SCCM 2012 OSD Driver Management – Advanced Tips

I’ve got a few tips for working with OSD drivers in SCCM. Here we go:

Finding the Model Name in WinPE

In task sequence actions, I use a WMI filter to target my ‘Apply Driver Package’ actions. Sometimes the target device is new and doesn’t have an OS yet. Since WinPE doesn’t run PowerShell, I can’t use my regular command to find the model.

Instead, try this. It’ll return the model.

wmic computersystem get model

Testing the Driver Package for Completion

Sure, you can wait until the OS is fully deployed, then run control panel -> system -> device manager, etc. You can also do this _during_ the task sequence :).

Anytime after the step named ‘Setup Windows and ConfigMgr’, press F8 to launch the command prompt, and then run the following command.

mmc devmgmt.msc

Driver Source Folder Organization

When importing new drivers, there are a couple of things to keep in mind.

  1. Keep your drivers organized. Create subfolders for the driver classes (model\net, model\sata, model\audio, model\graphics, etc.).
  2. Don’t put .exe files or .zip files in the driver source folders.
  3. If you extract an .exe or .zip file into the driver source folder, and the extracted contents don’t contain .inf files (autorun.inf doesn’t count), then delete that driver and try to work without it. Only drivers with .inf files are imported. If your driver doesn’t have any .inf files, you’ll need to treat it like you would an application or package.
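The three rules above can be checked before an import. The following is an added example, not part of the original post: a PowerShell 3.0+ function that reports, for each driver class subfolder, any leftover .exe or .zip files and whether the folder holds an importable .inf. The model path and file names in the sample tree are constructed for the example.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0 or later.
# Applies the post's three folder rules to one <os>\<model> driver source folder.

function Test-DriverSourceFolder {
    param([Parameter(Mandatory = $true)][string]$ModelPath)

    # Rule 1: files sitting directly in the model folder are not in a class subfolder.
    $loose = @(Get-ChildItem -LiteralPath $ModelPath -File)
    if ($loose.Count -gt 0) {
        Write-Warning ("{0} file(s) are not in a class subfolder" -f $loose.Count)
    }

    foreach ($class in Get-ChildItem -LiteralPath $ModelPath -Directory) {
        $files = @(Get-ChildItem -LiteralPath $class.FullName -Recurse -File)

        # Rule 2: downloaded installers and archives should not be left in place.
        $packed = @($files | Where-Object { '.exe', '.zip' -contains $_.Extension })

        # Rule 3: only .inf files are imported, and autorun.inf does not count.
        $infs = @($files | Where-Object {
            $_.Extension -eq '.inf' -and $_.Name -ne 'autorun.inf'
        })

        [pscustomobject]@{
            Class      = $class.Name
            InfCount   = $infs.Count
            Packed     = ($packed | ForEach-Object { $_.Name }) -join ', '
            Importable = ($infs.Count -gt 0)
        }
    }
}

# Constructed sample tree (hypothetical model folder and file names) so the
# check runs offline. 'audio' has only autorun.inf, so it is not importable.
$demoRoot = Join-Path $env:TEMP 'driversource-demo'
$model    = Join-Path $demoRoot 'Win7\Dell Optiplex 9010'
$sample   = @(
    'net\e1c62x64.inf',
    'net\e1c62x64.sys',
    'audio\setup.exe',
    'audio\autorun.inf',
    'sata\iaStor.inf',
    'sata\driver.zip'
)
foreach ($rel in $sample) {
    $full = Join-Path $model $rel
    New-Item -ItemType Directory -Path (Split-Path $full) -Force | Out-Null
    New-Item -ItemType File -Path $full -Force | Out-Null
}

Test-DriverSourceFolder -ModelPath $model |
    Sort-Object Class |
    Format-Table -AutoSize

# Clean up the constructed tree.
Remove-Item -LiteralPath $demoRoot -Recurse -Force
```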

SCCM Vendor Plugins

Look into the Dell DCIP and Lenovo Thin Installer. They can automate a lot of the driver and BIOS work.

SCCM 2012 – Importing and Managing Drivers for OSD

There are two main sets of drivers to worry about: WinPE drivers and the target OS drivers. If your computer can’t boot WinPE, or WinPE can’t talk to the disk or network card, not much will get done. Conversely, if WinPE lays down an image and reboots into it and the OS doesn’t have disk or network drivers, any subsequent task sequence steps will fail because your PC won’t be able to contact the SCCM server.

Here’s how to manage drivers in SCCM:

Driver Organization

We need two folders: first, a place to put drivers downloaded from the OEM’s website and second, a place for SCCM to store its driver databases (called ‘Driver Packages’).

I created the following folder structure on my SCCM site server:

  • source$\
    • driversource
    • driverpackages
    • applications
    • images
    • ossource
    • …etc

Driversource is where we will put downloaded OS drivers. For example:

  • source$\driversource\
    • Win7\
      • Dell Optiplex 9010
        • <a bunch of folders, INF files, etc.>
      • Dell Optiplex 990
        • <a bunch of folders, INF files, etc.>
      • Lenovo X1C
        • <a bunch of folders, INF files, etc.>
    • WinXP\
      • HP xw4300
        • <a bunch of folders, INF files, etc.>
      • HP xw4600
        • <a bunch of folders, INF files, etc.>

Driverpackages is a folder that SCCM will manage. Messing with stuff in this folder will break things. SCCM will create subfolders named with GUIDs for each driver included in the package.

In the following example folder structure, I would have created the source$ share, the driverpackages folder, the OS folders, and the make\model folders. However, SCCM creates and manages the GUID-named folders.

  • source$\driverpackages
    • Win7
      • Dell Optiplex 9010
        • {idsfbsg-srgsrtg-4564w65mklsfsfgs}
    • WinXP
      • Dell Optiplex 990
        • {83453q-efsdfgsgs-45545yerthdfgssdfg}

Step-By-Step – OS Drivers

  1. Create a folder in .\source$\driverpackages\<os>\<model>.
  2. Create a folder in .\source$\driversource\<os>\<model>.
  3. Download the OEM drivers, extract them, and put the extracted files in the .\driversource\… folder.
  4. Open SCCM Console -> Software Library -> Operating Systems -> Drivers.
  5. Right-click ‘Drivers’ and choose ‘Import Driver’.
  6. On the ‘Locate Driver’ screen, enter the UNC path of your downloaded source drivers. This should look like: \\sccm-server\source$\driversource\<os>\<model>.
  7. On the ‘Driver Details’ screen, add a category to make it easier to clean up after bad or accidental imports later. I always use the Make + Model + OS (ex: “Dell Optiplex 9010 Win7”).
  8. On the ‘Add Driver to Driver Packages’ screen, click ‘New Package’.
  9. On the ‘Create Driver Package’ screen, enter a name and path. The name of the driver package should match the category for clarity. The path of the driver package should be the folder .\source$\driverpackages\<os>\<model> created in a previous step.
  10. On the ‘Add Driver to Boot Images’ screen, do not choose to add any drivers to the boot image at this time.
  11. Finish the import wizard. It will take some time for the drivers to finish importing.

Step-By-Step – Boot Image Drivers

Next, we need to add the network and SATA drivers to the boot images so that WinPE can access the HDD and NIC. Without this step, it’s likely that WinPE will attempt to load and then immediately reboot because it cannot reach the SCCM server.

  1. Navigate to SCCM Console -> Software Library -> Operating Systems -> Driver Packages.
  2. Right-click your new driver package and choose ‘Show Members’.
  3. Right-click the headers of the viewing pane (The bar showing column names like “Icon”, “Name”, “Provider”, etc.) and add the ‘Content Source Path’ field.
  4. Sort the list by driver ‘class’, then highlight all drivers with the classes ‘SCSIAdapter’, ‘Net’, and ‘hdc’, but only those which are for the x86 architecture. You can usually tell the architecture by the content source path.
  5. Right-click the highlighted drivers -> Edit -> Boot Images.
  6. Add your selected drivers to the x86 boot images listed. Be careful, because adding x86 drivers to an x64 boot image, or vice versa, can break the boot image. Also, ensure that the checkbox labeled ‘Update the distribution points’ is checked before hitting ‘OK’.

Now, you should be able to PXE boot your target computer. You can verify that the NIC drivers work by pressing F8 in WinPE to open a command prompt, then trying to ping an IP address. To verify disk drivers, in the WinPE command prompt run the command ‘diskpart’ then enter ‘List Disk’.

Step-By-Step for Win7+

Next, we need to get the OS drivers into the task sequence.

First, we need to find out what your target computer thinks its model name is.

  1. Open PowerShell on the target system.
  2. Execute the following command, and copy down the answer somewhere safe. We need the response that this command gives to properly form the WMI query in the Task Sequence.
    (gwmi win32_ComputerSystem).Model

Next, let’s actually edit the task sequence.

  1. Navigate to SCCM Console -> Software Library -> Operating Systems -> Task Sequences.
  2. Right-click your desired task sequence and choose ‘Edit’.
  3. Select a position after ‘Apply OS Image’ but before ‘Setup Windows and ConfigMgr’ and choose Add -> Drivers -> Apply Driver Package.
  4. On the new TS action, click ‘Browse’ and select the driver package that was just created in the previous section.
  5. Click the ‘Options’ tab of the new TS action.
  6. Click ‘Add Condition’ -> Query WMI.
  7. On the ‘WMI Query Properties’ screen, add the following WMI query. Replace ‘Latitude e4300’ in the example query below with the output of the gwmi command you ran in PowerShell in the earlier step. The quotes and % sign should stay in the query. The trailing % is a wildcard, so the condition matches any model name that starts with that text.
    select * from Win32_ComputerSystem where Model like "Latitude e4300%"
  8. Click OK to close the TS Edit Window and save the TS.
  9. Right-click the TS and choose, ‘Distribute Content’, then complete the wizard to distribute the driver package to your distribution points.

For Win7, you should now be good to go! For XP, there are a couple more steps.

Step-By-Step for WinXP

XP requires 3 sets of drivers: WinPE, OS Drivers, and OS Mass Storage drivers. The above steps will walk you through completing WinPE and OS Drivers. The subsequent steps will cover mass storage drivers.

  1. Follow the instructions for the WinPE and Win7 sections, then come back here.
  2. Complete the instructions in the following blog post, an excellent write-up of the process for finding the correct mass-storage driver and including it in the task sequence: Identifying Windows XP Mass Storage Drivers in Windows PE with Devcon.

And that’s it! Good luck out there.

Installing All Software Updates in an XP Build and Capture TS

I had a hell of a time getting software updates to work in an XP Build and Capture Task Sequence. Things would work okay if I used ZTIUpdates, but not the ‘Install Software Updates’ TS action. A lot of people online seem to have given up, but I think I found the keys to getting things going.

The Problem

When you run an XP Task Sequence with ‘Install Software Updates’, the updates don’t actually install.

The Cause

  1. SCCM can’t scan with the XP SP3 default WUAgent because it’s too old.
  2. SCCM can’t scan for updates with IE 6 installed, which is the XP SP3 default.
  3. SCCM can’t scan for updates without the WSUS patch KB898461 installed.
  4. SCCM can’t download updates with XP SP3 unless joined to the domain.
  5. SCCM can’t communicate with the client once joined to the domain unless the XP certificate hotfix is installed.
  6. Once a software scan action is completed with the ‘Install Software Updates’ step, subsequent updates are not detected because it doesn’t re-scan for new updates after every set of updates is installed.

We’ll resolve these issues below.

The Fix

Packages and Prep

This post assumes that you have MDT Integrated and can use the ZTIWindowsUpdates script.

  1. Download the IE 7 installer here: Windows Internet Explorer 7 for Windows XP.
  2. Make a package for the IE7 installer using the following command-line action.
    IE7-WindowsXP-x86-enu.exe /NoRestart /NoBackup /UpDate-No /Quiet
  3. Download the WUAgent 7.4 Installer here: Windows Update Agent 7.4.7600.226. I found the link here: Forum Post – Windows Update Agent.
  4. Create a package for the WUAgent 7.4.7600.226 installer using the following command-line action.
    WindowsUpdateAgent30-x86.exe /quiet /norestart /wuforce
  5. Download the Windows XP Certificate Enrollment hotfix here: Windows Server 2003 and Windows XP clients cannot obtain certificates
  6. Create a package for the hotfix using the following command-line action.
    WindowsXP-KB968730-x86-ENU.exe /quiet

Task Sequence Changes

  1. Open the XP Build and Capture Task Sequence.
  2. On the ‘apply network settings’ action, join a workgroup instead of a domain.
  3. Directly after the ‘Setup Windows and ConfigMgr Step’, add ‘Install Package’ actions for IE 7, WUAgent 7.4, then the Certificate Hotfix.
  4. Next, right after the certificate hotfix install, add join domain and reboot actions.
  5. Next, add a ‘set task sequence variable’ action with the variable ‘WSUSServer’ set to your site server’s WSUS URL (ex: https://sccm.domain.local:8531).
  6. Next, add the ‘Use Toolkit Package’ and ‘ZTIUpdates’ steps. This will install the WSUS patch and update WUAgent to the latest version.
  7. Next, create an ‘Install Software Updates’ action.
  8. After that, create a new ‘Run Command-Line Action’ with the following command. This will re-scan for new updates.
    WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE
  9. Repeat the Install Software Updates and Re-Scan command line actions. This will ensure that all updates are installed, since each Install Software Updates action is hard-coded to time out after 30 minutes.

Here’s a screenshot of my final task sequence.

[Screenshot: XPBuildAndCapUpdates]

Enjoy!

[SCCM 2012] XP Task Sequence – Removing Windows Tour, MSN, etc.

We have an XP Task Sequence for a couple of really old applications. Here’s how I pull some of the older and unused features out with my build and capture task sequence.

The Goal

Remove the following features from an XP Deploy.

  • MSN Messenger
  • MSN Explorer
  • Windows Tour
  • Outlook Express

The Process

Unattend.txt and the Build and Capture

  1. Create a file named unattend.txt with the following contents, place it in a package, and distribute the package to your distribution points.
    [Components]
    msnexplr=off
    oeaccess=off
    zonegames=off
    msmsgs=off
  2. Check this list to remove any other features you don’t want.
    XP Components
  3. Edit your XP Build and Capture Task Sequence, and choose to use the unattend.txt file \ package created in step 1.
  4. Run the Build and Capture to pull an image without Outlook Express or MSN.

The Deploy

  1. Create a batch file named remove-windowstour.cmd with the following contents, place it in a package, and distribute the package to your distribution points.

    REM Loading Default User's HKCU hive
    REG LOAD HKLM\temp "C:\Documents and Settings\Default User\NTUser.Dat"
    
    REM Importing Remove-WindowsTour.reg into the loaded Default User hive (HKLM\temp)
    REG IMPORT Remove-WindowsTour.reg
    
    REM Unloading Default User's HKCU hive
    REG UNLOAD HKLM\Temp
  2. Create a reg file named remove-windowstour.reg with the following contents, place it in the same package as remove-windowstour.cmd, and update the distribution points.
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\temp\Software\Microsoft\Windows\CurrentVersion\Applets\Tour]
    "RunCount"=dword:00000000
    
  3. Add a ‘Run Command-Line Action’ in your task sequence to run the batch file.
  4. Test the task sequence. It shouldn’t ask to run the Tour, and shouldn’t show the features we removed.

Technically, Outlook Express and Windows Tour aren’t ‘removed’, they’re just hidden. I’m okay with this though.

[SCCM 2012] Task Sequence Hangs on Install Package During OSD (part 2)

So, in my previous post on the issue, I described a complicated series of hotfixes and WMI rebuild scripts which fix this serious issue. After a whole lot of trial and error, I recently found an easier workaround.

The Problem

Task sequences hang indefinitely on the ‘Install Package’ task sequence action.

The Solution

  1. In the ‘Apply Network Settings’ action, join a workgroup instead of a domain.
  2. Add a ‘Join Domain’ action later in the task sequence, but before any ‘Install Software Updates’ actions.

I have no idea why this works :(. However, it really does seem to work for me at least. Yay!

SCCM 2012 – Optimizing Dell CCTK OSD Actions into WinPE

We wanted all of our CCTK actions to happen before the disk gets partitioned. To do this, everything needs to be wrapped into WinPE. This involves some customization of our various scripts, CCTK package folder structures, and boot images. On the plus side, the actions all run much quicker since there’s no need to download a full CCTK package on every step.

The Parts

  1. Folder Structure and CCTK Files
  2. Supporting Files
  3. Modifying the Supporting Files
  4. Making the WinPE Changes
  5. Making the TS Changes

Folder Structure and CCTK Files

  1. On your site server, create the following folder structure:
     * C:\Program Files\Microsoft Configuration Manager\OSD\Extras\CCTK32
     * C:\Program Files\Microsoft Configuration Manager\OSD\Extras\CCTK32\HAPI
     * C:\Program Files\Microsoft Configuration Manager\OSD\Extras\CCTK64
     * C:\Program Files\Microsoft Configuration Manager\OSD\Extras\CCTK64\HAPI
     * C:\Program Files\Microsoft Configuration Manager\OSD\Extras\CCTKShared
  2. Place the CCTK executable and HAPI drivers in their respective locations from the previous step.

Supporting Files

  1. Using the instructions in the following blog post, create the following files and place them in .\CCTKShared.
    SCCM 2012 – Generic Multi-Platform Dell CCTK BIOS Settings
    1. Dell-CustomSettings.cctk
    2. CCTK-Generic.cmd
    3. Show-CCTKErrors.vbs
  2. Using the instructions in the following blog post, create the following file and place it in .\CCTKShared.
    SCCM 2012 – Testing for Dell TPM Activation in a Task Sequence
    1. Check-TPMActivation.vbs

Modifying the Supporting Files

Some of the script files need to be modified since we will no longer be using the cctk.cmd wrapper to select the appropriate cctk executable for the running architecture. Instead, we will only include the 32-bit cctk on the 32-bit WinPE, and vice-versa.

CCTK-Generic.cmd

In this file, make the following changes.

  1. Remove lines 16 through 29 since we don’t need to select architecture.
  2. Replace all instances of “%CCTKPath%\”  with “%~dp0”. See this example:
    %CCTKPath%\cctk.exe --tpmactivation=activate !ARG1! !ARG2!
    --should turn into--
    %~dp0cctk.exe --tpmactivation=activate !ARG1! !ARG2!
    
  3. Before every instance of Show-CCTKErrors.vbs, add “%~dp0”. For example:
    cscript.exe //nologo Show-CCTKErrors.vbs %errorlevel%
    --should turn into--
    cscript.exe //nologo %~dp0Show-CCTKErrors.vbs %errorlevel%
    

check-tpmactivation.vbs

In this file, make the following changes:

  1. Replace all instances of ‘cctk.cmd’ with ‘cctk.exe’.
  2. Delete line 23 (strPath) and replace it with the following code:
    strPath = Wscript.ScriptFullName
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.GetFile(strPath)
    strPath = objFSO.GetParentFolderName(objFile)

HAPIInstall.cmd

Replace this entire file with the following code:

@echo off
%~dp0hapi\hapint.exe -i -k C-C-T-K -p "hapint.exe"

Making the WinPE Changes

  1. Open the following file from your site server in a decent editor: “C:\Program Files\Microsoft Configuration Manager\bin\x64\osdinjection.xml”.
  2. Find the section for i386\SCCM, and add the following lines of code:
    <File name="hapint.exe">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dcmdev32.exe">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dchipm32.dll">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dchcfg32.exe">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dchbas32.dll">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dchapi32.dll">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dcdbas32.sys">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dcdbas32.inf">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dcdbas32.cat">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="pci.ids">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="CCTK.exe">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="mxml1.dll">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK32</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="show-cctkerrors.vbs">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTKShared</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="dell-customsettings.cctk">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTKShared</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="HAPIInstall.cmd">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTKShared</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="check-tpmactivation.vbs">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTKShared</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="CCTK-Generic.cmd">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTKShared</Source>
            <Destination>windows\system32</Destination>
    	  </File>
  3. Find the section for x64\SCCM, and add the following lines of code:
    <File name="hapint.exe">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dcmdev32.exe">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dchipm32.dll">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dchcfg32.exe">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dchbas32.dll">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dchapi32.dll">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dcdbas32.sys">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dcdbas32.inf">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="dcdbas32.cat">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64\HAPI</Source>
            <Destination>windows\system32\HAPI</Destination>
    	  </File>
    	  <File name="pci.ids">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="CCTK.exe">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="mxml1.dll">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTK64</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="show-cctkerrors.vbs">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTKShared</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="dell-customsettings.cctk">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTKShared</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="HAPIInstall.cmd">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTKShared</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="check-tpmactivation.vbs">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTKShared</Source>
            <Destination>windows\system32</Destination>
    	  </File>
    	  <File name="CCTK-Generic.cmd">
            <LocaleNeeded>false</LocaleNeeded>
            <Source>extra\CCTKShared</Source>
            <Destination>windows\system32</Destination>
    	  </File>
  4. Update the distribution points of your boot image. If this fails, double-check that all the files added to osdinjection.xml actually exist.
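One way to do that double-check before updating the distribution points, as an added example that is not part of the original post: the function below lists every File entry whose Source starts with a given prefix and tests whether that file exists on disk. The source root passed in, the `<Files>` wrapper element and the sample tree are assumptions made for this example; substitute the folder your Source values actually resolve from.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0 or later.

function Test-InjectionFile {
    param(
        [Parameter(Mandatory = $true)][xml]$InjectionXml,
        # Assumption: <Source> values are relative to this folder.
        [Parameter(Mandatory = $true)][string]$SourceRoot,
        # Only check the entries added for CCTK, not the stock entries.
        [string]$SourcePrefix = 'extra\'
    )

    $xpath = "//File[starts-with(Source, '$SourcePrefix')]"
    foreach ($node in $InjectionXml.SelectNodes($xpath)) {
        # Use explicit XML methods so the 'name' attribute is read, not the
        # element name.
        $source   = $node.SelectSingleNode('Source').InnerText
        $relative = Join-Path $source $node.GetAttribute('name')
        $full     = Join-Path $SourceRoot $relative

        [pscustomobject]@{
            File    = $relative
            Present = Test-Path -LiteralPath $full -PathType Leaf
        }
    }
}

# Constructed sample: two entries in the post's format inside a hypothetical
# <Files> wrapper, and a temp tree where only the first file exists.
[xml]$fragment = @'
<Files>
  <File name="hapint.exe">
    <LocaleNeeded>false</LocaleNeeded>
    <Source>extra\CCTK32\HAPI</Source>
    <Destination>windows\system32\HAPI</Destination>
  </File>
  <File name="CCTK.exe">
    <LocaleNeeded>false</LocaleNeeded>
    <Source>extra\CCTK32</Source>
    <Destination>windows\system32</Destination>
  </File>
</Files>
'@

$root = Join-Path $env:TEMP 'osdinjection-demo'
$hapi = Join-Path $root 'extra\CCTK32\HAPI'
New-Item -ItemType Directory -Path $hapi -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $hapi 'hapint.exe') -Force | Out-Null

# CCTK.exe was not created above, so it is reported as missing: the condition
# the post says to look for when the boot image update fails.
$report = Test-InjectionFile -InjectionXml $fragment -SourceRoot $root
$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Present })
Write-Output ("{0} file(s) missing" -f $missing.Count)

# Clean up the constructed tree.
Remove-Item -LiteralPath $root -Recurse -Force
```

Against the real file, load it with `[xml](Get-Content <path to osdinjection.xml>)` and pass the result as `-InjectionXml`.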

Making the TS Changes

Now that all the leg-work is done, let’s use it!

  1. Open your task sequence, and create the following actions.
    1. Name: Install Dell HAPI Drivers
      Command: X:\Windows\System32\HAPIInstall.cmd
      Package: None
    2. Name: Check TPM Activation
      Command: X:\Windows\System32\Check-TPMActivation.vbs warnonly
      Package: None
    3. Name: Set Default Dell BIOS Settings
      Command: X:\Windows\System32\CCTK-Generic.cmd
      Package: None
    4. Name: Reboot (HD)
    5. Name: Check TPM Activation (force)
      Command: X:\Windows\System32\Check-TPMActivation.vbs
      Package: None

You should now be in business!

SCCM 2012 – Testing for Dell TPM Activation in a Task Sequence

We want our task sequences to fail as early as possible if there’s going to be a problem. One thing we’ve noticed is that if the TPM fails to activate, the task sequence will eventually fail on the ‘Enable Bitlocker’ step. What ends up happening is that the TS fails, reboots, and the system looks completely normal except that Bitlocker isn’t enabled. Our help desk ended up sending out a few machines like this, which had to be found and encrypted after the fact.

Here’s how to test for TPM activation and fail the task sequence.

  1. Create a CCTK Package using the instructions on my previous post: SCCM 2012 – Architecture Agnostic Dell CCTK WinPE Bios Package.
  2. Using the same instructions, create a TS action to install the Dell HAPI drivers.
  3. Optionally, use the instructions on my previous post to create a generic bios settings template: SCCM 2012 – Generic Multi-Platform Dell CCTK BIOS Settings.
  4. Save the following file as ‘check-tpmactivation.vbs’ in your dell-cctk package.
    'Usage: check-tpmactivation.vbs [warnonly]
    'No argument: exit 1 (fail the TS) if the TPM is deactivated. 'warnonly': show a warning and exit 0.
    Dim bWarnOnly, bArgOK, mainArg, iExitcode
    iExitcode = 0
    bArgOK = vbFalse
    bWarnOnly = vbFalse
    If WScript.Arguments.Count = 1 Then
    	mainArg = Wscript.Arguments(0)
    	If mainArg = "warnonly" Then
    		bArgOK = vbTrue
    		bWarnOnly = vbTrue
    	End If
    ElseIf Wscript.Arguments.Count = 0 Then
    	bArgOK = vbTrue
    	bWarnOnly = vbFalse
    Else
    	bArgOK = vbFalse
    End If
    
    Dim msg, cmd, text, objShell, strPath, action
    If bArgOK = vbTrue Then
    	Set objShell = CreateObject("Wscript.Shell")
    	strPath = objShell.CurrentDirectory
    
    	'ref: http://stackoverflow.com/questions/5690134/running-command-line-silently-with-vbscript-and-getting-output
    	cmd = "cmd /c " & strPath & "\cctk.cmd --tpmactivation > " & strPath & "\tpmout.txt"
    	'wscript.echo cmd
    	action = objShell.Run(cmd, 0, True)
    
    	'parse result
    	Set fso  = CreateObject("Scripting.FileSystemObject")
    	Set file = fso.OpenTextFile((strPath & "\tpmout.txt"), 1)
    	text = file.ReadAll
    	file.Close
    
    	'if 'deactivated' then act
    	If InStr(text,"deactivated") Then
    		If bWarnOnly = True Then
    			msg = "Warning! This system's TPM is deactivated. The task sequence will now attempt to enable the TPM then reboot. If this attempt fails, the task sequence will fail. I recommend entering the BIOS after clicking OK and enabling the TPM manually."
    			msgbox msg
    			iExitcode = 0
    		Else
    			msg = "Warning! This task sequence is failing because the TPM is deactivated and the task sequence was not able to enable it automatically."
    			msgbox msg
    			iExitcode = 1
    		End If
    	End If
    Else
    	'Any other argument combination is rejected and fails the step
    	msg = "Arguments invalid."
    	msgbox msg
    	iExitcode = 1
    End If
    
    Wscript.Quit iExitcode
  5. Create a ‘run command-line’ action after the Install HAPI Drivers action, linked to the dell-cctk package, with the following command.
    check-tpmactivation.vbs

Now, the task sequence will throw a message box if the TPM is deactivated, and fail the task sequence. I recommend duplicating this task sequence action and placing one of the duplicates before your automated attempt to enable the TPM, with the following modified command:

check-tpmactivation.vbs warnonly

This will throw a different message box suggesting that the user manually check the BIOS setting during the next reboot.

Have fun!