RESOLVED - TPM not detected via MDT image deployment


  • Hi Deployment gurus,

    I have a Bitlocker/TPM question for you all today. My issue is exactly the same as this pre-existing thread:

    http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/7b0a588b-5919-4fad-a60b-5eedf50cdf63

    You can see I've added my question on the bottom there. That thread is in the Win7 client install forum, and I thought I'd have better luck if I was to throw it open to the MDT gurus.

    In a nutshell, if I install Win7 from the install DVD to a brand new HP 6730b laptop, then Windows detects the TPM chip, and lists it in Device Manager under a Security Devices branch. If I deploy the OS to the laptop via MDT/litetouch boot CD, I get no TPM. I don't even have an orphaned "unknown device" in Device Manager - I just get nothing. Obviously, Bitlocker can't be set up, because the TPM doesn't exist as far as Windows is installed. When you go into the TPM Administration app, it simply shows the "you don't have a TPM chip installed" screen. The TPM is turned on and enabled in the BIOS, and it all works fine if I install from the Windows 7 DVD with no changes to the BIOS.

    Am I missing something obvious here? From looking through the forum, other people are having great results in configuring bitlocker via the MDT deployment TS, which is exactly what I hope to be able to do. It seems like Gai-jin from the aforementioned thread and myself are the only ones having this trouble.

    Please let me know if you need any further information - any and all suggestions will be most welcome.

    Thanks!

    Matt Russell

    • Edited by Matto-FNQ Monday, May 31, 2010 7:01 AM
    Thursday, May 27, 2010 2:07 AM

All replies

  • Although I've never tried, my first guess would be to include the TPM chipset driver in WinPE along with your network and storage drivers?
    Thursday, May 27, 2010 11:49 AM
  • Hi Joe,

    Thanks for getting back to me. I think you might be on the right track. My problem is that there aren't any special drivers for the TPM - it's just a standard Microsoft driver that comes as part of Win7. I would have thought that if it were a driver injection issue that either it would just work, or that I'd see the device showing up in Device Manager without a driver loaded for it?

    Not saying you're wrong though - far from it! I'm very much an amateur at this, so will investigate how I go about extracting this driver from the OS files, and making it part of the WinPE boot CD.

    Again - thanks very much for your help!

    Matto :)

    Friday, May 28, 2010 7:10 AM
  • We see the same issue with HP laptops.  It may not be exclusive to HP, but that's what we are using.

    In our situation, we have the XP drivers imported into the out of box drivers and there is a TPM driver for XP.  Unfortunately Windows 7 picks up the TPM driver for XP and uses it.  There is a device called Infineon Trusted Module under System Devices in Device Manager.

    Once we change the driver for that device to use the driver that comes with Windows 7 (Trusted Platform Module 1.2), then the OS sees the TPM and can initialize it with no issues.

    We are trying to find a way to prevent Windows 7 from using the XP driver that is in out of box drivers.  I have edited the drivers.xml so it no longer says it is supported on Windows version 6.0, but it still gets applied.

    Friday, May 28, 2010 1:08 PM
  • Use selection profiles or driver groups to limit the drivers being applied... see this article for more details

    MDT 2010 Lite Touch Driver Management
    http://www.deployvista.com/Home/tabid/36/EntryID/132/language/en-US/Default.aspx

    / Johan

    Friday, May 28, 2010 1:16 PM
    Moderator
  • Hi eschloss,

    Thanks for the input. I have tried loading the XP TPM driver into my MDT, and can confirm that mine is now doing the same as yours - I am getting the Infineon Trusted Platform Module showing up in Device Manager, under the System Devices branch. If I go into the TPM administration console at this point, Windows reports no compatible TPM chip.

    However, I checked a machine that I had imaged with the same WIM file prior to adding in the XP driver, and it has the Infineon Trusted Platform Module in the System Devices branch in Device Manager as well. That was before I had loaded in the specific XP drivers. So I don't think that it's actually picking up the XP drivers in my case. Your situation might be different though.

    My current theory is that possibly some of the Intel chipset drivers I've loaded into MDT in the OOB drivers section might be interfering with the built-in Windows drivers. I've got a lot of Intel chipset drivers loaded in for Windows XP. It's possible that they are set as being applicable to Win7 as well, and are being injected instead of the install using the generic Windows drivers.

    As per Johan's suggestion, I've created a new Selection Profile called "Only Win7 included drivers", and have restricted it to the folders containing the original source files for Win 7 (both x64 and x86), and have restricted my TS to use that selection profile. If that works, I'll build out the selection profile to include ONLY the other OOB drivers that the computers need, and only use a third-party driver when the device is not detected using the inbuilt Win7 drivers. I'm reasonably convinced (at the moment, anyway) that this is the root cause of my problem.

    I'm currently imaging up the laptop now - will post back with my results once it has completed.

    Thanks for the help!

    Matto :)

    Monday, May 31, 2010 2:47 AM
  • Hi eschloss,

    We are seeing the same thing on our images - The Infineon Trusted Platform Module is showing up under System Devices in Device Manager, not under the Security Devices branch. Interestingly, I had not downloaded and installed the XP driver.

    Further investigation, after being tipped off by Johan's response above, showed MDT is getting confused, and injecting the wrong drivers. I've got a bunch of Win XP chipset drivers loaded for these laptops, as we image them with XP as well. By the looks of things, MDT is installing a vendor-specific chipset driver, which is having the side effect of incorrectly configuring the TPM driver.

    Using Johan's instructions, I set up a new selection profile, to only include the drivers that are part of the original Windows 7 source install media, and edited the deployment TS to only use drivers from that Selection Profile. I was then able to image the laptop successfully - the TPM chip shows up where it's supposed to be, using the correct MS-supplied driver. Bitlocker is then able to be turned on, and everything's working.

    Currently I'm having trouble with getting the "Enable Bitlocker" task within the Standard Task Sequence to work correctly. It's working, but it's not escrowing the keys into AD, as it's being told to do. I'm not sure what's causing this, but I've only just begun looking into it, so it could be anything. I'm just happy that Windows can see the TPM chip, and Bitlocker can turn on.

    So - for anyone else having this trouble, I would suggest setting up Selection Profiles to heavily restrict the drivers that are available to a task sequence, and slowly building in the drivers that you absolutely need. In the case of these HP laptops, I needed to set up a separate Application for the QuickLaunch buttons and application, and have added that into the task sequence to deploy automatically. It's working a treat.

    Thanks to everyone for your help!

    Matto :)

    • Proposed as answer by ccatlett1984 Friday, May 11, 2012 2:19 PM
    Monday, May 31, 2010 6:36 AM
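The two symptoms described in this thread (eschloss's post about the Infineon device appearing under System Devices with the XP driver bound, and Matto's final post confirming that restricting the selection profile to the in-box Windows 7 drivers makes the TPM appear under Security Devices) can be verified on a freshly deployed machine without opening Device Manager. The following PowerShell script is an added example, not code from the thread or from MDT: it queries the two WMI classes that exist on Windows 7, Win32_Tpm (only present when the OS has a usable TPM) and Win32_PnPSignedDriver (which driver package is bound to the TPM device), and classifies the result. The function name, the device-name pattern and the expectation that the in-box driver reports its provider as "Microsoft" are assumptions made for this example.

```powershell
# Added example (not from the thread or MDT): post-deployment check that Windows sees the TPM
# and that the TPM device is bound to the Microsoft in-box driver rather than a vendor/XP driver
# injected by MDT. Run in an elevated PowerShell session on the deployed machine.

function Test-TpmDriverBinding {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmVisible     = $false
        TpmEnabled     = $null
        TpmActivated   = $null
        DeviceName     = $null
        DeviceClass    = $null
        DriverProvider = $null
        DriverInf      = $null
        Status         = 'UNKNOWN'
    }

    # 1. Does the OS expose a TPM at all? Win32_Tpm has no instance when no working TPM device
    #    is present (the "you don't have a TPM chip installed" state from the original post).
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
        -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmVisible   = $true
        $result.TpmEnabled   = $tpm.IsEnabled().IsEnabled
        $result.TpmActivated = $tpm.IsActivated().IsActivated
    }

    # 2. Which driver package is bound to the TPM device? The name pattern covers the in-box
    #    "Trusted Platform Module 1.2" device and the vendor "Infineon Trusted Module" naming
    #    mentioned in the thread (pattern is an assumption; widen it for other vendors).
    $drv = Get-WmiObject -Class Win32_PnPSignedDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.DeviceName -match 'Trusted (Platform )?Module' } |
        Select-Object -First 1
    if ($drv) {
        $result.DeviceName     = $drv.DeviceName
        $result.DeviceClass    = $drv.DeviceClass      # healthy binding shows SECURITYDEVICES
        $result.DriverProvider = $drv.DriverProviderName
        $result.DriverInf      = $drv.InfName
    }

    # 3. Classify. Healthy: Win32_Tpm present and the Microsoft provider bound.
    #    Thread's failure mode: a non-Microsoft provider bound (XP/vendor driver from OOB drivers),
    #    which is the cue to tighten the MDT selection profile rather than touch the BIOS.
    if (-not $drv) {
        $result.Status = 'NO_TPM_DEVICE'     # nothing enumerated: check BIOS TPM setting first
    } elseif ($result.TpmVisible -and $drv.DriverProviderName -eq 'Microsoft') {
        $result.Status = 'OK'
    } elseif ($drv.DriverProviderName -ne 'Microsoft') {
        $result.Status = 'WRONG_DRIVER'      # third-party driver bound; restrict OOB drivers
    } else {
        $result.Status = 'TPM_NOT_EXPOSED'   # Microsoft driver bound but no Win32_Tpm instance
    }

    [pscustomobject]$result
}

# Usage: run after the task sequence finishes; a WRONG_DRIVER result reproduces the symptom
# from the thread and points at the driver injection step rather than at BitLocker itself.
Test-TpmDriverBinding | Format-List
```

A status of WRONG_DRIVER is the one to gate on in an automated post-deployment check: it distinguishes the driver-injection problem this thread resolved from a TPM that is simply disabled in the BIOS (NO_TPM_DEVICE), so the fix can be applied to the MDT selection profile rather than chased on individual machines.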