texhex / biossledgehammer Goto Github PK

I have now at least three devices (G1/G2) where UUID is perfectly visible inside BIOS, but BCU fails to read the value and returns an empty string. BIOS bug?

In this case we should check for the value "Serial Number" which seems to be also present on all systems. Only if this is also empty, we should issue an error.

And while we are there, we should also issue an exact error message while the BIOS communication does not work.

Regarding the issue that Windows/ Windows WMI does not provide the full TPM Firmware Version at least for Infineon TPM chips. The following code can be used to fix this:
(BiosSledgehammer.ps1 / Function: Update-TPMFirmware / Line: 1581)

[regex]$regex = "(?'Name'Firmware\WVersion)\W(?'Version'[0-9|.]+)\W(?'Info'.+)"
(& ".\IFXTPMUpdate_TPM12_v0443.com" "/info")[6] -match $regex | Out-Null
$tpmFirmwareVersion = $Matches.Version

Programm from HP "sp82133" (ftp://ftp.hp.com/pub/softpaq/sp82001-82500/sp82133.exe)

The script is looking for the folder with the new version "ISA75DT-1.0.3.215".

https://support.hp.com/us-en/document/c05869091

Let's shorten that URL...

If a log file is found after an EXE start, but has no content, an error appears. It needs to be checked not only if a LOG file exists, but also if it has any content.

 /app silent.bat /hide
 Done, return code is 0
--- Output ---
--------------
 Waiting 10 seconds before checking if the process is still running...
  [CallInst] is no longer running, waiting 5 seconds to allow cleanup...
 Start of [C:\Users\Administrator\AppData\Local\Temp\ME-8.1.72.3002\CallInst.exe] done
Checking for first file matching [*.log] in [C:\Users\Administrator\AppData\Local\Temp\ME-8.1.72.3002]...
PS>TerminatingError(Write-HostOutputFromProgram): "Cannot bind argument to parameter 'Content' because it is an empty string."
Write-HostOutputFromProgram : Cannot bind argument to parameter 'Content' because it is an empty string.
At Z:\Scripts\BiosSledgehammer\BiosSledgehammer.ps1:2249 char:57
+    Write-HostOutputFromProgram -Name $filename -Content $content
+                                                         ~~~~~~~~
   + CategoryInfo          : InvalidData: (:) [Write-HostOutputFromProgram], ParameterBindingValidationException
   + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Write-HostOutputFromProgram
Write-HostOutputFromProgram : Cannot bind argument to parameter 'Content' because it is an empty string.
At Z:\Scripts\BiosSledgehammer\BiosSledgehammer.ps1:2249 char:57
+    Write-HostOutputFromProgram -Name $filename -Content $content
+                                                         ~~~~~~~~
   + CategoryInfo          : InvalidData: (:) [Write-HostOutputFromProgram], ParameterBindingValidationException
   + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Write-HostOutputFromProgram

::: Launching update executable finished :::

Hello!

Trying to run the script in a SCCM TS but i get this error when it runs:

Start-TranscriptIfSupported: A parameter cannot be found that matches parameter name 'File'.
\MPSXM.psm1: 552 char:5
Start-TranscpritIfSupported -Path $logPath -Name $logName -NewLog
CategoryInfo : AnvalidArgument: (:) [Start-TranscpirtIfSupported]. ParameterBindigException
FullyQualifiedErrorId : NamedParameterNotFound,Start-TranscpirtIfSupported

I've checked the code but cant find why i get this error, have any idea of what it could be?

Wow this is a great piece of engineering. Thanks for sharing!
Does anyone knows how to set boot order? I can not find this in the examples.

Kind regards

It says Runing while it should say Running ...

Incorrect use of \sysnative.

Hello!

Have another error when i run the script in a TS, i've moved the steps so it runs in the current OS and not in WinPE, this is the error i get:

Newer HP's handle version 1.0.0.0.5

But those wont work with "function ConvertTo-Version()"
MPSXM.psm1

Is there a simple way to make longer Versions Compatible with [System.Version]?

I tested on our own laptops.

BIOS-Settings.txt
BIOS-Update.txt
ME-Update.txt
folders.zip

Hi,
I downloaded the latest version of INTEL-SA-00075 version 1.0.3.215. There have been some changes since the version 1.0.1.39, the name of the .XML file and the content in the XML, these both caused fatal errors for me. I also found an issue with machines that do not have Bitlocker enabled.

I have updated the code please see the changes in my fork of you project. https://github.com/GregoryMachin/BiosSledgehammer/tree/ISA75-update-and-other-fixes

Please let me know what your opinion is on these changes.

Regards
Greg

In 2017-11 another ME security bug was found: Intel SA 00086 / HPSBHF03571 (aka CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5708, CVE-2017-5709, CVE-2017-5710, CVE-2017-5711)

• HP Inc. Advisory HPSBHF03571
• Intel Security Advisory
• Intel Support Document
• Intel Detection Tool

Given that this bug is newer then the one noted in HPSBHF03557/ Intel SA 00075, we believe a system that is secured against SA 00086 is also secured against SA 00075.

We should therefore replace the SA-75 detection tool with the SA-86 detection tool and update the ME firmwares with new firmware files.

Most of the devices have a single BIOS family, so BIOS-Update.txt does not allow to specify a firmware family and instead just starts the update process in the hope the Update EXE is smart enough to figure out which ROM file to use.

At least for the ProBook 6570b, this fails. This device has two separate BIOS families and the firmware update requires the file to be named ROM.CAB if no firmware parameter is given.

Right now the only solution is to rename one of the files to ROM.CAB and hope for the best.

Given that BIOS Sledgehammer has the BIOS family already, the question is if BIOS updates should support to define a firmware update file and then throw it at the Update EXE.

In case someone is using the same model but with two different configurations, the current model detection by name can not handle this.

For example, the EliteBook 840 G4 as non-vPro device could be SKU Z2V60EA#ABV but the same model with vPro could be X3V00AV. Because the non-vPro device is missing several BIOS settings (e.g. Intel TXT) and some configuration items are named differently (e.g. HBMA Network card names), trying to use the same configuration both items will not work.

The SKU check should be performed before the name check to allow a special configuration where the SKU matches.

Isn't it enough just to suspend bitlocker for the TPM firmware update?
According to MS it is okay: https://technet.microsoft.com/en-us/library/hh831507(v=ws.11).aspx

To fix the Infineon TPM vulnerability (ADV170012.), also a Bitlocker suspend and Clear TPM is needed after the TPM firmware update (for Bitlocker only TPM 1.2 is affected):
https://support.microsoft.com/en-us/help/4046783/bitlocker-mitigation-plan-for-vulnerability-in-tpm

I know these quotes were already mentioned before (Issue: "3.1.2 quote") but the comment sais it is resolved. However, for me it is not working:

Line 463 and 464 in BiosSledgehammer.ps1:
#$output=&$BCU_EXE -getvalue $Name | Out-String
$output=&$BCU_EXE /GetValue:"$Name" | Out-String

BCU command works when inversing the comments of the two lines.

Verifying BIOS Configuration Utility (BCU) can communicate with BIOS.
Trying to read Universally Unique Identifier (UUID)...
VERBOSE: Reading BIOS setting using different setting names
VERBOSE: Trying using setting name [Universally Unique Identifier (UUID)]...
VERBOSE: Read BIOS value: Result from BCU =============
VERBOSE:





VERBOSE: ==============================================
VERBOSE: Value:
VERBOSE: Return code: 20
VERBOSE: Trying using setting name [Enter UUID]...
VERBOSE: Read BIOS value: Result from BCU =============
VERBOSE:





VERBOSE: ==============================================
VERBOSE: Value:
VERBOSE: Return code: 20
VERBOSE: Trying using setting name [Universal Unique Identifier(UUID)]...
VERBOSE: Read BIOS value: Result from BCU =============
VERBOSE:





VERBOSE: ==============================================
VERBOSE: Value:
VERBOSE: Return code: 20
Failed.
Trying to read Serial Number (S/N)...
VERBOSE: Reading BIOS setting using different setting names
VERBOSE: Trying using setting name [Serial Number]...
VERBOSE: Read BIOS value: Result from BCU =============
VERBOSE:





VERBOSE: ==============================================
VERBOSE: Value:
VERBOSE: Return code: 20
VERBOSE: Trying using setting name [S/N]...
VERBOSE: Read BIOS value: Result from BCU =============
VERBOSE:





VERBOSE: ==============================================
VERBOSE: Value:
VERBOSE: Return code: 20
Failed.
\gva\DfsData\GVA\Data\Common\24h\euc\BiosSledgehammer\BiosSledgehammer.ps1 :
Unable to communicate with BIOS. Can't continue.
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep
tion
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
n,BiosSledgehammer.ps1

\gva\DfsData\GVA\Data\Common\24h\euc\BiosSledgehammer\BiosSledgehammer.ps1 :
Unable to start (see previous errors)
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep
tion
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
n,BiosSledgehammer.ps1

BIOS Sledgehammer finished, return code 666.

I've been using this for a while (obtained from here: https://sites.google.com/site/eneerge/home/BatchGotAdmin) that automatically calls a UAC prompt and runs the batch as an admin:

@echo off

:: BatchGotAdmin
:-------------------------------------
REM  --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"
:--------------------------------------

write-host "BIOS setting applied. A restart is recommended to activated them."

@texhex
Hi, I trust you are well.

I was looking to make the script a bit more dynamic by having parameters for the various resources
-BCUpath
-IAS75Path
-PwdFilesPath
-ModulesPath
As I don't have an HP machine at home this weekend so I cant test the changes so they are staged on a branch for now. I'll try and get the testing done on Monday
https://github.com/GregoryMachin/BiosSledgehammer/tree/Add-paramters

Let me know if this is something you are willing to incorporate into the script, if so I'll also ammend the documentaion.

Regards

Right now, this scripts downloads and processed every SPDownload.txt file separately. As we now often have the same download file (TPM, ME) for several models, we should try to download the files only once to save bandwidth and time.

Right now, we do not check the return code of a successful run, which means a "BAD COMMAND LINE" error is undetected. This should change and only 0 and 3010 should be considered "OK".

::: Preparing launch of update executable :::
Copy from [\\xxxxxx\Share\MDT\Scripts\BiosSledgehammer\Models\HP ProDesk 600 G1\BIOS-2.70\]
       to [C:\Users\Administrator\AppData\Local\Temp\BIOS-2.70\] ...
Trying to delete [*.log] in target folder
Starting:
  C:\Users\Administrator\AppData\Local\Temp\BIOS-2.70\HPQFlash\hpqFlash.exe
  -s -r
  Done, return code is 259
--- Output ---
--------------
  Waiting 10 seconds before checking if the process is still running...
   [hpqFlash] is no longer running, waiting 5 seconds to allow cleanup...
  Start of [C:\Users\Administrator\AppData\Local\Temp\BIOS-2.70\HPQFlash\hpqFlash.exe] done
Checking for first file matching [*.log] in [C:\Users\Administrator\AppData\Local\Temp\BIOS-2.70]...
***** ::BEGIN:: C:\Users\Administrator\AppData\Local\Temp\BIOS-2.70\HPQFlash\hpqFlash.log *****
2017/05/29 07:10:31.367|00000420|Information|ChpqFlashApp::InitInstance|
2017/05/29 07:10:31.367|00000420|Information|ChpqFlashApp::InitInstance|--- START NEW HPQFLASH SESSION, HPQFLASH version 4.50.1.1 ---
2017/05/29 07:10:31.367|00000420|Information|ChpqFlashApp::CPQFProcessCmdLineArgs|Command line = -s -r
2017/05/29 07:10:31.367|00000420|Information|CPQMessageBox|Error Code  0x00000115  INVALID_CMDLINE_PARAMETERS

2017/05/29 07:10:31.383|00000420|Information|ChpqFlashApp::ExitInstance|Exit hpqFlash:  Return Code = 0x103
2017/05/29 07:10:31.383|00000420|Information|ChpqFlashApp::ExitInstance|--- END HPQFLASH SESSION ---
***** ::END:: C:\Users\Administrator\AppData\Local\Temp\BIOS-2.70\HPQFlash\hpqFlash.log *****
::: Launching update executable finished :::

(Adding another model for the cause!)

Here is a working config for another model: the HP EliteBook Folio 9480m. This includes:

• BIOS Update 1.42 (SP85010)
• Intel ME 9.5.62.3002 (SP82540)

BIOS-Update.txt
ME-Update.txt
BIOS-Settings.txt
HP EliteBook Folio 9480m.zip

For LAN / WLAN Auto Switching, the ON setting is called Enable not EnableD

Correct:

LAN / WLAN Auto Switching==Enable

If the CIM query for the MicrosoftTpm class fails, the error is cought and the error description should be written using write-verbose.

However, this call is incorrect formatted and causes an exception itself.

According to a discussion on the HP forums there is now a setting in newer BIOS versions that can disable the extra "Press F1 to confirm" messages during TPM update.

The setting seems to be

Physical Presence Interface

With Disable or Enable setting.

This could be added to TPM-BIOS-Settings.txt

Some devices require a two-step process to update. For example the HP Compaq Pro 6300 BIOS 3.03 requires the user first to update to 2.99 (if current version < 3.00) and then install 3.04. If trying to flash directly from anything below 2.99 to 3.xxx, the update fails.

Given that only this device seems to behave like this, it's questionable if this should be supported.

This adds a lot of clutter to the output.

Desired TPM Spec is 1.2 but the chosen upgrade file is to version 2.0:

***** TPM Update ************************************************
Reading TPM update information from [C:\Temp\BiosSledgehammer\Models\HP EliteBook 840 G3\TPM-Update.txt]...
VERBOSE: Reading hashtable from C:\Temp\BiosSledgehammer\Models\HP EliteBook 840 G3\TPM-Update.txt
TPM manufacturer ID of this device: 1229346816
TPM manufacturer ID required......: 1229346816
TPM manufacturer IDs match
Current TPM Spec: 1.2 (Numerical: 1.2)
Desired TPM Spec: 1.2 (Numerical: 1.2)
TPM Spec version matches
Current TPM firmware: 6.40 (Numerical: 6.40)
Desired TPM firmware: 7.62 (Numerical: 7.62)
Firmware version is lower than desired, update required
Update required result:
Update required because of TPM Spec....: False
Update required because of TPM firmware: True
TPM update required!
Searching firmware file entry for [6.40]...
Firmware file found:
[Firmware\TPM12_6.40.190.0_to**_TPM20**_7.62.3126.0.BIN]

Newer BIOS version for the G3 (and most likely also for the G4) do not allow TPM updates when either Software Guard Extensions aka SGX or Trusted Execution Technology aka TXT is turned on.

Either this dependency was introduced, or new devices have one of these options turned on by default.

To perform a TPM update, these need to be turned off but without messing with the normal BIOS settings (e.g. a company want to have them turned ON, we can assume they will turn it off just because a TPM update is maybe needed)

If a computer has a BIOS setting that disables Intel AMT/vPro/ME, the Intel SA detection tool reports that a ME is not found. This in turns causes BIOS Sledgehammer to throw an error if there is a ME-Update.txt file in place; as the ME version is unknown but an update should be performed.

The only solution right now is to disable ME-Update.txt, so no update will take place even if ME is first ON. This could mean that the system is later on enrolled into AMT with an outdated ME firmware.

A proposed solution could be:

• "Unknown" ME Version are no longer considered an error
• If the ME version can be retrieved, an update is performed if it is required
• If the ME version is "Unknown" AND a file ME-BIOS-Settings.txt exists, BIOS Sledgehammer will execute the BIOS changed in that file, requests a restart and try to read the ME Version again.
• If after the restart the ME version is still UNKNOWN, this will be considered an error.
• If the ME version can be read, the system behaves as of today.

In case the BIOS update executable is not in the main path (e.g. BIOS-2.04), but in a child folder (BIOS-2.04\HPBIOSUPDREC), the log file after an update is not found by BIOS Sledgehammer.

When a direct search does not work, we should do a recursive search for any file matching LOG.

• First, search for any *.log file in main path of the BIOS
• Next, search for COMMAND (without .EXE) .log in any sub folder
• If we still have nothing, search for *.log in any sub folder

Hi and thank you for a great tool :)

I´m hoping anyone here can help me. I´m using mdt to deploy Windows 10. After mdt deploys bios settings, it reboots and goes straight to network boot. I have no idea why. Any ideas?

The fix list of this BIOS version is so long, it should have been called 2.0

http://ftp.hp.com/pub/softpaq/sp82001-82500/sp82278.html

This issue isn't a fault of BiosSledgehammer, but on our corporate network we have a GPO that prevents execution of programs from a user's local temp folder. This causes an error for us, which of course stops the entire thing from working:

'BiosConfigUtility64.exe' failed to run: This program is blocked by group policy.

I tried a quick fix by swapping out entries of Get-TempFolder with "c:\temp" and it worked.

Would you do something like with the download script (c:\somefolder) or would it be reasonable to have a configurable temp folder location?

HP has released a new BIOS (1.06) for all EliteBook 8x0 G4 models that also changes the ON value for the LAN / WLAN Auto Switching back to Enable.

https://ftp.hp.com/pub/softpaq/sp81001-81500/sp81401.html

Hangs when attempting to install ME Firmware if ME Device Driver is not found.

results from manual attempt

C:\Users\<user>\AppData\Local\Temp\ME-9.5.61.3012\FW64>FWUpdLcl64.exe -f ../ME/ME9.5_5M_Production.bin -allowsv -y

Intel (R) Firmware Update Utility Version: 9.5.61.3012
Copyright (C) 2007 - 2017, Intel Corporation.  All rights reserved.


Error 8193: Intel (R) ME Interface : Cannot locate ME device driver

C:\Users\<user>\AppData\Local\Temp\ME-9.5.61.3012\FW64>xcopy "MEFWDetailFile.exe" "C:\Program Files\Intel\Intel(R) Management Engine Components\" /y
C:MEFWDetailFile.exe
1 File(s) copied

Truncated output from BiosSledgehammer.ps1 -Verbose

Processing XML output (C:\Users\<user>\AppData\Local\Temp\*_System_Summary.xml)...
Reading finished
Management Engine information:

  Firmware Version ..: 9.5.15.1730
  Feature Level .....: Consumer
  Provisioned .......: Not Provisioned

Current ME firmware version: 9.5.15.1730  (Numerical: 9.5.15.1730)
Desired ME firmware version: 9.5.61.3012  (Numerical: 9.5.61.3012)
  ME update required!
The ME update will take some time, please be patient.
VERBOSE: Invoke-UpdateProgram() started
Checking if system is on AC or DC (battery) power...
VERBOSE: Perform operation 'Enumerate CimInstances' with following parameters, ''namespaceName' = root\cimv2,'className' = Win32_Battery'.
VERBOSE: Operation 'Enumerate CimInstances' complete.
  Battery status is OK or system has no battery.
::: Preparing launch of update executable :::
Copy from [\\<server>\e$\DeploymentShare\Scripts\custom\BiosSledgehammer\Models\HP ZBook 14\ME-9.5.61.3012\]
       to [C:\Users\<user>\AppData\Local\Temp\ME-9.5.61.3012\] ...
VERBOSE: Copy done
Trying to delete [*.log] in target folder
Starting:
  C:\Users\<user>\AppData\Local\Temp\ME-9.5.61.3012\CallInst.exe
  /app Update.bat /hide
VERBOSE: StdOut and StdError redirection disabled

I tried running StartExampleDownloads.bat and got this error...

Start-DownloadFile : Exception calling "DownloadFile" with "2" argument(s): "The underlying connection was closed: An unexpected error occurred on a send." At C:\temp\BiosSledgehammer_v3.3.2\StartExampleDownloads.ps1:175 char:19

• ... $tempFile=Start-DownloadFile -URL $URL -DownloadPath $DownloadPath

•           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

• CategoryInfo : NotSpecified: (:) [Start-DownloadFile], MethodInvocationException
• FullyQualifiedErrorId : WebException,Start-DownloadFile

• I tried on another PC and on a VM and got the same.
• I got one download to work by changing the download URL from HTTPS to HTTP.
• I got HTTPS to work by adding the below code right before $webClient.DownloadFile($URL, $tempFile)

System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12'

Thoughts?
BTW I'm new to GitHub, sorry if I'm not not using good form or something.

When running BIOS Sledgehammer, the above mentioned files suddenly appear in the working directory.

This comes from the fact that HP has changed the meaning of the BCU parameter /GetValue in 4.0.21:

VERSION: 4.0.21.1 REV: A PASS: 1
ENHANCEMENTS:
- Supports single value get (/getvalue) and save it to a file

(https://ftp.hp.com/pub/softpaq/sp79501-80000/sp79520.html)

BCU version 4.0.18 does not have this strange behavior.

To get around it, we might need to switch the current location with Set-Location to TEMP before running the command (see https://msdn.microsoft.com/en-us/powershell/scripting/getting-started/cookbooks/managing-current-location)

The original TPM firmware files from HP (from SoftPaq 76423 - ftp://ftp.hp.com/pub/softpaq/sp76001-76500/sp76423.html) listed only one file for the upgrade from TPM 1.2/FW 6.41 to TPM 2.0:

TPM12_6.41.197.0_to_TPM20_7.41.2375.0.BIN

However, the TPM firmware files update from January 2017 (SoftPaq 78910 - ftp://ftp.hp.com/pub/softpaq/sp78501-79000/sp78910.html) now lists two different files for TPM 1.2/FW 6.41 to TPM 2.0:

TPM12_6.41.197.0_to_TPM20_7.61.2785.0.BIN
TPM12_6.41.198.0_to_TPM20_7.61.2785.0.BIN

Note that these two files are only different in the BUILD part of the version: 6.41.197 vs. 6.41.198. It seems .198 is only used when downgrading TPM 2.0/FW 7.61 to TPM 1.2 again as the archive contains on file for this: TPM20_7.61.2785.0_to_TPM12_6.41.198.0.BIN.

The problem is that the Win32_TPM CIM class does not provide the BUILD part in the ManufacturerVersion field, only MAJOR.MINOR.

As we depend on this class, we can never detect if 6.41.197 vs. 6.41.198 is installed. This can lead to an error during the upgrade process.

Having issue updating TPM 1.2 to 2.0 on HP EliteBook 840 G3 in SCCM OSD.
First I format the disk with UEFI, also add a HP_TOOLS partition.

After updating TPM and the computer restarts and I press F1 to continue the update, I get "TPM Firmware Image is Missing".

This works fine when running legacy BIOS and not UEFI.

Hello!

Have another issue on some models during the TPM upgrade step, i get the PTPMFWUpdate Return Code = 262 error, the drives are using GPT so i don't get it why the log says it cannot find it.
TPMConfig64.log

Any idea what it could be?
During OSD we create the regular OS partition, we get the BDE Partition and use a custom Recovry partition. Also i'm running the tool after the OS has been installed so its not running in WinPE

Hi,
I had an error stating that BCU cannot communicate with the BIOS when getting UUID.
The "error" was on line 422. I deleted the single quote and left only double quotes.
$output=&BCU_EXE /GetValue:"$Name" | Out-String
With this correction it works now fine.
Let me know if u want more infos and thanks for your Work

D'oh!

The user is most likely aware that a BIOS value is changed because this is already on the screen. Remove "BIOS value" there.

DISREGARD - This post can be deleted.

Lots of fixes.

http://ftp.hp.com/pub/softpaq/sp82001-82500/sp82282.html

This is an update of the EliteBook 840 G4 model config released in BiosSledgehammer 3.4.0

Tested on three EliteBook 840 G4 machines, each running Win10 1709 (FCU).

• BIOS 01.15 REV: A PASS: 1 (SP85231)
• Intel ME Firmware Component 11.8.50.3425 A 2 (SP82486)
• TPM 7.62 (SP81900) UNCHANGED from the 3.4.0 release and included here for completion's sake

HP EliteBook 840 G4 (updated 23 Mar 2018).zip
TPM-BIOS-Settings.txt
TPM-Update.txt
BIOS-Settings.txt
BIOS-Update.txt
ME-Update.txt

An error is shown when the script tries to access the TPM ManufacturerID on a ZBook 15 G2 (newest BIOS). This shouldn't happen