We want our task sequences to fail as early as possible if there’s going to be a problem. One thing we’ve noticed is that if the TPM fails to activate, the task sequence will eventually fail on the ‘Enable Bitlocker’ step. What ends up happening is that the TS fails, reboots, and the system looks completely normal except that Bitlocker isn’t enabled. Our help desk ended up sending out a few machines like this, which had to be found and encrypted after the fact.
Here’s how to test for TPM actication and fail the task sequence.
- Create a CCTK Package using the instructions on my previous post: SCCM 2012 – Architecture Agnostic Dell CCTK WinPE Bios Package.
- Using the same instructions, create a TS action to install the Dell HAPI drivers.
- Optionally, use the instructions on my previous post to create a generic bios settings template: SCCM 2012 – Generic Multi-Platform Dell CCTK BIOS Settings.
- Save the following file as ‘check-tpmactivation.vbs’ in your dell-cctk package.
'if argument 'warn', set bFailIfDeactivated = True 'if argument 'fail', set bFailIfDeactivated = True Dim bWarnOnly, bArgOK, mainArg, iExitcode iExitcode = 0 bArgOK = vbFalse bWarnOnly = vbFalse If WScript.Arguments.Count = 1 Then mainArg = Wscript.Arguments(0) If mainArg = "warnonly" Then bArgOK = vbTrue bWarnOnly = vbTrue End If ElseIf Wscript.Arguments.Count = 0 Then bArgOK = vbTrue bWarnOnly = vbFalse Else bArgOK = vbFalse End If Dim msg, cmd, text, objShell, strPath, action If bArgOK = vbTrue Then Set objShell = CreateObject("Wscript.Shell") strPath = objShell.CurrentDirectory 'ref: http://stackoverflow.com/questions/5690134/running-command-line-silently-with-vbscript-and-getting-output cmd = "cmd /c " & strPath & "\cctk.cmd --tpmactivation > " & strPath & "\tpmout.txt" 'wscript.echo cmd action = objShell.Run(cmd, 0, True) 'parse result Set fso = CreateObject("Scripting.FileSystemObject") Set file = fso.OpenTextFile((strPath & "\tpmout.txt"), 1) text = file.ReadAll file.Close 'if 'deactivated' then act If InStr(text,"deactivated") Then If bWarnOnly = True Then msg = "Warning! This system's TPM is deactivated. The task sequence will now attempt to enable the TPM then reboot. If this attempt fails, the task sequence will fail. I recommend entering the BIOS after clicking OK and enabling the TPM manually." msgbox msg iExitcode = 0 Else msg = "Warning! This task sequence is failing because the TPM is deactivated and the task sequence was not able to enable it automatically." msgbox msg iExitcode = 1 End If End If Else msg = "Arguments invalid." iExitcode = 1 End If Wscript.Quit iExitcode
- Create a ‘run command-line’ action after the Install HAPI Drivers action, linked to the dell-cctk package, with the following command.
Now, the task sequence will throw a message box if the TPM is deactivated, and fail the task sequence. I recommend duplicating this task sequence action and placing one of the duplicates before your automated attempt to enable the TPM, with the following modified command:
This will throw a different message box suggesting that the user manually check the BIOS setting during the next reboot.