Tuesday, October 22, 2013

TPM cannot be enabled without physical presence.

During an SCCM 2012 Task Sequence that enables BitLocker encryption of the OS drive, the Task Sequence failed with the following error:

___________________________________________________________________________
The task sequence execution engine failed executing the action (BitLocker on C: Drive) in the group () with the error code 2147500037
Action output: ==============================[ OSDBitLocker.exe ]==============================
Command line: "OSDBitLocker.exe" /enable /wait:True /mode:TPM /pwd:AD
'IsSrkAuthCompatible' failed (2150105106)
'IsEndorsementKeyPairPresent' failed (2150105095)
TPM cannot be enabled without physical presence. The operating system reported error 2147500037: Unspecified error
__________________________________________________________________________

The reason for this BitLocker error is that the TPM was not enabled during the SCCM Task Sequence.
For HP models a solution is to export the BIOS configuration to a txt file and find the setting that enables the TPM:
BiosConfigUtility.exe /getconfig:config.txt

Enter this BIOS setting in a file that will be used to modify the BIOS settings.
These commands are specific to HP machines:
BiosConfigUtility.exe /CurSetupPassword:"password" /setconfig:EnableTPM.REPSET

For the HP EliteBook 2570p the EnableTPM.REPSET file should look like this:

English
TPM Activation Policy
    F1 to Boot
    Allow user to reject
    *No prompts
Activate TPM On Next Boot
    Disable
    *Enable

BiosConfigUtility can be downloaded from the HP web site.

Thursday, October 17, 2013

Enabling TPM on HP machines using SCCM 2012

To enable the TPM on HP machines there is a tool from HP, BIOS Configuration Utility, that modifies BIOS settings from Windows. To modify specific BIOS values, first export the current values with the following command:
BiosConfigUtility.exe /getconfig:filename.txt

After reviewing the exported file, the values to be modified can be added to a new file.
For example, to activate the TPM on an HP ProBook 6565b these values should be used:

English
OS Management of TPM
    Disable
    *Enable
Embedded Security Activation Policy
    F1 to Boot
    Allow user to reject
    *No prompts
Activate Embedded Security On Next Boot
    Disable
    *Enable
 

The next step is to execute the command that activates the TPM on the specified model. It is important to note that a BIOS setup password must be set for this step to work.
Here is the command:
biosconfigutility.exe /CurSetupPassword:"password" /setconfig:EnableTPM.REPSET

This command can be added to a cmd file, which together with EnableTPM.txt can be added to an SCCM package that can later be executed in a Task Sequence.
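The export / REPSET / apply procedure from this post and from the October 22 post above, put together as one PowerShell script. This is an added example, not HP's code and not the cmd file from the original posts. It assumes BiosConfigUtility.exe sits in the same package directory as the script, that the BIOS setup password is supplied through a task-sequence variable named BiosSetupPassword (a name chosen for this example), and it uses exactly the setting names and values shown in the two REPSET files above, selecting the set by the model string reported by WMI.

```powershell
# Added example, not code from the original posts or from HP.
# Builds an HP BiosConfigUtility REPSET file for the current model, applies it
# with the BIOS setup password, and turns the utility's exit code into a
# task-sequence friendly result. Assumptions: BiosConfigUtility.exe is in the
# same package directory as this script, and the setup password is supplied
# in a task-sequence variable named BiosSetupPassword (name chosen here).

$ErrorActionPreference = 'Stop'
$bcu        = Join-Path $PSScriptRoot 'BiosConfigUtility.exe'
$repset     = Join-Path $env:TEMP 'EnableTPM.REPSET'
$exportFile = Join-Path $env:TEMP 'config.txt'

# Per-model settings taken from the two posts. Each entry lists the values the
# BIOS offers, and the one to select is marked with a leading asterisk,
# exactly as BCU prints them in an exported config file.
$profiles = @{
    'HP EliteBook 2570p' = @(
        @{ Name = 'TPM Activation Policy';     Values = @('F1 to Boot', 'Allow user to reject', '*No prompts') }
        @{ Name = 'Activate TPM On Next Boot'; Values = @('Disable', '*Enable') }
    )
    'HP ProBook 6565b' = @(
        @{ Name = 'OS Management of TPM';                    Values = @('Disable', '*Enable') }
        @{ Name = 'Embedded Security Activation Policy';     Values = @('F1 to Boot', 'Allow user to reject', '*No prompts') }
        @{ Name = 'Activate Embedded Security On Next Boot'; Values = @('Disable', '*Enable') }
    )
}

function Get-SetupPassword {
    # Read the password from the task sequence instead of embedding it in the package.
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $pw = $ts.Value('BiosSetupPassword')
    if ([string]::IsNullOrEmpty($pw)) { throw 'BiosSetupPassword task-sequence variable is not set' }
    return $pw
}

function New-RepSet {
    param([array]$Settings, [string]$Path)
    $lines = @('English')           # BCU config files start with the language line
    foreach ($s in $Settings) {
        $lines += $s.Name           # setting name, unindented
        foreach ($v in $s.Values) { $lines += "`t$v" }   # values indented, chosen one starred
    }
    Set-Content -Path $Path -Value $lines -Encoding Ascii
}

# 1. Export the current configuration; keep it for troubleshooting and to see
#    the exact setting names this BIOS exposes (the posts do the same by hand).
& $bcu "/getconfig:$exportFile" | Out-Null

# 2. Pick the settings for this model.
$model = (Get-WmiObject Win32_ComputerSystem).Model.Trim()
if (-not $profiles.ContainsKey($model)) { throw "No TPM profile defined for model '$model'" }
New-RepSet -Settings $profiles[$model] -Path $repset

# 3. Apply with the setup password. BCU returns 0 on success; anything else is
#    reported together with the utility's output so it shows up in smsts.log.
$output = & $bcu "/CurSetupPassword:$(Get-SetupPassword)" "/setconfig:$repset"
if ($LASTEXITCODE -ne 0) {
    Write-Error "BiosConfigUtility failed with exit code $LASTEXITCODE`n$($output -join "`n")"
    exit $LASTEXITCODE
}

# The "On Next Boot" settings only take effect after a restart, so the task
# sequence needs a Restart Computer step between this step and the BitLocker step.
Write-Output "TPM settings applied for '$model'; restart required"
exit 0
```

Two practical points: the password is visible in the process command line for as long as BCU runs, which is why it is read from a task-sequence variable rather than stored in the package, and the exported config.txt is the place to look when a new model reports a different setting name than the two profiles above.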


To verify whether the TPM is enabled in the BIOS, this WMI query can be used:


SELECT * FROM Win32_Tpm where IsEnabled_InitialValue="False"

This query is for the following WMI namespace:
root\cimv2\Security\MicrosoftTpm

This query can be placed in the Task Sequence as a condition on a step.
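The same check done from PowerShell, as an added example that is not part of the original post. It reads Win32_Tpm from the root\cimv2\Security\MicrosoftTpm namespace named above and publishes the result as a task-sequence variable so later steps can be conditioned on it; the variable name TPMReady is chosen for this example, and the script assumes it runs inside an SCCM task sequence (it degrades to a warning when run by hand).

```powershell
# Added example, not code from the original post. Reads the TPM state from
# Win32_Tpm in root\cimv2\Security\MicrosoftTpm and publishes it as a
# task-sequence variable so a later step (the BitLocker step, or the BIOS
# configuration step) can be conditioned on it. Assumption: the variable
# name TPMReady is chosen for this example.

function Get-TpmState {
    $ns  = 'root\cimv2\Security\MicrosoftTpm'
    $tpm = Get-WmiObject -Namespace $ns -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No instance at all: either there is no TPM, or the BIOS still hides
        # it, so Windows has not loaded the TPM driver. The
        # IsEnabled_InitialValue="False" query from the post also returns no
        # rows in this case, which must not be mistaken for "enabled".
        return [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    # IsEnabled(), IsActivated() and IsOwned() are methods on Win32_Tpm; each
    # returns an object whose property of the same name carries the boolean.
    return [pscustomobject]@{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Set-TsVariable {
    param([string]$Name, [string]$Value)
    try {
        $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $ts.Value($Name) = $Value
    } catch {
        # Not running inside a task sequence; just report what would be set.
        Write-Warning "Not in a task sequence; $Name would be set to $Value"
    }
}

$state = Get-TpmState
$ready = $state.Present -and $state.Enabled -and $state.Activated
Set-TsVariable -Name 'TPMReady' -Value $ready.ToString()
Write-Output ('TPM present={0} enabled={1} activated={2} owned={3}' -f `
    $state.Present, $state.Enabled, $state.Activated, $state.Owned)
exit 0
```

A step that runs this script can be followed by the BIOS configuration step with the condition TPMReady equals False and by the BitLocker step with TPMReady equals True, which avoids the failure shown in the October 22 post.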


 

Friday, October 4, 2013

Initializing the TPM Security hardware. Access denied.

During manual activation of BitLocker to encrypt the operating system drive, an Access Denied message appears.

Note that the TPM is already configured on the local machine. The message appears because a GPO is configured to write TPM backup information to AD.


The problem is that there are not enough permissions to write the requested TPM information to AD.


If you follow this article and give enough permissions to the SELF account, BitLocker encryption will continue.
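A way to check that permission from a management workstation before retrying the encryption, as an added example that is not part of the original post. It assumes the ActiveDirectory module from RSAT is installed, that the caller can read the computer object's security descriptor, and that the TPM owner information is written to the computer object's msTPM-OwnerInformation attribute (the attribute used by TPM backup on Windows 7 era clients); the attribute's GUID is looked up from the schema at run time rather than hard-coded, and the computer name in the usage line is constructed.

```powershell
# Added example, not code from the original post. Reports whether the
# computer object's own principal (NT AUTHORITY\SELF) holds an Allow ACE
# that lets it write msTPM-OwnerInformation, which is what the GPO-driven
# TPM backup needs. Assumes the ActiveDirectory module (RSAT).

Import-Module ActiveDirectory

function Test-TpmSelfWriteAce {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Resolve the attribute's schemaIDGUID at run time rather than hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(ldapDisplayName=msTPM-OwnerInformation)' -Properties schemaIDGUID
    if (-not $attr) { throw 'msTPM-OwnerInformation is not present in this forest schema' }
    $attrGuid = [guid]$attr.schemaIDGUID

    $computer = Get-ADComputer -Identity $ComputerName
    # Get-Acl on the AD: drive returns explicit and inherited ACEs, so an ACE
    # granted at the domain or OU level (the usual way this is fixed) is seen too.
    $acl = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)

    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
        # ObjectType is the attribute GUID for a per-attribute ACE, or the empty
        # GUID for "all properties"; property-set ACEs are not expanded here.
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
    })

    return [pscustomobject]@{
        Computer                 = $computer.DistinguishedName
        SelfCanWriteTpmOwnerInfo = ($aces.Count -gt 0)
        MatchingAces             = $aces
    }
}

# Usage (constructed computer name):
# Test-TpmSelfWriteAce -ComputerName 'LAPTOP01' | Format-List
```

When SelfCanWriteTpmOwnerInfo comes back False, the Access Denied seen by the client is expected, and the fix belongs on the AD side (an ACE for SELF on the computer objects) rather than on the TPM itself.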