Auto activate Trusted Platform Module on Fujitsu computers using DeskView and MDT/SCCM

Recently I have been working on a way to auto-activate the TPM chip on Fujitsu computers during Operating System Deployment. Until recently, this has been limited to customers who have purchased DeskView Advanced Client from Fujitsu.

Now, it is possible to work around this issue, and the way I have done it before is to use manage-bde.exe to activate TPM and BiosSet.exe to set a BIOS password. However, using the manufacturer's own software to do everything is always considered best practice, and with a script it is now possible.

First the challenge:

When using DeskView to activate TPM you get an error code (413) with a message stating that you need to use DeskView Advanced Client for this operation.

Since we do not have DeskView Advanced Client, we need a way to work around this issue. Until recently, you could just run "%windir%\system32\manage-bde.exe" -tpm -turnon. This method does automate the process on a bare-metal installation; however, you would end up with a logical flaw in a refresh scenario.

The best way is to use only DeskView and run a simple script before the actual steps in the SCCM Task Sequence; that way you should be able to avoid the 413 error!

This is what you need to do:

  1. Download DeskView here: fujitsu.com
  2. Copy and paste the sample script into Notepad and save it with a .vbs extension
  3. Copy the script into the DeskView folder
  4. Create a package containing all the necessary files (DeskView and Script)
  5. Add the necessary commands in the Task Sequence you want to run
  6. Add these two WMI queries to the steps to ensure you do not run these steps on systems other than Fujitsu laptops:
    1. SELECT * FROM Win32_ComputerSystemProduct WHERE Vendor LIKE "%FUJITSU%"
    2. SELECT * FROM Win32_Battery WHERE BatteryStatus > 0

Now, there is a "bug". The TCG (Trusted Computing Group) PC-TPM specification requires that you sit in front of the system (physical presence) to enable TPM. To avoid this you can add a "hidden" switch. This switch is only obtainable through FS Customer Support. Contact FS CS or send me an email with the contact form and I will give you the switch.

These are the commands you need to use:

  1. Cscript.exe "script.vbs"
  2. BiosSet.exe /NEWPWD="YourPassword"
  3. BiosSet.exe /TPMSTATE=ON /"Hidden Switch" /PWD="YourPassword"

(For the full BiosSet.exe syntax, see the DeskView documentation: fujitsu.com)
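
An added example (not the author's sample script, which is not reproduced on this page): a PowerShell wrapper for commands 2 and 3 that repeats the two WMI conditions, skips machines whose TPM is already enabled and activated, and reads the BIOS password from a Task Sequence variable instead of typing it into the step. The variable name FujitsuBiosPwd, the script location and the non-zero-on-failure exit code are assumptions, and the hidden switch stays a placeholder.

```powershell
# Added example, not the author's script. Run it after the page's script.vbs step.
param(
    [string]$BiosSetPath  = (Join-Path $PSScriptRoot 'BiosSet.exe'), # ASSUMPTION: script is in the DeskView package folder
    [string]$PasswordVar  = 'FujitsuBiosPwd',                        # ASSUMPTION: hypothetical hidden Task Sequence variable
    [string]$HiddenSwitch = 'HIDDEN_SWITCH_PLACEHOLDER'              # placeholder: the page does not publish the switch
)

function Test-TargetHardware {
    # Same conditions as the two WMI queries attached to the Task Sequence steps.
    $fujitsu = Get-CimInstance -Query 'SELECT * FROM Win32_ComputerSystemProduct WHERE Vendor LIKE "%FUJITSU%"'
    $battery = Get-CimInstance -Query 'SELECT * FROM Win32_Battery WHERE BatteryStatus > 0'
    return ([bool]$fujitsu -and [bool]$battery)
}

function Test-TpmReady {
    # Win32_Tpm may return nothing when the firmware hides the chip; treat that as "not ready".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    return ($null -ne $tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)
}

function Invoke-BiosSet([string[]]$Arguments) {
    $proc = Start-Process -FilePath $BiosSetPath -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    # ASSUMPTION: BiosSet.exe signals failure with a non-zero exit code.
    if ($proc.ExitCode -ne 0) {
        Write-Warning "BiosSet.exe failed with exit code $($proc.ExitCode)"   # arguments are not echoed on purpose
        exit $proc.ExitCode
    }
}

if (-not (Test-TargetHardware)) { Write-Output 'Not a Fujitsu laptop: skipping TPM step.'; exit 0 }
if (Test-TpmReady)              { Write-Output 'TPM already enabled and activated: nothing to do.'; exit 0 }

# Read the BIOS password from the Task Sequence environment rather than typing it into the step's command line.
$tsEnv   = New-Object -ComObject Microsoft.SMS.TSEnvironment
$biosPwd = $tsEnv.Value($PasswordVar)
if ([string]::IsNullOrEmpty($biosPwd)) { Write-Warning "Task Sequence variable '$PasswordVar' is empty."; exit 1 }

# Commands 2 and 3 from the list above, with the same quoting.
Invoke-BiosSet @("/NEWPWD=`"$biosPwd`"")
Invoke-BiosSet @('/TPMSTATE=ON', "/$HiddenSwitch", "/PWD=`"$biosPwd`"")
exit 0
```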

View of how it looks in the Task Sequence:

[Screenshots: fujitsucomputerstpm01 to fujitsucomputerstpm05]

Sample of script:


Hope this helps you out! 🙂

By | 2017-08-22T10:35:41+00:00 January 27th, 2014|Configuration Manager (SCCM), OS Deployment|2 Comments

About the Author:

Marius A. Skovli


2 Comments

  1. Julien December 14, 2016 at 10:48

    Hi,
    I’m looking for the Hidden Switch to enable Fujitsu TPM and avoid the bug
    Thanks
    Julien

  2. Fritz September 12, 2017 at 7:29

    Hi,
    I think you missed the most interesting part with Biosset.exe /expert /AR=path/file. You get more details and even more parameters which are available to set.
    I know the hidden switch with /APP or with Biosset.exe /expert and so on. Did you have any issues to set protected parameters like TPMChip/TPM State/Skip physical presence with the systempassword?
    Anything looks fine when I tried to change any settings but the Biosset.exe reports for every protected parameter an error 27. This error appears when I update the settings with the xml file or if I set them separately.
    Error 27= Could not change protected settings. Set Systempassword first.
    Different Systempassword were set – same error.

    Do you have any hints?

    Regards.
