TPM Check Readiness for Task Sequence New Operating System Installation

Vid3al 186 Reputation points
2022-09-15T10:32:09.79+00:00

Hi All,

During OSD (New Computer or Reinstall Computer), can I notify the operator that the TPM is not enabled or configured?

This is because, during the BitLocker Pre-Provisioning step, if the TPM is not active, the operator receives an error warning but does not understand that the problem is the TPM.

This is not an Upgrade Task Sequence but a Bare Metal Task Sequence from Network Boot, so it also has to work when the HDD is completely empty.

In practice, a Check Readiness for a new operating system installation.

I don't think this works for my scenario. I am not using an Upgrade Task Sequence but a Task Sequence from Network Boot.

https://www.prajwaldesai.com/enable-tpm-2-0-check-in-sccm-task-sequence/

Thank you all for your support.

Microsoft Security | Intune | Configuration Manager | Deployment

8 answers

  1. Vid3al 186 Reputation points
    2022-10-06T17:51:06.183+00:00

    If "TPMReady" is "FALSE":

    • "Check Readiness" does not detect it and continues without error or warning.
    • "Pre-Provisioning Bitlocker" does not detect it and continues without error or warning.
    • "Enable Bitlocker": since "Check Readiness" and "Pre-Provisioning Bitlocker" have not reported errors, it should enable BitLocker; instead it does not enable it and reports an error, because none of the previous steps checks "TPMReady", which can only be checked from PowerShell with "Get-Tpm".

  2. Jason Wheeler 25 Reputation points
    2023-09-13T15:27:10.77+00:00

    I was troubleshooting an issue with BitLocker pre-provisioning using MDT deployment on Hyper-V with a vTPM. My problem was that on first reboot the volume was unmountable (still not sure on the resolution for that yet). However, in doing so I found a way to use the TPM PowerShell commands in WinPE. You basically just have to copy the files from the same version of Windows into the same paths for WinPE. I used MDT's extra files setting to have it automatically include the files into the appropriate path when generating the WinPE boot image.

    I found this thread in researching my issue, so I thought I'd share. Here are the files you need copied to get the Trusted Platform Module (TPM PowerShell commands) to work in WinPE (this is for x64; x86 would be similar but obviously adjust for the different architecture):

    %WINDIR%\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Tpm.Commands.dll

    %WINDIR%\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands\v4.0_10.0.0.0__31bf3856ad364e35\TrustedPlatformModule.psd1

    %WINDIR%\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\Microsoft.Tpm.Commands.Resources.dll

    %WINDIR%\Microsoft.NET\assembly\GAC_64\Microsoft.Tpm.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Tpm.Commands.dll

    %WINDIR%\Microsoft.NET\assembly\GAC_64\Microsoft.Tpm.Commands\v4.0_10.0.0.0__31bf3856ad364e35\TrustedPlatformModule.psd1

    %WINDIR%\Microsoft.NET\assembly\GAC_64\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\Microsoft.Tpm.Commands.Resources.dll

    %WINDIR%\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Tpm\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Tpm.dll

    %WINDIR%\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Tpm.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\microsoft.tpm.resources.dll

    %WINDIR%\System32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1

    %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1

    You, of course, still need to include the Windows PowerShell, .NET Framework, and possibly Microsoft Data Access Components & Secure Boot Cmdlets (not 100% sure on those as I have them already included for other reasons).

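The two answers above make complementary points: the built-in Check Readiness and Pre-provision BitLocker steps do not evaluate TpmReady, and Get-Tpm can be made to work in WinPE by copying the TrustedPlatformModule files into the boot image. The script below is an added example, not code from this thread or from Microsoft, of a "Run PowerShell Script" step placed before Pre-provision BitLocker that evaluates the TPM state and stops the task sequence with a message the operator can act on. It assumes the module files listed above are in the boot image (so Get-Tpm works), that the WinPE-WMI and WinPE-Scripting components are present (for the Win32_Tpm fallback and the WScript.Shell popup), and that the variable names TPMReady and TPMCheckMessage are free to use; those names are my choice, not task sequence built-ins.

```powershell
# Added example (not from the thread): TS step that checks the TPM before
# "Pre-provision BitLocker" and fails with an operator-readable message.
# Assumptions: Get-Tpm is usable in WinPE (module files copied into the boot
# image), WinPE-WMI and WinPE-Scripting are included, and the TS variable
# names TPMReady / TPMCheckMessage are free to use (chosen for this example).
$ErrorActionPreference = 'Stop'

function Get-TpmState {
    # Prefer the TrustedPlatformModule cmdlet; fall back to the TPM WMI provider
    # (root\cimv2\Security\MicrosoftTpm) when the module is not in the boot image.
    try {
        Import-Module TrustedPlatformModule -ErrorAction Stop
        $tpm = Get-Tpm
        return [pscustomobject]@{
            Present   = [bool]$tpm.TpmPresent
            Enabled   = [bool]$tpm.TpmEnabled
            Activated = [bool]$tpm.TpmActivated
            Owned     = [bool]$tpm.TpmOwned
            Ready     = [bool]$tpm.TpmReady
            Source    = 'Get-Tpm'
        }
    } catch {
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        if (-not $wmi) {
            return [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false
                                      Owned = $false; Ready = $false; Source = 'none' }
        }
        $enabled   = [bool](Invoke-CimMethod -InputObject $wmi -MethodName IsEnabled).IsEnabled
        $activated = [bool](Invoke-CimMethod -InputObject $wmi -MethodName IsActivated).IsActivated
        $owned     = [bool](Invoke-CimMethod -InputObject $wmi -MethodName IsOwned).IsOwned
        return [pscustomobject]@{
            Present   = $true
            Enabled   = $enabled
            Activated = $activated
            Owned     = $owned
            Ready     = ($enabled -and $activated -and $owned)   # approximation of TpmReady
            Source    = 'Win32_Tpm'
        }
    }
}

function Get-TpmProblem {
    # Translate the state into the first actionable reason, or $null when ready.
    param([Parameter(Mandatory)] $State)
    if (-not $State.Present)   { return 'No TPM was found. Enable the TPM (discrete TPM or firmware TPM) in the firmware setup.' }
    if (-not $State.Enabled)   { return 'The TPM is present but disabled in the firmware setup.' }
    if (-not $State.Activated) { return 'The TPM is enabled but not activated; a firmware change or reboot may be pending.' }
    if (-not $State.Ready)     { return 'The TPM is not ready (not provisioned/owned), so BitLocker cannot be pre-provisioned.' }
    return $null
}

$state   = Get-TpmState
$problem = Get-TpmProblem -State $state
$ready   = if ($problem) { 'False' } else { 'True' }
$message = if ($problem) { $problem } else { '' }

# Record the result so later steps can use it as a condition
# (for example, run "Pre-provision BitLocker" only if TPMReady equals True).
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsenv.Value('TPMReady')        = $ready
$tsenv.Value('TPMCheckMessage') = $message

if ($problem) {
    Write-Host "TPM check failed (source: $($state.Source)): $problem"
    try {
        # Hide the TS progress dialog so the popup is visible, then block until
        # the operator acknowledges it (0 seconds = no timeout, 0x10 = stop icon).
        $tsui = New-Object -ComObject Microsoft.SMS.TsProgressUI
        $tsui.CloseProgressDialog()
        $shell = New-Object -ComObject WScript.Shell
        [void]$shell.Popup("BitLocker pre-provisioning cannot continue:`r`n`r`n$problem", 0, 'TPM not ready', 0x10)
    } catch {
        Write-Host "Could not display popup: $($_.Exception.Message)"
    }
    exit 1   # non-zero exit fails the step; the Write-Host text lands in smsts.log
}

Write-Host "TPM check passed (source: $($state.Source)); TPMReady = True"
exit 0
```

Add it as a "Run PowerShell Script" step with the execution policy set to Bypass and "Continue on error" unchecked, so a failing TPM stops the sequence at this step rather than at Enable BitLocker. The WMI fallback only approximates TpmReady from the IsEnabled/IsActivated/IsOwned methods; when the module files from the answer above are in the boot image, Get-Tpm is used and the real TpmReady value is reported.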

  3. Gary Blok 1,756 Reputation points
    2023-09-15T20:07:59.85+00:00

    If you want a deeper dive into dealing with TPM with a Task Sequence, you can check out this PowerPoint and Task Sequence Export
    https://mms2023atmoa.sched.com/event/1LS3A/tpm-provisioning-and-management

    That task sequence will automate updating your TPM to 2.0 and ensure everything is set to support Bitlocker.
