TPM chips can be cleared from the OS if this is enabled in the BIOS. This can be automated via a script.
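As an added illustration of that point (example code, not from the thread or from any poster), a PowerShell pre-check of the kind a task-sequence hook could run: it reads the TPM state through the Win32_Tpm WMI class and queues a physical-presence Clear request; whether the firmware then executes it silently or prompts at the console depends on the BIOS PPI settings. It assumes an elevated session on Windows 7 or later with the TPM driver loaded, and since clearing discards the keys that protected any BitLocker volume it belongs only in a wipe-and-load path.

```powershell
# Added example, not from the thread: inspect TPM state from Windows and queue a
# physical-presence Clear request. Assumes an elevated session on Windows 7 or
# later with the TPM driver loaded (Win32_Tpm is only exposed then).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Warning 'No TPM exposed to the OS: absent, or disabled/hidden in the BIOS.'
    exit 1
}

# Each Is* method returns an object with ReturnValue (0 = success) and a boolean.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
Write-Output "TPM found: Enabled=$enabled Activated=$activated Owned=$owned"

if (-not $owned) {
    Write-Output 'TPM is not owned; nothing to clear.'
    exit 0
}

# TCG Physical Presence Interface (PPI) operation codes: 5 = Clear,
# 14 = Clear + Enable + Activate. The OS only queues the request; the firmware
# acts on it at the next boot.
$op = 5
$status = $tpm.GetPhysicalPresenceConfirmationStatus($op).ConfirmationStatus
$meaning = @{
    0 = 'not implemented by this firmware'
    1 = 'firmware-only; blocked for the OS'
    2 = 'blocked by the current BIOS configuration'
    3 = 'allowed, a physically present user must confirm at next boot'
    4 = 'allowed, no confirmation prompt'
}
Write-Output ('PPI operation {0} is {1}' -f $op, $meaning[[int]$status])
if ($status -lt 3) { exit 1 }

$result = $tpm.SetPhysicalPresenceRequest($op)
if ($result.ReturnValue -ne 0) {
    Write-Warning ('SetPhysicalPresenceRequest failed, HRESULT 0x{0:X8}' -f $result.ReturnValue)
    exit 1
}
Write-Output 'Clear request queued. Reboot, then re-check IsOwned() before deploying.'
```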
You know your TPM password?

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Miller, Todd
Sent: February 17, 2016 5:03 PM
To: mdt...@lists.myitforum.com
Subject: RE: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue

Hmm, well for me, when I have an NTFS partition that is encrypted, the task sequence stops when it tries to stage the WinPE boot onto the hard drive. Maybe I've modified my task sequence in some way that breaks proper formatting.

If your WinPE boot disk is different from the WinPE image that your chosen Task Sequence uses, then the WinPE image has to be staged even before the Task Sequence starts - so the idea that the repartitioning/formatting is taken care of exclusively by the task sequences doesn't make 100% sense to me. The SCCM Task Sequence engine might need to stage the WinPE image even before the TS really starts.
- For instance, maybe you boot from a 32-bit WinPE image, but your Windows 7 64-bit Task Sequence calls for a 64-bit WinPE boot disk. The Task Sequence engine (not the task sequence itself) will try to stage WinPE 64-bit and reboot into it to START the task sequence - that happens even before the first item in your task sequence runs... And I am pretty sure it will fail if you have an unwritable NTFS partition on your hard disk.

Sounds like others have it working, so I guess I will just say that it doesn't work for me, and like you have experienced, I have had to run a diskpart/clean when trying to bare-metal install to a previously encrypted disk. We don't use BitLocker, but the problem should be the same - maybe BitLocker is easier/different since BitLocker has that readable partition on the disk where maybe the SCCM engine can stage the WinPE image. My encryption tool (Intel Drive Encryption) only has a single encrypted partition and no separate unencrypted area.

On TPM... Yes, I've tried using CCTK and the new PowerShell scripts and neither can clear an owned TPM chip.
I have talked to Warren about it and he did say that it is against the TPM rules for a BIOS to support clearing TPM in an automated way. I think it can be cleared from inside of Windows though, so not sure about all of that. Maybe Warren will pop in with some advice and clarification soon. You can turn on TPM programmatically but clearing ownership is the trouble. If there is someone who has figured out how to clear ownership on a TPM chip on a Dell, in some automated way, please don't leave us in suspense.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Marcum, John
Sent: Wednesday, February 17, 2016 1:32 PM
To: mdt...@lists.myitforum.com
Subject: RE: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue

Keith and John --- Bare metal from Configmgr. (On a side note, the new XPS is amazing! I have one in my closet doing nothing. Not because it's bad but because I for the new 5510 which is even better.)

Thanks Todd! I thought that one of the two partition steps in the initialize phase (or the format disk in preinstall) was supposed to know that it was booted from PXE, therefore no data should be saved (thus it's a bare metal install), and then blow away the partitions. From what you are saying that must not be true. Seems silly to have to manually delete the partitions. :(

When you say there is no way to clear it programmatically I assume you tried doing so with the Dell utility thingy?
________________________________
John Marcum MCITP, MCTS, MCSA
Desktop Architect
Bradley Arant Boult Cummings LLP
________________________________

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Miller, Todd
Sent: Wednesday, February 17, 2016 10:45 AM
To: mdt...@lists.myitforum.com
Subject: RE: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue

The bare metal task sequence will fail because it will have trouble staging the WinPE boot image to the hard disk. The task sequence will fail any time it detects an NTFS primary partition that it is unable to write to. The task sequence sees that there is an NTFS partition and assumes that it will be able to write to it to stage the WinPE image for reboot, but it cannot. You might need to inject a check and format into the pre-execution hook stage. The task sequence can't just blow away the partition because task sequences are also built for refresh scenarios where you would need to keep the existing NTFS partition for USMT to do its capture. You might be able to rejigger some of the rules on the partition and format section at the top of the task sequence so that it runs more frequently. But I would guess those rules are detecting that there is a reasonable NTFS partition (and there is not).

Regarding the TPM chip. Yeah, you have to clear that manually. You could check to see if it is present and cleared in a pre-execution hook and notify the user, but there is no way to clear it programmatically. Just give up on that right now. I wish I could have those two weeks back.
From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Keith Garner (hotmail)
Sent: Wednesday, February 17, 2016 10:00 AM
To: mdt...@lists.myitforum.com
Subject: RE: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue

MDT Lite Touch or Zero Touch?

From what I recall, MDT Litetouch should be intelligent enough to just blow away the existing BitLockered partition and continue. Same with the TPM, but I haven't had a Dell in a while (I get a new XPS 13 next week).

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Marcum, John
Sent: Wednesday, February 17, 2016 6:05 AM
To: mdt...@lists.myitforum.com
Subject: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue

Sorry if I've asked this before, it's been on my list of things to fix for a very long time and I'm just now actually getting to it.....

When doing a bare metal deployment on any PC that has had the disk encrypted with BitLocker I have two issues:
1. I have to manually go into diskpart and blow away the partitions. Shouldn't the TS do that for me?
2. I have to clear the TPM in the BIOS manually.
   i. On the newer Dell laptops this in itself is a challenge. I find that I must pray to Michael Dell, hold my tongue just right and stand on my head to start with. If I do all that just right I have to clear the TPM, activate the TPM and then clear it again and then load the BIOS defaults in the security node, or I get an error when I try to set up the BIOS in my task sequence. I see this problem on the currently shipping Latitudes; the 6400 takes one more step: I must completely power it off after doing all those steps and power it back on or it fails.

Am I the only person seeing this issue?