CCTK --tpmactivation=activate --tpm=on sometimes fails to enable and activate TPM.
When configuring a task sequence for unattended Operating System Deployment (OSD) of Dell laptops, the following challenge presented itself: BitLocker sometimes fails on Dell laptops because the TPM chip is not activated by the task sequence.
The task sequence used the Dell Client Configuration Toolkit (CCTK) (which can be downloaded here) to configure the BIOS and enable/activate the TPM chip. In the cases where the TPM chip was previously enabled but not activated, the task sequence came back with the error "1. Setup/Admin password is not set 3. TPM must not be currently owned. 2. TPM must be in a deactivated state.", which was caused by the TPM chip being owned but not active.
In the following task sequence I’ve made a workaround for this issue by checking the status of the TPM chip and its owner and performing actions based on those values.
- PowerShell must be installed in the WinPE image
- A package containing the CCTK toolkit
Set variables using my custom variables script; run it while bypassing the PowerShell execution policies with this command
powershell.exe -executionPolicy Bypass -file .\setTaskSequenceVariables.ps1
These variables are used to determine the correct actions in the next steps of the task sequence.
The PowerShell script contains the code listed below and should be included inside a package
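One way to write a variables script of this kind, as an added example rather than the author's original script: it reads the TPM state from the Win32_Tpm WMI class and publishes it through the Microsoft.SMS.TSEnvironment COM object. The variable names (TPMPresent, TPMEnabled, TPMActivated, TPMOwned, TPMAction) are assumptions, and the script assumes the WinPE image exposes the Win32_Tpm class.

```powershell
# Added example, not the author's original script.
# Variable names TPMPresent, TPMEnabled, TPMActivated, TPMOwned and TPMAction are assumptions.

function Get-TpmState {
    # A missing namespace or missing instance both mean no TPM is exposed to the OS.
    try {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm `
                   -ErrorAction Stop | Select-Object -First 1
    } catch {
        $tpm = $null
    }
    if (-not $tpm) {
        return @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    return @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-TpmAction($State) {
    if (-not $State.Present) { return 'None' }
    if ($State.Activated)    { return 'None' }   # already active, nothing to do
    if ($State.Owned)        { return 'Reset' }  # owned but not active: the case where cctk fails
    return 'Activate'                            # not owned, not active: cctk can enable and activate
}

$state = Get-TpmState
$vars  = @{
    TPMPresent   = $state.Present
    TPMEnabled   = $state.Enabled
    TPMActivated = $state.Activated
    TPMOwned     = $state.Owned
    TPMAction    = Get-TpmAction $state
}

# The COM object only exists while a task sequence is running; otherwise just print the values.
try   { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop }
catch { $tsenv = $null }

foreach ($name in $vars.Keys) {
    $value = [string]$vars[$name]
    if ($tsenv) { $tsenv.Value($name) = $value }
    Write-Output "$name=$value"
}
```

Task sequence steps can then use TPMAction as a condition: Reset for the ownership reset step and Activate for the cctk enable/activate step.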
Install the HAPI drivers from the CCTK toolkit into the Windows PE operating system by using the following command (in which “X:\DELL\HapiDrivers\” is a fake directory)
.\HAPI\hapint.exe -i -k C-C-T-K -p X:\DELL\HapiDrivers\
When you set the password for the BIOS, add error code 115 to the success codes; this code means a BIOS password is already set (I assume it is the correct password).
Set all the options you wish to use. This can include the asset tag, for example with the computer name value as shown in this command. Don’t forget to fill in the BIOS password for the --valsetuppwd option.
.\cctk.exe --admsetuplockout=enable --wirelesslan=enable --wakeonlan=enable bootorder --sequence=hdd,embnic --asset=%OSDComputerName% --valsetuppwd %YourBIOSPassword%
Resetting the TPM chip is only necessary if ownership of the chip has been taken but the TPM is not active. In the other cases the TPM is already configured or can be configured using the CCTK commands.
Note: If the TPM chip ownership is reset, you will be prompted to press F10 to accept the changes at the next reboot.
Run the PowerShell script to claim ownership and enable the TPM chip by using the command
powershell.exe -executionPolicy Bypass -file .\resetTPMOwnerAndActivateTPM.ps1
The PowerShell script should be included in one of the packages and consist of the following code
Because the TPM chip is enabled and activated, the custom variables script will create different variables than before. Since I use them in the following steps, they need to be updated. The command
powershell.exe -executionPolicy Bypass -file .\setTaskSequenceVariables.ps1
will run the PowerShell script for setting the custom variables from the package.
Set the conditions for the enable TPM chip commands; they should be based on a not-owned, deactivated TPM chip.
When the TPM is not active (default setting) the following cctk command will enable and activate it.
.\cctk.exe --tpm=on --tpmactivation=activate --valsetuppwd %YourPassword%
When the system is restarted, the normal task sequence can continue and BitLocker activation will be successful because of the enabled and activated TPM chip.