Friday, April 25, 2014

Enable TPM for BitLocker usage during OS deployment on endpoints

Last week I wrote a blogpost about "How to Enable BitLocker, Automatically save Keys to Active Directory". As mentioned in that blogpost, the Trusted Platform Module (TPM) chip must be enabled and activated in the BIOS before BitLocker can use it. On most machines it is disabled by default, so the BitLocker steps in a ConfigMgr task sequence do nothing out of the box: an enabled and activated TPM is a pre-requisite BEFORE the "Pre-provision BitLocker" and "Enable BitLocker" steps run. But you can enable and activate the TPM from within the deployment task sequence itself! Let's have a look.
 
Step 1. Download the CCTK (Dell Client Configuration Toolkit) from Dell HERE.
Once you've downloaded it, install the MSI. Both CCTK and HAPI are used for doing the job: CCTK is the command line tool that changes BIOS settings, and HAPI is Dell's hardware access driver that CCTK needs loaded before it can talk to the BIOS from WinPE.
 
Step 2. Create a CCTK package for x86 and/or x64 usage.
Just copy the contents of %ProgramFiles%\Dell\CCTK\ to your ConfigMgr package source share and create a standard package from that folder (no program is needed). The Run Command Line steps below reference this package, which is what makes the ".\*.*" source in the xcopy commands resolve to the package content.
 
Step 3. Edit your task sequence with the following changes. All of these steps run in WinPE, which is why the files are copied to the X: RAM drive first. The copy and HAPI steps are repeated on purpose: X: is rebuilt after the restart, and the TPM must be enabled and the machine rebooted before the TPM can be activated.

Group: Enable TPM on Dell systems
  Group: Prepare CCTK and HAPI
    Run Command Line: xcopy CCTK
      xcopy.exe ".\*.*" "x:\CCTK\X86\" /E /C /I /Q /H /R /Y /S
    Run Command Line: Enable HAPI
      x:\CCTK\X86\HAPI\hapint -i -k C-C-T-K -p X:\CCTK\X86\HAPI\
    Run Command Line: Set BIOS password
      x:\CCTK\X86\CCTK.exe --setuppwd=password
    Run Command Line: Enable TPM
      x:\CCTK\X86\CCTK.exe --tpm=on --valsetuppwd=password
  Restart Computer
  Group: Prepare CCTK and HAPI
    Run Command Line: xcopy CCTK
      xcopy.exe ".\*.*" "x:\CCTK\X86\" /E /C /I /Q /H /R /Y /S
    Run Command Line: Enable HAPI
      x:\CCTK\X86\HAPI\hapint -i -k C-C-T-K -p X:\CCTK\X86\HAPI\
    Run Command Line: Activate TPM
      x:\CCTK\X86\CCTK.exe --tpmactivation=activate --valsetuppwd=password
  Restart Computer

Select the CCTK package from Step 2 on each xcopy step (the "Package" option of the Run Command Line step), otherwise ".\*.*" has nothing to copy from. Replace "password" with a strong BIOS setup password of your own: it becomes the real administrator password of the BIOS from this point on, and it is stored in plain text in the task sequence. If a setup password is already set on a machine, the "Set BIOS password" step fails; either drop that step and put the existing password in the --valsetuppwd steps, or change it in that step with --setuppwd=newpassword --valsetuppwd=oldpassword.

This must be placed between the "Partition Disk 0" and "Pre-provision BitLocker" steps in the task sequence.
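The four Run Command Line steps above work, but they repeat the password in clear text in every step and are not safe to re-run: "Set BIOS password" fails on a machine that already has one, and "Enable TPM" fails on a machine whose TPM is already on. The script below is an added example written for this post, not code from the original article or from Dell. It does the same enable and activate work from one "Run PowerShell Script" step, reads the BIOS password from a task sequence variable instead of the command line, queries the current TPM state with CCTK first so each stage is idempotent, and runs both in WinPE and in a full Windows refresh (the situation raised in the comments). Assumptions: the package keeps the X86 and X86_64 folders as the CCTK MSI installs them, the boot image has the WinPE-PowerShell optional component, the task sequence variable is named BiosSetupPwd, and CCTK prints query results as name=value (tpm=on, tpmactivation=activate).

```powershell
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Enable', 'Activate')]
    [string]$Stage
)
$ErrorActionPreference = 'Stop'

# Package layout as installed by the CCTK MSI (assumption): <package>\X86 and <package>\X86_64.
# A 32-bit boot image runs 32-bit PowerShell, so this picks the matching CCTK build.
$arch    = if ([Environment]::Is64BitProcess) { 'X86_64' } else { 'X86' }
$cctkDir = Join-Path $PSScriptRoot $arch
$cctk    = Join-Path $cctkDir 'cctk.exe'
$hapint  = Join-Path $cctkDir 'HAPI\hapint.exe'

# The BIOS password is read from a task sequence variable (name BiosSetupPwd is an assumption)
# instead of being typed into four Run Command Line steps. The COM object only exists inside
# a running task sequence.
$tsenv   = New-Object -ComObject Microsoft.SMS.TSEnvironment
$biosPwd = $tsenv.Value('BiosSetupPwd')
if ([string]::IsNullOrEmpty($biosPwd)) { throw 'Task sequence variable BiosSetupPwd is empty' }

function Invoke-Cctk {
    # Runs cctk.exe with the given arguments and returns its standard output.
    # Throws on a non-zero exit code, with the password values masked in the error text.
    param([string[]]$CctkArgs)
    $output = (& $cctk @CctkArgs | Out-String).Trim()
    if ($LASTEXITCODE -ne 0) {
        $shown = ($CctkArgs -replace '(setuppwd=).*', '$1***') -join ' '
        throw "cctk $shown failed with exit code $LASTEXITCODE : $output"
    }
    return $output
}

function Get-CctkValue {
    # Queries one BIOS option, e.g. 'tpm' returns 'on'. CCTK prints a query as name=value.
    param([string]$Name)
    $output = Invoke-Cctk -CctkArgs @("--$Name")
    if ($output -match "(?m)^$Name=(\S+)") { return $Matches[1] }
    throw "Unexpected cctk output for --$Name : $output"
}

# HAPI must be loaded before cctk can reach the BIOS. X: is rebuilt after every WinPE
# reboot, so this runs at both stages, with the same key and path as the post's command.
& $hapint -i -k C-C-T-K -p "$cctkDir\HAPI\" | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "hapint returned $LASTEXITCODE; cctk calls may fail" }

switch ($Stage) {
    'Enable' {
        if ((Get-CctkValue 'tpm') -eq 'on') {
            Write-Host 'TPM is already enabled, nothing to do'
            break
        }
        # Setting the password fails when one is already set. That is acceptable only if
        # the existing one equals $biosPwd, which the --tpm=on call below verifies.
        try   { Invoke-Cctk -CctkArgs @("--setuppwd=$biosPwd") | Out-Null }
        catch { Write-Warning 'BIOS setup password is already set, continuing with the supplied one' }
        Invoke-Cctk -CctkArgs @('--tpm=on', "--valsetuppwd=$biosPwd") | Out-Null
        Write-Host 'TPM enabled; the task sequence must reboot before the Activate stage'
    }
    'Activate' {
        if ((Get-CctkValue 'tpmactivation') -eq 'activate') {
            Write-Host 'TPM is already activated, nothing to do'
            break
        }
        Invoke-Cctk -CctkArgs @('--tpmactivation=activate', "--valsetuppwd=$biosPwd") | Out-Null
        Write-Host 'TPM activated; reboot before Pre-provision BitLocker'
    }
}
exit 0
```

Use it as two "Run PowerShell Script" steps that both point at the CCTK package: "-Stage Enable" before the first Restart Computer and "-Stage Activate" after it, keeping the two Restart Computer steps from the task sequence above. Set BiosSetupPwd with a Set Task Sequence Variable step or as a collection variable (marked hidden where your ConfigMgr version supports it). The value still lives in the task sequence environment on the client during deployment, so a unique, strong BIOS password per estate still matters; what this buys you is that the password no longer appears in four step command lines and in every copy of the exported task sequence.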

This can be done on HP systems too, using BIOSConfigUtility.exe with a TPMEnable.REPSET file instead of CCTK. More information about that can be found HERE. The commands on Dell systems are working great; on HP systems I haven't used it before.

No need to set the BIOS password, enable the TPM and activate the TPM by hand on every machine anymore. Just use a single task sequence for BIOS configuration and BitLocker at once; from there on the ConfigMgr task sequence takes care of BitLocker. Just great!

Source: Windows-noob.com

10 comments:

  1. first of all thanks for you article ;-)

    I just don't get where XCOPY is copying from?!
    from ".\*.*" to "x:\CCTK\X86\"

    I created a package without a program and pointed the package to the folder where cctk\x86 is installed, but the TS is failing!

    1. Hi, I don't know for sure, but the files must be temporarily copied to the RAM drive. When I use the above parameters it's working great. Did you add the parameters as well? Try to use it in the command line first (press F8 during the WinPE phase).

    2. Thank you for your response. The trouble I am having is that I am dealing with an environment where Windows 7 Enterprise is already installed. So I guess this is what is called a refresh situation.

    3. Okay, so you want to deploy the package in Windows instead of doing a full OS deployment? In that case the CCTK package can be used in Windows as well. No need to copy files, because you can deploy it as a default package with SCCM and the commands can be copied to a CMD file. That way it should work for you.

  2. Hello Hank,

    I have a quick question about one command:

    x:\CCTK\X86\HAPI\hapint -i -k C-C-T-K -p X:\CCTK\X86\HAPI\

    Why do you use "C-C-T-K" and not CCTK ?

    Do you actually test these commands or you just take them from the other source ?

    Thank you.

    1. Hello, I used them with success before! I use the command because Dell mentions it this way. You can have a look here also: http://userworkspace.com/Automate

      Hope it helps!

  3. During activation I get the following message:
    "To Set TPM - 1. Admin password must be set , 2. TPM must not be owned and 3. TPM must be deactivated."

    1. All that is set, but it still did not work. I am getting
      Unknown error (Error: 00000106; Source: Unknown) TSManager

  4. Thank You
    You saved the day

  5. Step 2. Create a CCTK package for x86 and/or x64 usage.
    Just copy %ProgramFiles%\Dell\CCTK\* to a location that will be used for ConfigMgr, and create a new package.

    What does this even mean? What steps do I take in order to do so?
