#1 mrbios

    TPM - I need help

    Does anyone have a step by step guide to setting up and configuring TPM?

    I've got some laptops I want to enable it on, but they're not Dell, HP or Lenovo (and naturally 99.9% of internet advice revolves around those). Ideally I wanted to enable and configure TPM via my SCCM 2012 R2 task sequence, but without a BIOS configuration tool like the CCTK etc. that doesn't appear to be possible. I've only got to do 9 though, so if need be I can do it manually once the OS is on.

    It's an Infineon chip, I've got the Infineon Security Platform Settings Tool installed. Having never used TPM until now though, I'm finding I need some sort of documentation to look through and get my head around it before I go locking myself out of something. Also I've seen something about some "Trusted Computing Management Tool" which appears to be some server-based management of Infineon TPM chips, but I can't find anything about that either.

    Lastly, as for BIOS options, these have me confused too: once you enable TPM you get the options "Clear TPM", "Enable Take Ownership" and "Disable Take Ownership".

    Anyone able to point me in the right direction here?

#2 clareq
    I'm working my way through this one as well, and am still testing - I think I'm nearly there.

    In BIOS I'm enabling Take Ownership, and then, in my task sequence I'm adding the following run command line switches - each a separate line, so I can see where it's breaking.
    Switch on Bitlocker:
    Code:
    cmd.exe /c manage-bde.exe -tpm -TurnOn
    Take Ownership Bitlocker
    Code:
    cmd.exe /c manage-bde.exe -tpm -takeownership <password>
    Start Encryption
    Code:
    cmd.exe /c manage-bde.exe -on C: -RecoveryPassword
    cmd.exe /c manage-bde.exe -protectors -adbackup C: -id <protector ID>
    Each line is set to continue on error

    Now, all this works if I run the commands on the machine once it's been added to the domain, but for the life of me, I've not yet managed to make it work fully from a task sequence. Having said that, I found a typo in my second command 30 minutes ago, so I'm running another test now. I'll let you know how it goes.

Thanks to clareq from: mrbios (14th July 2014)
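The three command lines in post #2, and the AD write-back that post #12 points to on Henk's blog, combined into one "Run PowerShell Script" task-sequence step. This is an added example, not clareq's script or anything from the thread: it checks the TPM state before acting, fails the step instead of relying on "continue on error", and backs the recovery password up to Active Directory before the disk starts encrypting. Assumptions that are not from the thread: the OS volume is C:, the machine is already domain-joined with the msFVE-RecoveryInformation write rights granted, manage-bde prints English output (the protector ID is parsed from it), and the TPM owner password arrives in a task-sequence variable named TPMOwnerPassword (hypothetical name).

```powershell
# Added example (not from the thread). Windows PowerShell 2.0+ as run by the
# SCCM 2012 R2 "Run PowerShell Script" step, i.e. as SYSTEM in the full OS.
$ErrorActionPreference = 'Stop'
$Drive = 'C:'

# Task-sequence variables are only reachable through this COM object while the TS runs.
$ts       = New-Object -ComObject Microsoft.SMS.TSEnvironment
$ownerPwd = $ts.Value('TPMOwnerPassword')   # hypothetical TS variable name
if (-not $ownerPwd) { throw 'Task-sequence variable TPMOwnerPassword is not set' }

function Invoke-ManageBde {
    # Run manage-bde.exe and turn a non-zero exit code into a terminating error,
    # so the TS step fails at the line that broke instead of silently continuing.
    param([string[]]$ArgList)
    $out = & manage-bde.exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $ArgList failed ($LASTEXITCODE): $out" }
    return $out
}

# Win32_Tpm exposes the three states the BIOS options correspond to: enabled, activated, owned.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM visible to Windows; enable it in the BIOS first' }
$enabled   = [bool]$tpm.IsEnabled().IsEnabled
$activated = [bool]$tpm.IsActivated().IsActivated
$owned     = [bool]$tpm.IsOwned().IsOwned
Write-Host "TPM before: enabled=$enabled activated=$activated owned=$owned"

# 1. Turn the TPM on. On many BIOSes this only queues a physical-presence request that the
#    firmware asks a human to confirm at the next boot, which is why an unattended TS needs
#    the TPM already enabled in the BIOS (or set by a vendor tool) before this point.
if (-not ($enabled -and $activated)) {
    Invoke-ManageBde -ArgList '-tpm', '-turnon' | Out-Null
}

# 2. Take ownership. This is the line that fails while the TPM is still waiting for that
#    boot-time confirmation. The switch is -tpm; "-tmp" is the typo from the post.
if (-not $owned) {
    Invoke-ManageBde -ArgList '-tpm', '-takeownership', $ownerPwd | Out-Null
}

# 3. Add a numerical recovery password and push it to AD before anything is encrypted,
#    so there is never a moment where the only copy of the key lives on the disk itself.
Invoke-ManageBde -ArgList '-protectors', '-add', $Drive, '-RecoveryPassword' | Out-Null
$getOut = Invoke-ManageBde -ArgList '-protectors', '-get', $Drive, '-type', 'RecoveryPassword'
$m = [regex]::Match(($getOut -join "`n"), 'ID:\s*(\{[0-9A-Fa-f-]{36}\})')   # assumes English output
if (-not $m.Success) { throw "Could not find a recovery-password protector ID in: $getOut" }
$protectorId = $m.Groups[1].Value
Invoke-ManageBde -ArgList '-protectors', '-adbackup', $Drive, '-id', $protectorId | Out-Null

# 4. Add the TPM protector (requires ownership) and start encrypting.
Invoke-ManageBde -ArgList '-protectors', '-add', $Drive, '-tpm' | Out-Null
Invoke-ManageBde -ArgList '-on', $Drive | Out-Null

Write-Host "BitLocker enabled on $Drive; recovery protector $protectorId backed up to AD"
```

The ordering is deliberate: the recovery password is created and written to AD before the TPM protector and before `-on`, so a machine that later hits a TPM fault or a "Clear TPM" in the BIOS can always be recovered from the AD copy. If the `-adbackup` call is the one that fails, it is almost always the computer object lacking write rights to msFVE-RecoveryInformation, which is the permission change the blog post in #12 describes.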

#3 mrbios
    awesome thank you!

    Can you show me what your task sequence looks like at the stages these commands are running?

#4 clareq
    I should know whether it's worked in 30 minutes or so - I'll grab celebratory screen shots if it's worked


#5 mrbios
    Quote Originally Posted by clareq View Post
    I should know whether it's worked in 30 minutes or so - I'll grab celebratory screen shots if it's worked
    Out of interest, what laptops are you using if you're also not using HP/Lenovo or Dell? I'm trying to do this on Novatech (Clevo chassis) ones at the moment.

    EDIT: Well, I've edited my task sequence for how I think it should go with your commands, running it now so we'll see.
    Last edited by mrbios; 14th July 2014 at 01:36 PM.

#6 clareq
    We have a varied bag - Dell, Samsung, Ergo, Lenovo and HP. I'm trying to get a non-specific TS set up. I don't fully understand why you need a utility to manipulate the BIOS if you can set it manually before running the TS. We have to go into the BIOS anyway to set up the admin password etc.

#7 mrbios
    Quote Originally Posted by clareq View Post
    We have a varied bag - Dell, Samsung, Ergo, Lenovo and HP. I'm trying to get a non specific TS set up. I don't fully understand why you need a utility to manipulate BIOS if you can set it manually before running the TS. We have to go into BIOS anyway to set up admin password etc.
    I was a bit lost by that, as it seems like they're only setting a temporary BIOS password in the task sequence anyway (at least on the example I looked at) and then removing it afterwards. Didn't really make sense to me, unless the TPM chip knows if a BIOS password is set and it requires one to be set in order for you to enable it?

#8 clareq
    From what I've seen, some BIOSes do require a password set before you can enable TPM. As we don't send any machines out without a BIOS password, that isn't an issue for us.

#9 clareq
    It didn't work. Back to the drawing board.

#10 SYNACK
    Quote Originally Posted by clareq View Post
    From what I've seen, some BIOSes do require a password set before you can enable TPM. As we don't send any machines out without a BIOS password, that isn't an issue for us.
    Quote Originally Posted by mrbios View Post
    I was a bit lost by that as it seems like they're only setting a temporary bios password in the task sequence anyway (at least on the example i looked at) and then removing it afterwards. Didn't really make sense to me, unless the TPM chip knows if a bios password is set and it requires one to be set in order for you to enable it?
    Yes, some BIOSes require this before any security features can be messed with, like the HP ones. If you are doing it manually then you can get around this because the wizard prompts you to accept at boot time, which does not require a BIOS password, but that defeats the whole automation thing.

    As to that, HP has the HP BCU http://ftp.hp.com/pub/caps-softpaq/cmit/HP_BCU.html and Dell has their variation, but if you can get the BIOS settings right beforehand this should not be required. You could however use WMI to grab the manufacturer as part of your task sequence, then automate the BIOS config for those that you can; you can even update them programmatically, but this is a tad more dangerous depending on your build environment.
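The WMI-based branching SYNACK describes, as an added example that is not from the thread: a pre-check step that reads the manufacturer, asks Windows whether it can already see an enabled and activated TPM, and publishes both as task-sequence variables so later steps can be conditioned on them (run a vendor BIOS tool only where one exists and is actually needed; otherwise stop and tell the technician to set it in the BIOS). The variable names TPMVendorTool, TPMReady and TPMOwned are hypothetical, and the vendor tool names are only labels for branching; their command lines are not shown.

```powershell
# Added example (not from the thread). Windows PowerShell 2.0+ (Get-WmiObject rather than
# Get-CimInstance so it also works on Windows 7 builds), run from the SCCM
# "Run PowerShell Script" step in the full OS.
$ErrorActionPreference = 'Stop'
$ts = New-Object -ComObject Microsoft.SMS.TSEnvironment

function Get-TpmReadiness {
    # Returns $null when Windows sees no TPM at all (typical when it is disabled in the
    # BIOS), otherwise the three states Win32_Tpm exposes.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    New-Object PSObject -Property @{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-BiosTool {
    # Map the WMI manufacturer string to the BIOS-scripting route you would drive from the TS.
    # Anything unmatched (Novatech/Clevo in this thread) gets '' and has to be set by hand.
    param([string]$Manufacturer)
    switch -Regex ($Manufacturer.Trim()) {
        '^(Hewlett-Packard|HP)' { return 'HP BCU' }
        '^Dell'                 { return 'Dell CCTK' }
        '^LENOVO'               { return 'Lenovo_SetBiosSetting (root\wmi)' }
        default                 { return '' }
    }
}

$maker = (Get-WmiObject Win32_ComputerSystem).Manufacturer
$tool  = Get-BiosTool -Manufacturer $maker
$state = Get-TpmReadiness

# "Ready" means the OS can take ownership and BitLocker can use it without a BIOS round-trip.
if ($state -and $state.Enabled -and $state.Activated) { $ready = 'True' } else { $ready = 'False' }
if ($state -and $state.Owned)                          { $ownedStr = 'True' } else { $ownedStr = 'False' }

# Publish for later steps: condition them on "Task Sequence Variable TPMReady equals True"
# (hypothetical variable names).
$ts.Value('TPMVendorTool') = $tool
$ts.Value('TPMReady')      = $ready
$ts.Value('TPMOwned')      = $ownedStr
Write-Host "Manufacturer='$maker' tool='$tool' TPMReady=$ready TPMOwned=$ownedStr"

# A vendor tool is only worth invoking when the TPM is not ready AND we have one; with
# neither, fail the step now rather than let takeownership fail three steps later.
if ($ready -eq 'False' -and -not $tool) {
    throw "TPM not enabled/activated and no scriptable BIOS tool for '$maker'. Enable it in the BIOS (set the BIOS admin password first if the firmware insists) and re-run."
}
```

Two caveats worth keeping next to this. First, the BIOS "Clear TPM" option is not a harmless reset: it discards the owner authorisation and every key sealed to the TPM, so on a machine already protected by BitLocker it forces recovery-password entry at the next boot, which is exactly why the AD backup should exist before encryption starts. Second, the `IsOwned` result is what distinguishes "TPM turned on but ownership not set" (the state clareq describes) from a TPM that is actually usable; a TPM protector cannot be added until it reports owned.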

#11 mrbios
    Quote Originally Posted by clareq View Post
    It didn't work Back to the drawing board.
    When I image mine, this is the state it ends up in:
    TPM.png

    Are you getting similar?

#12 clareq
    No, I get that the TPM is turned on, but ownership has not been set. I have seen that screen before (I've been working on this for about a month). If I remember rightly I had to set some permissions in AD to allow machines to write back the key. Have a look here: Henk's blog: How to Enable BitLocker, Automatically save Keys to Active Directory


#13 mrbios
    Ah, good old Henk's blog, I like that guy lol. Cheers, will give that a go.

#14 SYNACK
    Quote Originally Posted by mrbios View Post
    When I image mine, this is the state it ends up in:
    TPM.png

    Are you getting similar?
    Does the TPM show up properly in hardware manager? Do you need to integrate the driver into it? What happens if you resume protection? This should write the key back to the TPM or drop an error which may shed more light; if it will enable, it may just be another command to resume protection at the end of the sequence.

#15 mrbios
    Quote Originally Posted by SYNACK View Post
    Does the TPM show up properly in hardware manager? Do you need to integrate the driver into it? What happens if you resume protection? This should write the key back to the TPM or drop an error which may shed more light; if it will enable, it may just be another command to resume protection at the end of the sequence.
    If I try to resume I just get an error. I'll have to check once this task sequence has finished running as to whether it shows up in Device Manager; certainly there weren't any devices showing without drivers, but perhaps it wasn't appearing at all.

    Done the AD change now too, so hopefully I'll see the same error that clareq is getting from this point...


