
September 29, 2015

HP Proliant Service Pack on usb

Building a bootable USB for HP's Service Pack for Proliant ISO is accomplished by using HP's USB Key Utility version 2.0 or beyond.

To download the Service Pack for Proliant, use this link for the 2015.06.0 edition or use search.  Currently there's an "Obtain Software" link which requires a valid support login.  Directions for building a bootable USB over 4 GB using HP's USB Key Utility for Windows are included in the HP Service Pack for Proliant Quick Start Guide, which oddly isn't listed on the download page; I had to search for it separately.

The HP USB Key Utility is available for download; you may need to search and then check Revision History to locate version 2.0 or beyond.  From what I understand, earlier versions do not support x64 and/or 4 GB+.

January 25, 2013

TPM and BitLocker passwords in Active Directory

The process of configuring and saving Windows 7 (and 8?) TPM and BitLocker passwords to Active Directory (2008 R2) is multi-stepped.  First Active Directory and Group Policy need to be configured, then the clients need to be set up, and you need to know how to recover the passwords from Active Directory.  Generally I use this TechNet article as a guide with a few important notes added here.

Active Directory & Group Policy Setup
  • The Add-TPMSelfWriteACE.vbs script needs to be modified to reflect the correct GUIDs listed in the "TPM and FVE scheme object GUID's" mid-way through the script.  You can locate the GUIDs by using ADSIEdit and change the Action --> Settings --> Select a well known Naming Context: Schema.  From here you can look at the properties for the particular items to find the objectGUID.
  • After executing Add-TPMSelfWriteACE.vbs, the permission for the computers to write to the Active Directory attribute needs to be completed.  This needs to be done before enabling TPM on any client or the passwords won't save.  Follow the information on this TechNet blog.  Failure to do this will result in an "Access is Denied. Error 0x80070005" when initializing TPM.
  • Follow the original TechNet article for setting Group Policy.
Enable TPM and BitLocker
I used the "Sample test scenario with Windows 7" from the same TechNet article as a reference instead of a step-by-step guide.  It is handy for verifying permissions are configured correctly, but I had trouble with some of the scripts so it was messy.  Plus, it's not a day-by-day guide for setting up several computers.

     TPM
  1. Add the Computer to AD and make sure Group Policy is applied (gpupdate.exe & gpresult.exe /SCOPE Computer /R).  Current user needs admin rights for the entire process.
  2. tpm.msc (or Control Panel > BitLocker Drive Encryption > TPM Administration)
  3. Click either 'Initialize TPM' or 'Change Owner Password'.  Note: To change the password, you need the old one.
  4. If 'Initialize', shut down when prompted, then upon booting acknowledge/allow the BIOS notice regarding TPM.  If 'Change', provide the current password file (if in AD, see Recovery below).
  5. Log in with the same account to continue the TPM process.  You can verify the TPM Owner Password is saved to AD by using the Recovery section below.
     BitLocker via Command Line
  1. This command will begin the process for the C drive; repeat for others.  Run using an elevated prompt (Run as administrator): manage-bde -on C: -RecoveryPassword
  2. Reboot, then run the following to see the encryption process status: manage-bde -status
     BitLocker via GUI
  1. Control Panel > System and Security > BitLocker Drive Encryption
  2. Click 'Turn on BitLocker' for the desired drives and follow any prompts.
BitLocker and Updates to BIOS, Hardware, or Startup Files (e.g. OS Upgrades)
See: this article on suspending BitLocker protection before applying certain kinds of updates.  The process involves suspending protection and then resuming protection once updates are complete.

Recovery
     TPM (reference: technet blog)
  1. Active Directory Users and Computers > enable 'Advanced Features' in View.
  2. Open Properties on the desired computer, then the 'Attribute Editor' tab.
  3. Locate the attribute 'msTPM-OwnerInformation' and note the value.
  4. Enter the following into a text editor (such as notepad), but replace the "....." with the value found in AD.  Save the file with a .tpm extension at a location accessible by the computer.
    <?xml version="1.0" encoding="UTF-8"?>
    <ownerAuth>.....</ownerAuth>

     BitLocker
  1. Open Active Directory Users and Computers
  2. Open Properties on the desired computer, then the BitLocker tab.
  3. The BitLocker Recovery Password is in the details section.
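
The two Recovery procedures above can also be scripted. This is an added example, not part of the original post or the TechNet material; it assumes the RSAT ActiveDirectory module, an account permitted to read these attributes, and hypothetical names (the function name, 'PC-0123', the output path).

```powershell
# Added example: read the TPM owner value and BitLocker recovery passwords
# for one computer from Active Directory.
Import-Module ActiveDirectory

function Get-RecoveryInfoFromAD {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # hypothetical, e.g. 'PC-0123'
        [Parameter(Mandatory)] [string] $TpmFilePath     # hypothetical, e.g. 'C:\Temp\PC-0123.tpm'
    )

    $computer = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-OwnerInformation'

    # TPM steps 1-3: the value shown in Attribute Editor > msTPM-OwnerInformation.
    $ownerInfo = $computer.'msTPM-OwnerInformation'
    if ($ownerInfo) {
        # TPM step 4: wrap the value in the XML from the post and save it as a .tpm file.
        $xml = "<?xml version=`"1.0`" encoding=`"UTF-8`"?>`r`n<ownerAuth>$ownerInfo</ownerAuth>"
        Set-Content -Path $TpmFilePath -Value $xml -Encoding UTF8
    }
    else {
        # Empty attribute: the client could not write it (see the 0x80070005 note above).
        Write-Warning "No msTPM-OwnerInformation stored for $ComputerName."
    }

    # BitLocker: recovery passwords are child objects of the computer object,
    # the same data the BitLocker tab displays. Newest first.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -Properties 'msFVE-RecoveryPassword', whenCreated |
        Sort-Object whenCreated -Descending |
        Select-Object Name, whenCreated, 'msFVE-RecoveryPassword'
}

# Get-RecoveryInfoFromAD -ComputerName 'PC-0123' -TpmFilePath 'C:\Temp\PC-0123.tpm'
```

Both the .tpm file and the returned recovery passwords are secrets; write the file to a location only administrators can read and delete it after use.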

April 09, 2012

Loopback errors on SharePoint server

While testing a migration from one SharePoint server to another I noticed various errors that may all be attributed to the same problem.  The underlying configuration is that the default zone URL is a DNS alias.  Errors:
  • Nintex Workflow returns "Error returned from server: The remote server returned an error: (401) Unauthorized."  The workflow is starting another workflow which saves attachments on a list item to a document library.
  • In the IIS log there are several 401 errors at the time of the workflow but no username.
  • The SharePoint Server Search has error ID 14 in the event log, which indicates the SharePoint URL cannot be crawled.  The same errors can be found in the Crawl History for the Search Service Application (Central Admin --> Application Management --> Manage Service Applications).
After creating and setting the registry key DisableLoopbackCheck (DWORD) = 1 at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ (see Microsoft Support Article 926642 for specific steps):
  • Search no longer errors trying to access the local SharePoint sites (there are errors trying to access specific files).
  • Workflow does not error when trying to call the second workflow.
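
DisableLoopbackCheck turns the loopback check off for every host name on the server, and that check exists to help prevent reflection attacks. The same support article (926642) also describes a narrower setting, BackConnectionHostNames, which exempts only named aliases. The following is an added example, not from the original post; the function names and the alias 'sharepoint.example.com' are hypothetical.

```powershell
# Added example: report the loopback-check configuration and, optionally,
# replace the global bypass with a per-host-name exception (KB 926642).
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1 = Join-Path $lsa 'MSV1_0'

function Get-LoopbackCheckState {
    $disable = (Get-ItemProperty -Path $lsa  -Name DisableLoopbackCheck `
                    -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $names   = (Get-ItemProperty -Path $msv1 -Name BackConnectionHostNames `
                    -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        LoopbackCheckDisabled   = ($disable -eq 1)                 # true = global bypass in effect
        BackConnectionHostNames = @($names | Where-Object { $_ })  # aliases exempted individually
    }
}

function Set-LoopbackException {
    param([Parameter(Mandatory)] [string[]] $HostName)   # DNS alias(es) of the web application

    # Keep any names already listed and add the new ones without duplicates.
    $existing = @((Get-LoopbackCheckState).BackConnectionHostNames)
    $merged   = @($existing + $HostName | Where-Object { $_ } | Sort-Object -Unique)

    # REG_MULTI_SZ of host names allowed to authenticate back to this server.
    New-ItemProperty -Path $msv1 -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null

    # With the alias listed explicitly, the global bypass is no longer needed.
    Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
}

Get-LoopbackCheckState
# Run elevated; 'sharepoint.example.com' is a hypothetical alias:
# Set-LoopbackException -HostName 'sharepoint.example.com'
```

Follow the support article's restart instructions after changing either value.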