, roles such as Hyper-V can be added and can be verified.
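
On Server Core, where msinfo32 and the Windows Security app are less convenient, the same state can be checked from PowerShell. The script below is an added example, not HPE or Microsoft code; it reads the registry values from option 1 and the runtime state reported by the Win32_Tpm and Win32_DeviceGuard CIM classes. Kernel DMA Protection is not covered and still needs the msinfo32 check.

```powershell
# Added example, not HPE or Microsoft code. Run in an elevated PowerShell session.
$scenarios = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is missing.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name }
}

function New-Check {
    param([string]$Name, $Expected, $Actual, [bool]$Pass)
    [pscustomobject]@{ Check = $Name; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

function Test-SecuredCore {
    $results = @()

    # 1. Configured state: the "Enabled" values written by the reg add commands.
    foreach ($s in 'HypervisorEnforcedCodeIntegrity', 'SystemGuard') {
        $v = Get-RegDword -Path "$scenarios\$s" -Name 'Enabled'
        $results += New-Check "Registry $s\Enabled" 1 $v ($v -eq 1)
    }

    # 2. TPM: SpecVersion is a comma-separated string whose first field is the spec level.
    $tpm  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'no TPM found' }
    $results += New-Check 'TPM spec version' '2.0' $spec ($spec -eq '2.0')

    try   { $ready = [bool](Get-Tpm -ErrorAction Stop).TpmReady }
    catch { $ready = $false }
    $results += New-Check 'TPM ready' $true $ready $ready

    # 3. Secure Boot: the cmdlet throws on non-UEFI systems, which counts as a failure.
    try   { $sb = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $sb = $false }
    $results += New-Check 'Secure Boot' $true $sb $sb

    # 4. Runtime state of VBS and its services.
    #    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    #    SecurityServicesRunning: 2 = HVCI (memory integrity), 3 = System Guard Secure Launch.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbs     = if ($dg) { $dg.VirtualizationBasedSecurityStatus } else { $null }
    $running = @($dg.SecurityServicesRunning)
    $results += New-Check 'VBS status' 2 $vbs ($vbs -eq 2)
    $results += New-Check 'HVCI running' $true ($running -contains 2) ($running -contains 2)
    $results += New-Check 'Secure Launch running' $true ($running -contains 3) ($running -contains 3)

    $results
}

$report = Test-SecuredCore
$report | Format-Table -AutoSize

# A non-zero exit code lets a deployment pipeline or scheduled compliance job flag the host.
if ($report.Pass -contains $false) { exit 1 }
```

A host can show the registry checks passing while the runtime checks fail; that usually means the reboot is still pending or a firmware prerequisite from the BIOS section is not met.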

Note
If Hyper-V Virtualization Enabled in Firmware appears as No, then check the event log for Event ID 124.
• Get-WinEvent -FilterHashtable @{LogName="System";ID=124} -MaxEvents 20
To resolve this error, it may be necessary to clear the TPM in the BIOS. See the Configuring Trusted Platform Module options on HPE.com for
more information. If BitLocker drive encryption has been enabled, it must be suspended before rebooting into BIOS and clearing the TPM.

Installing Windows Server 2022


When deploying Windows Server 2022, customers have a choice of Server Core or the full Desktop version for both Standard and
Datacenter editions (another edition, Windows Server Essentials, is for small businesses and not covered here). Just as in previous versions
of Windows Server, the installation can be performed from DVD media or using the HPE iLO Virtual Media. Boot controller drivers for
HPE Smart Array controllers listed are provided in-box (included on the OS media .iso), and any other required drivers can be provided
using HPE iLO Virtual Media during the setup procedure.

The following sections also provide information on updating drivers and software with the latest Service Pack for ProLiant.

Windows Server 2022 mitigations for Meltdown and Spectre


Windows Server 2022 includes mitigations for Meltdown and Spectre vulnerabilities. However, the patches are not enabled by default and
require the following registry keys (to pass validation with the SpeculationControl Validation PowerShell Script).
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

See the KB4072698: Windows Server and Azure Stack HCI guidance to protect against silicon-based microarchitectural and speculative
execution side-channel vulnerabilities for more information.

For more information on Spectre or Meltdown mitigation, see:
• HPE support communication—customer bulletin
• ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities (Security Advisory)
• SpeculationControl Validation PowerShell script

Note that additional vulnerabilities may be discovered, and additional guidance may need to be followed in addition to the guidance
mentioned previously.

Intel® Virtual RAID on CPU (VROC) for HPE ProLiant Gen10 Plus and HPE ProLiant Gen11 servers
The Intel Virtual RAID on CPU (Intel VROC) family of products provides RAID solutions for both NVMe SSD and SATA devices for
HPE servers. It is a software-based solution utilizing Intel CPU features to RAID or host bus adapter (HBA) direct connected drives. It
supports both Intel SFF SSDs and HPE SFF SSDs and can be configured within HPE ProLiant server ROM-Based Setup Utilities (RBSU).

The product family includes the following two products:


• Intel VROC (VMD NVMe RAID) provides enterprise RAID solutions on platforms that support Intel Volume Management Device
(Intel VMD) on Intel Xeon Scalable processors.
• Intel VROC (SATA RAID) provides enterprise RAID solution for SATA devices connected to SATA and sSATA Intel Platform Control Hub
(Intel PCH) configured for RAID.

Configuring UEFI/BIOS settings for Intel VROC


RAID management through the BIOS setup environment incorporates the functionality of Intel VROC and Intel VROC Pre-Operating System
(Pre-OS) management components so that RAID management and control can begin within the BIOS setup directly. This setup enables the
creation of RAID volumes that you can assemble in advance for the installation of an OS.

RAID-level options available with Intel VROC are RAID 0 (stripe), RAID 1 (mirror), RAID 5 (parity), and RAID 10 (RAID 1+0 striped mirror).
Enabling Intel VROC (SATA RAID) for SATA or sSATA on BIOS/Platform Configuration (RBSU)
Procedure
1. During POST, press the F9 option that allows you to access the BIOS setup menu.
2. Select the menu option System Configuration.
3. In the System Configuration menu, click the menu option BIOS/Platform Configuration (RBSU).
4. In the BIOS/Platform Configuration (RBSU) menu, click the menu option Storage Options.
5. In the Storage Options menu, click the menu option SATA Controller Options.
6. In the SATA Controller Options menu, click the menu option Embedded SATA Configuration.

7. From the drop-down list, select Intel VROC SATA Support as shown in Figure 7.
8. Press F12 to save changes and reboot the system.

Figure 7. Intel VROC SATA support option in BIOS

Enabling Intel VMD and Intel VROC NVMe on BIOS/Platform Configuration (RBSU)
Procedure
1. During POST, press the F9 option that allows you to access the BIOS setup menu.
2. Click the menu option System Configuration.
3. In the System Configuration menu, click the menu option BIOS/Platform Configuration (RBSU).
4. In the BIOS/Platform Configuration (RBSU) menu, click the menu option Storage Options.
5. In the Storage Options menu, click the menu option NVM Express Options.
6. In the NVM Express Options menu, click the menu option Intel(R) NVMe.
7. In the Intel(R) NVMe Options menu, click the menu option Intel(R) CPU VMD Support. From the drop-down list, select Enabled All CPU
NVMe Root Ports.
8. Click the menu option Intel(R) VROC Support. From the drop-down list, select Intel VROC for HPE NVMe as shown in Figure 8.
9. Press F12 to save changes and reboot the system.

Figure 8. Intel VROC NVMe support option in BIOS

Drivers for Intel VROC


Intel VROC is integrated within the HPE BIOS. The Intel VROC solution has two driver components: the pre-boot or UEFI driver, and the
OS driver. The UEFI driver is embedded in the system BIOS and is referred to as the RSTe NVMe UEFI driver while the OS driver must be
loaded at the OS installation time; both contain version numbers.

HPE provides three different drivers and a CLI tool for the Windows OS: one driver package each for Intel VROC NVMe, VROC SATA,
and VROC sSATA controllers.

Download links for the Intel Virtual RAID on CPU drivers for Microsoft Windows Server 2019 and Microsoft Windows Server 2022:
• Intel Virtual RAID on CPU With VMD Technology Driver for Microsoft Windows Server 2019 and Microsoft Windows Server 2022
• Intel Virtual RAID on CPU Software for SATA SSDs for Windows Server 2019 and Windows Server 2022
• Intel Virtual RAID on CPU Software for sSATA SSDs for Windows Server 2019 and Windows Server 2022
• Gen11 Intel Virtual RAID on CPU Software for tSATA SSDs for Microsoft Windows Server 2019 and Microsoft Windows Server 2022
• Intel Virtual RAID on CPU package VROC GUI for Windows Server 2019 and Microsoft Windows Server 2022
• Intel VROC User Guide

Installing Windows Server 2019 or Windows Server 2022 on an Intel VROC RAID volume
Prerequisites
• You have enabled Intel VMD and created a volume using Intel VROC (with RAID protection strongly advised).
• You have a Windows OS image mounted and are prepared to supply the Intel VROC driver to detect the RAID volume.
(HPE NVMe driver and Intel VROC NVMe driver provided by HPE are used as examples)

Procedure
• Download the driver for Windows for your Intel VROC RAID controller and extract the smart component to an empty folder on C: drive.
• Click “Virtual Drives” to mount the folder through HPE iLO.
• Click “Browse” and navigate to where you have the driver saved, and then click “Ok”.
• Highlight the selected driver and click Next to install as shown in Figure 9. It may take several minutes to complete the installation of the
selected driver.

Figure 9. Selecting Intel VROC NVMe driver during OS installation

• After installing the appropriate driver, the RAID volume appears, as shown in Figure 10. If the drive does not immediately appear, use the
Refresh tool to rescan the system for the RAID volume.

Figure 10. Selecting volume for OS installation

• Select the volume and click Next to proceed with the installation of your Windows OS.

Installing the Service Pack for ProLiant (SPP)


This section describes the installation of the Service Pack for ProLiant 2021.10.0 or newer on both Server Core and Desktop Experience
versions. The Service Pack for ProLiant is available by entitlement, which means that an active warranty or HPE Support agreement is
required. The Service Pack for ProLiant provides the necessary drivers and firmware for Windows Server 2022 versions on supported
HPE servers and is available at spp.hpe.com.
The Service Pack for ProLiant can be deployed using Smart Update Manager (SUM) version 8.9.0 or later. SUM has a browser-based GUI, as
well as scriptable, interactive command line, and file-driven interfaces. For more information on SUM, see
hpe.com/us/en/product-catalog/detail/pip.5182020.html.
The Service Pack for ProLiant can be deployed through the following scenarios:
• Local deployment
• Remote deployment

Caution
When a TPM is installed and enabled on the server, data access is locked if the user fails to follow the proper procedure for updating the
system or option firmware. Microsoft recommends temporarily disabling Windows BitLocker prior to updating any system firmware. After the
firmware flash is complete, the server should be rebooted, and BitLocker can be re-enabled.

Depending on your environment, it may be necessary to perform the following optional configuration tasks: disable the firewall (temporarily),
enable Remote Management, and add the SNMP service and WMI SNMP Provider Windows features. The following PowerShell commands
perform these configuration tasks:
• netsh advfirewall set currentprofile state off
• netsh advfirewall set allprofiles settings remotemanagement enable
• Add-WindowsFeature SNMP-Service
• Add-WindowsFeature SNMP-WMI-Provider

Installing the Service Pack for ProLiant on Windows Server Core


Since Windows Server Core does not contain a full UI and a browser, it is necessary to update HPE drivers and software using SUM from the
command line. Windows Server Core provides only a command prompt for the user logged in. The Smart Update Manager (SUM) can be run
from this command prompt using the smartupdate.bat file located in the PACKAGES folder.
To apply smart updates to Server Core (without UI interaction) using CMD or Windows PowerShell:
1. Download and mount the Service Pack for ProLiant .ISO on the local system
2. Run smartupdate.bat from the PACKAGES folder of the mounted SPP .ISO, for example:
E:\PACKAGES\smartupdate /s /tpmbypass /romonly

Figure 11. Running “.\smartupdate /s /tpmbypass /romonly” from the E:\PACKAGES folder to install the Service Pack for ProLiant through PowerShell
command line

Note
This process may take up to 30 minutes to complete.
A common error message is a failed dependency, which can be due to the presence of a TPM module in the server. If this is the case, it is
necessary to run the Smart Update in two commands:
• .\smartupdate /s /tpmbypass /romonly
• .\smartupdate /s /tpmbypass /softwareonly

For detailed instructions on using this command-line option, see the Smart Update Manager 8.8.0 CLI Guide.
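
The Caution about BitLocker and the two-command SUM run described above can be combined into one script for Server Core. This is an added example, not HPE code; the E:\PACKAGES path is the page's example mount point, and the parameter names SumPath and ResumeOnly are made up for this example.

```powershell
# Added example, not HPE code. Run from an elevated PowerShell session.
# Assumption: the SPP ISO is mounted at E:\ (the page's example path).
param(
    [string]$SumPath = 'E:\PACKAGES\smartupdate.bat',
    [switch]$ResumeOnly   # use after the post-flash reboot to re-enable BitLocker
)

# The BitLocker cmdlets exist only when the BitLocker feature is installed.
$haveBitLocker = [bool](Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)

function Suspend-ProtectedVolumes {
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is run,
    # so the suspension survives the reboot that follows the firmware flash.
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } |
        ForEach-Object {
            Suspend-BitLocker -MountPoint $_.MountPoint -RebootCount 0 | Out-Null
            Write-Host "BitLocker suspended on $($_.MountPoint)"
        }
}

function Resume-SuspendedVolumes {
    # A suspended volume is still fully encrypted but reports ProtectionStatus Off.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off' } |
        ForEach-Object {
            Resume-BitLocker -MountPoint $_.MountPoint | Out-Null
            Write-Host "BitLocker resumed on $($_.MountPoint)"
        }
}

function Invoke-SumPass {
    param([string]$Mode)   # /romonly or /softwareonly, as given on the page
    Write-Host "Running: $SumPath /s /tpmbypass $Mode"
    & $SumPath /s /tpmbypass $Mode | Out-Host
    # Exit-code meanings are documented in the SUM CLI guide; they are only recorded here.
    [pscustomobject]@{ Mode = $Mode; ExitCode = $LASTEXITCODE }
}

if ($ResumeOnly) {
    if ($haveBitLocker) { Resume-SuspendedVolumes }
    return
}

if (-not (Test-Path $SumPath)) { throw "smartupdate.bat not found at $SumPath" }
if ($haveBitLocker) { Suspend-ProtectedVolumes }

# Firmware first, then drivers and software, matching the two-command sequence above.
$passes = foreach ($mode in '/romonly', '/softwareonly') { Invoke-SumPass -Mode $mode }
$passes | Format-Table -AutoSize

Write-Host 'Reboot the server, then run this script again with -ResumeOnly.'
```

Running it a second time with -ResumeOnly after the reboot closes the window in which the volumes are unprotected; Get-BitLockerVolume should then report ProtectionStatus On again.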

Installing the Service Pack for ProLiant (SPP) on Windows Server 2022 with Desktop (UI)
Either the command-line deployment explained previously or the following Smart Update process using a browser may be used.
1. Download and mount the Service Pack for ProLiant .ISO on the local system
2. Install the certificate as follows:
a. Navigate to E:\packages\assets\certificates and select the CA security certificate
b. Right-click and select Open. Click Open again on the Open File—Security Warning
c. Click Install Certificate
d. Select Local Machine under Store Location and click Next
e. Select “Place all certificates in the following store” and click Browse
f. Select Trusted Root Certification Authorities and click OK
g. Click Next and then click Finish
h. Click OK twice to exit the Certificate Import Wizard
3. Navigate to E:\PACKAGES\ and double-click on the smartupdate.bat file to launch smartupdate
4. Click Localhost Guided Update
5. On the Localhost Guided Update screen, click OK
6. Once the inventory has been completed, click Next
7. On the Deployment summary screen, click Deploy
8. Once deployment has completed, click Reboot if required
Remote deployment
The procedures for remote deployment are the same for both Windows Server Core and Windows Server with Desktop (UI) since it is
performed remotely.
1. Download and mount the Service Pack for ProLiant .ISO file on the local system. Navigate to the PACKAGES folder of the mounted
SPP and run smartupdate.bat
2. You may need to add a security certificate exception or bypass the browser warning that the self-signed certificate does not
validate security
Procedure to add Baseline
1. On the SUM home screen, click Baseline Library
2. On the Baseline Library screen, click Add Baseline

Note
If you want to clear the Add Baseline screen, click Start Over.

1. SUM opens the Add Baseline screen
2. Select Browse and navigate to the mounted SPP
3. Click Add. SUM should return a “Baseline successfully added” message
4. Under the Smart Update Manager drop-down menu, click Nodes (under Options)
Add servers as remote nodes and install the SPP:
1. From the Nodes screen, click Add Node
2. Select Add a single node or known range of nodes
3. Enter the IP address or range
4. Enter a description for the node
5. In the Type of node to add field, select the node type, which should be Windows

Note:
Selecting the correct node type often helps SUM complete adding the node faster.

6. Select the Service Pack for ProLiant 2021.10.0 (or newer) bundle as a baseline here. If the SPP has not been added, select +Add
Baseline and browse to the location where you mounted the SPP.
7. Select a group from the list (optional).
8. Select one of the following:
a. Use current credentials (requires existing trust relationship with the node). This option is for Windows nodes only.
b. Enter administrator credentials: Enter the user name and password for a user with administrator privileges on the node. Windows
users can use domain / user name if the user has administrator permission.
9. Click Add. In the Added Nodes section, SUM displays the nodes you selected.

Performing node inventory


1. From the Nodes screen, highlight the node and then select Actions -> Inventory
2. SUM displays the baseline associated with the node. If you want to reassign the baseline that SUM will use for inventory, select a baseline,
additional package, or both
3. Click Inventory. SUM displays errors to resolve before you can deploy updates

Deploying a node procedure


1. From the Nodes screen, select a node to update, and then select Actions -> Review/Deploy
2. Select the Installation Options tab to change options if necessary. You may need to select the Ignore Warnings checkbox if a TPM is
detected. If you are instructed to suspend BitLocker before performing firmware updates, be sure to follow the instructions provided
3. Select the Reboot Options tab to set options if desired
4. Select the HPE iLO Repository Options tab to manage the HPE iLO Repository if desired
5. Select the components from the Baseline and Associated Packages tabs where you want to change any deployment selections
(2021.10.0 SPP [or newer] bundle should be ready to deploy)
6. Click Deploy. SUM verifies any changes that you made are valid and then begins deploying components.
7. In the General section of the Node screen, click View log for the node, and then click View log for the component you installed to view
the details of the installation

Known issues
Issue: Microsoft-Windows-Kernel-Boot Event ID 124 Logged
Description: On an HPE ProLiant Gen10 Plus series server, users might observe the following error message with Event ID 124 in the
Windows system event log after installing Windows Server OS, or while installing a hypervisor, using HPE DVD media or an
HPE pre-install image:

“The Virtualization Based Security Enablement Policy Check at Phase 7 Failed with Status: unknown NTSTATUS Error Code 0xc028014b”
Resolution: To address this issue, clear the Trusted Platform Module (TPM) by following these steps:
1. Click Start, type PowerShell, and then run Windows PowerShell as administrator, or right-click the Start
button and select Windows PowerShell (Admin).
2. At the command prompt, type Clear-TPM and press Enter.
3. Restart the system for the change to take effect.

Issue: Enabling firmware protection (Intel TXT) without Secured-core support may cause Hyper-V role installation failure or block Hyper-V
startup if already installed.
Description: The new Secured-core BIOS feature is only available when the platform detects a supported processor. If the user chooses to
enable an individual component such as Intel TXT, then Hyper-V may be blocked. The system may log Event ID 124, Kernel-Boot, stating,
“The virtualization-based security enablement policy check at phase 0 failed with status: Virtual Secure Mode (VSM) is not initialized. The
hypervisor or VSM may not be present or enabled.”
Workaround: Do not enable firmware protection (Intel TXT) on its own as a substitute for Secured-core. Do not attempt to use either for
Windows Server 2019 or earlier versions, especially if Hyper-V is desired.
See the Microsoft documentation: Startup failure when Firmware protection is turned on—Windows Server
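Both known issues surface as Kernel-Boot Event ID 124, so the status text in the event decides which resolution applies. The following added PowerShell example (not code from HPE or Microsoft) pulls those events, sorts them by the two statuses quoted above, and reports TPM and BitLocker state so the effect of Clear-TPM on TPM-protected volumes is known beforehand.

```powershell
#Requires -RunAsAdministrator
# Added example: triage Event ID 124, then check TPM and BitLocker state
# before deciding to run Clear-TPM.

# 1. Recent Kernel-Boot Event ID 124 entries from the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-Boot'
    Id           = 124
} -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) { Write-Output 'No Kernel-Boot Event ID 124 entries found.' }

# 2. Map each event to the issue in this paper by its status text.
$triage = foreach ($e in $events) {
    $issue = switch -Regex ($e.Message) {
        '0xc028014b' {
            'Status 0xc028014b: first issue (resolution: clear the TPM)'; break }
        'Virtual Secure Mode \(VSM\) is not initialized' {
            'VSM not initialized: second issue (Intel TXT without Secured-core)'; break }
        default { 'Other status: not covered by this paper' }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Issue = $issue }
}
$triage | Format-Table -AutoSize -Wrap

# 3. TPM state as Windows reports it.
Get-Tpm | Format-List TpmPresent, TpmReady, TpmEnabled, TpmOwned

# 4. Clearing the TPM discards the keys it holds, so a volume with a TPM-based
#    protector needs its recovery password at the next boot. List such volumes
#    and whether a recovery password protector exists. The BitLocker cmdlets
#    are only present when the BitLocker feature is installed.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | Where-Object {
        $_.ProtectionStatus -eq 'On' -and
        ($_.KeyProtector.KeyProtectorType -match 'Tpm')
    } | ForEach-Object {
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            TpmProtected        = $true
            HasRecoveryPassword = [bool]($_.KeyProtector.KeyProtectorType -match 'RecoveryPassword')
        }
    } | Format-Table -AutoSize
} else {
    Write-Output 'BitLocker cmdlets not available; no BitLocker volumes to check.'
}
```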

Resources
What’s new in Windows Server 2022

Microsoft Windows Server home page

Comparison of Standard, Datacenter, and Datacenter: Azure Edition editions of Windows Server 2022
Intelligent Provisioning User Guide for HPE ProLiant Gen10, ProLiant Gen10 Plus Servers, and HPE Synergy

Installing and running Microsoft Windows Server 2019 and Windows Server 2022 on HPE Superdome Flex technical white paper

Deploying Microsoft Windows Server on HPE Superdome Flex 280 Servers technical white paper
HPE Storage—SPOCK

Learn more at
HPE.com/servers


© Copyright 2023 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without
notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

AMD is a trademark of Advanced Micro Devices, Inc. Intel and Intel Xeon are trademarks of Intel Corporation or its subsidiaries in
the U.S. and/or other countries. Azure, BitLocker, Hyper-V, Microsoft, PowerShell, Windows, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All third-party marks
are property of their respective owners.

a50003760ENW, Rev. 6
