CCTK 2.2.0 won't 'enable' TPM during CM OSD task sequence

Hi Mike,

I further checked on this issue.

I found that this issue can be resolved by clearing TPM.

TPM can be cleared by following steps

> Can you please go to BIOS setup screen->Security->'TPM Security' page

> Click Unlock

> Enter Setup password if Unlock button is active

> Check 'Clear' to the TPM; confirm the same in another dialog that pops up

> Click Exit to reboot

Once the above steps are done, try the TPM enablement steps through CCTK.

Hi Shrinidhi.

I have previously tried that in my troubleshooting.

It does not resolve the issue I am experiencing.

Thanks.

-Mike

Hi Mike,

I further checked with BIOS. They also tested and confirmed that by clearing TPM, they are able to resolve the issue.

Please cross check and ensure that the TPM ownership has been taken before issuing command through CCTK.

Any luck with this? I'm having exactly the same problem. 

Mike,

For my TPM activation to work, I had to reset TPM chip ownership. These are the steps I took to enable TPM and install BitLocker on my MDT server:-

• Set BIOS password (cctk.exe --setuppwd=XXXXXX).
• Enable TPM chip (cctk.exe --tpm=on --valsetuppwd=XXXXXX).
• Restart Computer.
• Reset TPM ownership (powershell.exe -executionpolicy unrestricted -command %SCRIPTROOT%\ResetTPMOwnership.ps1). Create a ps1 file called ResetTPMOwnership and save it in the scripts folder in your deployment share. The contents should be as follows

           $oTPM = gwmi -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm
 
           $oTPM.SetPhysicalPresenceRequest(10)
 
           If(!(($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)){
 
           $oTPM.CreateEndorsementKeyPair()
 
           }
 
          If(($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent){
 
          $OwnerAuth=$oTPM.ConvertToOwnerAuth(“customrandompassword”)
 
         $oTPM.Clear($OwnerAuth.OwnerAuth)
 
         $oTPM.TakeOwnership($OwnerAuth.OwnerAuth)
 
         }

• Restart computer.
• Activate TPM chip (cctk.exe --tpmactivation=activate --valsetuppwd=XXXXXXX).
• Restart computer.
• Check TPM chip status (cctk.exe --tpm --tpmactivation).
• Remove temporary BIOS password (cctk.exe --setuppwd= --valsetuppwd=XXXXXXX).

I hope it helps if you haven't already figured it out.

Great info, but it doesn't seem to be working for me.  In reading Technet, it says I must provide a valid owner authorization value to clear ownership... is that the case?  My challenge is that we have a large number of laptops that our in a TPM Enabled/de-activated state and they are all remote.

If I manually clear the existing TPM info from the BIOS it works, and the cctk command enables and activates TPM from within Windows. The PowerShell script doesn't seem to be quite as successful though, but maybe i'm deploying it incorrectly. I did play about with running the script manually (bypassing MDT) and I think I got it to run correctly. After it clears the TPM it does require a reboot, at which point the system is halted before booting into the OS. It asks for confirmation on the recent changes to the system security, which you do need to manually accept this in order to the OS to continue to boot :emotion-7: Not ideal in a mass deployment scenario. So I imagine this is what TechNet is referring to

GUITAR - I am experiencing the exact same scenario although I havent been able to get the PS script to work as I run in manually, reboot and then try to activate through CCTK command prompt.  Like you, if I manually clear it in the BIOS, I can activate through CCTK.  Did you make any changes to the script that was provided.  I have also relied the question to our Dell Account Manager who is trying to get it to the right group to see if I can get some insight.

Even if the script worked, I dread the idea of all of our user sin this state having to press F10 to confirm ownership.  Cheers and good luck, I will share any info I get from Dell.

Any update on this?
I am experiencing exact the same issue with Dell Latitude E6510 with BIOS version A15.

Maybe an older CCTK can works?

Hi All,

As per the security guidelines, clearing TPM is possible in BIOS Setup screen and not through tools like CCTK and OMCI.

Regarding BIOS prompt, I will come back with answer.

I'm having the same issue on both an Optiplex 960, and 7010. Exactly as Mike mentioned, it sets the password, enables the TPM, reboots, removes the password. The odd thing is, in my case, the logs show that the "activate" step shows successful, even the successful exit code, and yet, it does not activate.
I am not, however, trying to do this in OSD, rather, I built a custom TS and push it to my test machines. It seems to work rather well, with the exception of activation of the TPM.

It's not such a big deal for new computers as we image them (we have to boot to boot media), but for the nearly 1200 computers already deployed, it's a bit of a pain. I'm hoping to see a resolution on this soon. I've been at it for a few weeks now, and glad to finally see that I'm not crazy.

Hey there,

Its a problem that is related to the TPM ownership. It has to be cleared before (re)activating the chip. On my blog i've wrote a full guide how you can achieve this with the necessary scripts included.

http://userworkspace.com/Activate_and_enable_DELL_TPM_chip_during_SCCM_tasksequence.php 

Kind regards,

Maurice