
Activate and enable DELL TPM chip during SCCM tasksequence

CCTK --tpmactivation=activate --tpm=on sometimes fails to enable and activate the TPM.

When configuring a task sequence for unattended Operating System Deployment (OSD) of Dell laptops, the following challenge presented itself: BitLocker sometimes fails on Dell laptops because the TPM chip is not activated by the task sequence.

The task sequence used the Dell Client Configuration Toolkit (CCTK) (which can be downloaded here) to configure the BIOS and enable/activate the TPM chip. In the cases where the TPM chip was previously enabled but not activated, the task sequence came back with the error "1. Setup/Admin password is not set 3. TPM must not be currently owned. 2. TPM must be in a deactivated state.", which was caused by the TPM chip being owned but not active.

In the following task sequence I’ve made a workaround for this issue by checking the status of the TPM chip and its owner and performing actions based on those values.

Prerequisites:

  • PowerShell must be installed in the WinPE image
  • A package containing the CCTK toolkit

Set the variables using my custom variables script; run it while bypassing the PowerShell execution policy with this command: powershell.exe -executionPolicy Bypass -file .\setTaskSequenceVariables.ps1. These variables are used to determine the correct actions in the next steps of the task sequence.


The PowerShell script contains the code listed below and should be included inside a package:

# Create the SCCM task sequence environment object
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

############# Define variables ################

# Query WMI once for the status of the TPM chip
$TPM = Get-WmiObject -Class Win32_Tpm -Namespace "root\CIMV2\Security\MicrosoftTpm"

# An owner has been installed on the chip
if ($TPM.IsOwned_InitialValue) {
    $tsenv.Value("TPMIsOwned") = "True"
}

# The chip is activated
if ($TPM.IsActivated_InitialValue) {
    $tsenv.Value("TPMIsActive") = "True"
}


Install the HAPI drivers from the CCTK toolkit into the Windows PE operating system with the following command (X:\DELL\HapiDrivers\ is a placeholder directory): .\HAPI\hapint.exe -i -k C-C-T-K -p X:\DELL\HapiDrivers\

When you set the BIOS password, add error code 115 to the success codes; this code means a BIOS password is already set (I assume it is the correct password).



Set all the options you wish to use; this can include the asset tag, for example with the computer name value as shown in this command. Don’t forget to fill in the BIOS password in the --valsetuppwd parameter. .\cctk.exe --admsetuplockout=enable --wirelesslan=enable --wakeonlan=enable bootorder --sequence=hdd,embnic --asset=%OSDComputerName% --valsetuppwd %YourBIOSPassword%


Resetting the TPM chip is only necessary if ownership of the chip has been taken but the TPM is not active; in the other cases the TPM is already configured or can be configured using the CCTK commands.

Note: If the TPM chip ownership is reset, you will be prompted to press F10 to accept the changes at the next reboot.

Run the PowerShell script to claim ownership and enable the TPM chip using the command powershell.exe -executionPolicy Bypass -file .\resetTPMOwnerAndActivateTPM.ps1


The PowerShell script should be included in one of the packages and consist of the following code (replace YourPassword with the owner password you want to use):

$TPM = Get-WmiObject -Class Win32_Tpm -Namespace root\CIMV2\Security\MicrosoftTpm

# Physical presence operation 10: enable, activate the chip, and allow the installation of a TPM owner.
$TPM.SetPhysicalPresenceRequest(10)

# Create the endorsement key pair if the chip does not have one yet
If (!(($TPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)) {
    $TPM.CreateEndorsementKeyPair()
}

# With an endorsement key pair in place, clear the current owner and take ownership
If (($TPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent) {

    # Convert the password to the owner authorization value
    $OwnerAuth = $TPM.ConvertToOwnerAuth("YourPassword")

    # Clear the current owner
    $TPM.Clear($OwnerAuth.OwnerAuth)

    # Take ownership
    $TPM.TakeOwnership($OwnerAuth.OwnerAuth)
}


Because the TPM chip is now enabled and activated, the custom variables script will create different variables than before; since I use them in the following steps they need to be updated. The command powershell.exe -executionPolicy Bypass -file .\setTaskSequenceVariables.ps1 will run the PowerShell script for setting the custom variables from the package.


Set the conditions for the enable TPM chip commands; they should be based on a not-owned, deactivated TPM chip.


When the TPM is not active (the default setting) the following CCTK command will enable and activate it: .\cctk.exe --tpm=on --tpmactivation=activate --valsetuppwd %YourPassword%
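The task sequence conditions above boil down to one decision on the two values the variables script captures. As an added example (not part of the original post's scripts), the following PowerShell combines the WMI query, the decision and the variable update in one place; the function names, the TPMAction and TPMPresent variables, and the handling of a missing Win32_Tpm instance are my own assumptions, not the post's.

```powershell
# Added example, not the post's own script. Maps the TPM state to the action
# the task sequence should take and writes every variable explicitly, so a
# rerun after the reset step cannot leave a stale value behind.
# Assumed names: Get-TpmAction, Set-TpmTaskSequenceVariables, TPMAction, TPMPresent.

function Get-TpmAction {
    param([bool]$IsOwned, [bool]$IsActivated)
    # Decision matrix from the post:
    #   active (owned or not)   -> nothing to do, BitLocker can proceed
    #   owned and not active    -> resetTPMOwnerAndActivateTPM.ps1 (clear + take ownership)
    #   not owned, not active   -> cctk --tpm=on --tpmactivation=activate
    if ($IsActivated) { return 'None' }
    elseif ($IsOwned) { return 'ResetAndActivate' }
    else              { return 'ActivateWithCctk' }
}

function Set-TpmTaskSequenceVariables {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace 'root\CIMV2\Security\MicrosoftTpm'

    if ($null -eq $tpm) {
        # No TPM exposed to WinPE (no chip, or it is disabled/hidden in the BIOS):
        # the post's scripts would throw here, so record the state and stop.
        $tsenv.Value('TPMPresent') = 'False'
        $tsenv.Value('TPMAction')  = 'NoTpm'
        return
    }

    $owned  = [bool]$tpm.IsOwned_InitialValue
    $active = [bool]$tpm.IsActivated_InitialValue

    # Write "True" or "False" for both, instead of only setting "True" as in the post
    $tsenv.Value('TPMPresent')  = 'True'
    $tsenv.Value('TPMIsOwned')  = "$owned"
    $tsenv.Value('TPMIsActive') = "$active"
    $tsenv.Value('TPMAction')   = Get-TpmAction -IsOwned $owned -IsActivated $active
}

Set-TpmTaskSequenceVariables
```

Each step in the task sequence can then carry a single "Task Sequence Variable" condition on TPMAction (ResetAndActivate for the reset script, ActivateWithCctk for the cctk command) instead of combining two variables per step.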


When the system is restarted the normal task sequence can continue and BitLocker activation will succeed because of the enabled and activated TPM chip.

Tags: Automation, SCCM, Dell, TPM, Chip, BIOS, CCTK, Task Sequence, Windows PE, Powershell, Scripting, Troubleshoot, Fix
2014-03-14 06:48:54
Disabled logging still active
I noticed a large number of transactions on the relay servers and the database. The sheer volume caused many failed transactions and deadlocks in the database. After digging into the logs, I noticed they were generated by the removable disk security, which was turned off at the time.
In the images below the logging status is displayed together with a sample of the logging generated in a 10,000-seat environment.
[Image: removable disk logging disabled]
[Image: removable disk logging remains active while disabled]


The issue is resolved by RES in the Workspace Manager 2012 SR4 revision 8 update, which can be downloaded from the RES Website.

Tags: RES, Workspace Manager, Performance, Logging, Database, Relay Server, Fixed
2014-03-10 07:30:57
pwrcache.exe preloads all icons
Users reported slow performance of their laptops, especially at logon. When investigating the bottlenecks it became clear the hard disk was the cause of the degraded response times. For troubleshooting the problem I used the Windows Performance Analyzer (WPA) from the Microsoft Assessment and Deployment Kit (ADK).

[Image: Analyzing the baseline with the Windows Performance Analyzer (WPA); baseline measurement with WPA]
When analyzing the data, a few things caught my attention:
1. The hard disk is at 100% during the entire boot process
2. The pwrcache.exe process is quite busy in this phase
3. The pwrcache.exe process is… preloading all the icon files…?
After providing RES with this information, an updated pwrcache.exe was created for RES Workspace Manager 2012 SR 3 fixpack 7. Now it’s time to test with the custom executable, which no longer loads the unnecessary icons. The results are displayed in the image on the right.

[Image: Analyzing the improvements with the Windows Performance Analyzer (WPA); measurement of the new situation]
The icon files are left alone, which gives a good increase in the boot performance of the laptop, but the pfsync.exe process is still loading unnecessary files. This time my eye jumps to all the .osd files. I’ve reported this issue as well and it has recently been fixed in SR 4 revision 1. The performance increase from skipping the .osd files was not of much impact in my test setup, but I can imagine situations where this could make some difference in the performance of the system.

So if you are using RES Workspace Manager 2012 on single-user computers that are shut down and started regularly, please update to Service Release 3 fixpack 7 to enjoy shortened logon times.

Tags: boot, fix, logon, optimize, performance, pfsync, pfsync.exe, RES, revision, service release, slow, tune, Workspace Manager
2014-01-31 06:25:04