New Trick to Enable TPM 2.0 Check in SCCM Task Sequence

You can enable a TPM 2.0 check in an SCCM task sequence that verifies the presence of TPM 2.0 or later on a computer. The Check Readiness step in the task sequence now includes checks for TPM 2.0 or later.

If you were looking to check for a Trusted Platform Module 2.0 from a ConfigMgr task sequence, it is now possible. You must be running SCCM 2111 or later to enable the TPM 2.0 check in the task sequence.

One of the new features of Configuration Manager 2111 is the task sequence check for TPM 2.0. The Check Readiness step in the task sequence determines whether TPM 2.0 is enabled and activated.

Note that the TPM 2.0 detection feature in the task sequence only detects the presence of TPM 2.0 on the computer. The procedure to enable TPM 2.0 varies depending on the computer manufacturer.

TPM 2.0 Requirement For Windows 11

What is TPM? A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys.

The TPM comes installed on the motherboard of a computer, and it communicates with the system by using a hardware bus. Microsoft documentation is the best place to start learning about TPM fundamentals.

With the release of Windows 11, some of you might be looking to upgrade Windows 10 to Windows 11 using SCCM task sequence.

If you have Windows 10 computers that are enabled with TPM 2.0, you can deploy a servicing plan and upgrade to Windows 11.

One of the issues that you may face during Windows 11 upgrade is the TPM 2.0 requirement for Windows 11. TPM 2.0 is required to run Windows 11, as an important building block for security-related features.

TPM 2.0 is used in Windows 11 for a number of features, including Windows Hello for identity protection and BitLocker for data protection.

If you are certain that your laptop has TPM chip present, you must enable TPM 2.0 and activate it before upgrading to Windows 11. Otherwise, the upgrade will fail for sure.

To find out if your current PC is eligible for Windows 11 upgrade, you can download and run Windows 11 PC health check.


TPM 2.0 Detection in Task Sequence

TPM 2.0 detection in an SCCM task sequence was already a basic requirement before this feature existed. You could use either a PowerShell script or a WMI query in the task sequence to detect the presence of a TPM on a computer.

The good thing is that you can use the TPM PowerShell cmdlets, which are useful for managing the TPM via PowerShell.

You can also check the TPM status from the command line. This is handy information: you can learn a lot about the TPM status during SCCM OSD by running a simple command.

Below is an example of a WMI query for TPM detection in SCCM Task sequence.

WMI Namespace:
root\CIMV2\Security\MicrosoftTpm

WQL Query:
SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = True
SELECT * FROM Win32_Tpm WHERE IsActivated_InitialValue = True
WMI Query for TPM Detection in Task Sequence

You can refer to the following PowerShell script to check to see if the TPM is enabled.
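As an added example, not the script from the original post, the following PowerShell script can be used in a Run PowerShell Script step. It queries the same Win32_Tpm class as the WQL queries above, but additionally parses SpecVersion, because IsEnabled_InitialValue and IsActivated_InitialValue alone do not distinguish a TPM 1.2 from a TPM 2.0. The task sequence variable names TPM20Present, TPMEnabled and TPMActivated are assumptions for this example.

```powershell
# Added example (not the original post's script): detect TPM 2.0 from an SCCM
# "Run PowerShell Script" step and expose the result as task sequence variables.
# Variable names TPM20Present / TPMEnabled / TPMActivated are assumed for this example.
$ns  = 'root\CIMV2\Security\MicrosoftTpm'
$tpm = Get-CimInstance -Namespace $ns -ClassName Win32_Tpm -ErrorAction SilentlyContinue

$present   = $false
$enabled   = $false
$activated = $false
$specOk    = $false

if ($null -ne $tpm) {
    $present   = $true
    $enabled   = [bool]$tpm.IsEnabled_InitialValue
    $activated = [bool]$tpm.IsActivated_InitialValue
    # SpecVersion looks like "2.0, 0, 1.38" (TPM 2.0) or "1.2, 2, 3" (TPM 1.2);
    # the first comma-separated field is the TPM specification version.
    $major  = (($tpm.SpecVersion -split ',')[0].Trim()) -as [double]
    $specOk = ($null -ne $major -and $major -ge 2.0)
}

$ready = $present -and $specOk -and $enabled -and $activated

# Publish the results for later task sequence conditions. The COM object only
# exists while running inside a task sequence, so fall back to console output.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPM20Present') = "$specOk"
    $tsenv.Value('TPMEnabled')   = "$enabled"
    $tsenv.Value('TPMActivated') = "$activated"
} catch {
    Write-Output "Present=$present Spec2.0=$specOk Enabled=$enabled Activated=$activated"
}

# A non-zero exit code fails the Run PowerShell Script step (unless "Continue on
# error" is set), which stops the upgrade before Windows Setup is launched.
if (-not $ready) { exit 1 }
exit 0
```

The WMI class requires the TPM driver to be loaded, so the script reports no TPM as "not present" rather than throwing.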

How to Enable TPM 2.0 Check in SCCM Task Sequence

Let’s look at the steps to enable TPM 2.0 check in SCCM Task Sequence. To help you better deploy Windows 11, the Check Readiness step in the task sequence now includes checks for TPM 2.0.

To add the Check Readiness step in the task sequence, you can either edit an existing task sequence or create a new upgrade operating system TS.

When you edit the existing task sequence, under Prepare for upgrade, select Check Readiness for Upgrade step.

The last section of the Check Readiness for Upgrade step includes the checks for TPM 2.0. There are two options to enable the TPM 2.0 check in the SCCM task sequence.

  1. TPM 2.0 or above is enabled – Enabling this option in the task sequence will check if TPM 2.0 or above is enabled on the computer.
  2. TPM 2.0 or above is activated – Enabling this option will check if the TPM 2.0 or later is activated or not.

For now, let’s select both the TPM 2.0 check options where the task sequence will check if TPM 2.0 or later is enabled and activated. Click OK to close the task sequence editor.

Enable TPM 2.0 Check in SCCM Task Sequence

Deploy the Task Sequence enabled with TPM 2.0 check to your computers. On the client computer, launch the Software Center and click Operating Systems. Select the Task Sequence and click Install.

Notice that on my Windows 10 computer, where TPM 2.0 or later is not enabled, the Upgrade Operating System task sequence fails at the Check Readiness for Upgrade step.

Task sequence "Upgrade Operating System" failed check readiness verification in step "Check Readiness for Upgrade". Press button Inspect to see verifications that failed.

Enable TPM 2.0 Check in SCCM Task Sequence

If you click the Inspect button, you can find out why the task sequence failed and at which step it failed.

The following check readiness verification have failed: TPM 2.0 or above is not enabled.

This confirms that your SCCM task sequence can now check whether TPM 2.0 or later is enabled and activated.

Enable TPM 2.0 Check in SCCM Task Sequence

4 Comments

  1. Jack Fetter says:

    The “Check Readiness” TS Step (SCCM 2111) doesn’t seem to be working. I have it set to verify TPM 2.0 both Present and Active, yet on a system with TPM 1.2, it doesn’t prompt at all, it just moves past as though compliant?

  2. Hello,

    Thanks a lot for that documentation.
    My question: Does this step work under WinPE for TPM?

    BR
    Mars

    1. Craig Luciano says:

      We also want to know this 🙂
