HP Sure Recover Custom Setup – Part 6 – Deploy HP Secure Platform Payload Files

Alright, so the hard work is behind, time to test and make sure it all works.

Test System: HP EliteDesk 800 G8 Mini

I’ve already gone into the BIOS and turned off PPI (Physical Presence), so I don’t get prompts to accept these changes. I also confirmed the Secure Platform isn’t provisioned. already.

[Insert Images from BIOS at later time]

At this point, you’ll need to be at the endpoint. If you have an OS installed, just make sure HPCMSL is installed, and run the commands (I’ll show later). I however don’t have an OS, so I’m booting into WinPE (either a completely custom WinPE, or I’m just using a ConfigMgr boot image, that has PowerShell added).

Once in WinPE, I open a PowerShell prompt and run “iex (irm sandbox.osdcloud.com)”

This will leverage a process (Sandbox) David Segura created that will configure powershell, and install HPCMSL on an HP Business class device (while in WinPE).

Once you have HPCMSL, you just have to run the command to set the payload file:
Set-HPSecurePlatformPayload -PayloadFile … path to file.
In my example below, you can see before I run the payload files, that Sure Recover is using the defaults.
After, it has updated the Agent URL…… BUT not the OS Image URL. That’s odd…

I reboot, and try again… then it seems to stick…

The URLs are both updated, and now I can reboot and press F11 to run Sure Recover!

Look for upcoming videos of the process.
Here is one using a custom agent (not the Sure Recover Agent, but OSDCloud WinPE instead).
Win11 Deploy with OSDCloud & Sure Recover – YouTube

So now that you have all of this figured out, you can deploy custom images with Sure Recover, or replace the agent with your own custom WinPE (like OSDCloud WinPE) and create a completely custom OS Restore Process that pulls all content from the cloud and doesn’t require a USB Flash drive or other boot media.

  1. Overview
  2. HP Connect – Create 2 of the needed certificates.
  3. Certs, Manifests & Signatures
  4. Azure Blob Storage Container to host your Agent & OS Images
  5. Creating your HP Secure Platform Payload files
  6. Deploy Payload Files


2 thoughts on “HP Sure Recover Custom Setup – Part 6 – Deploy HP Secure Platform Payload Files”

  1. Thanks for a really amazing series! If we would like to use this method on a couple of thousand Intune devices, what would be the best way to deploy it in your opinion? I’m specifically thinking about PPI and activation of Sure Recovery.

    • Today I’m using HP Connect to setup SPM and Secure Admin on my devices. This does prompt users for PPI. It’s a train the user situation.
      The other option you have is to deploy via Intune / CM using something like PSADT wrapper which would include details instructions when the deployment is triggered.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.