Configuring HP PCs for booting your favorite Boot Image directly from BIOS

I happen to like HP computers quite a bit, and the HP computers that happen to support HP Sure Recover are extra shiny. These machines, primarily models from 2018 and newer, have an extra flash drive on those machines that you can modify with your own payload. This extra flash drive, named embedded multi-media card (eMMC), is for security reasons not accessible from Windows. The disk can be accessed at specific (service) times, and/or by pressing F11 during boot to enter the Factory Recovery mode.

Downloading your own content to the HP Sure Recover platform

What I absolutely love about HP is that they made they Sure Recover platform customizable, allowing anyone to add their own payload to the platform. Other vendors, that have the same capabilities in their hardware, are typically blocking customers from making any changes.

HP firmware supports both ftp and https to downloads of boot images, and while the ftp option does offer username and password protection – which the https download option does not – I opted in for a simple https download.

In this example I will show you how to configure an HP machine to download an MDT/PSD boot image from a web server, stage it on the eMMC disk, and then boot from it. In this example I was using a HP Firefly 14 G7.

Note: You can also use the Sure Recover download agent to add images to the eMMC disk. This is part of the HP Sure Recover software, which in turns require the HP Client Security Manager 9.3 or later. There is also support for ConfigMgr via HP Manageability Integration Kit (MIK) for Microsoft System Center Configuration Manager.

Provisioning HP Sure Recover

In order to setup provisioning, you need to have the HP Client Management Script Library installed. You also need to create a few certificates for the endorsement and signing key pairs. In my lab I used OpenSSL to create that. I stored my keys in the C:\Setup\HPKeys folder, and installed SSL in the C:\Program Files\OpenSSL-Win64\bin folder. Here are the commands I used:

# Import HP Module
Import-Module HP.Firmware

# Generate the endorsement and signing key pairs, using the same password for both
$KeyPath = "C:\Setup\HPKeys"
$CertPswd = "SecretPassword"
$OpenSSLPath = "C:\Program Files\OpenSSL-Win64\bin"
Set-Location $OpenSSLPath

.\openssl req -x509 -nodes -newkey rsa:2048 -keyout "$KeyPath\kek-key.pem" -out "$KeyPath\kek-cert.pem" -days 3650 -subj "/C=US/ST=Illinois/L=Chicago/O=ViaMonstra/OU=IT/"
.\openssl pkcs12 -inkey "$KeyPath\kek-key.pem" -in "$KeyPath\kek-cert.pem" -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out "$KeyPath\kek.pfx" -name "HP Secure Platform Key Endorsement Certificate" -passout "pass:$CertPswd"

.\openssl req -x509 -nodes -newkey rsa:2048 -keyout "$KeyPath\sk-key.pem" -out "$KeyPath\sk-cert.pem" -days 3650 -subj "/C=US/ST=Illinois/L=Chicago/O=ViaMonstra/OU=IT/"
.\openssl pkcs12 -inkey "$KeyPath\sk-key.pem" -in "$KeyPath\sk-cert.pem" -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out "$KeyPath\sk.pfx" -name "HP Secure Platform Signing Key Certificate" -passout "pass:$CertPswd"

# Apply the SK, using the pipe approach
$p = New-HPSecurePlatformEndorsementKeyProvisioningPayload -EndorsementKeyFile "$KeyPath\kek.pfx" -EndorsementKeyPassword $CertPswd 
$p | Set-HPSecurePlatformPayload

$p = New-HPSecurePlatformSigningKeyProvisioningPayload -EndorsementKeyFile "$KeyPath\kek.pfx" -EndorsementKeyPassword $CertPswd -SigningKeyFile "$KeyPath\sk.pfx" -SigningKeyPassword $CertPswd 
$p | Set-HPSecurePlatformPayload

# Then run the below, should show State: ProvisioningInProgress

# Reboot the machine
Restart-Computer -Force

# After reboot + code, run the below, should show State: Provisioned

Configure the HP Sure Recover Payload

Once the initial provisioning is done, you can now instruct the firmware to download your boot image.

# Generate an X509 public key pem from the pfx 
# Unlike suggested in HP Sure Recover documentation for other tools, the 1.4.x library does not accept RSA public keys for the PublicKeyFile parameter currently.
$KeyPath = "C:\Setup\HPKeys"
$CertPswd = "SecretPassword"
$OpenSSLPath = "C:\Program Files\OpenSSL-Win64\bin"
Set-Location $OpenSSLPath

.\openssl req -sha256 -nodes -x509 -newkey rsa:2048 -keyout "$KeyPath\ca.key" -out "$KeyPath\ca.crt" -subj "/C=US/ST=Illinois/L=Chicago/O=ViaMonstra/OU=IT/"

.\openssl req -sha256 -nodes -newkey rsa:2048 -keyout "$KeyPath\os.key" -out "$KeyPath\os.csr" -subj "/C=US/ST=Illinois/L=Chicago/O=ViaMonstra/OU=IT/"
.\openssl x509 -req -sha256 -in "$KeyPath\os.csr" -CA "$KeyPath\ca.crt" -CAkey "$KeyPath\ca.key" -CAcreateserial -out "$KeyPath\os.crt"
.\openssl pkcs12 -inkey "$KeyPath\os.key" -in "$KeyPath\os.crt" -export -out "$KeyPath\os.pfx"  -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -passout "pass:$CertPswd"

.\openssl req -sha256 -nodes -newkey rsa:2048 -keyout "$KeyPath\re.key" -out "$KeyPath\re.csr" -subj "/C=US/ST=Illinois/L=Chicago/O=ViaMonstra/OU=IT/"
.\openssl x509 -req -sha256 -in "$KeyPath\re.csr" -CA "$KeyPath\ca.crt" -CAkey "$KeyPath\ca.key" -CAcreateserial -out "$KeyPath\re.crt"
.\openssl pkcs12 -inkey "$KeyPath\re.key" -in "$KeyPath\re.crt" -export -out "$KeyPath\re.pfx"  -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -passout "pass:$CertPswd"

$BootImageURL = ""
Write-host 'Provisioning agent URL and agent validation key'
	$p = New-HPSureRecoverImageConfigurationPayload `
		-SigningKeyPassword $CertPswd `
		-SigningKeyFile "$KeyPath\sk.pfx" `
		-Image agent `
		-ImageKeyFile "$KeyPath\re.pfx" `
        -ImageCertificatePassword $CertPswd `
		-url $BootImageURL
	$p  | Set-HPSecurePlatformPayload 

Generate and sign HP Sure Recover Manifest for the Boot image

The final step is to generate and sign the HP Sure Recover Manifest for the boot image. In this example I was storing the original boot image files in the C:\Setup\PSDBootImage folder. Just the content of an MDT/OSD boot image ISO.

$PSDBootImagePath = "C:\Setup\PSDBootImage"
$KeyPath = "C:\Setup\HPKeys"
$CertPswd = "SecretPassword"
$OpenSSLPath = "C:\Program Files\OpenSSL-Win64\bin"
Set-Location $PSDBootImagePath

$ManifestPath = "$PSDBootImagePath\Recovery.mft" 
$imageVersion = 1903 # Note: This can be any 16-bit integer

# mft_version is used to determine the format of the image file and must currently be set to 1.
$header = "mft_version=1, image_version=$imageVersion" 
Out-File -Encoding UTF8 -FilePath $ManifestPath -InputObject $header

$PSDBootImageFiles = "boot\boot.sdi","efi\boot\bootx64.efi","efi\microsoft\boot\bcd","sources\boot.wim"

ForEach ($File in $PSDBootImageFiles){
    $FileObject = Get-ChildItem $File
    $hashObject = Get-FileHash -Algorithm SHA256 -Path $FileObject.FullName
    $fileHash = $hashObject.Hash.ToLower()
    $filePath = $hashObject.Path.Replace($PSDBootImagePath, '')
    $fileSize = (Get-Item $FileObject.FullName).length
    $manifestContent = "$fileHash $filePath $fileSize" 
    Out-File -Encoding utf8 -FilePath $ManifestPath -InputObject $manifestContent -Append

# Manifests for HP Sure Recover cannot include a BOM (Byte Order Mark)
# The following commands rewrite the file as UTF8 without BOM.
$content = Get-Content $ManifestPath
$encoding = New-Object System.Text.UTF8Encoding $False
[System.IO.File]::WriteAllLines($ManifestPath,$content, $encoding)

# -----------------------
# Sign the HP Sure Recover Manifest
# -----------------------
Set-Location $OpenSSLPath

# You can sign the agent manifest with this command
# Run below in cmd prompt (will figure out the PowerShell syntax soon)
openssl dgst -sha256 -sign C:\Setup\HPKeys\re.key -passin pass:SecretPassword -out C:\Setup\PSDBootImage\recovery.sig C:\Setup\PSDBootImage\recovery.mft

# Verify the signature file, using your public key from the previous step, using the following command:
.\openssl pkcs12 -in "$KeyPath\re.pfx" -clcerts -nokeys -out "$KeyPath\re_public.pem" -passin "pass:$CertPswd"
.\openssl dgst -sha256 -verify "$KeyPath\re_public.pem" -signature C:\Setup\PSDBootImage\recovery.sig C:\Setup\PSDBootImage\recovery.mft

Adding boot image to the Web Server

After this you simply copy the boot image content to your web server, in my case

Booting via F11

Once all the above steps are performed, you can now reboot your HP computer, press F11 to enter Factory Recovery, and then select


Below you find some good link for additional reading on the HP firmware platform

About the author

Johan Arwidmark

5 1 vote
Article Rating
Notify of
1 Comment
Oldest Most Voted
Inline Feedbacks
View all comments
adam strick
2 years ago

Excellent Post! Points mentioned here are very useful and very informative