Broadcom drivers not allowing Windows to manage the TPM chip

Background

I've been working on a project creating the light-touch task sequences in Microsoft System Center Configuration Manager 2012 to deploy Microsoft Windows 7 to bank branches using offline stand-alone media. Recently we noticed that three of the thirteen Dell notebooks weren't prompting the on-site technician to hit the F10 button after the PowerShell script ran and rebooted to clear the TPM chip owner information. We were also noticing that BitLocker wasn't being enabled. When you remotely (via script, PowerShell, etc.) modify the TPM chip on Dell machines, it prompts you at the BIOS screen on reboot to acknowledge that a planned change was made to the TPM chip. This is so malware can't clear out your TPM ownership and make your machine unbootable until you find the recovery key. It's a pain in the rear, but I understand why Dell does this.


Summary

In comparing the three notebooks that weren't working properly to the ten notebooks that were, the machines within each group showed the same results:


Three notebooks not working properly:
  Device Manager: Broadcom TPM listed under System Devices
  Drivers: Driver Provider = Broadcom
  Services: TPM Base Services not started and will not start

Ten notebooks working properly:
  Device Manager: Broadcom Trusted Platform Module X listed under Security Devices
  Drivers: Driver Provider = Microsoft
  Services: TPM Base Services started

I also noticed that when trying to query for data via WMI from root\cimv2\Security\MicrosoftTpm, nothing was being returned.

I was also getting an error when running the PowerShell script.

Testing

I uninstalled the Broadcom TPM device including the Broadcom drivers and refreshed Device Manager. At that time it installed the Broadcom TPM device using the Microsoft drivers and it listed Broadcom Trusted Platform Module X under Security Devices. I was then able to start the TPM Base Services. When I ran the PowerShell script no errors were generated.
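The three things compared in the summary table (driver provider, TPM Base Services, and whether Win32_Tpm returns anything over WMI) can be checked from PowerShell before the TPM script is run, so a notebook in the broken state is caught up front instead of failing mid-task-sequence. The following is an added example and not code from the original post; it assumes the TPM Base Services service is named TBS and that the TPM device name contains "TPM" or "Trusted Platform Module", as in the screenshots described here.

```powershell
# Added example (not part of the original post). Assumptions: the TPM Base
# Services service name is 'TBS'; the TPM device name contains 'TPM' or
# 'Trusted Platform Module'.

function Test-TpmPrerequisites {
    $problems = @()

    # 1. Driver bound to the TPM device and its provider. On the broken notebooks
    #    the provider was Broadcom; on the working ones it was Microsoft.
    $tpmDrivers = @(Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -match 'TPM|Trusted Platform Module' } |
        Select-Object DeviceName, DeviceClass, DriverProviderName, DriverVersion)
    if ($tpmDrivers.Count -eq 0) {
        $problems += 'No TPM device found in Win32_PnPSignedDriver.'
    } else {
        foreach ($d in $tpmDrivers) {
            if ($d.DriverProviderName -ne 'Microsoft') {
                $problems += "TPM device '$($d.DeviceName)' uses driver provider '$($d.DriverProviderName)', not Microsoft."
            }
        }
    }

    # 2. TPM Base Services must be running for Win32_Tpm to work.
    $tbs = Get-Service -Name TBS -ErrorAction SilentlyContinue
    if (-not $tbs) {
        $problems += "Service 'TBS' (TPM Base Services) not found."
    } elseif ($tbs.Status -ne 'Running') {
        $problems += "TPM Base Services is '$($tbs.Status)', not Running."
    }
    $tbsStatus = if ($tbs) { [string]$tbs.Status } else { 'missing' }

    # 3. The WMI class the TPM script relies on must return an instance; when it
    #    returns nothing, every method call in the script fails on a null object.
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\CIMV2\Security\MicrosoftTpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        $problems += 'Win32_Tpm returned no instance from root\CIMV2\Security\MicrosoftTpm.'
    }

    [pscustomobject]@{
        Drivers    = $tpmDrivers
        TbsStatus  = $tbsStatus
        TpmPresent = [bool]$tpm
        Ready      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

$result = Test-TpmPrerequisites
$result.Drivers | Format-Table -AutoSize
if ($result.Ready) {
    Write-Output 'TPM prerequisites OK: Microsoft driver bound, TBS running, Win32_Tpm reachable.'
} else {
    $result.Problems | ForEach-Object { Write-Warning $_ }
}
```

Run it as the same elevated account the task sequence uses; a notebook in the state described above reports a non-Microsoft driver provider, a TBS service that is not running, and an empty Win32_Tpm result, which is exactly the combination the summary table shows for the three failing models.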


Resolution

I deleted the Dell Driver Packs for those three notebooks in ConfigMgr and imported them again, this time NOT including the Broadcom TPM drivers. After imaging, those three notebooks now use the Microsoft drivers for the Broadcom TPM chip. That allows the TPM Base Services to start, which in turn allows the PowerShell script to run. They now prompt for the F10 to acknowledge that changes have been made to the TPM chip, and BitLocker works!


Details

Left screenshot: not working. Right screenshot: working.

Device Manager Differences

[screenshot: Device Manager differences]


Driver Differences

[screenshot: driver differences]


Service Differences

[screenshot: service differences]


WMI Differences

[screenshot: WMI differences]


TPM PowerShell Script

# Get the TPM object from WMI. On the three broken notebooks this returns nothing,
# which is why every method call below then fails with "null-valued expression".
$oTPM = gwmi -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm

# Queue a physical presence request so the BIOS asks the technician to confirm
# the TPM change (the Dell F10 prompt) on the next reboot.
$oTPM.SetPhysicalPresenceRequest(10)

# Create an endorsement key pair if the TPM does not already have one.
If(!(($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)){
    $oTPM.CreateEndorsementKeyPair()
}

# Clear the current owner and take ownership with a new owner authorization value.
# "customrandompassword" is a placeholder; use your own value in production.
If(($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent){
    $OwnerAuth = $oTPM.ConvertToOwnerAuth("customrandompassword")
    $oTPM.Clear($OwnerAuth.OwnerAuth)
    $oTPM.TakeOwnership($OwnerAuth.OwnerAuth)
}


TPM PowerShell Script Results

[screenshot: TPM PowerShell script results]


Text From PowerShell Results

Not Working

PS C:\Users\arafels\Desktop> .\tpmactivate.ps1
You cannot call a method on a null-valued expression.
At C:\Users\arafels\Desktop\tpmactivate.ps1:3 char:33
+ $oTPM.SetPhysicalPresenceRequest <<<< (10)
    + CategoryInfo          : InvalidOperation: (SetPhysicalPresenceRequest:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Users\arafels\Desktop\tpmactivate.ps1:5 char:40
+ If(!(($oTPM.IsEndorsementKeyPairPresent <<<< ()).IsEndorsementKeyPairPresent)){
    + CategoryInfo          : InvalidOperation: (IsEndorsementKeyPairPresent:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Users\arafels\Desktop\tpmactivate.ps1:11 char:38
+ If(($oTPM.IsEndorsementKeyPairPresent <<<< ()).IsEndorsementKeyPairPresent){
    + CategoryInfo          : InvalidOperation: (IsEndorsementKeyPairPresent:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

PS C:\Users\arafels\Desktop>


Working

PS C:\Users\arafels\Desktop> .\tpmactivate.ps1

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 1
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ReturnValue      : 0

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 1
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ReturnValue      : 2150105089

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 1
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ReturnValue      : 2150105108

PS C:\Users\arafels\Desktop>
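The ReturnValue lines in the working output are raw HRESULTs, and "no errors were generated" means no PowerShell exceptions, not that every TPM command succeeded. Win32_Tpm methods report a TPM 1.2 result code packed into an HRESULT of the form 0x80280000 + code (the TPM_E_* values in winerror.h). The decoder below is an added example, not code from the original post; its name table is the TPM 1.2 result codes 1 through 24 from the TPM Main specification, which is an assumption about which TPM generation these notebooks carry. Fed the three values above it reports 0 as TPM_SUCCESS for SetPhysicalPresenceRequest, 2150105089 (0x80280001) as TPM_AUTHFAIL for Clear, and 2150105108 (0x80280014) as TPM_OWNER_SET for TakeOwnership, i.e. the TPM refused the in-band clear and still had an owner when ownership was re-attempted; the queued physical presence request that the technician confirms at the F10 prompt is what the rest of the process relies on.

```powershell
# Added example, not part of the original post. Assumption: Win32_Tpm methods
# return 0 on success or an HRESULT of 0x80280000 + <TPM 1.2 result code>.

# TPM 1.2 result codes (TPM Main Part 2, section 16); winerror.h exposes the
# same numbers as TPM_E_* HRESULTs.
$TpmResultNames = @{
    1  = 'TPM_AUTHFAIL'          # authentication failed (wrong owner auth)
    2  = 'TPM_BADINDEX'
    3  = 'TPM_BAD_PARAMETER'
    4  = 'TPM_AUDITFAILURE'
    5  = 'TPM_CLEAR_DISABLED'    # clear has been disabled
    6  = 'TPM_DEACTIVATED'
    7  = 'TPM_DISABLED'
    8  = 'TPM_DISABLED_CMD'
    9  = 'TPM_FAIL'
    10 = 'TPM_BAD_ORDINAL'
    11 = 'TPM_INSTALL_DISABLED'
    12 = 'TPM_INVALID_KEYHANDLE'
    13 = 'TPM_KEYNOTFOUND'
    14 = 'TPM_INAPPROPRIATE_ENC'
    15 = 'TPM_MIGRATEFAIL'
    16 = 'TPM_INVALID_PCR_INFO'
    17 = 'TPM_NOSPACE'
    18 = 'TPM_NOSRK'
    19 = 'TPM_NOTSEALED_BLOB'
    20 = 'TPM_OWNER_SET'         # the TPM already has an owner
    21 = 'TPM_RESOURCES'
    22 = 'TPM_SHORTRANDOM'
    23 = 'TPM_SIZE'
    24 = 'TPM_WRONGPCRVAL'
}

# HRESULT base for the TPM facility, 0x80280000, written in decimal because
# PowerShell parses an 8-digit hex literal with the top bit set as a negative Int32.
$TpmFacilityBase = [int64]2150105088

function ConvertFrom-TpmReturnValue {
    param([Parameter(Mandatory = $true)][int64]$ReturnValue)

    $name = 'Not a TPM facility HRESULT'
    if ($ReturnValue -eq 0) {
        $name = 'TPM_SUCCESS'
    } elseif ($ReturnValue -ge $TpmFacilityBase -and $ReturnValue -lt ($TpmFacilityBase + 65536)) {
        $code = [int]($ReturnValue - $TpmFacilityBase)
        if ($TpmResultNames.ContainsKey($code)) {
            $name = $TpmResultNames[$code]
        } else {
            $name = "TPM result code $code (not in the table above)"
        }
    }

    [pscustomobject]@{
        ReturnValue = $ReturnValue
        HResult     = '0x{0:X8}' -f $ReturnValue
        Name        = $name
    }
}

# The three ReturnValue lines from the working run, in call order:
# SetPhysicalPresenceRequest, Clear, TakeOwnership.
@(0, 2150105089, 2150105108) | ForEach-Object { ConvertFrom-TpmReturnValue $_ } | Format-Table -AutoSize
```

In a task sequence it is worth capturing these decoded names into the log rather than the bare decimal values, so a TPM that rejects Clear or TakeOwnership is visible at imaging time instead of showing up later as "BitLocker wasn't being enabled".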
