September 9th, 2011 08:00

"CCTK --tpmactivation=activate" sometimes fails to enable TPM

I am creating an SCCM Task Sequence to deploy Windows 7 with BitLocker encryption.

I have the command "CCTK.exe --tpmactivation=activate --valsetuppwd=password" in the Task Sequence, but I find that often, this does not work. After the command has executed, I issue a "reboot" task sequence step so that I can manually check in the BIOS to verify the TPM is active, and often I find that it is not. Other times it is successfully activated, even on the same computer.

I have made the Task Sequence execution pause after the above command has been issued, and opened a command prompt by pressing "F8" and if I issue the same command manually then reboot, TPM is activated.

I have also made the Task Sequence execution pause and opened a command prompt by pressing "F8" then copied the smsts.log file locally so I can examine the log file, and I find that it appears to state that TPM was activated, as can be seen in this log extract:

Executing command line: smsswd.exe /run: x:\CCTK\X86_64\CCTK.exe --tpmactivation=activate --valsetuppwd=password
=======================[ smsswd.exe ] =======================
PackageID = ''
BaseVar = '', ContinueOnError=''
SwdAction = '0001'
Command line for extension .exe is "%1" %*
Set command line: Run command line
Working dir 'not set'
Executing command line: Run command line
Process completed with exit code 0
tpmactivation=activate
Command line returned 0
Process completed with exit code 0
!--------------------------------------------------------------------------------------------!
Successfully complete the action (Activate TPM) with the exit win32 code 0

However, rebooting and going into the BIOS, I find that TPM is not activated.

Does anyone have any ideas why this is so unreliable?

February 1st, 2013 06:00

It is almost certainly because your BIOS version is too old.  Try flashing to the latest BIOS rev for that model, which I think is A11?

The CCTK commands for tpm manipulation are not supported on many older BIOS revisions.  CCTK seems to detect that, so when you run the same version of CCTK on two different machines with different BIOS versions, cctk --help produces different results (one may offer --tpm and --tpmactivate, the other not).

February 27th, 2014 09:00

Sorry if I wasn't clear Shrinidhi. CCTK IS WORKING ON ALL MODELS BUT THE E6410. I use the process outlined in the video for all of our models and am well aware of how to use CCTK. The E6410 model (in my case) will not work unless the checkbox for the TPM is checked in the BIOS. Otherwise CCTK fails to activate it as the OS/CMD/Windows cannot see it or realize that it is available for use.

February 27th, 2014 09:00

Thought I'd chime in here. Hopefully there's a solution. Using CCTK and SCCM to activate TPMs and encrypt systems with BitLocker. Thus far, the only problematic machine is the E6410. CCTK appears to be unable to Enable the TPM. If I enable it directly in the BIOS, it then appears in Device Manager and can then be managed but I am unable to enable it using CCTK, which is ideal and works on all other machines. It's not a huge deal as we are retiring these models but would be nice to have a solution or reason for this occurring. It does specifically state that if the TPM is not enabled (the checkbox is checked in the BIOS), it will not be visible to the OS. Is this just how these are designed and the TPM cannot be enabled via CCTK??

February 27th, 2014 09:00

Hi Daov,

It is possible to enable and activate TPM using CCTK. For the right steps, please check this video.

This step should work unless there are any issues in the underlying version of the BIOS.

March 14th, 2014 04:00

Hey there,

I've been troubleshooting this same issue for a while and came to the conclusion that when the TPM chip is enabled but not activated, the CCTK toolkit will not be able to activate the chip because of the ownership. The ownership should be cleared using a PowerShell script I've described in my blog post @ http://userworkspace.com/Optimize/Activate%20and%20enable%20DELL%20TPM%20chip%20during%20SCCM%20tasksequence.php

Hope this helps!

Maurice

March 14th, 2014 06:00

That is an awesome script! But this will cause the machine to pause after POST saying Modify or Ignore, correct?

March 14th, 2014 07:00

That is correct, but only if the TPM chip ownership had to be reset (meaning the chip was enabled but not activated). If the chip is disabled it will only enable and activate it as you would expect :)

March 27th, 2014 01:00

Hi,

I have tried TPM activation on the E6410ATG; it is working fine, and whatever we set using CCTK for TPM is reflected in the BIOS screen as well. The system BIOS is A06.

Let me know the BIOS version of the system where you are trying, and also let me know whether the model is E6410 or E6410ATG.

Thanks.

Keerthan

June 5th, 2015 16:00

I had the same problems with activating the TPM chip (though enabling it was fine using the CCTK).  I ended up using a separate step to activate, which called the script below.  This appears to work on all of my Dell models once the TPM is active and therefore available to manipulate via WMI.

$TPM = Get-WmiObject -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm
# Physical presence request 10: enable, activate the chip, and allow the installation of a TPM owner.
$TPM.SetPhysicalPresenceRequest(10)
# Create an endorsement key pair if the TPM does not have one yet
If(!(($TPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent))
{
    $TPM.CreateEndorsementKeyPair()
}
# Once an endorsement key pair is present, reset the owner and take ownership
If(($TPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)
{
    # Convert password to hash
    $OwnerAuth=$TPM.ConvertToOwnerAuth("S3curit3")
    # Clear current owner
    $TPM.Clear($OwnerAuth.OwnerAuth)
    # Take ownership
    $TPM.TakeOwnership($OwnerAuth.OwnerAuth)
}
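
The thread's core symptom is that the CCTK step logs exit code 0 while the TPM is still inactive after the reboot. The following is an added example, not part of any post in this thread: a verification step to run in the full OS after the reboot and before the BitLocker step, so the task sequence stops instead of continuing on an unusable TPM. The function name `Get-TpmReadiness`, the exit codes, and the choice to treat "enabled and activated" as ready are assumptions; the `Win32_Tpm` methods are the standard WMI ones.

```powershell
# Added example: fail the task sequence step when the TPM is not really usable,
# regardless of what the earlier CCTK step reported.
function Get-TpmReadiness {
    param(
        # Any object exposing IsEnabled()/IsActivated()/IsOwned();
        # defaults to the live Win32_Tpm instance (needs admin/SYSTEM rights).
        $Tpm = (Get-WmiObject -Class Win32_Tpm `
                    -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                    -ErrorAction SilentlyContinue | Select-Object -First 1)
    )

    if ($null -eq $Tpm) {
        # No instance: the TPM is disabled in the BIOS (hidden from the OS,
        # as reported above for the E6410) or the machine has none.
        return [pscustomobject]@{
            Visible = $false; Enabled = $false; Activated = $false
            Owned   = $false; Ready   = $false
        }
    }

    $enabled   = [bool]$Tpm.IsEnabled().IsEnabled
    $activated = [bool]$Tpm.IsActivated().IsActivated
    $owned     = [bool]$Tpm.IsOwned().IsOwned

    [pscustomobject]@{
        Visible   = $true
        Enabled   = $enabled
        Activated = $activated
        Owned     = $owned
        # Assumption: enabled + activated is enough for the next step;
        # ownership can be taken later.
        Ready     = ($enabled -and $activated)
    }
}

$state = Get-TpmReadiness
Write-Host ("TPM visible={0} enabled={1} activated={2} owned={3}" -f `
    $state.Visible, $state.Enabled, $state.Activated, $state.Owned)

# Constructed exit codes: 0 = ready, 2 = not visible to the OS,
# 3 = visible but not enabled/activated. A non-zero code fails the step.
if (-not $state.Visible) { exit 2 }
if (-not $state.Ready)   { exit 3 }
exit 0
```

Exit code 2 points at a BIOS-level problem (TPM hidden or unsupported BIOS revision), while 3 points at the enabled-but-not-activated state discussed above.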

June 8th, 2015 13:00

I started using Dell's PowerShell cmdlet for BIOS manipulation and it is working pretty well. It can accommodate all of the above requests using 'set-item'.

Just search Dell Command | PowerShell Provider. It may accommodate your needs more easily?
