What good would that be? During a bare metal we are never in the OS to clear
the TPM.
I don't have a password, I set it then clear it.
I need to go back and run my TS again without clearing the partitions. I think
mine gets past the point where it's staging the boot image. If I recall
correctly it bombs after it boots back up and tries to start doing stuff. (at
the point where I'd expect it to format and partition the disks)
________________________________
John Marcum
MCITP, MCTS, MCSA
Desktop Architect
Bradley Arant Boult Cummings LLP
________________________________
From: [email protected] [mailto:[email protected]] On
Behalf Of Bain.John
Sent: Wednesday, February 17, 2016 5:27 PM
To: '[email protected]' <[email protected]>
Subject: RE: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue
TPM chips can be cleared from the OS if enabled so in the BIOS.
This can be automated via a script.
Do you know your TPM password?
From: [email protected] [mailto:[email protected]] On Behalf Of Miller, Todd
Sent: February 17, 2016 5:03 PM
To: [email protected]
Subject: RE: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue
Hmm, well for me, when I have a NTFS partition that is encrypted, the task
sequence stops when it tries to stage the WinPE boot onto the hard drive.
Maybe I've modified my task sequence in some way that breaks proper formatting.
If your WinPE boot disk is different from the WinPE image that your chosen
Task Sequence uses, then the WinPE image has to be staged even before the Task
Sequence starts - so the idea that the repartitioning/formatting is taken care
of exclusively by the task sequences doesn't make 100% sense to me. SCCM Task
Sequence engine might need to stage the WinPE image even before the TS really
starts. - For instance maybe you boot from a 32bit WinPE image, but your
Windows 7 64bit Task Sequence calls for a 64bit WinPE boot disk. The Task
Sequence engine (not the task sequence itself) will try to stage WinPE 64bit
and reboot into it to START the task sequence--- that happens even before the
first item in your task sequence runs.... And I am pretty sure it will fail if
you have an unwritable NTFS partition on your hard disk. Sounds like others have
it working, so I guess I will just say that it doesn't work for me and like you
have experienced, I have had to run a diskpart/clean when trying to bare metal
install to a previously encrypted disk. We don't use bitlocker, but the
problem should be the same - maybe bitlocker is easier/different since
bitlocker has that readable partition on the disk where maybe the SCCM engine
can stage the WinPE image. My encryption tool (Intel Drive Encryption) only
has a single encrypted partition and no separate unencrypted area.
On TPM...
Yes, I've tried using CCTK and the new Powershell scripts and neither can clear
an owned TPM chip. I have talked to Warren about it and he did say that it is
against the TPM rules for a BIOS to support clearing TPM in an automated way.
I think it can be cleared from inside of Windows though so not sure about all
of that.
Maybe Warren will pop in with some advice and clarification soon. You can turn
on TPM programmatically but clearing ownership is the trouble.
If there is someone who has figured out how to clear ownership on a TPM chip on
a Dell, in some automated way, please don't leave us in suspense.
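The two messages above disagree on whether an owned TPM can be cleared from inside Windows. The script below is an added example, not code from the thread or from Dell, and it shows what the Windows side actually offers: the Win32_Tpm WMI class can report whether the chip is enabled, activated and owned, and it can queue a clear through the Physical Presence Interface (request 5 = Clear, request 14 = Enable + Activate + Clear). What it cannot do is make the clear silent: the firmware asks a physically present user to confirm at the next POST unless the BIOS is configured to waive that, which is the "TPM rules" limit Todd describes. It assumes an elevated PowerShell session in full Windows (the namespace is not present in a stock WinPE) and a BIOS with TPM and PPI enabled.

```powershell
# Added example (not from the thread): query TPM state via Win32_Tpm and queue a
# PPI clear request. Assumes elevated PowerShell in full Windows, TPM enabled in
# the BIOS. The clear is confirmed by the user at POST, not by this script.

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { return $null }   # no TPM, TPM disabled in BIOS, or driver missing
    [pscustomobject]@{
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
        Tpm       = $tpm
    }
}

function Request-TpmClear {
    # 5 = Clear, 14 = Enable + Activate + Clear (PPI operation numbers)
    param([ValidateSet(5, 14)][uint32]$Request = 5)

    $state = Get-TpmState
    if (-not $state) { Write-Warning 'No TPM visible to Windows'; return $false }
    if (-not $state.Owned) { Write-Output 'TPM is not owned; nothing to clear'; return $true }

    # Ask the firmware how it will treat this request before queuing it.
    # ConfirmationStatus: 0 = not implemented, 1 = BIOS only, 2 = blocked by BIOS
    # settings, 3 = allowed but a physically present user must confirm at POST,
    # 4 = allowed without confirmation (most OEM BIOSes do not permit this).
    $confirm = $state.Tpm.GetPhysicalPresenceConfirmationStatus($Request)
    if ($confirm.ConfirmationStatus -lt 3) {
        Write-Warning "BIOS does not allow PPI request $Request from the OS (status $($confirm.ConfirmationStatus))"
        return $false
    }

    $result = $state.Tpm.SetPhysicalPresenceRequest($Request)
    if ($result.ReturnValue -ne 0) {
        Write-Warning ("SetPhysicalPresenceRequest failed: 0x{0:X}" -f $result.ReturnValue)
        return $false
    }
    if ($confirm.ConfirmationStatus -eq 3) {
        Write-Output "PPI request $Request queued; someone must accept the prompt at the next POST."
    } else {
        Write-Output "PPI request $Request queued; it will be applied at the next boot."
    }
    return $true
}

# Typical use before handing a machine to a bare-metal rebuild:
Get-TpmState | Format-List Enabled, Activated, Owned
# Request-TpmClear -Request 5   # then Restart-Computer and watch the POST screen
```

On Windows 8 and later the TrustedPlatformModule module wraps the same interface (Get-Tpm, Clear-Tpm), but the WMI calls above also work on the Windows 7 clients mentioned in this thread. The confirmation-status check is the useful part for a deployment team: it tells you up front whether the BIOS will ever accept an OS-initiated clear, so a task sequence can notify the technician instead of failing later.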
From: [email protected] [mailto:[email protected]] On Behalf Of Marcum, John
Sent: Wednesday, February 17, 2016 1:32 PM
To: [email protected]
Subject: RE: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue
Keith and John --- Bare metal from Configmgr. (on a side note the new XPS is
amazing! I have one in my closet doing nothing. Not because it's bad but
because I for the new 5510 which is even better)
Thanks Todd! I thought that one of the two partition steps in the initialize
phase (or the format disk in preinstall) was supposed to know that it was
booted from PXE therefore no data should be saved (thus it's bare metal
install) and then blow away the partitions. From what you are saying that must
not be true. Seems silly to have to manually delete the partitions. :(
When you say there is no way to clear it programmatically I assume you tried
doing so with the Dell utility thingy?
________________________________
John Marcum
MCITP, MCTS, MCSA
Desktop Architect
Bradley Arant Boult Cummings LLP
________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Miller, Todd
Sent: Wednesday, February 17, 2016 10:45 AM
To: [email protected]
Subject: RE: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue
The bare metal task sequence will fail because it will have trouble staging the
WinPE boot image to the hard disk. The task sequence will fail any time it
detects an NTFS primary partition that it is unable to write to. The task
sequence sees that there is an NTFS partition and assumes that it will be able
to write to it to stage the WinPE image for reboot, but it cannot. You might
need to inject a check and format into the pre-execution hook stage. The task
sequence can't just blow away the partition because task sequences are also
built for refresh scenarios where you would need to keep the existing NTFS
partition for USMT to do its capture. You might be able to rejigger some of
the rules on the partition and format section at the top of the task sequence
so that it runs more frequently. But I would guess those rules are detecting
that there is a reasonable NTFS partition (and there is not).
Regarding the TPM chip. Yeah, you have to clear that manually. You could
check to see if it is present and cleared in a pre-execution hook and notify
the user, but there is no way to clear it programmatically. Just give up on
that right now. I wish I could have those two weeks back.
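Todd's suggestion of a check-and-format in the pre-execution hook, as an added example that is not part of the thread or of any ConfigMgr/MDT product code. It runs inside WinPE before the task sequence engine tries to stage the boot image: it only ever acts when the system drive is X: (so it can never fire inside a running OS during a refresh), and it cleans disk 0 only when the disk has partitions but no NTFS volume that accepts a test write, which is the exact condition Todd describes. It assumes PowerShell is in the boot image, that the disk to rebuild is disk 0, and that a writable NTFS volume means "leave it for the task sequence's own partition and format step".

```powershell
# Added example (not from the thread): WinPE pre-execution hook that detects an
# NTFS volume the TS engine cannot write to and cleans the disk on bare metal only.
# Assumes PowerShell in the boot image, diskpart.exe present, target is disk 0.

function Test-InWinPE {
    # WinPE always mounts its boot image as X:. Refusing to run anywhere else keeps
    # the clean step out of refresh scenarios where USMT still needs the OS volume.
    return ($env:SystemDrive -eq 'X:')
}

function Get-WritableNtfsVolumes {
    # Fixed volumes that report NTFS AND accept a write. A locked BitLocker volume
    # or one under a third-party FDE driver fails one or the other.
    $ok = @()
    foreach ($vol in (Get-WmiObject Win32_Volume -Filter 'DriveType=3')) {
        if (-not $vol.DriveLetter -or $vol.DriveLetter -eq $env:SystemDrive) { continue }
        if ($vol.FileSystem -ne 'NTFS') {
            Write-Host "Volume $($vol.DriveLetter) is $($vol.FileSystem): not usable for staging"
            continue
        }
        $probe = Join-Path $vol.DriveLetter 'ts-write-probe.tmp'
        try {
            [IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -LiteralPath $probe -Force
            $ok += $vol.DriveLetter
        } catch {
            Write-Host "Volume $($vol.DriveLetter) reports NTFS but rejects writes"
        }
    }
    return $ok
}

function Invoke-BareMetalClean {
    param([int]$DiskIndex = 0, [switch]$WhatIf)

    if (-not (Test-InWinPE)) { throw 'Refusing to clean a disk outside WinPE' }

    $parts = Get-WmiObject Win32_DiskPartition -Filter "DiskIndex=$DiskIndex"
    if (-not $parts) {
        Write-Host "Disk $DiskIndex has no partitions; nothing to clean"
        return $false
    }
    if (Get-WritableNtfsVolumes) {
        Write-Host 'A writable NTFS volume exists; leaving the disk for the TS partition step'
        return $false
    }

    # No volume the engine could stage WinPE onto: wipe the partition table so the
    # task sequence's own Format and Partition Disk step starts from a blank disk.
    $script = Join-Path $env:TEMP "clean-disk$DiskIndex.txt"
    "select disk $DiskIndex`nclean`nexit" | Set-Content -Path $script -Encoding ASCII
    if ($WhatIf) { Write-Host "Would run: diskpart /s $script"; return $true }

    & diskpart.exe /s $script | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "diskpart clean failed with exit code $LASTEXITCODE" }
    Write-Host "Disk $DiskIndex cleaned; the task sequence can now partition it"
    return $true
}

Invoke-BareMetalClean -DiskIndex 0
```

Run it once with -WhatIf from a WinPE command prompt on a test machine to confirm it classifies your encrypted volume as unusable before wiring it into the hook. The write probe, rather than a file-system name check alone, is what catches Todd's Intel Drive Encryption case, where the volume still reports NTFS but cannot be written.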
From: [email protected] [mailto:[email protected]] On Behalf Of Keith Garner (hotmail)
Sent: Wednesday, February 17, 2016 10:00 AM
To: [email protected]
Subject: RE: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue
MDT Lite Touch or Zero Touch?
From what I recall, MDT Litetouch should be intelligent enough to just blow
away the existing Bitlockered partition and continue. Same with the TPM, but I
haven't had a Dell in a while (I get a new XPS 13 next week).
From: [email protected] [mailto:[email protected]] On Behalf Of Marcum, John
Sent: Wednesday, February 17, 2016 6:05 AM
To: [email protected]
Subject: [MDT-OSD] Can't Do Bare Metal on Bitlockered PC - Dell BIOS Issue
Sorry if I've asked this before, it's been on my list of things to fix for a
very long time and I'm just now actually getting to it.....
When doing a bare metal deployment on any PC that has had the disk encrypted
with bitlocker I have two issues:
1. I have to manually go into diskpart and blow away the partitions.
Shouldn't the TS do that for me?
2. I have to clear the TPM in the bios manually.
i. On the newer Dell laptops this in itself is a challenge. I find that I must
pray to Michael Dell, hold my tongue just right and stand on my head to start
with. If
I do all that just right I have to clear the TPM, activate the TPM and then
clear it again and then load the bios defaults in the security node or I get an
error when I try to setup the BIOS in my task sequence. I see this problem on
the currently shipping Latitudes, the 6400 takes one more step that I must
completely power it off after doing all those steps and power it back on or it
fails. Am I the only person seeing this issue?
________________________________
John Marcum
MCITP, MCTS, MCSA
Desktop Architect
Bradley Arant Boult Cummings LLP
________________________________
________________________________
Confidentiality Notice: This e-mail is from a law firm and may be protected by
the attorney-client or work product privileges. If you have received this
message in error, please notify the sender by replying to this e-mail and then
delete it from your computer.
________________________________
Notice: This UI Health Care e-mail (including attachments) is covered by the
Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and
may be legally privileged. If you are not the intended recipient, you are
hereby notified that any retention, dissemination, distribution, or copying of
this communication is strictly prohibited. Please reply to the sender that you
have received the message in error, then delete it. Thank you.
________________________________