I recently did some work on a project where the client wanted to enable Bitlocker as part of the build process, as part of this process the TPM chip also needed to be enabled as by default it is switched off.  The enabling of Bitlocker and the TPM chip as part of the build process is relatively straight forward and there are plenty of examples of how to do this already available.  However one thing that has caused problems in the past is what happens if the TPM chip is already enabled?  Past experience has shown that if the TPM chip is already enabled then the step to enable the TPM chip will fail and if the option to continue on failure is not checked the task sequence will exit.

Tim over at the deployment guys blog has written a script that checks the TPM status and sets two variables based on the results, these variables can then be used as conditions in the next step of the task sequence.  Tim’s post can be found here: http://blogs.technet.com/b/deploymentguys/archive/2010/12/22/check-to-see-if-the-tpm-is-enabled.aspx.

As a brief overview Tim’s script is placed in the task sequence prior to the steps to enable the TPM chip.  When the script runs, it checks the status of the TPM chip and if it is enabled and activated two variables are set as TPMEnabled=TRUE and TPMActivated=TRUE and if it is not the two variables are set as False.  The step to enable the TPM chip would then have a condition set to look at these variables and if they were set to FALSE the step to enable to the TPM would run.

This is a great solution to the problem that I wanted to overcome however I was seeing mixed results with the script.  In some cases it would incorrectly see the chip as enabled and activated when it wasn’t, I couldn’t find a  reason for this other than sometimes it worked other times it didn’t.  Now that I had a good grounding on what could be done I set about writing a powershell script that would do the same as Tim’s script, the end result was the script below.

As part of my script I took advantage of the brilliant Windows PowerShell Script Library for MDT created by Aaron Czechowski details of this can be found at http://blogs.technet.com/b/aaronczechowski/archive/2011/06/29/windows-powershell-script-library-for-mdt.aspx.  In a nutshell Aaron has created a Windows PowerShell library similar to the ZTIUtility.vbs script library in MDT.  It’s not complete and I’m not sure if anything more will be done on it, but the bit that I was interested in was the logging aspect.

My script works in the same way as Tim’s in that it checks the TPM status and then sets two variables which then determine if the next step of the Task Sequence runs or not.  The script should be copied to the MDT script root and then called using a run command line step in the task sequence.

 

# //****************************************************************************
# // ***** Script Header *****
# //
# // File:      CheckTPMStatus.ps1
# //
# // Purpose:   Check to see if the TPM chip is enabled and activated.  Depending
#//             on the status of the chip two Task Sequence variables are created.
#//             This script uses the Common Windows PowerShell Libraries for MDT
#//             Framework created by Aaron Czechowski and can be found at
#//             http://blogs.technet.com/b/aaronczechowski/archive/2011/06/29/windows-powershell-script-library-for-mdt.aspx
#//
# //
# // File Version:   1.0
# //
# // History:
# // 1.0   SRR   01/02/2012   Created initial version.
# //
# // ***** End Header *****
# //****************************************************************************

# ***** Disclaimer *****
# This file is provided "AS IS" with no warranties, confers no
# rights, and is not supported by the author. Copyright Steve Rollins
#
# The Common Windows PowerShell Libraries for MDT Framework is the property of Aaron Czechowski.
# Its use is subject to the terms specified in the Terms of Use
# (http://www.microsoft.com/info/copyright.mspx).

# //****************************************************************************
# // Define constant variables
# //****************************************************************************

 $ScriptPath = Split-Path -Parent $MyInvocation.MyCommand.Definition
 . $scriptPath\Z-Utility_v1-0a.ps1

 $strComputer = "."
 $tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment 

 Create-LogEntry "Start of CheckTPM Script" $LogTypeInfo
 Create-LogEntry "The log file is here: $logFile" $LogTypeInfo

#Check if TPM is enabled and Activated
Create-LogEntry "About to start checking status of TPM." $LogTypeInfo
 $tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMV2\Security\MicrosoftTpm" -computername $strComputer

   If ($tpm.isEnabled_InitialValue -eq "true") {
    $tpme = "TRUE"
    }
   Else {
    $tpme = "FALSE"
   }
      If ($tpm.isActivated_InitialValue -eq "true") {
    $tpma = "TRUE"
    }
   Else {
    $tpma = "FALSE"
   }

   $tsenv.Value("TPMEnabled") = "$tpme"
   Create-LogEntry "Script has completed, TPMEnabled variable will be set to: $tpme" $LogTypeInfo
   $tsenv.Value("TPMActivated") = "$tpma"
   Create-LogEntry "Script has completed, TPMActivated variable will be set to: $tpma" $LogTypeInfo