HP Quirks & Fixes
The model-specific traps that bite people during HP deployments. Read this before your first task sequence run, not at 2 AM when it breaks.
Intel VMD (Volume Management Device) — G10 and newer Intel models
The bug: Windows 11 setup says "We couldn't find any drives". The 1 TB SSD is there. Setup can't see it.
The cause: Intel VMD is enabled by default in the BIOS of every G10+ Intel HP business laptop. VMD adds a virtualization layer on the PCIe storage controller that vanilla Windows 11 setup doesn't have a driver for.
The fix: Inject the Intel Rapid Storage Technology VMD driver into both boot.wim and install.wim. From an admin PowerShell:
DISM /Mount-Wim /WimFile:C:\WIM\boot.wim /Index:1 /MountDir:C:\Mount
DISM /Image:C:\Mount /Add-Driver /Driver:C:\HPDrivers\VMD /Recurse
DISM /Unmount-Wim /MountDir:C:\Mount /Commit
Repeat the same three commands for install.wim (Index:1 will be the Pro or Enterprise edition you're deploying — check with DISM /Get-WimInfo /WimFile:install.wim).
The alternative (single laptop only): Disable VMD in BIOS. Esc → F10 → Advanced → System Options → Intel VMD = Disabled. Trade-off: you lose RAID-on-SSD, Optane caching, and some performance tuning features.
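The same injection with the DISM PowerShell cmdlets, as an added example that is not part of the original page. It goes beyond the three commands above in two ways: it refuses to inject a driver folder whose catalogs are not validly signed, and it services every index in each WIM instead of only index 1. All paths are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. All paths are assumptions; point them at your own share.
$DriverDir = 'C:\HPDrivers\VMD'
$MountDir  = 'C:\Mount'
$Wims      = 'C:\WIM\boot.wim', 'C:\WIM\install.wim'

# Gate: every driver catalog must carry a valid Authenticode signature.
$cats = Get-ChildItem -Path $DriverDir -Recurse -Filter *.cat
if (-not $cats) { throw "No .cat files under $DriverDir; refusing to inject." }
$bad = $cats | Get-AuthenticodeSignature | Where-Object Status -ne 'Valid'
if ($bad) { throw "Invalid or missing signature: $($bad.Path -join ', ')" }

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

foreach ($wim in $Wims) {
    # Walk every index so no boot environment or edition is left without the driver.
    foreach ($image in Get-WindowsImage -ImagePath $wim) {
        Mount-WindowsImage -ImagePath $wim -Index $image.ImageIndex -Path $MountDir | Out-Null
        $ok = $false
        try {
            $added = Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse -ErrorAction Stop
            Write-Host "$wim [$($image.ImageIndex)] $($image.ImageName): $(@($added).Count) driver(s) added"
            $ok = $true
        }
        finally {
            # Commit only a clean injection; otherwise throw the mount away.
            if ($ok) { Dismount-WindowsImage -Path $MountDir -Save | Out-Null }
            else     { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
        }
    }
}
```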
BitLocker auto-encryption on Windows 11 24H2 / 25H2
The bug: Your task sequence works the first time. Re-run on the same laptop — fails at Apply Operating System with "Cannot find drive C:".
The cause: Windows 11 24H2 auto-enables BitLocker device encryption on supported hardware (TPM 2.0 + Secure Boot + Modern Standby = all G10+ HPs). The OS lays down encrypted, then a wipe-and-load can't reformat the protected partition.
The fix: Add a Disable BitLocker step at the very beginning of your task sequence:
manage-bde -off C:
And re-enable at the end after deployment (or let MBAM/Intune re-encrypt on first boot):
manage-bde -on C: -used -RecoveryPassword
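A closing check for the re-enable step, as an added example that is not part of the original page: it fails the task sequence if C: is left decrypted, suspended, or without a recovery password protector. The function name is hypothetical, and it assumes the step runs elevated in the full OS, where the BitLocker PowerShell module is available.

```powershell
# Added example: run as the last task sequence step, elevated, in the full OS (not WinPE).
function Test-DeployedBitLocker {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $problems = @()

    # Encryption may still be running in the background right after manage-bde -on.
    if ($vol.VolumeStatus -notin 'FullyEncrypted', 'EncryptionInProgress') {
        $problems += "volume status is $($vol.VolumeStatus)"
    }
    # A fully encrypted volume with protection off means the key is exposed (suspended).
    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -ne 'On') {
        $problems += 'volume is encrypted but protection is off or suspended'
    }
    # The -RecoveryPassword switch above should have created this protector.
    if ($vol.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
        $problems += 'no recovery password protector present'
    }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Status     = $vol.VolumeStatus
        Healthy    = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

$result = Test-DeployedBitLocker
$result | Format-List
if (-not $result.Healthy) { exit 1 }   # non-zero exit marks the step as failed
```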
HP BIOS settings via BIOS Configuration Utility (BCU)
Scripting BIOS settings (PXE on, Secure Boot on, TPM on, asset tag set) without touching each laptop:
- Download HP BIOS Configuration Utility from https://www.hp.com/us-en/solutions/client-management-solutions/bios-configuration-utility-bcu.html
- Generate a current settings file:
BiosConfigUtility64.exe /getconfig:current.txt
- Edit current.txt. Toggle *Enable / *Disable against the lines you want to change.
- Apply to a laptop:
BiosConfigUtility64.exe /setconfig:current.txt /cspwdfile:bios-password.bin
- Embed BCU as an early step in your MDT task sequence — applies BIOS settings before the OS even installs.
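To confirm a laptop actually holds the settings you applied, the exported file can be parsed and compared against a baseline. This is an added example, not part of the original page or of HP's tooling; the function name is hypothetical, and the sample export, setting names and baseline values are constructed, since real names vary by model and BIOS version.

```powershell
# Added example: report drift between a BCU export and a security baseline.
# Constructed sample; in practice use: $lines = Get-Content current.txt
$sample = @'
BIOSConfig 1.0
;
;     Constructed sample, not a real export
;
Asset Tracking Number
	HPEB-0001
Secure Boot
	Disable
	*Enable
TPM Device
	*Hidden
	Available
'@
$lines = $sample -split "`r?`n"

function ConvertFrom-BcuConfig {
    param([string[]]$Line)
    $raw = [ordered]@{}; $name = $null
    foreach ($l in $Line) {
        if ($l -match '^\s*(;.*)?$' -or $l -match '^BIOSConfig') { continue }  # blank, comment, header
        if ($l -match '^\S') { $name = $l.Trim(); $raw[$name] = @() }          # setting name at column 0
        elseif ($name)       { $raw[$name] += $l.Trim() }                      # indented option or value
    }
    $out = [ordered]@{}
    foreach ($k in $raw.Keys) {
        # The option marked with * is the active one; free-text settings have a single unmarked value.
        $starred = @($raw[$k] | Where-Object { $_.StartsWith('*') })
        $out[$k] = if ($starred) { $starred[0].Substring(1) } else { $raw[$k] | Select-Object -First 1 }
    }
    $out
}

$baseline = @{ 'Secure Boot' = 'Enable'; 'TPM Device' = 'Available' }   # assumed policy
$current  = ConvertFrom-BcuConfig -Line $lines
foreach ($k in $baseline.Keys) {
    if ($current[$k] -ne $baseline[$k]) {
        [pscustomobject]@{ Setting = $k; Expected = $baseline[$k]; Actual = $current[$k] }
    }
}
```

With the constructed sample, the only drift reported is TPM Device (expected Available, actual Hidden).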
HP Wolf Security + HP Sure Click conflicts during imaging
The bug: Task sequence completes, but on first user login the laptop bluescreens, or Edge/Chrome won't launch.
The cause: HP Wolf Pro Security ships pre-installed on many HP factory images. Sure Click hooks into the browser. When you wipe and re-image, fragments of Wolf can survive in firmware/EFI and conflict with the fresh OS.
The fix: Add an early task sequence step to uninstall Wolf:
Get-AppxPackage -AllUsers *HPWolf* | Remove-AppxPackage -AllUsers
And in your reference WIM, never check the "Include HP Wolf" box during HP Image Assistant configuration.
ARM64 — HP EliteBook Ultra G1q (Snapdragon X Elite)
Everything is different. You need:
- ARM64 Windows 11 ISO — https://www.microsoft.com/software-download/windows11arm64
- ARM64 driver pack from HP — listed separately in the HP driver pack matrix
- ARM64-specific Autopilot profile — Intune lets you create one when the assigned device is detected as ARM64
- ARM64 builds of your apps — M365, Edge, Chrome, Teams have native ARM64 builds in 2026. Legacy x86/x64 Win32 apps run under Prism emulation with a ~10-15% perf hit.
- AVD / WVD with ARM64 hosts if you're doing cloud desktops on this hardware
Microsoft Pluton TPM on AMD G11+ HP models
The toggle: Esc → F10 → Security → TPM Device → Choose between fTPM (AMD firmware TPM) or Pluton (Microsoft).
The recommendation: Pluton if your security stack is Microsoft-aligned (Defender for Endpoint, Credential Guard, Windows Hello for Business with Cloud Trust). fTPM if you have a heterogeneous environment with mixed AMD/Intel and want consistent TPM behavior.
The catch: Switching after deployment wipes BitLocker keys. Decide upfront, BIOS-script it via BCU, and stick with it.
PXE boot doesn't work over the dock
The bug: Laptop refuses to PXE boot through the HP USB-C / Thunderbolt dock NIC. Same laptop boots fine when you plug Ethernet directly.
The cause: Most HP docks have a Realtek NIC. The boot.wim shipped by MDT/SCCM doesn't include the Realtek dock NIC driver out of the box.
The fix: Either (a) inject the Realtek dock driver into boot.wim with DISM (same pattern as the VMD fix above), or (b) just plug the cable directly into the laptop for first imaging.
Why the laptop's hostname is wrong after Autopilot
The bug: New laptop completes Autopilot. The hostname is DESKTOP-XXXXXXX, not the convention you wanted.
The fix: In your Autopilot deployment profile in Intune → Device name template → enter something like HPEB-%SERIAL%. Re-assign profile, reset device, re-Autopilot.
Driver-pack version mismatches
The bug: You imaged 100 laptops last quarter. This quarter, the same task sequence is leaving Wi-Fi unsigned on the new batch.
The cause: HP refreshes driver packs every 3-6 months. The Wi-Fi card sub-vendor changed mid-cycle (often Intel AX211 → AX411). The old driver pack doesn't include the new card.
The fix: Subscribe to the HP CMS RSS feed. Build a calendar reminder to re-pull each model's driver pack every 90 days. Or automate with the included Get-HPDriverPacks.ps1 script.