Implementing Microsoft Windows Server 2022 Using HPE ProLiant Servers, Storage, and Networking Options-A50003760enw
Contents
Overview
Windows Server 2022 editions
Windows Server diagnostic data (telemetry)
Service Pack for ProLiant (SPP) information
Supported HPE servers
Configuring and validating Secured-core servers
Applicable products
Configuring Secured-core
Configuring UEFI/BIOS settings
Configuring Windows Server VBS, HVCI, and System Guard
Confirm secure boot, Kernel DMA Protection, VBS, HVCI, and System Guard
Installing Windows Server 2022
Windows Server 2022 mitigations for Meltdown and Spectre
Intel Virtual RAID on CPU (VROC) for HPE ProLiant Gen10 Plus and HPE ProLiant Gen11 servers
Installing the Service Pack for ProLiant (SPP)
Installing the Service Pack for ProLiant on Windows Server Core
Installing the Service Pack for ProLiant (SPP) on Windows Server 2022 with Desktop (UI)
Known issues
Resources
Technical white paper Page 2
Overview
Windows Server 2022 is the next Windows Server Long Term Servicing Channel (LTSC) release from Microsoft. It features enhanced
security as well as scalability and performance improvements. This document explains how to successfully implement Windows Server 2022
on HPE servers.
Note
You cannot convert between Windows Server 2022 installations of Server Core and Server with Desktop Experience. A change requires a
complete reinstallation.
Note
HPE ProLiant Gen9 and older servers are not supported on Windows Server 2022.
Note
Microsoft guidance on Windows Server installation using AMD EPYC 9xx4 processors:
learn.Microsoft.com/en-us/troubleshoot/windows-server/virtualization/support-and-installation-instructions-for-amd-epyc-9004-series-server-processors
The HPE ProLiant system ROMs and other HPE software and drivers are available in the latest SPP at spp.hpe.com.
For a complete list of supported options on your server, see the HPE QuickSpecs.
Table 8. Supported HPE Alletra 5000, HPE Alletra 6000, and HPE Nimble Storage external arrays
The Secured-core server Additional Qualification (AQ) defines the additional set of requirements to support and enable the Secured-core
capabilities explained previously with Windows Server 2022. Systems that meet it are listed in the Windows Server Catalog.
Applicable products
The following platforms are Secured-core capable, using the processor families listed in the following:
Note
RSOD may occur when Microsoft Secured-core is enabled with microchip-based SR controllers on AMD servers. See
support.hpe.com/hpesc/public/docDisplay?docId=a00129207en_us&docLocale=en_US and
support.hpe.com/hpesc/public/docDisplay?docId=a00129300en_us&docLocale=en_US for more information. HPE recommends
that Windows Server customers only use HPE MegaRAID controllers for Secured-core scenarios.
Configuring Secured-core
This section provides guidance for steps to configure Secured-core to a fully protected state. You may also need to install additional
software from the HPE ProLiant support pack to enable the Secured-core features, such as the DRTM driver for the AMD platform.
See the “Installing the Service Pack for ProLiant (SPP)” section for more information.
Note
It is advised that Secured-core be configured in the BIOS before OS installation and that Secured-core be configured (through registry keys
or Windows Admin Center) before roles such as Hyper-V are added.
3. Windows Security App (for Windows Server OS with Desktop Experience only), see Figures 3 and 4.
Set the slider switches for both “Memory integrity” and “Firmware protection” to “On”. You will be prompted for a reboot for these settings
to take effect.
Confirm secure boot, Kernel DMA Protection, VBS, HVCI, and System Guard
Launch msinfo32 from the command prompt and confirm the following values:
• “Secure boot State” is On
• “Kernel DMA Protection” is On
• “Virtualization-Based Security” is Running
• “Virtualization-Based Security Services Running” contains the value Hypervisor enforced Code Integrity, Secure Launch
At this point, roles such as Hyper-V can be added and can be verified.
Note
If Hyper-V Virtualization Enabled in Firmware appears as No, then check the event log for Event ID 124.
• Get-WinEvent -FilterHashtable @{LogName="System";ID=124} -MaxEvents 20
To resolve this error, it may be necessary to clear the TPM in the BIOS. See the Configuring Trusted Platform Module options on HPE.com for
more information. If BitLocker drive encryption has been enabled, it must be suspended before rebooting into BIOS and clearing the TPM.
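The same confirmation can be scripted, which helps on Server Core or across many hosts. The following is an added example, not HPE or Microsoft code: it reads Secure Boot, VBS, HVCI, and System Guard Secure Launch state and, if any of them is not in the expected state, collects the Kernel-Boot Event ID 124 records. The function name `Test-SecuredCoreState` is an assumption of this example; Kernel DMA Protection is not covered here and is still read from msinfo32.

```powershell
# Added example (not HPE or Microsoft code). Run in an elevated session on the server.
function Test-SecuredCoreState {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Confirm-SecureBootUEFI throws on a legacy-BIOS boot or a non-elevated session;
    # both cases are reported as "not confirmed" rather than stopping the check.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # Win32_DeviceGuard values: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 2 for HVCI and 3 for System Guard Secure Launch.
    $checks = [ordered]@{
        'Secure Boot'                = $secureBoot
        'VBS running'                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        'HVCI running'               = ($dg.SecurityServicesRunning -contains 2)
        'System Guard Secure Launch' = ($dg.SecurityServicesRunning -contains 3)
    }
    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })

    # Only when something is off, pull the Kernel-Boot Event ID 124 records the
    # page points to, so the failing policy-check phase and status are visible.
    $events = @()
    if ($failed.Count -gt 0) {
        $events = @(Get-WinEvent -FilterHashtable @{
                LogName      = 'System'
                ProviderName = 'Microsoft-Windows-Kernel-Boot'
                Id           = 124
            } -MaxEvents 20 -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Message)
    }

    [pscustomobject]@{
        Compliant = ($failed.Count -eq 0)
        Checks    = [pscustomobject]$checks
        Failed    = $failed
        Event124  = $events
    }
}

$state = Test-SecuredCoreState
$state.Checks | Format-List
if (-not $state.Compliant) {
    Write-Warning ("Not in the expected state: " + ($state.Failed -join ', '))
    $state.Event124 | Format-List
}
```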
The following sections also provide information on updating drivers and software with the latest Service Pack for ProLiant.
See the KB4072698: Windows Server and Azure Stack HCI guidance to protect against silicon-based microarchitectural and speculative
execution side-channel vulnerabilities for more information.
For more information on Spectre or Meltdown mitigation, see the HPE support communication—customer bulletin.
Note that additional vulnerabilities may be discovered, and further guidance may then need to be followed alongside the guidance
referenced above.
Intel® Virtual RAID on CPU (VROC) for HPE ProLiant Gen10 Plus and HPE ProLiant Gen11 servers
The Intel Virtual RAID on CPU (Intel VROC) family of products provides RAID solutions for both NVMe SSD and SATA devices for
HPE servers. It is a software-based solution utilizing Intel CPU features to RAID or host bus adapter (HBA) direct connected drives. It
supports both Intel SFF SSDs and HPE SFF SSDs and can be configured within HPE ProLiant server ROM-Based Setup Utilities (RBSU).
RAID-level options available with Intel VROC are RAID 0 (stripe), RAID 1 (mirror), RAID 5 (parity), and RAID 10 (RAID 1+0 striped mirror).
Enabling Intel VROC (SATA RAID) for SATA or sSATA on BIOS/Platform Configuration (RBSU)
Procedure
1. During POST, press the F9 option that allows you to access the BIOS setup menu.
2. Select the menu option System Configuration.
3. In the System Configuration menu, click the menu option BIOS/Platform Configuration (RBSU).
4. In the BIOS/Platform Configuration (RBSU) menu, click the menu option Storage Options.
5. In the Storage Options menu, click the menu option SATA Controller Options.
6. In the SATA Controller Options menu, click the menu option Embedded SATA Configuration.
7. From the drop-down list, select Intel VROC SATA Support as shown in Figure 7.
8. Press F12 to save changes and reboot the system.
Enabling Intel VMD and Intel VROC NVMe on BIOS/Platform Configuration (RBSU)
Procedure
1. During POST, press the F9 option that allows you to access the BIOS setup menu.
2. Click the menu option System Configuration.
3. In the System Configuration menu, click the menu option BIOS/Platform Configuration (RBSU).
4. In the BIOS/Platform Configuration (RBSU) menu, click the menu option Storage Options.
5. In the Storage Options menu, click the menu option NVM Express Options.
6. In the NVM Express Options menu, click the menu option Intel(R) NVMe.
7. In the Intel(R) NVMe Options menu, click the menu option Intel(R) CPU VMD Support. From the drop-down list, select Enabled All CPU
NVMe Root Ports.
8. Click the menu option Intel(R) VROC Support. From the drop-down list, select Intel VROC for HPE NVMe as shown in Figure 8.
9. Press F12 to save changes and reboot the system.
HPE provides three different drivers and a CLI tool for the Windows OS: one driver package each for Intel VROC NVMe, VROC SATA,
and VROC sSATA controllers.
Download links for the Intel Virtual RAID on CPU drivers for Microsoft Windows Server 2019 and Microsoft Windows Server 2022:
Intel Virtual RAID on CPU With VMD Technology Driver for Microsoft Windows Server 2019 and Microsoft Windows Server 2022
Intel Virtual RAID on CPU Software for SATA SSDs for Windows Server 2019 and Windows Server 2022
Intel Virtual RAID on CPU Software for sSATA SSDs for Windows Server 2019 and Windows Server 2022
Gen11 Intel Virtual RAID on CPU Software for tSATA SSDs for Microsoft Windows Server 2019 and Microsoft Windows Server 2022
Intel Virtual RAID on CPU package VROC GUI for Windows Server 2019 and Microsoft Windows Server 2022
Installing Windows Server 2019 or Windows Server 2022 on an Intel VROC RAID volume
Prerequisites
• You have enabled Intel VMD and created a volume using Intel VROC (with RAID protection strongly advised).
• You have a Windows OS image mounted and are prepared to supply the Intel VROC driver to detect the RAID volume.
(HPE NVMe driver and Intel VROC NVMe driver provided by HPE are used as examples)
Procedure
• Download the driver for Windows for your Intel VROC RAID controller and extract the smart component to an empty folder on C: drive.
• Click “Virtual Drives” to mount the folder through HPE iLO.
• Click “Browse” and navigate to where you have the driver saved, and then click “Ok”.
• Highlight the selected driver and click Next to install as shown in Figure 9. It may take several minutes to complete the installation of the
selected driver.
• After installing the appropriate driver, the RAID volume appears, as shown in Figure 10. If the drive does not immediately appear, use the
Refresh tool to rescan the system for the RAID volume.
• Select the volume and click Next to proceed with the installation of your Windows OS.
Caution
When a TPM is installed and enabled on the server, data access is locked if the user fails to follow the proper procedure for updating the
system or option firmware. Microsoft recommends temporarily disabling Windows BitLocker prior to updating any system firmware. After the
firmware flash is complete, the server should be rebooted, and BitLocker can be re-enabled.
Depending on your environment, it may be necessary to perform the following optional configuration tasks: disable the firewall (temporarily),
enable Remote Management, and add the SNMP service and WMI SNMP Provider Windows features. The following PowerShell commands
perform these configuration tasks:
• netsh advfirewall set currentprofile state off
• netsh advfirewall set allprofiles settings remotemanagement enable
• Add-WindowsFeature SNMP-Service
• Add-WindowsFeature SNMP-WMI-Provider
Figure 11. Running “.\smartupdate /s /tpmbypass /romonly” from the E:\PACKAGES folder to install the Service Pack for ProLiant through PowerShell
command line
Note
This process may take up to 30 minutes to complete.
A common error message is a failed dependency, which can be due to the presence of a TPM module in the server. If this is the case, it is
necessary to run the Smart Update in two commands:
• .\smartupdate /s /tpmbypass /romonly
• .\smartupdate /s /tpmbypass /softwareonly
For detailed instructions on using this command-line option, see the Smart Update Manager 8.8.0 CLI Guide.
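The command-line sequence above can be wrapped so that the temporary changes are actually undone. This is an added example, not HPE code: it suspends BitLocker, optionally turns the firewall off with the netsh command shown earlier, runs both smartupdate passes, and always restores the firewall profiles it found. The function name `Invoke-SppTwoPassUpdate`, its parameters, and the choice of `Suspend-BitLocker -RebootCount 0` are assumptions of this example.

```powershell
# Added example (not HPE code). Assumes an elevated session and the SPP ISO mounted
# so that smartupdate.bat is in $PackagesPath (E:\PACKAGES is the page's location).
function Invoke-SppTwoPassUpdate {
    [CmdletBinding()]
    param(
        [string]$PackagesPath = 'E:\PACKAGES',
        [switch]$DisableFirewall   # use only if the update cannot run with it on
    )

    $sum = Join-Path $PackagesPath 'smartupdate.bat'
    if (-not (Test-Path -LiteralPath $sum)) { throw "smartupdate.bat not found in $PackagesPath" }

    # Suspend BitLocker before firmware changes. RebootCount 0 keeps protection
    # suspended until Resume-BitLocker is run after the post-flash reboot.
    $suspended = @()
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        foreach ($vol in @(Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On')) {
            Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount 0 | Out-Null
            $suspended += $vol.MountPoint
        }
    }

    # Snapshot every firewall profile so "temporarily" is enforced by the script.
    $fwBefore  = Get-NetFirewallProfile | Select-Object Name, Enabled
    $exitCodes = [ordered]@{}
    Push-Location $PackagesPath
    try {
        if ($DisableFirewall) { netsh advfirewall set currentprofile state off | Out-Null }
        foreach ($pass in '/romonly', '/softwareonly') {
            & $sum /s /tpmbypass $pass
            $exitCodes[$pass] = $LASTEXITCODE   # reported as-is, not interpreted here
        }
    }
    finally {
        Pop-Location
        # Put each profile back to the state recorded before the update.
        foreach ($p in $fwBefore) {
            Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled
        }
    }

    $fwAfter = Get-NetFirewallProfile | Select-Object Name, Enabled
    [pscustomobject]@{
        ExitCodes          = [pscustomobject]$exitCodes
        BitLockerSuspended = $suspended
        FirewallRestored   = -not (Compare-Object $fwBefore $fwAfter -Property Name, Enabled)
    }
}
```

After the post-update reboot, run `Resume-BitLocker -MountPoint` for each volume listed in `BitLockerSuspended`.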
Installing the Service Pack for ProLiant (SPP) on Windows Server 2022 with Desktop (UI)
Either the command-line deployment explained previously or the following Smart Update process using a browser may be used.
1. Download and mount the Service Pack for ProLiant .ISO on the local system
2. Install the certificate as follows:
a. Navigate to E:\packages\assets\certificates and select the CA security certificate
b. Right-click and select Open. Click Open again on the Open File—Security Warning
c. Click Install Certificate
d. Select Local Machine under Store Location and click Next
e. Select “Place all certificates in the following store” and click Browse
f. Select Trusted Root Certification Authorities and click OK
g. Click Next and then click Finish
h. Click OK twice to exit the Certificate Import Wizard
3. Navigate to E:\PACKAGES\ and double-click on the smartupdate.bat file to launch smartupdate
4. Click Localhost Guided Update
5. On the Localhost Guided Update screen, click OK
6. Once the inventory has been completed, click Next
7. On the Deployment summary screen, click Deploy
8. Once deployment has completed, click Reboot if required
Remote deployment
The procedures for remote deployment are the same for both Windows Server Core and Windows Server with Desktop (UI) since it is
performed remotely.
1. Download and mount the Service Pack for ProLiant .ISO file on the local system. Navigate to the PACKAGES folder of the mounted
SPP and run smartupdate.bat
2. You may need to add a security certificate exception or bypass the browser warning that the self-signed certificate does not
validate security
Procedure to add Baseline
1. On the SUM home screen, click Baseline Library
2. On the Baseline Library screen, click Add Baseline
Note
If you want to clear the Add Baseline screen, click Start Over.
Note
Selecting the correct node type often helps SUM complete adding the node faster.
6. Select the Service Pack for ProLiant 2021.10.0 (or newer) bundle as a baseline here. If the SPP has not been added, select +Add
Baseline and browse to the location where you mounted the SPP.
7. Select a group from the list (optional).
8. Select one of the following:
a. Use current credentials (requires existing trust relationship with the node). This option is for Windows nodes only.
b. Enter administrator credentials: Enter the user name and password for a user with administrator privileges on the node. Windows
users can use domain / user name if the user has administrator permission.
9. Click Add. In the Added Nodes section, SUM displays the nodes you selected.
Known issues
Issue: Microsoft-Windows-Kernel-Boot Event ID 124 Logged
Description: On an HPE ProLiant Gen10 Plus series server, users might observe the following error message with Event ID 124 in the
Windows System event log after installing the Windows Server OS, or while installing a hypervisor, using HPE DVD media or an
HPE pre-install image:
“The Virtualization Based Security Enablement Policy Check at Phase 7 Failed with Status: unknown NTSTATUS Error Code 0xc028014b”
Resolution: To address this issue, users need to clear the Trusted Platform Module (TPM). To successfully clear the TPM, follow these steps:
1. Click Start, type PowerShell, and then run Windows PowerShell as administrator, or right-click the Start
button and select Windows PowerShell (Admin).
2. At the command prompt, type Clear-TPM and hit Enter.
3. Restart the system for the change to take effect.
Issue: Enabling firmware protection (Intel TXT) without Secured-core support may cause Hyper-V role installation failure or block Hyper-V
startup if already installed.
Description: The new Secured-core BIOS feature is only available when the platform detects a supported processor. If the user chooses to
enable an individual component such as Intel TXT, then Hyper-V may be blocked. The system may log Event ID 124, Kernel-Boot, stating,
“The virtualization-based security enablement policy check at phase 0 failed with status: Virtual Secure Mode (VSM) is not initialized. The
hypervisor or VSM may not be present or enabled.”
Workaround: Do not enable firmware protection (Intel TXT) instead of Secured-core. Do not attempt to use either for Windows Server
2019 or earlier versions, especially if Hyper-V is desired.
See the Startup failure when Firmware protection is turned on—Windows Server Microsoft documentation.
Resources
What’s new in Windows Server 2022
Comparison of Standard, Datacenter, and Datacenter: Azure Edition editions of Windows Server 2022
Intelligent Provisioning User Guide for HPE ProLiant Gen10, ProLiant Gen10 Plus Servers, and HPE Synergy
Installing and running Microsoft Windows Server 2019 and Windows Server 2022 on HPE Superdome Flex technical white paper
Deploying Microsoft Windows Server on HPE Superdome Flex 280 Servers technical white paper
HPE Storage—SPOCK
Learn more at
HPE.com/servers
© Copyright 2023 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without
notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
AMD is a trademark of Advanced Micro Devices, Inc. Intel and Intel Xeon are trademarks of Intel Corporation or its subsidiaries in
the U.S. and/or other countries. Azure, BitLocker, Hyper-V, Microsoft, PowerShell, Windows, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All third-party marks
are property of their respective owners.
a50003760ENW, Rev. 6