You may have encountered a scenario where TPM needs to be set to version 1.2 in order for encryption to work correctly (e.g. on Windows 7 platform). Many machines come with TPM 2.0 these days, however they still offer a backward-compatibility of running TPM 1.2 – quite often this is available as an option that can easily be changed in the BIOS. However, it is a bit different for a wide range of HP desktops and laptops. TPM can be switched between the two versions in a form of a firmware update. This article will walk you through steps you need to take in order to automate the process in SCCM Task Sequence.
HP tool – TPM Configuration Utility
First, let me quickly talk you through TPM Config utility:
- It has a limitation of carrying out TPM conversion only 64 times, but our Task Sequence will make sure TPM downgrade occurs only when needed.
- It comes as TPMConfig.exe and TPMConfig64.exe executables to be used on 32-bit and 64-bit platforms respectively.
- The firmware upgrade/downgrade image (BIN) files are to be used for conversion between specific versions. This is not only between TPM specification versions, but also HP’s internal TPM code versions.
- During the process the utility will create a hidden 5GB HP_Tools partition at the end of the drive (if it doesn’t exist already).
- The update process will take place upon reboot.
- When run in silent mode, the command doesn’t hold the handle, so a delay needs to be introduced to allow it to complete its tasks.
- You can point the executable to additional BIN file containing the BIOS password. BIN file stores the password in encrypted format and can be generated with HP Password Encryption Utility (HPQPswd.exe). If you specify password in your upgrade command, it will work if the BIOS password matches and if there is no BIOS password set, so: two birds, one stone.
Create SCCM Package with TPM Configuration Utility
Before you start tweaking your Task Sequence, you need to create a new package that will contain all required files. Download latest HP TPM Configuration Utility and place all files in the root of the directory. Also, include your BIN file with password (should you need one). Next, create a new SCCM Package and point it to your location. You do not need to create a Program, we need this container purely to hold the content. Below is an example of what your package should look like.
TPM downgrade process on paper
Before we actually start putting steps into our Task Sequence, have a look at logic that will be applied. Below is a flowchart that shows you steps we will go through to achieve our goal, and also to protect integrity of the machine. We do not want to brick the device, now do we? We will run our TPM downgrade process only if:
- TPM downgrade is actually required (TPM is not running spec version 1.2)
- Machine model is supported by our tool (i.e. one that we tested on a sample machine)
- TPM chip manufacturer matches expected string
Create SCCM Task Sequence
Now that we know what we should be trying to achieve and we have created our Package with source files, let’s start the implementation! I think it will be easier to show you a final version of the Task Sequence, and then talk you through each one of the steps. For clarity, I have marked every step/group as follows:
- * denotes there is conditional execution (e.g. WMI query set in Options tab)
- > denotes the step is set to “Continue on error”
First of all, since this is OSD Task Sequence, we need to format our HDD. Pretty standard stuff, so no need to dive in deeper. Only thing to note is that the intended Windows partition drive letter has been assigned to OSDisk Task Sequence variable, it will be referenced and used later on.
After HDD is formatted, we start with establishing whether TPM downgrade is needed. We do it by querying Win32_TPM class and checking if SpecVersion does not start with 1.2% (make sure you make note of % wild card at the end of the string). Note the inverted logic in the IF statement.
Type: Group Conditions: If None of the conditions are true: WMI Query (root\cimv2\Security\MicrosoftTPM): SELECT * FROM Win32_TPM WHERE SpecVersion LIKE "1.2%"
Next, assuming the above query was evaluated as true, we check if machine model this Task Sequence is running on matches one of the machines we have previously tested. I would strongly recommend to test this individually on every machine type you want to run it – don’t just include this for all machines that HP says its supported. You don’t want to mass-brick devices! We do it swiftly by querying value of Model property in Win32_ComputerSystem class.
Type: Group Conditions: If Any of the conditions are true WMI Query (root\cimv2): SELECT * FROM Win32_ComputerSystem WHERE Model = "HP EliteDesk 705 G3 SFF" WMI Query (root\cimv2): SELECT * FROM Win32_ComputerSystem WHERE Model = "HP EliteBook 725 G4" WMI Query (root\cimv2): SELECT * FROM Win32_ComputerSystem WHERE Model = "HP EliteBook 745 G4"
We now need to evaluate whether TPM chip manufacturer is one of the expected ones. We are looking for IFX string, that is actually available under ManufacturerID property in Win32_TPM class as a decimal value. Cool!
Type: Group Description: (1229346816 = 0x49465800 (ASCII: IFX)) Conditions: If Any of the conditions are true WMI Query (root\cimv2\Security\MicrosoftTPM): SELECT * FROM Win32_TPM WHERE ManufacturerId = "1229346816"
Assuming all above queries were true (we are not running TPM version 1.2, we are running this on one of the supported machines with supported TPM chip), we can finally get going. We start with creating a “TPM” folder on the primary partition (available under OSDisk variable).
Type: Run Command Line Command line: cmd.exe /c mkdir %OSDISK%\TPM Conditions: If None of the conditions are true: Folder %OSDISK%\TPM exists
Next, we are going to copy all files (TPM utility, firmware files etc.) that we have previously created in our SCCM package to the local HDD (OSDisk). We do it simply using xcopy command – just make sure you select the Package tickbox and reference your package with source files!
Type: Run Command Line Command line: cmd.exe /c xcopy *.* %OSDISK%\TPM Package: Selected "HP TPM Configuration Utility SP78910"
In next two steps, we set TPMCONFIGEXEC variable that will point to either TPMConfig.exe or TPMConfig64.exe, depending on version of WinPE (32-bit or 64-bit). Easily done by querying OSArchitecture property of Win32_OperatingSystem class.
Type: Set Task Sequence Variable Task Sequence Variable: TPMCONFIGEXEC Value: TPMConfig.exe Conditions: If Any the contitions are true WMI Query (root\cimv2): Select * FROM Win32_OperatingSystem WHERE OSArchitecture = "32-bit"
Type: Set Task Sequence Variable Task Sequence Variable: TPMCONFIGEXEC Value: TPMConfig64.exe Conditions: If Any the contitions are true WMI Query (root\cimv2): Select * FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"
We finally get to run the executable to kick off TPM chip conversion process from TPM 2.0 to TPM 1.2! We do it by running one of the three steps, depending on the CURRENT HP firmware version. As mentioned before you need to apply the EXACT firmware update file from a specific TPM firmware version to another. We check current TPM firmware version by querying ManufactuterVersion property in Win32_TPM class. Then, we run TPMConfig(64).exe with silent switch (-s). We use -f switch to point it to the required firwamre file, -p to point it to file with encrypted BIOS password (if applicable) and -c switch to instruct it to create HP_Tools partition if necessary.
Type: Run Command Line Command line: cmd.exe /c %TPMCONFIGEXEC% -s -fTPM20_7.40.2098.0_to_TPM12_18.104.22.168.BIN -pBIOSpassword.bin -c Conditions: If Any of the conditions are true WMI Query (root\cimv2\Security\MicrosoftTPM): SELECT * FROM Win32_TPM WHERE ManufacturerVersion = "7.40"
Type: Run Command Line Command line: cmd.exe /c %TPMCONFIGEXEC% -s -fTPM20_7.41.2375.0_to_TPM12_22.214.171.124.BIN -pBIOSpassword.bin -c Conditions: If Any of the conditions are true WMI Query (root\cimv2\Security\MicrosoftTPM): SELECT * FROM Win32_TPM WHERE ManufacturerVersion = "7.41"
Type: Run Command Line Command line: cmd.exe /c %TPMCONFIGEXEC% -s -fTPM20_7.61.2785.0_to_TPM12_126.96.36.199.BIN -pBIOSpassword.bin -c Conditions: If Any of the conditions are true WMI Query (root\cimv2\Security\MicrosoftTPM): SELECT * FROM Win32_TPM WHERE ManufacturerVersion = "7.61"
Since TPM Configuration Utility doesn’t wait for the process to finish and returns straight to command prompt after running, we need to give it enough time to complete the task before rebooting. I have used script described in one of my previous posts (How to control progress bar in MDT/SCCM Task Sequence using VBScript, but you can use any other method of introducing delay as you see fit. Either way – 60 seconds will do!
Type: Run Command Line Description: TPMConfig.exe/TPMConfig64.exe does not hold the handle, give the tool enough time to create partition and stage firmware downgrade Command line: cscript.exe OSDwait.vbs /timeout:60 Package: Selected "OSD Wait 1.0"
At last, we can instruct machine to reboot and complete firmware update process. Just make sure you select to boot machine back to Windows PE! Important note: upon reboot you should see a prompt to press F1 to accept TPM reconfiguration or F2 to reject it.
Type: Restart computer Specify what to run after restart: The boot image assigned to this task sequence
Now the update process should be finished and we are back in Windows PE. Before we re-format the HDD (to get rid of HP_Tools partition we no longer need), it is a good idea to grab the update process log file and store it in RAM drive for future reference and potential troubleshooting. Bear in mind that the log file will have different name, depending whether it was 32-bit or 64-bit executable that created it. I move it to directory stored in %TEMP% system variable, which at this point should lead you to X:\Windows\Temp.
Type: Run Command Line Description: Move TPMConfig.log/TPMConfig64.log file to Temp directory on RAM drive (should be X:\Windows\Temp) Command line: cmd.exe /c move /Y %OSDISK%\TPM\TPMConfig*.log %TEMP% Conditions: If Any of the conditions are true File %OSDISK%\TPM\TPMConfig64.log exists File %OSDISK%\TPM\TPMConfig.log exists
We can re-run our step to format and partition the HDD and that concludes our TPM update section.
Next, we deploy the WIM file onto the HDD – irrespectively of firmware update process. As a very last step, we add a nice touch of checking if our TPMConfig*.log file exists and if it does – we move it from RAM drive to local HDD for future reference.
Type: Run Command Line Description: Move TPMConfig.log/TPMConfig64.log file from RAM drive to Logs directory Command line: cmd.exe /c move /Y %TEMP%\TPMConfig*.log %OSDISK%\Windows\Logs Conditions: If Any of the conditions are true File %OSDISK%\TPM\TPMConfig64.log exists File %OSDISK%\TPM\TPMConfig.log exists
Important thing to note: if the device comes with newer TPM firmware version (above 7.61), none of update steps will execute and the worst that can happen is just a reboot for no reason. While you will not have TPM downgraded to version 1.2, your device will also be automatically protected from accidentally bricking it! As newer version of firmware are released, you can update your package with source files and add relevant step for the update to take place in a controlled manner.
And that concludes the process of downgrading TPM chip to version 1.2 in SCCM Task Sequence on HP machines!