WMI query: Checking TPM status to install software

  • Question

  • Maybe someone has already done this. I have two Dell application packages made with Dell Command Configure; one turns on TPM and the other activates it. I'm trying to set it so that the application will only run if it meets the right condition. I've gotten this to work for installing Dell's Command Update: it runs a WMI query for certain models and installs the software if it is that model.

    For some reason I just can’t figure out what kind of query to make for TPM. If I make a query from the command line I get “no instance(s) available” if TPM is not on. If TPM is on but not activated it'll return a False answer.

    Here's what I have

    Dell Enable TPM.
    Added the following conditions to this application:

    If any conditions are true

    WMI namespace: root\cimv2\security\microsofttpm
    WMI query: SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue IS FALSE


    WMI namespace: root\cimv2\security\microsofttpm
    WMI query: SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue LIKE "%No Instance%"

    I'm looking to make the task sequence as hands off as possible so that even if a tech forgot to enable TPM in the BIOS before starting MDT it would enable TPM during the TS but before it attempted to enable BitLocker.

    If this post is helpful please vote it as Helpful or click Mark for answer.

    Friday, September 4, 2015 2:12 PM

Answers

  • In case anyone else comes across this I'm posting what is working as of MDT 2013 update 1

    I created a group in my task sequence and used an "if any conditions are true" with several WMI queries for the different models (SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Optiplex%"), that way the whole group would only be applied to Dell computers.

    For the app to install on systems that didn't have TPM turned on I added a WMI query. "If none of the conditions are true" SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = True


    • Marked as answer by Dan_Vega Friday, October 16, 2015 6:15 PM
    Friday, October 16, 2015 6:15 PM

All replies

  • Think you may find what you are looking for here:

    http://en.community.dell.com/techcenter/os-applications/w/wiki/how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence

    I downloaded their "How to Enable Trusted Platform Module (TPM) on Dell Business Client Systems", which contained examples and scripts.  While the "DellEnableTPM_Sample.xml" did not really have a query in it for TPM, they do have a few sample scripts that may assist as well (SampleTrustedPlatformModule.vbs).

    Hope this helps

    Friday, September 4, 2015 5:39 PM
  • That doesn't address what I'm doing, I've already created the app packages that can enable and activate TPM and they work, but I want to restrict the task to only run if the machine does not have TPM turned on. If I run the tasks without restriction it will make the changes to the BIOS, but I don't want it attempting to do that for a Dell system that already has TPM turned on and Activated.

    The task group will only try to run on Dell systems, I got that working easily enough


    Friday, September 4, 2015 8:06 PM
  • For Step "Enable TPM" add this condition (if none are true):
    SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue=1
    For Step "Activate TPM" add this condition (if none are true):
    SELECT * FROM Win32_Tpm WHERE IsActivated_InitialValue=1

    If you want to set this condition on step "Dell - Configure BIOS & TPM" you need something different:
    IF all conditions are true
      IF any conditions are true
        --> Insert your WMI queries (Model based)
      IF any conditions are true
        IF no condition is true
          --> SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = 1
        IF no condition is true
          --> SELECT * FROM Win32_Tpm WHERE IsActivated_InitialValue = 1
    You need to repeat "SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = 1" on step "Enable TPM" and "SELECT * FROM Win32_Tpm WHERE IsActivated_InitialValue = 1" on step "Activate TPM".
    Provided "as is"

    • Proposed as answer by Gaëtan Hermann Friday, September 4, 2015 8:42 PM
    • Marked as answer by Dan_Vega Wednesday, September 9, 2015 1:07 PM
    • Unmarked as answer by Dan_Vega Friday, October 16, 2015 6:02 PM
    • Unproposed as answer by Dan_Vega Friday, October 16, 2015 6:15 PM
    • Proposed as answer by Mathia5 Tuesday, February 27, 2018 10:06 AM
    Friday, September 4, 2015 8:42 PM
  • Hi,

    Not sure if this is any help, but it is applicable to checking status of TPM:

    http://blogs.technet.com/b/deploymentguys/archive/2010/12/22/check-to-see-if-the-tpm-is-enabled.aspx

    Ewen.

    Saturday, September 5, 2015 12:34 AM
  • Thanks! That worked, but for some reason I'm getting a return code 10 from the dell package during the task sequence. If I open an admin command prompt and run it, it works. So I'll troubleshoot that separately.

    Wednesday, September 9, 2015 1:12 PM
  • If I recall correctly the Dell tool's return codes are a bit more complex than 1 or 0.

    Most important details are logs. If you are unsure how to post logs or where to find them then reference https://keithga.wordpress.com/2014/10/24/video-mdt-2013-log-files-basics-bdd-log-and-smsts-log/

    Wednesday, September 9, 2015 10:22 PM
    Moderator
  • Hey Dan_Vega,

    What is the solution if I get the error "Access Denied" and "Unable to connect to the namespace" when we test the query? Should I manually enable remote WMI on the host?!

    Wednesday, October 17, 2018 5:38 PM
  • How are you testing the query? This doesn't run remotely. When the task sequence runs it makes the query locally.

    Daniel Vega

    Wednesday, October 17, 2018 7:12 PM
  • Hey Dan,

    There is a tool, WBEMTest, I can test the connectivity with; when I added my Domain admin account it works locally, but I believe the query did not retrieve any data?! That's why it jumped to the last task and tried to enable BitLocker!

    Thanks

    OR


    • Edited by OmidRajaee Wednesday, October 17, 2018 8:21 PM
    Wednesday, October 17, 2018 8:20 PM
  • I don't have a log to show, because it isn't logged during the Preinstall phase. There are caveats to scripting TPM to be turned on. That is that preprovisioning won't occur, since the system has to be rebooted after enabling TPM and you can't do that during the WinPE portion of the imaging. It hasn't been a problem for us anymore because all the systems we buy already have TPM enabled out of the box, but ownership hasn't occurred, so it isn't an issue to reimage without clearing TPM.

    I don't ever rely on the script to enable TPM, I just use it as a safety net because I'd rather the system be preprovisioned for BitLocker.

    I use in part the info from here: Running Dell Command and Configure (formerly Client Configuration Tool Kit (CCTK)) commands in Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager (SCCM) Task Sequences


    Daniel Vega

    Wednesday, October 17, 2018 8:42 PM
  • Thank you Daniel,

    for now, I am focusing on all provisioned laptops and then we'll work on a new image for PE!

    Have you ever had an issue with the task to verify TPM status before activating and enabling TPM?!

    It always passed these tasks! I don't know why:

    I used these two WMI queries to verify TPM status:

    SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = FALSE

    SELECT * FROM Win32_Tpm WHERE IsActivated_InitialValue = FALSE


    Wednesday, October 17, 2018 11:11 PM
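The following PowerShell is an added example, not code from the thread or from Dell/Microsoft. It models how an MDT task-sequence WMI condition is evaluated (the condition is true when the query returns at least one instance) and runs the same checks against the three TPM states the thread describes: TPM off in the BIOS (no Win32_Tpm instance at all, per the original poster's "no instance(s) available"), enabled but not activated, and enabled and activated. It shows why the "if none of the conditions are true" form with `IsEnabled_InitialValue = 1` / `IsActivated_InitialValue = 1` (the marked answer and Gaëtan Hermann's reply) fires the Enable/Activate steps in the right cases, while the `= FALSE` form in the post above can never match when the TPM is off, because there is no instance for the WHERE clause to match. The scenario data is constructed; the live query at the end assumes the script runs elevated on Windows and is skipped silently if the namespace is absent. Function names are illustrative.

```powershell
# Added example: emulate MDT/ConfigMgr WMI step conditions against Win32_Tpm.
# Not from the thread; names and sample data are illustrative.

$TpmNamespace = 'root\cimv2\security\microsofttpm'   # real namespace of Win32_Tpm

# A task-sequence WMI condition is "true" iff the query returns >= 1 instance.
# The WQL WHERE clause is modelled as a scriptblock filter over the instances.
function Test-WmiCondition {
    param(
        [AllowEmptyCollection()][object[]]$Instances,  # what the query would see
        [scriptblock]$Where                             # stand-in for the WHERE clause
    )
    return (@($Instances | Where-Object $Where).Count -gt 0)
}

# Marked answer / Gaëtan's form: "if none of the conditions are true".
# The step runs only when the query returns no rows; a missing instance
# (TPM off in BIOS) therefore counts as "run the step", which is what we want.
function Test-EnableTpmStep {
    param([AllowEmptyCollection()][object[]]$Instances)
    # WQL: SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = 1
    -not (Test-WmiCondition -Instances $Instances -Where { $_.IsEnabled_InitialValue -eq $true })
}

function Test-ActivateTpmStep {
    param([AllowEmptyCollection()][object[]]$Instances)
    # WQL: SELECT * FROM Win32_Tpm WHERE IsActivated_InitialValue = 1
    -not (Test-WmiCondition -Instances $Instances -Where { $_.IsActivated_InitialValue -eq $true })
}

# The "= FALSE" form with the default "if all conditions are true": it needs a
# matching row, so it can never fire when the TPM is off (no instance exists).
function Test-InvertedEnableStep {
    param([AllowEmptyCollection()][object[]]$Instances)
    # WQL: SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = FALSE
    Test-WmiCondition -Instances $Instances -Where { $_.IsEnabled_InitialValue -eq $false }
}

# Constructed scenarios (not real machines): the three states described in the thread.
$Scenarios = [ordered]@{
    'TPM off in BIOS (no Win32_Tpm instance)' = @()
    'TPM enabled, not activated'              = @([pscustomobject]@{ IsEnabled_InitialValue = $true; IsActivated_InitialValue = $false })
    'TPM enabled and activated'               = @([pscustomobject]@{ IsEnabled_InitialValue = $true; IsActivated_InitialValue = $true  })
}

foreach ($name in $Scenarios.Keys) {
    $inst = $Scenarios[$name]
    [pscustomobject]@{
        Scenario             = $name
        RunEnable_NoneTrue   = Test-EnableTpmStep      -Instances $inst   # True, False, False
        RunActivate_NoneTrue = Test-ActivateTpmStep    -Instances $inst   # True, True,  False
        RunEnable_Inverted   = Test-InvertedEnableStep -Instances $inst   # False, False, False
    }
}

# Live check on this machine. Get-CimInstance needs an elevated session; the
# namespace or class may be absent (for example in WinPE), so errors are ignored
# and an empty result is treated exactly like "TPM off" above.
$live = @(Get-CimInstance -Namespace $TpmNamespace -ClassName Win32_Tpm -ErrorAction SilentlyContinue)
[pscustomobject]@{
    Scenario             = "This machine ($($live.Count) Win32_Tpm instance(s))"
    RunEnable_NoneTrue   = Test-EnableTpmStep      -Instances $live
    RunActivate_NoneTrue = Test-ActivateTpmStep    -Instances $live
    RunEnable_Inverted   = Test-InvertedEnableStep -Instances $live
}
```

The table the script prints makes the difference visible: with the "none are true" form, the Enable step runs only for the "TPM off" scenario and the Activate step runs for "TPM off" and "enabled, not activated", which is the hands-off behaviour the original poster was after; the inverted "= FALSE" form is false in every scenario where the Enable step is actually needed. Note that the live query also returns nothing when the namespace cannot be opened (for example when not elevated), so "no instance" should be read as "TPM off or not queryable", which is acceptable for a safety-net step but not as proof that the TPM is disabled.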
  • Maybe this script is helpful for you - Check to see if the TPM is enabled

    Daniel Vega

    Thursday, October 18, 2018 1:37 PM