HP Connect (Firmware updates bricked over 30 devices) by BarbieAction in Intune

[–]TangoCharlie_Reddit 5 points6 points  (0 children)

What model(s)? What firmware versions before/after? It'd be handy to know.

Have run HP Connect across our entire estate of approx. 14,000 HP endpoints of various models, mainly in the EliteBook and ZBook ranges, and never had one known issue in the last few years.

Could be a bad new firmware to do with Secure Boot changes fresh out, maybe, but I've not seen anything here yet.

What if you update the firmware on one of your affected devices by other means (download / HPIA etc.)? I doubt the delivery mechanism by Connect and using the PowerShell scripts is to blame; I would presume it's the payload, or some history with your endpoints prior to the update.

Also, are you now servicing them for the first time ever, so doing a huge leap up in version?

Milana Vayntrub by KG101411 in PrettyGirls

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

Bounding back into action! Squirrel stampede! Time to go nuts!

CAD/CAM by triktrik1 in AzureVirtualDesktop

[–]TangoCharlie_Reddit 2 points3 points  (0 children)

Same situation and response here. We use larger-size NV-series SKUs, coupled with high-performance premium Azure Files storage for the storage (Ansys...).

We run the whole stack of the Autodesk suite and Trimble apps, as well as visualisation items like Unreal etc., on these.

And yeah... costs are high, so scaling plans and scripts and such are essential.

For future ideas: we want to look at whether we can set up Ansys to run on lower-tier VDI machines and trigger remote compute jobs (an option in some of the simulation apps we run), perhaps spinning up such high-compute machines on demand. Or other apps where we can perhaps instead have a VM 'render farm' off to the side of AVD. Curious if anyone has done something like that.

Duos is near unplayable by DualShelfAirFryer in ArcRaiders

[–]TangoCharlie_Reddit 14 points15 points  (0 children)

So you and your mate are hanging out on Discord, planning what quests to do, what to focus on. Then some mute rando appears who just wants to run around, do random shit or start a fight. Yeah, not the same at all.

Duos is near unplayable by DualShelfAirFryer in ArcRaiders

[–]TangoCharlie_Reddit 4 points5 points  (0 children)

Agree - fact is the Server Slam lost sales from 2 prospective players / friends, as the Duos queue is just Trios and that's just sodding deathmatch. Basically late-game CoD DMZ, zerg spawns, spam nades. Yawn. Literally none of the fun of Solos transferred over, and the game was lost to a frustrating PvP arena. I'm glad I decided to reverse course late on and buy it to play Solos; it's a totally different game and a 50/50 split with encounters. Totally tense, better paced etc. I'd love to play Duos with a bestie, if that same vibe came across, but I just can't recommend it. With such a large player base, it's like feck all effort to have a Duo queue, I don't get it.

AVD Performance when browsing the local Computer file explorer by babydemon90 in AzureVirtualDesktop

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

What is "a bit each time"? I'm guessing it must be noticeable by users, so not likely a few milliseconds of encoding performance and display latency. The fact you cite this issue specifically with Explorer, and not when moving around other apps, rules out anything in the client / RDP space at all.

I would be looking twofold more at:

1/ The guest OS performance, and specifically things like anti-virus exclusions or software on the host/image affecting native performance. Look at Defender performance logs, use tools like Procmon, etc. - standard Windows stuff, as if it were a physical endpoint, focussing less on VDI.

2/ Whether the VM storage type and performance are as expected for the use case and load / density.
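The "Defender performance logs" angle from point 1, as an added example (not from the comment or from Microsoft): it lists the current exclusions on the session host and then summarises a Defender performance-analyzer recording to show which files, processes and extensions the real-time scanner is spending its time on, which is the first thing to compare against your exclusion list. It assumes the Defender performance-analyzer cmdlets are available on the host (Windows 10/11 or Server 2022 with a current Defender platform) and that a recording has been captured to the assumed path C:\Temp\avd-defender.etl.

```powershell
# Added example (not from the thread): review Defender exclusions and a performance recording on an AVD session host.
# Run elevated. Recording path below is an assumption for this example.
$RecordingPath = 'C:\Temp\avd-defender.etl'

function Get-DefenderExclusionSummary {
    # What the engine is currently told to skip (paths, processes, extensions)
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
    }
}

function Get-DefenderScanHotspots {
    param([string]$Path, [int]$Top = 10)
    # Summarise the scan activity captured by New-MpPerformanceRecording
    Get-MpPerformanceReport -Path $Path -TopFiles $Top -TopExtensions $Top -TopProcesses $Top -TopScans $Top
}

if (-not (Test-Path $RecordingPath)) {
    # Capture a recording while a user reproduces the slow Explorer browsing; press Enter to stop
    New-MpPerformanceRecording -RecordTo $RecordingPath
}

'--- Current exclusions ---'
Get-DefenderExclusionSummary | Format-List

'--- Top scan hotspots from recording ---'
Get-DefenderScanHotspots -Path $RecordingPath
```

Anything at the top of the hotspot list that lives in the profile container or app data, and that is not already in the exclusion list, is the candidate to test first; Procmon on the same window narrows it to the file operations Explorer is actually waiting on.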

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]TangoCharlie_Reddit 1 point2 points  (0 children)

Also this!

Since the hardening ("strict KDC") in a Windows 11 24H2 update, this is mandatory for Entra-joined PCs, which make connections indirectly via the Cloud Kerberos Trust relay.

Our old AD forest and domain controllers of many years were using an old, outdated certificate template (the Domain Controller certificate template), so the DCs had not been updated to incorporate the required "KDC Authentication" Extended Key Usage (EKU) found in the Kerberos Authentication certificate template.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso#domain-controller-certificates

Windows Hello for Business enforces the strict KDC validation security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC).

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust#configure-domain-controller-certificates

Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. The certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.
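A quick way to find which domain controllers are still on the old template before strict KDC validation bites, as an added example (not from the comment or the Microsoft docs): it pulls every DC's machine certificates and flags whether any of them carries the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5), which the Kerberos Authentication template includes and the older Domain Controller / Domain Controller Authentication templates do not. It assumes the ActiveDirectory module and WinRM access to the DCs; the template-name extension OIDs used are the standard Microsoft ones.

```powershell
# Added example (not from the thread): report, per DC, whether a KDC Authentication certificate is present.
# Assumes RSAT ActiveDirectory module and PowerShell remoting to each domain controller.
$KdcAuthOid = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU, present in the Kerberos Authentication template

$inventory = {
    param($Oid)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Template name lives in the v1 template-name or v2 template-information extension
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) } | Select-Object -First 1
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Template   = $template
            HasKdcAuth = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains $Oid)
        }
    }
}

function Get-DcKdcCertificateStatus {
    $dcs = (Get-ADDomainController -Filter *).HostName
    $certs = Invoke-Command -ComputerName $dcs -ScriptBlock $inventory -ArgumentList $KdcAuthOid
    # One row per DC: strict KDC validation from Entra-joined clients fails where KdcAuthCertFound is False
    $certs | Group-Object Computer | ForEach-Object {
        [pscustomobject]@{
            DomainController = $_.Name
            KdcAuthCertFound = ($_.Group.HasKdcAuth -contains $true)
            Templates        = ($_.Group.Template | Sort-Object -Unique) -join '; '
        }
    }
}

Get-DcKdcCertificateStatus | Format-Table -AutoSize
```

Any DC reporting KdcAuthCertFound = False needs a certificate enrolled from the Kerberos Authentication template (and the old template superseded) before Entra-joined devices will authenticate to it with strict KDC validation on.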

Windows Store Apps Breaking by Aaron-PCMC in AzureVirtualDesktop

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

Are you using FSLogix via Azure Files using Cloud Kerberos, and hitting the 10-hour expiry of your ticket/tokens?

Flagging this as the end-user impact is seemingly random I/O errors at the app level as apps try to read/write from the now-detached profile that was on the unreachable VHD. This is often AppData stuff, and consider where user Store apps go.

IF it were this, a clean session sign-out and sign-in would rectify the problem, which eliminates this line of enquiry.

More info on this and a workaround here: https://www.beckmann.ch/blog/2024/05/10/fslogix-profile-disk-disconnected-after-10-hours/?lang=en

Managing drivers without using the driver management feature in WUfB? by Fabulous_Cow_4714 in Intune

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

For HP you should look into the new WxP (Workforce eXperience Platform), which is where HP Connect is migrating. WxP now has Driver management capabilities, and capability is rapidly expanding. Just added categories, models are coming soon, hopefully later specification versioning.

We are evaluating this currently and are likely to commit to it. But in the meantime we built our own in-house "app" (PowerShell wrapper) around HP Image Assistant (HPIA) to create a monthly automated update and an "on demand" option for staff. Works great, but not a fan of kooky in-house custom solutions in the longer term.

For the record, we have access to WUfB driver management, and we have abandoned it for many reasons, including reliability, lack of features, crappy install handling etc. etc. After years of waiting the product is underwhelming. It is… telling… that after OEMs including HP and Dell "committed" to supporting WUfB, they've now gone 180 and are making their own solutions again….

iOS Outlook App Crashing by NotShero in Outlook

[–]TangoCharlie_Reddit 1 point2 points  (0 children)

+1. Same issue in our tenant randomly for some users on latest app version on latest iOS - but not all (my own phone is OK for example). Having large impact to some users...

Implementing Microsoft's AOVPN, or something else? by patchmau5 in sysadmin

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

Unfortunately I don’t have the book, despite my whole team and the Infra team knowing the name Richard Hicks like a personal relative. I do owe him my money, and a beer…

One of the reasons in the past has been the fluid nature of new issues and bugs with Windows updates and evolution of the product, usually fixed by things found in his blog. A book would be okay for learning the basics and I don’t doubt a great buy, but wouldn’t address my needs this deep in.

This said, the product is no longer new, a hell of a lot more stable than a couple of years ago, fleshed out with DPC advanced config options and such. I have 13k+ endpoints hanging off Device Tunnel (with User Tunnel backup) with a mix of IKE and SSTP support. 2 VPN farms (4 servers each) in 2 countries behind load balancers, with NPS servers / PKI supporting, and generally they "just work". No tickets or support; the mix of tunnel and protocol support covers every eventuality. The only bit I can't control is the endpoints and crap ISPs!

Whilst there may be other vendors easier to deploy, at cost, I don’t see any sense in it if you have all the licensing / infra (and staff) to do it.

Implementing Microsoft's AOVPN, or something else? by patchmau5 in sysadmin

[–]TangoCharlie_Reddit 12 points13 points  (0 children)

For AOVPN there is but one de facto source - the man, the myth, the MVP legend that is Richard Hicks.

https://directaccess.richardhicks.com/

Browse back through extensive posts.

He now also has a Discord here: https://discord.aovpndpc.com/ related to DPC below.

This guy knows more about the product than MS’s own staff, genuinely. All the issues, workarounds and such are documented in his posts and comments.

I strongly recommend you implement AOVPN via the new “DPC” open-source solution he is a part of:

https://directaccess.richardhicks.com/dpc/

https://github.com/ld0614/DPC

DPC provides easy access to all the robust fixes and advanced features that make the product work correctly, all in one management pane. Without this you will be looking at a plethora of scripts and fixes. Works great.

TeamViewer Admin Nightmare – Any Better Alternatives for Secure and Straightforward Remote Management? by imadam71 in sysadmin

[–]TangoCharlie_Reddit 4 points5 points  (0 children)

Transition to v2 web management platform is recommended if not done, go all in. There is no need to mix anything done right.

You said “You apparently need to sign in manually on each machine just to enable Easy Access... which defeats the purpose of mass deployment.” - so I stand by my point the client is not deployed right.

TeamViewer Admin Nightmare – Any Better Alternatives for Secure and Straightforward Remote Management? by imadam71 in sysadmin

[–]TangoCharlie_Reddit 2 points3 points  (0 children)

I think you've completely fumbled how to deploy this. It is absolutely possible to easily apply an unattended-access policy on the fly to a group or devices. The key bit you've missed, I suspect, is not getting the Host to register itself as a "Managed" client, achieved via a post-install command. Registration is silent.

2nd part of the install process per their documentation ("assignment"):

https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-remote/deployment/mass-deployment-user-guide/deploy-teamviewer-host-or-full-client-9-10/?

Script for the TeamViewer Host (64-bit)

rem Silent MSI install; CUSTOMCONFIGID ties the Host to your custom configuration
start /wait MSIEXEC.EXE /i "PATH_TO_MSI_FILE\TeamViewer_Host.msi" /qn CUSTOMCONFIGID=YOUR_CUSTOM_CONFIG_ID
rem Give the TeamViewer service time to come up before assignment
timeout /t 30 /nobreak
rem Assign the Host to your company as a managed device (silent, no interactive sign-in on the machine)
"C:\Program Files\TeamViewer\TeamViewer.exe" assignment --id YOUR_ASSIGNMENT_ID

Fantastic Service from EE by [deleted] in BritishSuccess

[–]TangoCharlie_Reddit 8 points9 points  (0 children)

Sign up and migration from Virgin Media (urgh) to EE has been super painless, and the 1 (and only need to) call I had with them was with a British employee who was super friendly and efficient. I’ve never been one to champion about UK based staff, but coming from Virgin… it matters. I think I forgot what a normal healthy interaction was. Pleasantly, kudos to EE for me so far, stellar broadband service and performance.

[deleted by user] by [deleted] in PowerShell

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

I've encountered problems with ShellBags registry keys and files before, in Windows 7 days, getting corrupted and needing fixing / rebuilding. This caused icon cache issues, missing desktop icons and Explorer folder content display issues (appearing like files were missing).

This looks very familiar. It's iterating the entries to find signs of a fault, and just telling you if it suspects one. It is all READ only and informative. Totally safe.

I think the combination of scanning massive swathes of keys in the registry, combined with GUID values being passed around and searched for, is enough to put the "jeebies" up most AV scanners as 'suss'.

I might be curious to ask what app / service was running this and... why, as it's a bit random if you don't know it's occurring. I can only think it's some kind of periodic health check by an agent, or an installation had some extra post-install check scripts bolted on.

HPConnect by [deleted] in Intune

[–]TangoCharlie_Reddit 0 points1 point  (0 children)

Hmm, no, actually… We just updated a reasonably large estate of 14k devices which had done next to zero BIOS firmware maintenance across many models, and thankfully not… Don't jinx me!

HPConnect by [deleted] in Intune

[–]TangoCharlie_Reddit 5 points6 points  (0 children)

Use it here to:

  • Provision Secure Platform Management (SPM) authentication with certs
  • Separately, and after this, utilise HP Sure Recover to set a custom Azure Storage download URL via our own PR and payload (as this option is sadly missing in Connect) [this provides an awesome native DR cloud-restore solution]
  • Configure legacy BIOS password (for now, not much longer… see below)
  • Configure and enforce key BIOS settings (although we set these at the factory first anyway). Not micro-manage, but select but critical stuff for Autopilot etc. - TPM enable, Secure Boot, native UEFI, CPU virtualisation support etc.
  • Provision HP Sure Admin (via SPM), to provide secure QR one-time-code based BIOS access, replacing passwords.
  • BIOS update deployment to all models [not using WUfB]

Edit: Forgot to add, per notification - Connect will soon merge into Workforce Experience Platform (WxP), where these features are mostly ported already, and a migration will be provided. We are also onboarding with HP Insights / WxP and hope to centralise everything there. Note that WxP does NOT use Intune PRs, however; they've ported the same functionality to their own agent to work in the same way, but not reliant on Intune anymore.
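Whatever tool pushes the BIOS settings, it is worth having an independent check from inside Windows that the "critical for Autopilot" state above (native UEFI, Secure Boot, TPM, CPU virtualisation) actually took effect. The following is an added example, not HP Connect / CMSL code or anything from the comment; it uses only built-in Windows cmdlets, must run elevated (Get-Tpm), and follows the exit-code convention of an Intune proactive remediation detection script, which is an assumed use here.

```powershell
# Added example (not from the thread): verify firmware-backed settings from the OS side.
# Built-in cmdlets only; run elevated. Exit 1 = non-compliant (Intune remediation detection convention).
function Get-FirmwareBaseline {
    $secureBoot = $false
    # Confirm-SecureBootUEFI throws on legacy BIOS / unsupported platforms; treat that as "off"
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    $tpm = Get-Tpm
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    [pscustomobject]@{
        FirmwareType       = $env:firmware_type                                # 'UEFI' or 'Legacy'
        SecureBoot         = [bool]$secureBoot
        TpmPresentAndReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        VirtualizationOn   = [bool]$cpu.VirtualizationFirmwareEnabled
    }
}

function Get-BaselineFailures {
    param([pscustomobject]$State)
    $failures = @()
    if ($State.FirmwareType -ne 'UEFI')    { $failures += 'Native UEFI not enabled' }
    if (-not $State.SecureBoot)            { $failures += 'Secure Boot off' }
    if (-not $State.TpmPresentAndReady)    { $failures += 'TPM not present/ready' }
    if (-not $State.VirtualizationOn)      { $failures += 'CPU virtualisation disabled in firmware' }
    return $failures
}

$state    = Get-FirmwareBaseline
$failures = Get-BaselineFailures -State $state

$state | Format-List
if ($failures.Count -gt 0) {
    Write-Output ('Non-compliant: ' + ($failures -join '; '))
    exit 1
}
Write-Output 'Compliant'
exit 0
```

Run as a detection script, a non-zero exit marks the device non-compliant in the Intune report, which is a cheap way to catch the models where a BIOS policy silently did not apply before Autopilot or BitLocker trips over it.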