Support for the Trusted Platform Module (TPM) is enabled with the 1E BIOS to UEFI Advanced Settings task sequence step – we can enable and activate the micro-controller designed to secure hardware by integrating cryptographic keys into devices.

We recommend you set an admin password with the 1E BIOS to UEFI Password Setup task sequence step for HP and Dell devices, as they require one to be enforced before any TPM configuration can be carried out. If one isn't set, a temporary password is used and then dropped, but owning the chip will still require a password to be enforced.

Lenovo machines do not require the admin/BIOS password to be set prior to enabling or activating TPM. Hence, for Lenovo machines, there will not be a temporary password in the SMSTS.LOG, whereas for Dell and HP machines, you will see the temporary password in the SMSTS.LOG.

With this task sequence, you can:

  1. Enable TPM – makes it available or visible to the operating system.
  2. Activate TPM – makes it ready to be owned. Any existing ownership of the TPM chip is not cleared. For security reasons and per TPM standards, clearing cannot be achieved in an automated fashion, i.e. during an OS deployment. None of the hardware vendors provide automated methods for clearing and then taking ownership of the TPM without a physical presence at the computer (see page 9, section 7: TPM management overview).

Things to consider when implementing TPM

Here are some scenarios that you may encounter when attempting to get TPM up and running – we assume you already have a basic understanding of what TPM and TPM ownership is.

On Windows 8.1 and later, Windows auto-provisions the TPM chip if it is not owned (configurable through Enable/Disable-TpmAutoProvisioning), so there is no need to automate the ownership process; it just works transparently. The OwnerAuth (a hash of the TPM OwnerPassword) is stored in the registry and available to local administrators. Additionally, you can define a Group Policy to automatically copy the OwnerAuth to Active Directory (do a search on the Internet for msTPM-OwnerInformation).

New for Windows 10 CB 1607 (and later), the ownership process auto-creates a rather complex password, sets the ownership and immediately deletes the password from the local system. There is no way to recover this new ownership password – this is new Microsoft guidance and is by design. It is possible to override this behavior and save the OwnerAuth in the registry like Windows 8.1 does.

If we install a new OS and the ownership was not reset, the new Windows OS will determine it does not have full ownership and the system is put into a reduced functionality state, but it will still allow us to add passwords/secrets to the TPM chip. If we know the TPM OwnerAuth from the previous OS (either by extracting it from the Windows 8.1 registry or from AD), we can inject the TPM OwnerAuth into the OS using the PowerShell command Import-TPMOwnerAuth to verify ownership and bring the machine up to a fully enabled state.

Finally, if you do not have the TPM OwnerAuth and you want full ownership of the TPM, you can clear the TPM chip from the local TPM Management Console and confirm on the local machine through the required TPM Physical Presence Interface (not part of the OS, by design). Microsoft does not require you to move a machine from a reduced functionality state to a fully owned state, so you can ignore this step.

The process for preparing the TPM chip

The end-to-end process for preparing the TPM chip on a computer is:

  1. Start – run the script to determine what state the machine is in and what actions need to be performed.
  2. 1EOEM Enable and 1EOEM Activate – enable and activate the TPM chip using the OEM-specific commands. This code has been implemented.
  3. IsOwned – by default, the OS performs auto-provisioning – if no one owns the machine, the OS automatically takes ownership. We are not aware of any scenario where the machine will be without ownership (unless the administrator has disabled AutoProvisioning).
  4. IsReady()? – the TPM is owned, but does the OS acknowledge that it has full ownership, or does it have reduced functionality?
  5. Has AD OwnerPassword? – the administrator can save the OwnerAuth password locally or in Active Directory. Has it been saved?
  6. Run Import-TPMOwnerAuth – if we do have the TPM OwnerAuth, run the Import-TPMOwnerAuth cmdlet to give the current OS full ownership.
  7. Done with Reduced Functionality – TPM is owned, but we do not have the TPM OwnerAuth. In most scenarios this should be OK and there is no need for change.
  8. Clear the TPM (Optional) – optionally, you can clear the TPM from the TPM console or with a task sequence script. A reboot is required and a physical presence is required at the machine.

Here is some PowerShell code that can help in detecting the state of the machine.

[CmdletBinding()]
param
(
    # OwnerAuth saved from the previous OS (registry or Active Directory), if available
    [Parameter(Mandatory=$false)]
    [string] $TPMOwnerAuth
)

# Query the TPM through WMI (requires an elevated session)
$Tpm = Get-WmiObject -Namespace ROOT\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm
if ( -not $Tpm ) {
    # No Win32_Tpm instance was returned, so the method calls below would fail on $null
    Write-Error "No TPM was found through WMI."
}
elseif ( -not $Tpm.IsEnabled().IsEnabled ) {
    Write-Host "Enable TPM with the 1EOEM command"
    Write-Host "Activate the TPM chip with the 1EOEM command, then reboot."
}
elseif ( -not $Tpm.IsActivated().IsActivated ) {
    Write-Host "Activate the TPM chip with the 1EOEM command, then reboot."
}
elseif ( -not $Tpm.IsOwned().IsOwned ) {
    Write-Error "Unknown state, should never be here with auto-provisioning enabled"
}
elseif ( -not $Tpm.IsReady().IsReady ) {
    # If the TPM OwnerAuth was stored previously in AD, and specified on the command line...
    if ( $TPMOwnerAuth ) {
        # ...give the current OS full ownership
        Import-TpmOwnerAuth -OwnerAuthorization $TPMOwnerAuth
    }
    else {
        # Reduced functionality: the TPM can still be used
        Write-Host "TPM is enabled, activated, and owned, but not by the current OS."
        Write-Host "User can manually take ownership, but not required to use TPM."
    }
}
else {
    Write-Host "TPM is enabled, activated, owned, and ready! Done!"
}

The end-to-end process

| Install from | TPM state | OwnerAuth state | Preparation on source machine | 1E OEM Command | Post-installation |
|---|---|---|---|---|---|
| Windows (any version) | Off | N/A | N/A | 1EEFIOEM Enable and Activate | N/A |
| Windows 7 or 8.1 | On and owned | Present in the registry or AD | Save TPM OwnerAuth | N/A | Restore TPM OwnerAuth |
| Windows 10 CB 1607 or later | On and owned | Not present anywhere | N/A | N/A | Reduced functionality |

Run this SaveTPMOwnerAuth.VBS on the old OS during a Refresh task sequence. If a TPM OwnerAuth exists, it extracts the hash from the registry and sets it in the task sequence environment variable space. You can restore it with:

Powershell.exe -command "Import-TPMOwnerAuth %TPMOwnerAuth%"
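
The save step described above, as an added PowerShell sketch; it is not 1E's SaveTPMOwnerAuth.VBS. It assumes the OwnerAuth is held in the OwnerAuthFull value under HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin and that the script runs inside a task sequence where the Microsoft.SMS.TSEnvironment COM object is available; the function names are hypothetical.

```powershell
# Added example, not 1E code. Run elevated on the old OS during a Refresh task sequence.
function Get-LocalTpmOwnerAuth {
    [CmdletBinding()]
    param(
        # Assumed location of the locally stored OwnerAuth (Windows 8.1 behaviour)
        [string] $KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin'
    )
    $props = Get-ItemProperty -Path $KeyPath -Name 'OwnerAuthFull' -ErrorAction SilentlyContinue
    if ($props -and -not [string]::IsNullOrWhiteSpace($props.OwnerAuthFull)) {
        return $props.OwnerAuthFull
    }
    return $null   # nothing stored, e.g. Windows 10 CB 1607 or later with default settings
}

function Save-TpmOwnerAuthToTaskSequence {
    [CmdletBinding()]
    param(
        # Variable name matches the %TPMOwnerAuth% used by the restore command above
        [string] $VariableName = 'TPMOwnerAuth'
    )
    $ownerAuth = Get-LocalTpmOwnerAuth
    if (-not $ownerAuth) {
        Write-Verbose 'No OwnerAuth in the registry; the new OS will run with reduced functionality.'
        return $false
    }
    try {
        $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
    }
    catch {
        Write-Warning 'Not running inside a task sequence; nothing was saved.'
        return $false
    }
    # The value is never written to the console or a log by this script
    $tsEnv.Value($VariableName) = $ownerAuth
    return $true
}

Save-TpmOwnerAuthToTaskSequence -Verbose
```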

You can also find sample code in the HeyScriptingGuys blog on how to extract the TPM OwnerAuth from Active Directory.

Hardware virtualization

Several Intel CPUs come with Intel Virtualization Technology (VT), which enables a CPU to act as if you have several independent computers, so that several OSes can run in parallel at the same time on the same machine.

You should not confuse virtualization with multitasking, multi-core, or hyper-threading.

  • With multitasking, there is a single operating system and several programs running at the same time. With virtualization, you can have several OSes running in parallel, each with several programs running where each OS runs on a virtual machine – the OS thinks it is running on a completely independent computer.
  • With multi-core, there is a single processor which has more than one physical processor inside. For example, a computer with one dual-core processor behaves like a computer with two CPUs installed working under symmetrical multi-processing (SMP) – they cannot be used independently. The OS is run by the first CPU and additional cores must be used by the same OS.
  • With hyper-threading, a dual-core CPU can be seen by the OS as a quad-core CPU. These additional processors cannot run separate OSes so, for all intents and purposes, hyper-threading has the same effect as the multi-core technology.

The advantage of implementing VT in a CPU is that the CPU has new instructions for controlling virtualization, so the virtual machine monitor software can be simpler, resulting in improved performance over software-based solutions.

Enabling hardware virtualization

You enable hardware virtualization with the 1E BIOS to UEFI Advanced task sequence step. To do this:

  1. From the Properties menu, choose 1E BIOS to UEFI Advanced Settings
  2. On the Virtualization tab:
    1. Tick the Enable Data Execution Prevention checkbox – must be enabled for virtualization. It marks areas of memory as non-executable, and the processor refuses to execute code residing in these areas. It is used to prevent certain types of attack, such as a buffer overflow, from taking over your computer by injecting code into another program's data storage area and running it from within.
    2. Tick the Enable Virtualization Technology (VT-x) checkbox – Intel's technology for virtualizing the x86 and Intel x64 platforms.
    3. Tick the Enable Virtualization Technology for Direct I/O (VT-d) checkbox – Intel's technology for directed I/O which makes it possible for a guest OS to directly access a PCI device, such as a network interface card, using the Input/Output Memory Management Unit (IOMMU).
    4. Tick the Enable Intel Trusted Execution Technology (TXT) checkbox – it ensures the authenticity of a platform and its OS.
      • VT-x, VT-d, TPM must already be enabled
      • An admin password may be required on some models
      • Intel TXT is not supported with Device Guard – do not enable if you are using Device Guard

Limitations

  1. When virtualization is enabled in the BIOS, some machines must be powered-down – they may report that virtualization is enabled when it isn't. 
  2. On some HP models (like HP EliteBook 840 G2), you must have a restart between enabling TPM and enabling TXT virtualization. If TPM is already enabled prior to running the TS, you can simply enable TXT virtualization.
    1. On such machines, the TXT option can be enabled in another Advanced Settings step after a restart in the TS (when the second '1E BIOS to UEFI' step restarts the machine).
  3. If you enable TXT on Dell machines without first enabling TPM, it results in a BIOS error on a restart caused by a BIOS mis-configuration. To overcome this, ensure you enable TPM before TXT.
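
A pre-flight check for the TXT prerequisites and ordering limitations above, as an added example that is not part of 1E's product. The function name is hypothetical; it reads standard WMI properties and does not check VT-d, which has to be confirmed with the vendor's BIOS tooling.

```powershell
# Added example, not 1E code. Run elevated in the full OS, after the restart
# (or power-down, on models that need it) that follows enabling TPM and VT-x.
function Test-TxtPrerequisite {
    [CmdletBinding()]
    param()

    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $tpm = Get-CimInstance -Namespace 'ROOT\CIMV2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # When a hypervisor is already running, Windows reports
    # VirtualizationFirmwareEnabled as False, so a present hypervisor
    # is treated as evidence that VT-x is switched on.
    $vtx = [bool]($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)

    $result = [pscustomobject]@{
        DepAvailable = [bool]$os.DataExecutionPrevention_Available
        VtxEnabled   = $vtx
        TpmEnabled   = [bool]($tpm -and $tpm.IsEnabled_InitialValue)
        TpmActivated = [bool]($tpm -and $tpm.IsActivated_InitialValue)
    }

    # Collect the names of every prerequisite that is not met
    $missing = @($result.PSObject.Properties |
                 Where-Object { -not $_.Value } |
                 Select-Object -ExpandProperty Name)

    $result | Add-Member -NotePropertyName Missing     -NotePropertyValue $missing
    $result | Add-Member -NotePropertyName ReadyForTxt -NotePropertyValue ($missing.Count -eq 0)
    return $result
}

$check = Test-TxtPrerequisite
if (-not $check.ReadyForTxt) {
    # A non-zero exit code fails the step before TXT is enabled out of order
    Write-Warning ('Do not enable TXT yet; missing: ' + ($check.Missing -join ', '))
    exit 1
}
```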