This post is an extension of my friend and MVP Nicolai Henriksen's great post on this issue. Link: http://www.sccm.biz/2012/06/sccm-and-bitlocker-tpm-real-life.html

Use his post as a starting point.

It’s not always the case that the TPM chip is simply not activated or that no BIOS password is set.

When that assumption doesn’t hold, the script/TS step fails.

I’ve written a PowerShell script to help you with this logic.

It will check whether you have a TPM chip at all. If you do, it will check which computer brand you have (I’ve only added Lenovo and HP, but you can add your own). If it’s an HP computer it will gather the current BIOS settings of the computer you’re running it on. If the syntax matches the syntax in any of your “Configuration”.txt files it will use that one. Otherwise it will exit with code 2, so you’ll know you need to create another “Configuration”.txt file 🙂

It will also check whether a BIOS password is already set or whether it’s blank. If the BIOS password is not one of the ones you’ve provided, the script will exit with code 3. Then you know it’s protected with an unknown password… (with the BiosConfigUtility.exe from HP you may use /CurSetupPassword and provide multiple current passwords).
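The HP branch of that logic as a script, added here as an example and not the author's own script. It assumes HP's BiosConfigUtility64.exe next to the script, BCU-format Configuration*.txt exports in the same folder, and placeholder candidate passwords; exit codes follow the post (2 = no matching configuration file, 3 = none of the supplied passwords accepted).

```powershell
# Added example, not the author's script. Assumed: BCU64 beside the script, BCU-format
# Configuration*.txt files in $ConfigDir, placeholder passwords ('' = "no password set").
param(
    [string]$Bcu       = (Join-Path $PSScriptRoot 'BiosConfigUtility64.exe'),
    [string]$ConfigDir = $PSScriptRoot,
    [string[]]$Passwords = @('', 'PLACEHOLDER-PW1', 'PLACEHOLDER-PW2')
)

# 1. No TPM at all: the MicrosoftTpm namespace/class is absent, so the query returns nothing.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) { Write-Output 'No TPM present'; exit 1 }

# 2. Only HP is handled here; add a Lenovo branch the same way.
$make = (Get-WmiObject Win32_ComputerSystem).Manufacturer
if ($make -notmatch 'HP|Hewlett') { Write-Output "Unhandled manufacturer: $make"; exit 4 }

# 3. Export the current BIOS settings (reading them does not need the setup password).
$dump = Join-Path $env:TEMP 'CurrentBios.txt'
& $Bcu "/GetConfig:$dump" | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $dump)) { Write-Output 'BCU /GetConfig failed'; exit 5 }

# In BCU files, setting names are unindented lines; values are tab-indented beneath them,
# comments start with ';' and the first line is the 'BIOSConfig' header.
function Get-SettingNames([string]$Path) {
    Get-Content $Path | Where-Object { $_ -and $_ -notmatch '^\s' -and $_ -notmatch '^(;|BIOSConfig)' }
}
$currentNames = Get-SettingNames $dump

# 4. Pick the Configuration*.txt whose setting names all exist on this BIOS generation (exit 2 if none).
$config = Get-ChildItem (Join-Path $ConfigDir 'Configuration*.txt') | Where-Object {
    $names = @(Get-SettingNames $_.FullName)
    $names.Count -gt 0 -and -not ($names | Where-Object { $currentNames -notcontains $_ })
} | Select-Object -First 1
if (-not $config) { Write-Output 'No Configuration*.txt matches this BIOS syntax'; exit 2 }

# 5. Apply it, trying each candidate setup password; blank means no /CurSetupPassword switch.
foreach ($pw in $Passwords) {
    $bcuArgs = @("/SetConfig:$($config.FullName)")
    if ($pw -ne '') { $bcuArgs += "/CurSetupPassword:$pw" }
    & $Bcu @bcuArgs | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Output "Applied $($config.Name)"; exit 0 }
}
Write-Output 'BIOS setup password is none of the supplied ones'
exit 3
```

Only /SetConfig actually needs the setup password, so trying the candidates against it both tests the password and applies the TPM settings in one step; a failure there is what surfaces as exit code 3 rather than a failed TS step.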


You’ll need to make a few adjustments depending on whether you create a package (and where you choose to place the files) or use an MDT TS and add it to the toolkit.

As you can see I haven’t included the Lenovo script(s), but I’m sure you can see the pattern and will be able to add that on your own 🙂
