Use the script here to clean the chip. Requires F10 at reboot; this is a built-in security feature of the BIOS itself.
http://andrewdcraig.wordpress.com/2013/02/18/enable-tpm-in-a-task-sequence-dell/

True, different versions of cctk have different anomalies. I have tested the -tpmactivation step without the = and it works for me, but I cannot guarantee it will work for all. I have the drive encryption running during the task sequence, using pre-provisioning, and it handles multiple drives as well. Just writing up the blog on it this week. The finished computer has encrypted drives, and with the pre-provisioning it doesn't increase the running time of the TS.

From: [email protected] [mailto:[email protected]] On Behalf Of Robert Ruh
Sent: Tuesday, October 1, 2013 18:13
To: [email protected]
Subject: RE: [mssms] Using SCCM and Dell CCTK

I'm actually going through the same thing right now. We are moving away from one encryption technology to Bitlocker. I have noticed the CCTK tools are a bit inconsistent. For example, the activation of the TPM on a Dell E6510 running the latest BIOS A15 will not activate. So to get around that I downloaded Dell's Client Configuration Toolkit and set up the action to activate the TPM. It then allowed me to export it as an executable and I have that run as part of my task sequence depending on the model.

Something interesting that I found was a comment made by someone who had contacted Dell and on their forums had indicated that he was told there was an error in the instructions or CCTK where it isn't an equals sign after the valsetuppwd, rather there should be a space when activating. I have not tested this yet.

    cctk.exe --tpmactivation=activate --valsetuppwd password

I'm running into an issue though when I'm testing re-imaging a machine that has been encrypted before with Bitlocker. It does not appear that you can clear the TPM in the Dell BIOS using the CCTK tools.
We will be re-imaging machines in the future as break / fixes occur and if that laptop has had Bitlocker on it before, then all the TPM owner information will still be tied to the original machine and will not be to the re-imaged machine account. Even disabling TPM and enabling it will still keep the ownership information in the BIOS unless you clear it, from my understanding. So has anyone been able to clear the TPM when re-imaging the machine (bare metal OS deployment) using the SCCM bootable media (so clearing the TPM when you have booted into WINPE)?

This is the way I have it set up in our environment. I have it set so that the TPM is turned on, activated in the BIOS and the MBAM client installed during the imaging TS. Then once it is joined to the domain, I have a GPO set up to apply all the Bitlocker preferences to it and to instruct the machine to check into the MBAM server. Once it checks in, MBAM handles the rest and will initialize the TPM in Windows and begin the drive encryption. This automatically occurs as I use a WMI filter for the GPO to check if the Win32_TPM class exists and if so, begin the drive encryption.

From: [email protected] [mailto:[email protected]] On Behalf Of Murray, Mike
Sent: Thursday, September 26, 2013 5:02 PM
To: [email protected]
Subject: RE: [mssms] Using SCCM and Dell CCTK

Well, I tried all of the following commands at the command prompt; they seemed to work OK. But when I checked BIOS, TPM was still not activated.
    cctk.exe --setuppwd=password
    cctk.exe --tpm=on --valsetuppwd=password
    cctk.exe --tpmactivation=activate --valsetuppwd=password
    cctk.exe --setuppwd= --valsetuppwd=password

From: [email protected] [mailto:[email protected]] On Behalf Of Niall Brady
Sent: Thursday, September 26, 2013 2:43 PM
To: [email protected]
Subject: Re: [mssms] Using SCCM and Dell CCTK

Correct, as I show in the link above (look for Remove Temporary password in the screenshot). Also note that I'm doing everything in WinPE, hence the cctk 'hapi' references. Most people do the TPM stuff while still in Windows.

On Thu, Sep 26, 2013 at 11:37 PM, Murray, Mike <[email protected]> wrote:

So I could initially set the password, then remove it?

From: [email protected] [mailto:[email protected]] On Behalf Of Powell, Tom
Sent: Thursday, September 26, 2013 2:31 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [mssms] Using SCCM and Dell CCTK

Yup. Set BIOS password / enable TPM / other BIOS settings / remove BIOS password if not required. Kinda the same with HP's tool as well.

Tom
Sent from my iPhone

On 26 Sep 2013, at 22:14, "Keiffer, Scott" <[email protected]> wrote:

I am pretty sure you have to have a BIOS password set in order for the activation to actually work.

---------------
Scott Keiffer
Senior Systems Administrator
Cockrell School of Engineering - IT Group
University of Texas at Austin
[email protected]
512-814-8872

From: [email protected] [mailto:[email protected]] On Behalf Of Murray, Mike
Sent: Thursday, September 26, 2013 3:49 PM
To: [email protected]
Subject: RE: [mssms] Using SCCM and Dell CCTK

I created an EXE with the CCTK that should enable TPM and activate it.
The log (attached) says successful in both steps, but TPM is still not activated (it is on, though).

From: [email protected] [mailto:[email protected]] On Behalf Of Murray, Mike
Sent: Thursday, September 26, 2013 12:39 PM
To: [email protected]
Subject: RE: [mssms] Using SCCM and Dell CCTK

I guess I should've clarified, I'm hoping to enable TPM on existing clients in SCCM. We will also add it to our TS when doing OSD, but we have a bunch of machines out there without it enabled.

From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Thursday, September 26, 2013 12:15 PM
To: [email protected]
Subject: RE: [mssms] Using SCCM and Dell CCTK

Glad to hear that CCTK is being put to good use! As always, let me know if you see anything that we can do to make your life easier with Dell systems management tools.

Thanks,
Warren Byle
Dell | Business Client Systems Management
Product Manager
office +1 512 724 2626
[email protected]
Join the conversation
Dell TechCenter <http://www.delltechcenter.com/>
Twitter: WarrenByle <http://twitter.com/WarrenByle>

Warren

From: [email protected] [mailto:[email protected]] On Behalf Of Niall Brady
Sent: Thursday, September 26, 2013 1:45 PM
To: [email protected]
Subject: Re: [mssms] Using SCCM and Dell CCTK

And here's an older post I did about the modular cctk bits in the task sequence; I use the same methodology in CM12:
http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/

On Thu, Sep 26, 2013 at 8:43 PM, Niall Brady <[email protected]> wrote:

Works great. You don't have to add them to the boot wim files if you don't want to, and instead you can be modular in the task sequence. This task sequence includes
examples of just that:

* CM12 in a Lab - The CM12 BitLocker FrontEnd HTA - video <http://www.windows-noob.com/forums/index.php?/topic/7636-the-cm12-bitlocker-frontend-hta-video/>
* CM12 in a Lab - The CM12 BitLocker FrontEnd HTA <http://www.windows-noob.com/forums/index.php?/topic/7294-the-cm12-bitlocker-frontend-hta>

If only all OEM manufacturers produced tools for doing BIOS actions as Dell do, kudos to Dell!

On Thu, Sep 26, 2013 at 8:39 PM, Murray, Mike <[email protected]> wrote:

Anyone have experience deploying BIOS settings via SCCM and the Dell CCTK? I am specifically interested in enabling the TPM chip, as our security office is interested in using Bitlocker. I found this doc:
http://en.community.dell.com/techcenter/extras/m/white_papers/20209083.aspx

I'm just interested in hearing your stories of doing this, particularly with TPM. Any recommendations, gotchas, etc. Also, if we do enable TPM, is there more that needs to be done on the client?

Best Regards,
Mike Murray
Desktop Management Coordinator - IT Support Services
California State University, Chico
530.898.4357
[email protected]

________________________________
CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email and delete the message and any file attachments from your computer. Thank you.
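
The sequence discussed in this thread (set a temporary setup password, turn the TPM on, activate it, remove the password), followed by the check the thread shows is needed because the cctk log reported success while the TPM was still not activated. This is an added example, not code from any poster or from Dell. The cctk.exe path, the placeholder password, the function names and the assumption that cctk returns exit code 0 on success are all assumptions; the cctk switches are the ones quoted in the thread.

```powershell
# Added example. Assumed values: cctk.exe location and the temporary password.
$Cctk    = 'X:\CCTK\cctk.exe'
$TempPwd = 'password'          # placeholder, as used in the thread

function Invoke-Cctk {
    param([string[]]$CctkArgs)
    & $Cctk @CctkArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {      # assumption: 0 means success
        # Mask password values before they reach the task sequence log
        $shown = ($CctkArgs -replace '(pwd=).*', '$1***') -join ' '
        throw "cctk $shown failed with exit code $LASTEXITCODE"
    }
}

function Enable-DellTpm {
    Invoke-Cctk -CctkArgs "--setuppwd=$TempPwd"
    try {
        Invoke-Cctk -CctkArgs '--tpm=on', "--valsetuppwd=$TempPwd"
        Invoke-Cctk -CctkArgs '--tpmactivation=activate', "--valsetuppwd=$TempPwd"
    }
    finally {
        # Always remove the temporary setup password, even if a step failed,
        # so no machine is left with a shared, known BIOS password.
        Invoke-Cctk -CctkArgs '--setuppwd=', "--valsetuppwd=$TempPwd"
    }
}

function Get-TpmState {
    # Run after the reboot: a clean cctk exit is not proof of activation.
    try {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                             -Class Win32_Tpm -ErrorAction Stop
    }
    catch { return 'NoWin32Tpm' }   # class or namespace missing: TPM off or absent
    if (-not $tpm)                          { return 'NoWin32Tpm' }
    if (-not $tpm.IsEnabled_InitialValue)   { return 'PresentNotEnabled' }
    if (-not $tpm.IsActivated_InitialValue) { return 'EnabledNotActivated' }
    if ($tpm.IsOwned_InitialValue)          { return 'ActivatedAndOwned' }
    return 'ActivatedNotOwned'
}

# Step 1 (before reboot):  Enable-DellTpm
# Step 2 (after reboot):   gate BitLocker/MBAM steps on the real state
if ((Get-TpmState) -notlike 'Activated*') {
    Write-Warning "TPM state is $(Get-TpmState); do not start drive encryption."
}
```

On a re-imaged machine, `ActivatedAndOwned` corresponds to the case raised in the thread where the previous owner information is still present in the TPM.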

