
Activate and enable DELL TPM chip during SCCM tasksequence

CCTK --tpmactivation=activate --tpm=on sometimes fails to enable and activate TPM.

When configuring a task sequence for unattended Operating System Deployment (OSD) of Dell laptops, the following challenge presented itself: BitLocker sometimes fails on Dell laptops because the TPM chip is not activated by the task sequence.

The task sequence used the Dell Client Configuration Toolkit (CCTK) (which can be downloaded here) to configure the BIOS and enable/activate the TPM chip. In the cases where the TPM chip had previously been enabled but not activated, the task sequence came back with the error "1. Setup/Admin password is not set 3. TPM must not be currently owned. 2. TPM must be in a deactivated state." This was caused by the TPM chip being owned but not active.

In the following task sequence I've made a workaround for this issue by checking the status of the TPM chip and its owner and performing actions based on those values.

Prerequisites:

  • PowerShell must be installed in the WinPE image

  • A package containing the CCTK toolkit

Set the variables with my custom variables script; run it while bypassing the PowerShell execution policy with the command powershell.exe -executionPolicy Bypass -file .\setTaskSequenceVariables.ps1. These variables are used to determine the correct actions in the next steps of the task sequence.


The PowerShell script contains the code listed below and should be included in a package.
# Create the SCCM task sequence environment object
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

############# Define variables ################

# Query WMI once for the status of the TPM chip
$tpm = Get-WmiObject -Class Win32_Tpm -Namespace "root\CIMV2\Security\MicrosoftTpm"
if (-not $tpm) {
    Write-Warning "No Win32_Tpm instance found; treating the TPM as not owned and not active"
}

# Publish the owner and activation state as task sequence variables ("True" or "False").
# Both values are always written, so the variables are also refreshed when this
# script is run again after the reset step instead of keeping a stale "True".
$tsenv.Value("TPMIsOwned")  = ([bool]$tpm.IsOwned_InitialValue).ToString()
$tsenv.Value("TPMIsActive") = ([bool]$tpm.IsActivated_InitialValue).ToString()


Install the HAPI drivers from the CCTK toolkit into the Windows PE operating system with the following command, where X:\DELL\HapiDrivers\ is only a scratch directory for the extracted driver files: .\HAPI\hapint.exe -i -k C-C-T-K -p X:\DELL\HapiDrivers\

When you set the BIOS password, add error code 115 to the success codes of the step; this code means a BIOS password is already set (I assume it is the correct password).



Set all the options you wish to use; this can include the asset tag, for example filled with the computer name as in the command below. Don't forget to fill in the BIOS password in the --valsetuppwd option, and keep in mind that it is passed in clear text on the command line. .\cctk.exe --admsetuplockout=enable --wirelesslan=enable --wakeonlan=enable bootorder --sequence=hdd,embnic --asset=%OSDComputerName% --valsetuppwd %YourBIOSPassword%


Resetting the TPM chip is only necessary if ownership of the chip has been taken but the TPM is not active; in the other cases the TPM is either already configured or can be configured with the CCTK commands.

Note: If the TPM chip ownership is reset, you will be prompted to press F10 to accept the changes at the next reboot.

Run the PowerShell script to claim ownership and enable the TPM chip with the command powershell.exe -executionPolicy Bypass -file .\resetTPMOwnerAndActivateTPM.ps1


The PowerShell script should be included in one of the packages and consists of the following code.
$TPM = Get-WmiObject -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm

# Placeholder: replace with the TPM owner password (or read it from a task sequence variable)
$YourPassword = "YourPassword"

# Enable, activate the chip, and allow the installation of a TPM owner.
# Physical presence request 10 is applied by the BIOS at the next reboot (F10 prompt).
$TPM.SetPhysicalPresenceRequest(10)

If (!(($TPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)) {

    # Create the endorsement key pair if the TPM does not have one yet
    $TPM.CreateEndorsementKeyPair()

}

# Convert the password to the owner authorization value used by Clear and TakeOwnership
$OwnerAuth = $TPM.ConvertToOwnerAuth($YourPassword)

# Check if the TPM chip currently has an owner
If (($TPM.IsOwned()).IsOwned) {

    # Clear the current owner; this only succeeds when $YourPassword is the existing owner password
    $Result = $TPM.Clear($OwnerAuth.OwnerAuth)
    If ($Result.ReturnValue -ne 0) {
        Write-Warning ("Clear failed with 0x{0:X8}; the old owner password is probably unknown" -f $Result.ReturnValue)
    }
}

# Take ownership
$TPM.TakeOwnership($OwnerAuth.OwnerAuth)


Because the TPM chip is now enabled and activated, the custom variables script will set different values than before; since I use them in the following steps they need to be updated. The command powershell.exe -executionPolicy Bypass -file .\setTaskSequenceVariables.ps1 runs the PowerShell script for setting the custom variables from the package again.


Set the conditions for the enable TPM chip command: it should only run for a TPM chip that is not owned and deactivated, i.e. when neither TPMIsOwned nor TPMIsActive equals True.


When the TPM is not active (the default setting) the following cctk command will enable and activate it. .\cctk.exe --tpm=on --tpmactivation=activate --valsetuppwd %YourPassword%


After the system is restarted the normal task sequence can continue, and BitLocker activation will succeed because the TPM chip is enabled and activated.
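The steps above spread the state check and the fix over two scripts and several conditional steps. The script below is an added example, not one of the page's own scripts, that combines them into one file with two phases and checks the return values of every call. It assumes (none of this is from the original page) a script name of Set-DellTpmState.ps1, PowerShell 3.0 or later in WinPE, cctk.exe next to the script in the package, and two task sequence variables: DellBiosPassword for the BIOS setup password and, optionally, TPMOwnerPassword when the previous TPM owner password is known. Where the owner password is not known it swaps in physical presence request 14 (clear + enable + activate) instead of the Clear()/TakeOwnership() pair used above, because Clear() with owner authorization fails against an unknown owner, and it leaves taking ownership to the later BitLocker step.

```powershell
<#
  Added example, not the article's own script. Assumed names (not from the page):
  Set-DellTpmState.ps1, task sequence variables DellBiosPassword and TPMOwnerPassword,
  cctk.exe in the same package directory as this script.
#>
param(
    [Parameter(Mandatory = $true)][ValidateSet('Inspect', 'Configure')]
    [string]$Phase
)

$ErrorActionPreference = 'Stop'
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tpm   = Get-WmiObject -Class Win32_Tpm -Namespace 'root\CIMV2\Security\MicrosoftTpm'
if (-not $tpm) { throw 'Win32_Tpm not found: HAPI drivers not installed or TPM hidden by the BIOS.' }

# Live state through the WMI methods; the *_InitialValue properties only reflect boot time.
function Get-TpmState {
    [pscustomobject]@{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

# Map the state onto the three cases the article distinguishes.
function Resolve-TpmAction($state) {
    if ($state.Enabled -and $state.Activated) { return 'None' }       # ready for BitLocker
    if ($state.Owned)                         { return 'ClearFirst' } # owned but inactive: cctk refuses
    return 'Cctk'                                                     # not owned, inactive: cctk can do it
}

# Fail the step when a Win32_Tpm method reports a non-zero HRESULT.
function Assert-TpmResult($result, [string]$what) {
    if ($result.ReturnValue -ne 0) {
        throw ('{0} failed with 0x{1:X8}' -f $what, $result.ReturnValue)
    }
}

$state  = Get-TpmState
$action = Resolve-TpmAction $state

# Phase 1: publish the state as task sequence variables for the step conditions.
$tsenv.Value('TPMIsOwned')  = $state.Owned.ToString()
$tsenv.Value('TPMIsActive') = $state.Activated.ToString()
$tsenv.Value('TPMAction')   = $action
if ($Phase -eq 'Inspect') { exit 0 }

# Phase 2: act on the state. Passwords come from task sequence variables, not from the package.
switch ($action) {
    'None' { Write-Host 'TPM already enabled and activated; nothing to do.' }

    'Cctk' {
        $biosPwd = $tsenv.Value('DellBiosPassword')
        if (-not $biosPwd) { throw 'DellBiosPassword task sequence variable is empty.' }
        & "$PSScriptRoot\cctk.exe" --tpm=on --tpmactivation=activate --valsetuppwd $biosPwd
        if ($LASTEXITCODE -ne 0) { throw "cctk.exe returned $LASTEXITCODE" }
    }

    'ClearFirst' {
        $ownerPwd = $tsenv.Value('TPMOwnerPassword')
        if ($ownerPwd) {
            # Old owner password known: clear with owner authorization, as the article does.
            $auth = $tpm.ConvertToOwnerAuth($ownerPwd)
            Assert-TpmResult $auth 'ConvertToOwnerAuth'
            Assert-TpmResult ($tpm.Clear($auth.OwnerAuth)) 'Clear'
        }
        else {
            # Unknown owner: physical presence request 14 = clear + enable + activate.
            # Needs no owner authorization; the BIOS applies it at the next boot after the F10 prompt.
            $status = $tpm.GetPhysicalPresenceConfirmationStatus(14).ConfirmationStatus
            if ($status -eq 2) { throw 'Physical presence clear is blocked by the BIOS configuration.' }
            Assert-TpmResult ($tpm.SetPhysicalPresenceRequest(14)) 'SetPhysicalPresenceRequest(14)'
        }
        # In both cases a reboot is needed before cctk or BitLocker can continue; the
        # task sequence reboots on this flag and then runs Inspect and Configure again.
        $tsenv.Value('TPMRebootRequired') = 'True'
    }
}
```

In the task sequence this becomes: a Run Command Line step with powershell.exe -ExecutionPolicy Bypass -File .\Set-DellTpmState.ps1 -Phase Inspect, the BIOS password and cctk settings steps, a second step with -Phase Configure, a Restart Computer step conditioned on TPMRebootRequired equals True, and a repeat of Inspect and Configure after the restart; on the second pass a cleared TPM falls into the Cctk case and is enabled and activated with the same cctk command as above.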

Tags: Automation, SCCM, Dell, TPM, Chip, BIOS, CCTK, Task Sequence, Windows PE, Powershell, Scripting, Troubleshoot, Fix
2014-03-14 06:48:54
Disabled logging still active
I noticed a large amount of transactions on the relay servers and the database. The sheer volume caused many failed transactions and deadlocks in the database. After digging into the logs, I noticed they were generated by the removable disk security, which was turned off at the time.
In the images below the logging status is displayed together with a sample of the logging generated in a 10,000-seat environment.
[Image: Removable disk logging disabled.]
[Image: Removable disk logging remains active while disabled.]


The issue is resolved by RES in the Workspace Manager 2012 SR4 revision 8 update, which can be downloaded from the RES Website.

Tags: RES, Workspace Manager, Performance, Logging, Database, Relay Server, Fixed
2014-03-10 07:30:57