TPM Check Readiness for Task Sequence New Operating System Installation

Question

TPM Check Readiness for Task Sequence New Operating System Installation

Vid3al 186

Hi All,

During OSD (New Computer or Reinstall Computer), can I notify the operator that the TPM is not enabled or configured ?

This is because, during the Bitlocker Pre-Provisioning step, if the TPM is not active, the operator receives an error warning but does not understand that the problem is the TPM.

No Task Sequence Upgrade, but Task Sequence Bare Metal from Network Boot, so even if the hdd disk is completely empty.

Practically a Check Readiness for new operating system installation.

I don't think this works for my scenario. I am not using a Task Sequence of Upgrade but a Task Sequence From Network Boot.

https://www.prajwaldesai.com/enable-tpm-2-0-check-in-sccm-task-sequence/

Thank you all for your support.

CherryZhang-MSFT 6,496 Reputation points

2022-09-20T06:07:31.603+00:00

Hi，

May we know the current status of the question? If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.

Best regards,
Cherry
Vid3al 186 Reputation points

2022-09-21T09:27:12.12+00:00

Actually I did some tests, and the built-in Step "Check Readiness" in WinPE Boot PXE environment also works.

What does not allow you to filter, however, is the version of the TPM. Control is only "TPM 2.0 or above is enabled" and "TPM 2.0 or above is activated".

I would like to find a solution that fits version 1.2 or later of the TPM.

For the time being, the suggestion https://uiplusplus.configmgrftw.com/ , seems to me too extensive for the small objective I would like to achieve.

Thank you all for your support.

8 answers

Your answer

CherryZhang-MSFT 6,496 Reputation points

2022-09-20T06:07:31.603+00:00

Hi，

May we know the current status of the question? If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.

Best regards,
Cherry
Vid3al 186 Reputation points

2022-09-21T09:27:12.12+00:00

Actually I did some tests, and the built-in Step "Check Readiness" in WinPE Boot PXE environment also works.

What does not allow you to filter, however, is the version of the TPM. Control is only "TPM 2.0 or above is enabled" and "TPM 2.0 or above is activated".

I would like to find a solution that fits version 1.2 or later of the TPM.

For the time being, the suggestion https://uiplusplus.configmgrftw.com/ , seems to me too extensive for the small objective I would like to achieve.

Thank you all for your support.

Answer 1

Same answer, it's not. You need to do something custom for this. You can build your own frontend to do this, you just won't be able to use PowerShell to do this to my knowledge per the shortcomings you called out although have you attempted to use WMI directly via PowerShell to check TPM Readiness? A quick web search will get some hits on how to do this with WMI. The key is to directly use the Win32_TPM class: https://learn.microsoft.com/en-us/windows/win32/secprov/win32-tpm

As for implementing UI++, you can pick and choose exactly what you want, and it can be as simple as you want it to be. It's totally up to you what you want to do.

Answer 2

Jason Sandys 31,406 Microsoft Employee Moderator

There's nothing built-in for this no, but that doesn't mean you can't do something custom using a simple script. There are community tools that can help with this depending on your requirements and desires. One such tool is UI++: https://uiplusplus.configmgrftw.com.

Answer 3

Actually I did some tests, and the built-in Step "Check Readiness" in WinPE Boot PXE environment also works.

What does not allow you to filter, however, is the version of the TPM. Control is only "TPM 2.0 or above is enabled" and "TPM 2.0 or above is activated".

I would like to find a solution that fits version 1.2 or later of the TPM.

For the time being, the suggestion https://uiplusplus.configmgrftw.com/ , seems to me too extensive for the small objective I would like to achieve.

Thank you all for your support.

Answer 4

The built-in Step "Check Readiness" for check TPM, does not perform the "TpmReady" status check. This information does not seem to be traceable through WMI queries, but only with Powershell. in the winpe environment the command "get-tpm" is not recognized, although in the boot image, in addition to the standard components, I have also added the following

If "TpmReady" is False, "Pre-Provisioning Bitlocker" and "Enable Bitlocker" steps fail. How is it possible to make the Step "Check Readiness", also check the status of the "TpmReady"?

Thank you all for your support.

Answer 5

Vid3al 186

From WinPE, even with the Powershell component enabled in the boot image, the "Get-Tpm" command is not recognized.

From WinPE, with the command "wmic /namespace:\root\CIMV2\Security\MicrosoftTpm path Win32_Tpm get /value", the "TpmReady" is not queried.

From Windows Operating System installed, the command "Get-Tpm", shows the status of the "TpmReady".

From Windows Operating System installed, the "wmic /namespace:\root\CIMV2\Security\MicrosoftTpm path Win32_Tpm get /value", the "TpmReady" is not queried.

From the tests I carried out, the "Check Readiness" Step, both in a Windows PE environment and in an installed Operating System environment, is not 100% functional for the control of the TPM. Even if "TpmReady" is "FALSE", it still ends with "Check successfully". The TPM control of the "Check Readiness" Step does not check the "TpmReady" status, this causes the Task Sequence to stop with an error for the "Enable Bitlocker" step.

From the tests I carried out, the step "Pre-Provisioning Bitlocker", is not 100% functional for the control to enable the Bitlocker. Even if "TpmReady" is "FALSE", it still ends with "Check successfully". The "Bitlocker Pre-Provisioning" step does not check the "TpmReady" status, this causes the Task Sequence to stop with an error for the "Enable Bitlocker" step.

I need to find a method that shows a warning if "TpmReady" is "FALSE".

Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2022-10-06T16:19:17.417+00:00

From WinPE, with the command "wmic /namespace:\root\CIMV2\Security\MicrosoftTpm path Win32_Tpm get /value", the "TpmReady" is not queried.

TpmReady is not an attribute of the Win32_TPM class so looking for that is invalid. The docs on the class I linked to give you the info you need on the class.

WMIC is also deprecated so I don't recommend using it. As noted, have you tried querying the Win32_TPM class directly with PowerShell using Get-CimInstance (or Get-WMIObject)? Checking the three Boolean attributes should get you what you want.

Here's a VBScript that should get you what you want: https://stackoverflow.com/questions/25209390/checking-for-tpm-readiness-with-wmi-and-vbscript

Alternatively, here's a way to use conditions within the task sequence to do this: https://www.prajwaldesai.com/enable-tpm-2-0-check-in-sccm-task-sequence/
It all depends on exactly what you want.
Vid3al 186 Reputation points

2022-10-06T17:49:45.897+00:00

TpmReady is not an attribute of the Win32_TPM class so looking for that is invalid. The docs on the class I linked to give you the info you need on the class.

WMIC is also deprecated so I don't recommend using it. As noted, have you tried querying the Win32_TPM class directly with PowerShell using Get-CimInstance (or Get-WMIObject)? Checking the three Boolean attributes should get you what you want.

from winpe powershell the only commands I tried are the following, but they always return that the command is not recognized

"get-tpm | select TpmReady" or "get-tpm"

Here's a VBScript that should get you what you want: https://stackoverflow.com/questions/25209390/checking-for-tpm-readiness-with-wmi-and-vbscript

this script queries WMI Win32_TPM. In Win32_TPM there is no "TPMReady" information.

Alternatively, here's a way to use conditions within the task sequence to do this: https://www.prajwaldesai.com/enable-tpm-2-0-check-in-sccm-task-sequence/
It all depends on exactly what you want.

in task sequences the conditions with VBScript language do not seem to me to be able to be used.

what escapes me of your suggestions? possible they did not provide for the control of the "TPMReady". I have many computers that if the operators do not enable the one highlighted in red, the bitlocker does not enable. the option highlighted in red corresponds to the value "TPMReady".
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2022-10-06T19:03:24.163+00:00

the option highlighted in red corresponds to the value "TPMReady"

This is not a correct statement. Just because the wording looks similar doesn't make it the same. Also, yes, it's nice that the PowerShell cmdlet provides something that works, but if that's working you now need to go research exactly what you need based on what's available to you in WMI per the documentation. I know you're looking for an easy button solution here, but it doesn't specifically exist, so you need to do some customization and learning to get there. In this case, that means what is available to you in the Win32_TPM class, which as noted, won't match verbatim to what you're used to because the PowerShell cmdlet is adding a layer of "intelligence" that you need to now provide with the lower-level constructs. The two examples I gave you do just that.

As for VBScript within a task sequence, yes, you absolutely can use VBScript using a Run Command line task. Is this just a simple point and click operation? No. You'll need to dig into the details of custom operations using a task sequence. The second example I gave gives you a complete walk through for doing all of this using a built-in construct though.
Vid3al 186 Reputation points

2022-10-07T07:58:36.417+00:00

I looked at the script you suggested, but I don't see in which part of the code there is control of the "TPMReady". The "VB" seems to check only the following "Win32_Tpm" information: "IsActivated_InitialValue" - "IsEnabled_InitialValue" - "IsOwned_InitialValue".

As for using a "VB" in a TS, I know the "Run Command Line" Step, but I wasn't referring to that. I was referring to the conditions for a certain Step of the TS to be executed or not.

Since in "Win32_Tpm" "WMI", there is no "TPMReady" parameter, so I was looking for a solution with powershell. I do not care that it is beautiful or that there is an ugly button, I am interested in finding a solution that works : Warn the operator that if one of the following is FALSE, he must check the BIOS options before installing or reinstalling the computer :

[ WMI ] IsActivated_InitialValue
[ WMI ] IsEnabled_InitialValue
[ PS ] TPMReady

for the first two I had solved with the conditions "WMI" in a STEP, "Run PowerShell Script", which shows a warning message and ends the TS.
For the last, the "TPMReady", noting that it is a "PS" parameter, I was trying to implement a control with "PS" directly in the script. But if "PS" in the "PE" environment does not recognize the parameters, how do I do this check?

Thank you for your support and patience.
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2022-10-07T14:26:56.627+00:00

OK, probably my last post here. My point is that you need to use what is available and the TPMReady value returned from the Get-TPM cmdlet is not only not available, but also not what you think it is and not the right choice for the task you are looking to accomplish here.

From the Get-TPM docs, TPMReady means "Whether a TPM complies with Windows Server 2012 standards." I heavily doubt that's truly useful. What you really want is to check exactly what's called in Prajwal's blog post and that's checking whether the TPM is activated and enabled.

Share via

TPM Check Readiness for Task Sequence New Operating System Installation

8 answers

Your answer