New-HPSureRecoverConfigurationPayload



Summary

Creates a payload to configure HP Sure Recover

Syntax

New-HPSureRecoverConfigurationPayload [-SigningKeyFile] <FileInfo> [[-SigningKeyPassword] <String>] [[-Nonce] <UInt32>] [-BIOSFlags] {None | NetworkBasedRecovery | WiFi | PartitionRecovery | SecureStorage | SecureEraseUnit | RollbackPrevention} [-AgentFlags] {None | DRDVD | CorporateReadyWithoutOffice | CorporateReadyWithOffice | InstallManageabilitySuite | InstallSecuritySuite | RollbackPrevention} [[-OutputFile] <FileInfo>] [<CommonParameters>]

New-HPSureRecoverConfigurationPayload [-SigningKeyCertificate] <X509Certificate2> [[-Nonce] <UInt32>] [-BIOSFlags] {None | NetworkBasedRecovery | WiFi | PartitionRecovery | SecureStorage | SecureEraseUnit | RollbackPrevention} [-AgentFlags] {None | DRDVD | CorporateReadyWithoutOffice | CorporateReadyWithOffice | InstallManageabilitySuite | InstallSecuritySuite | RollbackPrevention} [[-OutputFile] <FileInfo>] [<CommonParameters>]

New-HPSureRecoverConfigurationPayload [[-Nonce] <UInt32>] [-BIOSFlags] {None | NetworkBasedRecovery | WiFi | PartitionRecovery | SecureStorage | SecureEraseUnit | RollbackPrevention} [-AgentFlags] {None | DRDVD | CorporateReadyWithoutOffice | CorporateReadyWithOffice | InstallManageabilitySuite | InstallSecuritySuite | RollbackPrevention} [[-OutputFile] <FileInfo>] [-RemoteSigningServiceKeyID] <String> [-RemoteSigningServiceURL] <String> [[-CacheAccessToken]] [<CommonParameters>]

Description

This command create a payload to configure HP Sure Recover. There are three signing options to choose from: - Signing Key File (and Password) using -SigningKeyFile and -SigningKeyPassword parameters - Signing Key Certificate using -SigningKeyCertificate parameter - Remote Signing using -RemoteSigningServiceKeyID and -RemoteSigningServiceURL parameters

Please note that using a Key File with Password in PFX format is recommended over using an X509 Certificate object because a private key in a certificate is not password protected.

This command writes the created payload to the pipeline or to the file specified in the OutputFile parameter. This payload can then be passed to the Set-HPSecurePlatformPayload command.

Security note: Payloads should only be created on secure servers. Once created, the payload may be transferred to a client and applied via the Set-HPSecurePlatformPayload command. Creating the payload and passing it to the Set-HPSecurePlatformPayload command via the pipeline is not a recommended production pattern.

Parameters

Name Argument Description
SigningKeyFile <FileInfo> Specifies the path to the Secure Platform Management signing key as a PFX file. If the PFX file is protected by a password (recommended), the SigningKeyPassword parameter should also be provided.
SigningKeyCertificate <X509Certificate2> Specifies the Secure Platform Management signing key certificate as an X509Certificate object.
SigningKeyPassword <String> Specifies the Secure Platform Management signing key file password, if required.
Nonce <UInt32> Specifies a Nonce. If nonce is specified, the Secure Platform Management subsystem will only accept commands with a nonce greater or equal to the last nonce sent. This approach helps to prevent replay attacks. If not specified, the nonce is inferred from the current local time. The current local time as the nonce works in most cases. However, this approach has a resolution of seconds, so when performing parallel operations or a high volume of operations, it is possible for the same counter to
be interpreted for more than one command. In these cases, the caller should use its own nonce derivation and provide it through this parameter.
BIOSFlags <surerecover_os_flags> Specifies the imaging flags to set. Please note that this parameter was previously named OSImageFlags.
None = 0
NetworkBasedRecovery = 1 => Enable network based recovery
WiFi = 2 => Enable WiFi
PartitionRecovery = 4 => Enable partition based recovery
SecureStorage = 8 => Enable recovery from secure storage device
SecureEraseUnit = 16 => Secure Erase Unit before recovery
RollbackPrevention = 64 => Enforce rollback prevention
AgentFlags <surerecover_re_flags_no_reserved> Specifies the agent flags to set:
None = 0 => OEM OS release with in-box drivers
DRDVD = 1 => OEM OS release with optimized drivers
CorporateReadyWithoutOffice = 2 => Corporate ready without office
CorporateReadyWithOffice = 4 => Corporate ready with office
InstallManageabilitySuite = 16 => Install current components of the Manageability Suite included on the DRDVD
InstallSecuritySuite = 32 => Install current components of the Security Suite included on the DRDVD
RollbackPrevention = 64 => Enforce rollback prevention

Please note that the Image Type AgentFlags DRDVD, CorporateReadyWithOffice, and CorporateReadyWithoutOffice are mutually exclusive. If you choose to set an Image type flag, you can only set one of the three flags.
OutputFile <FileInfo> Specifies the file to write output to instead of writing the output to the pipelineing output to the specified file, instead of writing it to the pipeline.
RemoteSigningServiceKeyID <String> Specifies the Signing Key ID to be used
RemoteSigningServiceURL <String> Specifies the (Key Management Service) KMS server URL (I.e.: https://.azurewebsites.net/)
CacheAccessToken If specified, the access token is cached in msalcache.dat file and user credentials will not be asked again until the credentials expire.
This parameter should be specified for caching the access token when performing multiple operations on the KMS server.
If access token is not cached, the user must re-enter credentials on each call of this command.

Notes

  • Requires HP BIOS with HP Sure Recover support

Examples


PS C:\> New-HPSureRecoverConfigurationPayload -SigningKeyFile sk.pfx -BIOSFlags WiFi -AgentFlags DRDVD

PS C:\> New-HPSureRecoverConfigurationPayload -SigningKeyFile sk.pfx -BIOSFlags WiFi,SecureStorage -AgentFlags DRDVD,RollbackPrevention

See also