
HPE DL Series Host TPM Attestation Alarm Remediation

 


Recently in my lab, I ran into an issue with the Host TPM Attestation alarm being raised. It was a little annoying that out of the box some configuration items are not set as standard, and this guide covers the specific BIOS / RBSU settings that need to be changed to clear it up.

First off, we need to boot into the BIOS / System Configuration / RBSU, so unfortunately you need to reboot your host; none of these changes can be made through the iLO ("I reboot now, good luck everybody else").

Next, navigate to Server Security and then Secure Boot Settings.



Next, select "Attempt Secure Boot" and accept the warning about the required reboot.

Navigate back to the main "Server Security" menu and select Trusted Platform Module Options.

Ensure you have the following configuration:

  • Current TPM Type: TPM 2.0
  • Current TPM 2.0 Active PCRs: SHA256 Only
  • TPM 2.0 Operation: No Action, unless your current TPM Type is not 2.0, in which case set the operation to switch the module to TPM 2.0

Lastly, navigate back to Server Security and select "Intel Security Options".


Once here, enable Intel TXT Support and accept the warning message that appears regarding processor requirements etc.


That should be it! Now hit F12 to save and exit, and allow the server to reboot.


Once the host is back online, you should see that the TPM Attestation alarm has been resolved. If not, select Reset to Green, as it will now be a historical alarm only. This should permanently resolve the issue.
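If you manage more than a couple of hosts, it helps to know which ones still lack one of the prerequisites above before scheduling reboots. The following PowerCLI snippet is an added example, not part of the original post; it assumes the property names of the vSphere Web Services API (HostCapability, HostRuntimeInfo.tpmPcrValues, HostListSummary.tpmAttestation), and the sample host object is constructed so the logic can be exercised without a vCenter connection.

```powershell
function Get-TpmAttestationReadiness {
    # Takes a HostSystem view ($vmhost.ExtensionData) or any object with the same shape.
    # Property paths are assumed from the vSphere Web Services API, not taken from the post.
    param([Parameter(Mandatory)] $HostView)

    $cap = $HostView.Capability
    $att = $HostView.Summary.TpmAttestation
    # Hash algorithms of the PCR banks ESXi currently exposes (empty when no TPM is seen)
    $banks = @($HostView.Runtime.TpmPcrValues | Where-Object { $_ } |
               ForEach-Object { $_.DigestMethod } | Sort-Object -Unique)

    $missing = @()
    if (-not $cap.TpmSupported)         { $missing += 'No TPM presented to ESXi' }
    if ("$($cap.TpmVersion)" -ne '2.0') { $missing += "TPM version is '$($cap.TpmVersion)', need 2.0" }
    if (-not $cap.UefiSecureBoot)       { $missing += 'UEFI Secure Boot disabled' }
    if (-not $cap.TxtEnabled)           { $missing += 'Intel TXT disabled' }
    # The post sets Active PCRs to SHA256 only; flag any other combination of banks
    if (($banks -join ',') -ne 'SHA256') { $missing += "Active PCR banks: '$($banks -join ',')', want SHA256 only" }

    [pscustomobject]@{
        Host                = $HostView.Name
        AttestationStatus   = $att.Status     # 'accepted' or 'notAccepted'
        AttestationTime     = $att.Time
        ReadyForAttestation = ($missing.Count -eq 0)
        MissingPrereqs      = $missing
    }
}

# Constructed sample (not real data): a host with TXT still off and a SHA-1 bank still active
$sampleHost = [pscustomobject]@{
    Name       = 'esx01.lab.local'
    Capability = [pscustomobject]@{ TpmSupported = $true; TpmVersion = '2.0'
                                    UefiSecureBoot = $true; TxtEnabled = $false }
    Runtime    = [pscustomobject]@{ TpmPcrValues = @(
                     [pscustomobject]@{ PcrNumber = 0; DigestMethod = 'SHA1' }
                     [pscustomobject]@{ PcrNumber = 0; DigestMethod = 'SHA256' }) }
    Summary    = [pscustomobject]@{ TpmAttestation = [pscustomobject]@{ Status = 'notAccepted'; Time = Get-Date } }
}
Get-TpmAttestationReadiness -HostView $sampleHost | Format-List

# Live use with PowerCLI, after Connect-VIServer: list every host that still needs RBSU work
# Get-VMHost | ForEach-Object { Get-TpmAttestationReadiness -HostView $_.ExtensionData } |
#     Where-Object { -not $_.ReadyForAttestation } | Format-List
```

The MissingPrereqs list maps directly onto the RBSU menus walked through above, so the report doubles as a checklist for the reboot window.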


