Enable TPM in a Task Sequence (DELL)

It took a while, but I found a way to enable the TPM in the BIOS and then activate it.

At first glance it should have been easy: using the CCTK from Dell, set the TPM to enabled from a command line, reboot, activate it, and reboot once more. But it would always only enable and never activate.

This is because ownership gets taken on the chip itself, and while the chip is 'owned' it cannot be activated, at least not by the CCTK.

In the end, after a lot of trial and error, I found a way to guarantee the chip is enabled and activated and ready for BitLocker, so here are the steps:

1. Set BIOS password with CCTK: Create a package from the Dell CCTK in ConfigMgr. Use this package with a Command Line step in the Task Sequence to set a setup password: "cctk --setuppwd=password"

2. Enable TPM with CCTK: Using the package again, run CCTK to enable the TPM: "cctk --tpm=on --valsetuppwd=password"

3. Restart Computer: if you perform these actions in the BIOS itself you don't need to restart, but here in a Task Sequence the WMI classes need to be reloaded so that the Win32_Tpm class becomes visible.

4. Clean the chip ownership: I use a PowerShell script here, but you can use VBScript. If you use PowerShell you first need to set the execution policy with a Command Line step: "powershell.exe -noprofile -command "&{Set-ExecutionPolicy Unrestricted -Force}"" and then call the following script:

    $oTPM = Get-WmiObject -Class Win32_Tpm -Namespace root\CIMV2\Security\MicrosoftTpm

    # Physical presence request 10 = Enable + Activate + SetOwnerInstall_True in the TCG PPI
    # operation table; the BIOS applies it on the next boot after the F10 confirmation.
    $oTPM.SetPhysicalPresenceRequest(10)

    # The chip needs an endorsement key pair before ownership can be taken.
    # Each Win32_Tpm query method returns an object carrying a property of the same name.
    If (!(($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)) {
        $oTPM.CreateEndorsementKeyPair()
    }

    If (($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent) {
        # Derive the owner authorization blob from a passphrase you control, then clear the
        # existing ownership and take it again with that known value.
        $OwnerAuth = $oTPM.ConvertToOwnerAuth("customrandompassword")
        $oTPM.Clear($OwnerAuth.OwnerAuth)
        $oTPM.TakeOwnership($OwnerAuth.OwnerAuth)
    }

5. Restart again; this time you will get a prompt at the BIOS to press F10 to accept the chip changes.

6. Activate the TPM with CCTK: "cctk --tpmactivation=activate --valsetuppwd=password"

7. Restart again.

That’s it.
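As an added example (not part of the original post or of Dell's CCTK), here is a pre-flight check you can run as a PowerShell step between steps 3 and 6. It reads the chip's state through the same Win32_Tpm class the post uses (IsEnabled, IsActivated, IsOwned and GetPhysicalPresenceRequest are real methods of that class) and writes the outstanding step into a task sequence variable, so the CCTK and ownership steps can carry a condition instead of running blindly on every machine. The variable name TPMNextStep and the step labels are my own; SMSTSRebootRequested and the Microsoft.SMS.TSEnvironment COM object are standard ConfigMgr task sequence facilities. It assumes the post-enable restart has already happened so that Win32_Tpm is visible, and that the step runs elevated inside the task sequence.

```powershell
# Added example, not from the original post: report TPM state and pick the next step.
$ns  = 'root\CIMV2\Security\MicrosoftTpm'
$tpm = Get-WmiObject -Namespace $ns -Class Win32_Tpm

if (-not $tpm) {
    # No instance means the TPM is still off in the BIOS or step 3's restart has not run yet.
    Write-Output 'Win32_Tpm not visible: TPM is off in BIOS or the post-enable restart is missing.'
    exit 1
}

# Each Win32_Tpm query method returns an object carrying a property of the same name.
$enabled   = ($tpm.IsEnabled()).IsEnabled
$activated = ($tpm.IsActivated()).IsActivated
$owned     = ($tpm.IsOwned()).IsOwned

# A non-zero pending physical presence request means a BIOS prompt (F10) is still outstanding.
$pending = ($tpm.GetPhysicalPresenceRequest()).Request

[pscustomobject]@{
    Enabled    = $enabled
    Activated  = $activated
    Owned      = $owned
    PendingPPI = $pending
} | Format-List | Out-String | Write-Output

# Decide the next step. The ordering mirrors the post:
# enable (CCTK) -> clear and retake ownership (WMI) -> activate (CCTK).
if (-not $enabled) {
    $next = 'EnableWithCCTK'      # step 2 (hypothetical label)
} elseif ($owned -and -not $activated) {
    $next = 'ClearOwnership'      # step 4: an owned chip cannot be activated by CCTK
} elseif (-not $activated) {
    $next = 'ActivateWithCCTK'    # step 6
} else {
    $next = 'Ready'               # enabled and activated: BitLocker can proceed
}

# Hand the decision to the task sequence so later steps can use a condition on TPMNextStep.
# Microsoft.SMS.TSEnvironment only exists while a ConfigMgr task sequence is running.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMNextStep') = $next
    if ($pending -ne 0) { $tsenv.Value('SMSTSRebootRequested') = 'true' }
} catch {
    Write-Output "Not running in a task sequence; next step would be: $next"
}
```

The value of running this before the ownership step is that a chip which is already enabled, activated and unowned skips step 4 entirely, and with it the F10 prompt that the comments below discuss; the ownership clear is only reached on machines where the post's "owned but not activated" condition actually holds.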


8 thoughts on "Enable TPM in a Task Sequence (DELL)"

  1. Wade August 30, 2013 / 7:18 pm

    Very nice write up on TPM chips on Dell systems. Do you know if there is a way to work around step 5? Having the prompt wait for user input (mainly end user), may stomp many users.

    • andrewdcraig September 2, 2013 / 6:50 pm

      The input is a stumbling block. With help from Dell, there is a way to do it better. I don't have the exact command line yet, but will post it ASAP.

      • andrewdcraig September 9, 2013 / 11:09 am

        There is an error in cctk. Use the following instead:
        "cctk --tpmactivation=activate --valsetuppwd password"
        That is a space instead of = at valsetuppwd, and it works without cleaning, therefore no F10.
        Dell told us about this, and it is only this command affected. No promises as I haven't tested yet myself.

  2. Jason September 11, 2013 / 5:33 pm

    I followed this process http://media.community.dell.com/en/dtc/attach/enabling_tpm_with_cctk_sce.pdf
    Then I took the package created in cctk as an exe and deployed it using SCCM. No reboot needed. Checked the BIOS on reboot and it was enabled and activated. This is of course with a BIOS where the TPM was not owned yet.

    I created 2 packages when I did this. One for setting the BIOS setup password and one for turning TPM on. I had deployed the TPM package and within the package settings set the setup password package to run first before it turned on TPM and activated. That way it will work.

    Good luck. I'm sure there are better ways to do this but it worked for me. At least on the few PCs I tested.

  3. Gordon February 12, 2014 / 9:41 pm

    Not being well versed in PowerShell or VB, do you have a vbscript version of your script above?

  4. bluej April 28, 2014 / 3:18 pm

    I am curious about how to bypass the TPM confirmation page in step 5. andrewdcraig, using cctk with the --tpmactivation=on switch can enable the TPM, however you will end up with a TPM set with a randomly generated owner password. If you back up the password hash in AD, then you can fake an owner authentication file; otherwise you won't be able to turn off BitLocker on that computer, and also you might not perform any TPM related administration work since you don't have the owner password.
    Using this script is for sure you can set the password you selected. But that confirmation page waiting for the F10 button to be pressed really makes the sequence not perfect.

    • andrewdcraig April 28, 2014 / 8:12 pm

      Hi, I couldn't find a way around the F10. It is a security feature of the chip when you clear an ownership. I also don't see how you would apply the fake owner, can you perhaps explain that? Getting the keys etc. from WMI and AD is something I did already. Thanks for your feedback
