Auto activate Trusted Platform Module on Fujitsu computers using DeskView and MDT/SCCM

Recently I have been working on a way to auto activate the TPM chip on Fujitsu computers during the Operating System Deployment. Until recently, this has been limited to customers that have purchased DeskView advanced client from Fujitsu.

Now, it is possible to work around this issue, and the way I have done it before is to use manage-bde.exe to activate TPM and BiosSet.exe to set a BIOS-password. However, using the manufacture own software to do everything is always considered best practice and with a script it is now possible.

First the challenge:

When using DeskView to activate TPM you get an error code (413) with a message stating that you need to use DeskView Advanced Client for this operation.

Since we do not have DeskView advanced client we need a way to work around this issue. Before recently, you could just use run “%windir%\system32\manage-bde.exe” –tpm –turnon. This method, do automate the process on a Bare-Metal installation, however you would end up with a logical flaw in a refresh scenario.

The best way is to only use DeskView and run a simple script before the actual steps in the SCCM Task Sequence and you should be able to avoid the 413 error! J

This is what you need to do:

Download DeskView here: fujitsu.com
Copy and paste the sample script into notepad sand save it with a .vbs extension
Copy the script into the DeskView folder
Create a package containing all the necessary files (DeskView and Script)
Add the necessary commands in the Task Sequence you want to run
Add these two WMI-queries to the steps to ensure you not run this steps on other systems than Fujitsu and Laptop,
1. SELECT * FROM Win32_ComputerSystemProduct WHERE Vendor LIKE “%FUJITSU%”
2. SELECT * FROM Win32_Battery where Batterystatus > 0

Now, there is a “bug”. TCG (Trusted Computing Group) requires in the PC-TPM specification, that you have to sit in front of the system (physical presence) to enable TPM. To avoid this you can add a “hidden” switch. This switch is only obtainable through FS Customer support. Contact FS CS or send me an email with the contact form and I will give you the switch.

This is the commands, which you need to use:

Cscript.exe “script.vbs”
BiosSet.exe /NEWPWD=”YourPassword”
BiosSet.exe /TPMSTATE=ON /”Hidden Switch” /PWD=”YourPassword”

(For full list of syntax for BiosSet.exe see DeskView documentation: fujitsu.com)

View of how it looks in the Task Sequence:

Sample of script:

Option Explicit
Dim g_wsh
Set g_wsh = WScript.CreateObject("WScript.Shell")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.BiosSettings.BiosSet\B6B4436F-B78E-4FB7-87E2-0EDFC8E7F620″, "00000001_0000B3E2_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B6B623BA", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.BiosSettingsDirectWMI.PrBSetEx\B6B4436F-B78E-4FB7-87E2-0EDFC8E7F620″, "00000001_0000B3E2_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B6B623BA", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.SystemData.Altiris_DeskView_Agent\B6B4436F-B78E-4FB7-87E2-0EDFC8E7F620″, "00000001_0000B3E2_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B6B623BA", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.Notification.DeskAlert\B6B4436F-B78E-4FB7-87E2-0EDFC8E7F620″, "00000001_0000B3E2_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B6B623BA", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.BiosSettings.BiosSet\B6B4436F-B78E-4FB7-87E2-0EDFC8E7F620″, "00000001_0000B3E2_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B6B623BA", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.BiosSettingsDirectWMI.PrBSetEx\B6B4436F-B78E-4FB7-87E2-0EDFC8E7F620″, "00000001_0000B3E2_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B6B623BA", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.SystemData.Altiris_DeskView_Agent\B6B4436F-B78E-4FB7-87E2-0EDFC8E7F620″, "00000001_0000B3E2_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B6B623BA", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.Notification.DeskAlert\B6B4436F-B78E-4FB7-87E2-0EDFC8E7F620″, "00000001_0000B3E2_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B6B623BA", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\DeskUpdate\InstalledPackages\BIOSSET_TPM_REMOTE", "1", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\DeskUpdate\InstalledPackages\BIOSSET_TPM_REMOTE", "1", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.BiosSettings.BiosSet\CE66A512-F085-4739-A19A-DB6A617436BF", "00000001_0000CC42_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_CE68D2B0″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.BiosSettingsDirectWMI.PrBSetEx\CE66A512-F085-4739-A19A-DB6A617436BF", "00000001_0000CC42_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_CE68D2B0″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.SystemData.Altiris_DeskView_Agent\CE66A512-F085-4739-A19A-DB6A617436BF", "00000001_0000CC42_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_CE68D2B0″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.Notification.DeskAlert\CE66A512-F085-4739-A19A-DB6A617436BF", "00000001_0000CC42_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_CE68D2B0″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.BiosSettings.BiosSet\CE66A512-F085-4739-A19A-DB6A617436BF", "00000001_0000CC42_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_CE68D2B0″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.BiosSettingsDirectWMI.PrBSetEx\CE66A512-F085-4739-A19A-DB6A617436BF", "00000001_0000CC42_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_CE68D2B0″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.SystemData.Altiris_DeskView_Agent\CE66A512-F085-4739-A19A-DB6A617436BF", "00000001_0000CC42_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_CE68D2B0″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.Notification.DeskAlert\CE66A512-F085-4739-A19A-DB6A617436BF", "00000001_0000CC42_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_CE68D2B0″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\DeskUpdate\InstalledPackages\BIOSSET_PWD_HDD", "1", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\DeskUpdate\InstalledPackages\BIOSSET_PWD_HDD", "1", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.BiosSettings.BiosSet\B8798761-7DFD-4751-A3E9-0BABDCC94B27″, "00000001_0000CC4C_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B87B3E44″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.BiosSettingsDirectWMI.PrBSetEx\B8798761-7DFD-4751-A3E9-0BABDCC94B27″, "00000001_0000CC4C_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B87B3E44″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.Notification.DeskAlert\B8798761-7DFD-4751-A3E9-0BABDCC94B27″, "00000001_0000CC4C_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B87B3E44″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\Common\DAC\DeskViewClient.SystemData.Altiris_DeskView_Agent\B8798761-7DFD-4751-A3E9-0BABDCC94B27″, "00000001_0000CC4C_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B87B3E44″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.BiosSettings.BiosSet\B8798761-7DFD-4751-A3E9-0BABDCC94B27″, "00000001_0000CC4C_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B87B3E44″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.BiosSettingsDirectWMI.PrBSetEx\B8798761-7DFD-4751-A3E9-0BABDCC94B27″, "00000001_0000CC4C_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B87B3E44″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.Notification.DeskAlert\B8798761-7DFD-4751-A3E9-0BABDCC94B27″, "00000001_0000CC4C_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B87B3E44″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\Common\DAC\DeskViewClient.SystemData.Altiris_DeskView_Agent\B8798761-7DFD-4751-A3E9-0BABDCC94B27″, "00000001_0000CC4C_DeskView_User_Fujitsu_00000000_1F0C07F2_070A07DD_0_B87B3E44″, "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\DeskUpdate\InstalledPackages\BIOSSET_PWD_USER", "1", "REG_SZ")
Call g_wsh.RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\DeskUpdate\InstalledPackages\BIOSSET_PWD_USER", "1", "REG_SZ")"

Hope this helps you out! 🙂

By Marius A. Skovli|2017-08-22T10:35:41+01:00januar 27th, 2014|Configuration Manager (SCCM), OS Deployment|7 Comments

Om forfatteren: Marius A. Skovli

Microsoft Enterprise Client Management Evangelist with: 10+ years experience within Microsoft System Management Solutions Extensive experience across Private and Public Sector Passion for Community Driven work, volunteering within Microsoft technology Great belief that sharing experience within fellow peers is key to creating a sustainable society Strong commitment to System Center User Group Norway as co-founder and current leader I am a technology enthusiast working as a consultant for the consultant company CTGlobal. I have always been passionate about IT and have the last 10 + years worked with Management and Automation within Microsoft technology. Back in 2005/6 I started working with System Management Server (SMS) 2003 and have been working with Enterprise Client Management ever since, where i today focus on helping customers design and implement solutions based on System Center Configuration Manager and/or Enterprise Mobility Suite from Microsoft. Other parts of my work consists of speaking and presenting at different events and seminars, doing research and blog about solutions I find and products I work with. I truly believe in a strong community where knowledge and know-how is essential. Creating creative arenas where it is possible for peers to spread the word about new technologies and solutions is key and as an act on this I co-founded System Center User Group Norway (www.scug.no). SCUG is an initiative where we discuss, preach and present new technologies and solutions in the System Center Space from Microsoft. This is a free arena for everybody to join that is interested in/or enthusiastic about Microsoft Cloud Platform (Enterprise Client Management or Cloud and Datacenter). Specialties: System Center Configuration Manager (SCCM2007-SCCM2012), Enterprise Mobility and Intune, Windows and Windows server deployment.

7 kommentarer

Julien december 14, 2016 af 10:48

Hi,
I’m looking for the Hidden Switch to enable Fujitsu TPM and avoid the bug
Thanks
Julien
Fritz september 12, 2017 af 7:29

Hi,
I think you missed the most interesting part with Biosset.exe /expert /AR=path/file. You get more details and even more parameters which are available to set.
i know the hidden switch with /APP or with Biosset.exe /expert and so on. Did you have an issues to set protected parameters like TPMChip/TPM State/Skip physical presence with the systempassword?
Anything looks fine when i tried to change any settings but the Biosset.exe reports for every protected parameter an error 27. This error appears when i update the settings with the xml file or if i set them seperated.
Error 27= Could not change protected settings. Set Systempassword first.
Different Systempassword were set – same error.

Do you have any hints?

Regards.
Marcus juni 17, 2019 af 18:30

Hi
i´m sitting here to configure the a tasksequence (W10) of my MDT 2013 (W2K16) without SCCM.

I have the question about the 2 Sequence-etries “Take TPMOwnerShip” and “Activate TPM”. In your screenshot both ar disabled….. What type of Tasksequence have you selected? I used a standard-Client Task but ididn´t have these entries in my sequence and i don´t kwow for need this.

I ´ve downloaded the last DeskView-Client-SW from Fujitsu. The Parameters biosset.exe are little bit different like yours. I´ve used the actually parameter for it. I think i´m on an good way to manage my 140 Client (Fujitsu Laptops + Workstations).

What´s the matter with the “Hidden Switch”. Can you tell my more about this secret….?

Thx´s
Marcus
Markus september 8, 2020 af 14:45

We have a lot of desktops with a fujitsu board and need to enable TPM for Bitlocker if it isn’t already activated.

We had to download the Desk View Instant Bios Management.
The BiosSet included in the normal Desk View package doesn’t work …

Can you send me the hidden switch?
Detlef Milas-Hanke september 2, 2021 af 7:18

Hello Marius, thank you for this information.
We tried to use Biosset.exe for TPM activation for our FSJ PC’s and it will not work.
So we need the hidden switch too.
If it’s possible, please send the hidden switch to us.
Thank you very much and best regards
Detlef
Detlef Milas-Hanke september 2, 2021 af 7:41

Hello Marius, thank you for this information.
We tried to use Biosset.exe for TPM activation for our FSJ PC’s but it will not work.
So we need the hidden switch too.
If it’s possible, please send the hidden switch to us.
Thank you very much and best regards
Detlef
Willem Van Dam februar 24, 2022 af 1:23

How do I start these Fujitsu: Windows….. screens.

Also, please send me the hidden switch and instructions.
Thanks.

Der er lukket for kommentarer.

Auto activate Trusted Platform Module on Fujitsu computers using DeskView and MDT/SCCM

Share This Story, Choose Your Platform!

Om forfatteren: Marius A. Skovli

Beslægtede indlæg

Create fake SCCM Clients with Hardware Inventory

Requirements Not Met ~ Program Rejected (wrong platform)…What Witchery is This?

Identifying Azure AD users with ConfigMgr

SCCM: Improved MDT – “Execute Runbook” Script

Disabling LEDBaT on Your Windows 2016/2019 Server

7 kommentarer