Broadcom drivers not allowing Windows to manage the TPM chip

Background

I’ve been working on a project creating the light-touch task sequences in Microsoft System Center Configuration Manager 2012 to deploy Microsoft Windows 7 to bank branches using offline stand-alone media.  Recently we noticed that three of the thirteen Dell notebooks weren’t prompting the on-site technician to hit the F10 key after the PowerShell script ran and rebooted to clear the TPM chip owner information.  We were also noticing BitLocker wasn’t being enabled.  When you remotely (via script, PowerShell, etc.) modify the TPM chip on Dell machines, it prompts you at the BIOS screen on reboot to acknowledge that a planned change was made to the TPM chip.  This is so malware can’t clear out your TPM ownership and make your machine unbootable until you find the recovery key.  It’s a pain in the rear, but I understand why Dell does this.

 

Summary

In comparing the three notebooks that weren’t working properly to the ten notebooks that were working properly, the following differences were consistent within each group.

 

Three notebooks not working properly:
  • Device Manager: Broadcom TPM listed under System Devices
  • Driver: Driver Provider = Broadcom
  • Services: TPM Base Services not started and will not start

Ten notebooks working properly:
  • Device Manager: Broadcom Trusted Platform Module X listed under Security Devices
  • Driver: Driver Provider = Microsoft
  • Services: TPM Base Services started

I also noticed that when trying to query for data via WMI in root\CIMV2\Security\MicrosoftTpm nothing was being returned.

I was also getting an error when running the PowerShell script.

Testing

I uninstalled the Broadcom TPM device, including the Broadcom drivers, and refreshed Device Manager.  At that point it reinstalled the Broadcom TPM device using the Microsoft drivers and listed Broadcom Trusted Platform Module X under Security Devices.  I was then able to start the TPM Base Services.  When I ran the PowerShell script no errors were generated.

 

Resolution

I deleted the Dell Driver Packs for those three notebooks in ConfigMgr and imported them again, NOT including the Broadcom TPM drivers.  After imaging, those three notebooks now use the Microsoft drivers for the Broadcom TPM chip.  That allows the TPM Base Services to start, which in turn allows the PowerShell script to run.  They now prompt for F10 to acknowledge that changes have been made to the TPM chip, and BitLocker works!

 

Details

Left screenshot: not working; right screenshot: working.

Device Manager Differences

[screenshot]

 

Driver Differences

[screenshot]

 

Service Differences

[screenshot]

 

WMI Differences

[screenshot]

 

TPM PowerShell Script

$oTPM = gwmi -Class Win32_TPM -Namespace root\CIMV2\Security\MicrosoftTpm

# Physical-presence operation 10: enable, activate, and allow installation of a TPM owner.
# The request is queued; the BIOS asks for confirmation (F10 on these Dells) at the next boot.
$oTPM.SetPhysicalPresenceRequest(10)

# Win32_Tpm query methods return an object whose property carries the method's name.
If(!(($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent)){
    $oTPM.CreateEndorsementKeyPair()
}

If(($oTPM.IsEndorsementKeyPairPresent()).IsEndorsementKeyPairPresent){
    # Derive the owner-authorization value from a pass-phrase, then clear and re-take ownership with it.
    # Note: this pass-phrase IS the TPM owner secret; a fixed value in offline media is shared by every machine imaged from it.
    $OwnerAuth=$oTPM.ConvertToOwnerAuth("customrandompassword")
    $oTPM.Clear($OwnerAuth.OwnerAuth)
    $oTPM.TakeOwnership($OwnerAuth.OwnerAuth)
}

 

TPM PowerShell Script Results

[screenshot]

 

Text From PowerShell Results

Not Working

PS C:\Users\arafels\Desktop> .\tpmactivate.ps1
You cannot call a method on a null-valued expression.
At C:\Users\arafels\Desktop\tpmactivate.ps1:3 char:33
+ $oTPM.SetPhysicalPresenceRequest <<<< (10)
    + CategoryInfo          : InvalidOperation: (SetPhysicalPresenceRequest:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Users\arafels\Desktop\tpmactivate.ps1:5 char:40
+ If(!(($oTPM.IsEndorsementKeyPairPresent <<<< ()).IsEndorsementKeyPairPresent)){
    + CategoryInfo          : InvalidOperation: (IsEndorsementKeyPairPresent:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

You cannot call a method on a null-valued expression.
At C:\Users\arafels\Desktop\tpmactivate.ps1:11 char:38
+ If(($oTPM.IsEndorsementKeyPairPresent <<<< ()).IsEndorsementKeyPairPresent){
    + CategoryInfo          : InvalidOperation: (IsEndorsementKeyPairPresent:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

PS C:\Users\arafels\Desktop>

 

Working

PS C:\Users\arafels\Desktop> .\tpmactivate.ps1

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 1
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ReturnValue      : 0

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 1
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ReturnValue      : 2150105089

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 1
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ReturnValue      : 2150105108

PS C:\Users\arafels\Desktop>
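The script below is an added example and is not part of the original post or of tpmactivate.ps1. It automates the comparison done by hand above (is Win32_Tpm reachable through WMI, which provider's driver is bound to the TPM device, is the TPM Base Services service running) and decodes the Win32_Tpm return values printed in the "Working" output: 0 is success for SetPhysicalPresenceRequest, 2150105089 is 0x80280001 TPM_E_AUTHFAIL (Clear() rejected because the supplied owner authorization did not match the one the TPM holds), and 2150105108 is 0x80280014 TPM_E_OWNER_SET (TakeOwnership() on a TPM that already has an owner). In other words, on the "working" notebooks only the physical-presence request actually went through, which is what triggers the F10 prompt. Assumed: an elevated PowerShell 2.0 or later session on Windows 7; the namespace, class, and TBS service names are the standard ones. The script issues no physical-presence request and changes no TPM state.

```powershell
# Added example, not part of the original post. Read-only TPM pre-flight checks plus a
# decoder for Win32_Tpm return values. Assumes an elevated PowerShell 2.0+ session on
# Windows 7; it issues no physical-presence request and changes no TPM state.

$tpmNamespace = 'root\CIMV2\Security\MicrosoftTpm'

function Get-TpmDiagnostics {
    # 1. WMI exposure: on the three broken notebooks this returned nothing, which is why
    #    every later $oTPM.<Method>() call died with "method on a null-valued expression".
    $oTPM = Get-WmiObject -Namespace $tpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue

    # 2. TPM Base Services (service name TBS) must be running for Win32_Tpm to answer.
    $tbs = Get-Service -Name TBS -ErrorAction SilentlyContinue
    $tbsStatus = 'NotInstalled'
    if ($tbs) { $tbsStatus = [string]$tbs.Status }

    # 3. Which driver is bound to the TPM device. The fix in the post moved the device from
    #    the Broadcom-supplied driver (under System Devices) to the inbox Microsoft driver
    #    (under Security Devices); DriverProviderName shows which one is loaded.
    $driver = Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like '*Trusted Platform Module*' -or $_.DeviceName -like '*TPM*' } |
        Select-Object -First 1
    $provider = 'NoTpmDeviceFound'
    $devClass = ''
    if ($driver) { $provider = $driver.DriverProviderName; $devClass = $driver.DeviceClass }

    $result = New-Object PSObject -Property @{
        WmiObjectPresent = ($oTPM -ne $null)
        TbsStatus        = $tbsStatus
        DriverProvider   = $provider
        DeviceClass      = $devClass
        IsEnabled        = $null
        IsActivated      = $null
        IsOwned          = $null
    }
    if ($oTPM) {
        # Each Win32_Tpm query method returns an object whose property has the method's name.
        $result.IsEnabled   = $oTPM.IsEnabled().IsEnabled
        $result.IsActivated = $oTPM.IsActivated().IsActivated
        $result.IsOwned     = $oTPM.IsOwned().IsOwned
    }
    return $result
}

function ConvertTo-TpmReturnText {
    # Translates Win32_Tpm ReturnValue codes (the HRESULTs printed in the output above).
    param([Parameter(Mandatory = $true)][uint32]$ReturnValue)
    switch ($ReturnValue) {
        0          { 'Success' }
        2150105089 { 'TPM_E_AUTHFAIL (0x80280001): owner authorization was rejected' }
        2150105108 { 'TPM_E_OWNER_SET (0x80280014): the TPM already has an owner' }
        default    { 'Unlisted TPM/TBS error 0x{0:X8}; look it up in winerror.h' -f $ReturnValue }
    }
}

# Usage
$diag = Get-TpmDiagnostics
$diag | Format-List
if (-not $diag.WmiObjectPresent) {
    Write-Warning 'Win32_Tpm is not reachable; fix the TPM driver / TBS service before running tpmactivate.ps1'
}
0, 2150105089, 2150105108 | ForEach-Object { ConvertTo-TpmReturnText $_ }
```

Run it before the ownership script in the task sequence: if WmiObjectPresent is false or DriverProvider is not Microsoft, the notebook has the same driver problem described above and the ownership script will fail in the same way.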

Two new compute-intensive instances are now generally available for use with Windows Azure Cloud Services

I received an email from Microsoft yesterday introducing two new compute-intensive instances in Windows Azure.  They’re pretty powerful, and expensive.  Not only are the processor and RAM way up there, but you get a 40 Gbit/s InfiniBand network with RDMA!  If your company needs this kind of server it’s available now in Windows Azure.  Remember, if you deallocate a VM you don’t have to pay for the compute cycles.  I do this often in my lab up in Azure to save money when I’m not doing anything.

 

Dear Customer,

Two new compute-intensive instances are now generally available for use with Windows Azure Cloud Services: 8 virtual cores with 56 GB of RAM, and 16 virtual cores with 112 GB of RAM.

Today we’re announcing the general availability (GA) of two new instances for use with Windows Azure Cloud Services. Called A8 and A9, they feature 8 virtual cores with 56 gigabytes (GB) and 16 virtual cores with 112 GB of memory, respectively.
A8 and A9 belong to a new category of instances called compute-intensive instances that provide faster processors and more virtual cores for higher compute power, larger amounts of memory, and a 40 Gbit/s InfiniBand network that includes remote direct memory access (RDMA) technology for maximum efficiency of parallel Message Passing Interface (MPI) applications.
The pricing for these new instances is shown in the table below.

Compute instance     GA price per hour
Cloud Services A8    $2.45
Cloud Services A9    $4.90

Compute-intensive instances are optimal for running compute and network-intensive applications such as high-performance cluster applications, applications using modeling, simulation and analysis, and video encoding. Please consider using the new A8 and A9 instances for running your compute and network-intensive applications.
For more information on using Windows Azure Cloud Services and pricing, please visit the Cloud Services website.
Thank you,
Windows Azure Team

 


iOS 6.1: Excess Exchange activity after accepting an exception to recurring calendar event

I’ve been hearing about a lot of problems in Microsoft Exchange 2010 and above right after Apple rolled out iOS 6.1. Below is the text from Apple’s support site and a link directly to the page.

http://support.apple.com/kb/TS4532

Symptoms

When you respond to an exception to a recurring calendar event with a Microsoft Exchange account on a device running iOS 6.1, the device may begin to generate excessive communication with Microsoft Exchange Server. You may notice increased network activity or reduced battery life on the iOS device. This extra network activity will be shown in the logs on Exchange Server and it may lead to the server blocking the iOS device. This can occur with iOS 6.1 and Microsoft Exchange 2010 SP1 or later, or Microsoft Exchange Online (Office365).

* An exception is a change to a single instance of a repeating calendar event.

 

Resolution

Apple has identified a fix and will make it available in an upcoming software update. In the meantime, you can avoid this bug by not responding to an exception to a recurring event on your iOS device. If you do experience the symptoms described above, disable then reenable the Exchange calendar on your iOS device using the steps below.

1. Go to Settings > Mail, Contacts, Calendars

2. Select the Exchange account from your Accounts list.

3. Turn the switch for Calendars to OFF.

4. Wait ten seconds.

5. Turn the switch for Calendars back to ON.

 

This document will be updated as more information becomes available.

 

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.

How to move a guest virtual machine from one Microsoft Windows 2012 Hyper-V server to another Microsoft Windows 2012 Hyper-V server

Windows Server 2012 has tons of new and great features built into it.  One of my favorites is the ability to move a guest virtual machine from one Hyper-V server to another with no downtime.  I’m not talking a cluster here but actually moving an entire guest VM from one physical server’s local disk to another physical server’s local disk over the network without using any shared storage!

In this example I’m going to move a VM named DC01 (my domain controller) from Host1 to Host2.  What Hyper-V does is copy the VHDX from Host1 to Host2 while it’s still online, copy over the change files, then make the switch from Host1 to Host2 instantly.

  • Right click the VM DC01 on Host1 and choose Move.
    [screenshot]
  • Next.
    [screenshot]
  • In this example I want to move the entire VM from one Hyper-V server to another, so I’ll choose "Move the virtual machine".  If I just wanted to move the storage I would choose the other option.
    [screenshot]
  • Host2 is the destination.
    [screenshot]
  • I want to just move it using the defaults, so I’ll choose "Move the virtual machine’s data to a single location".
    [screenshot]
  • I’m going to browse and choose the destination folder.
    [screenshots]
  • Finish.
    [screenshot]
  • The move begins without taking DC01 down or off-line.  You’ll see in the screenshots below the progress of moving the 10GB VHDX.  The percentage gauge is not accurate.  You’ll see how it’s still 9% when 9GB has been transferred.
    [progress screenshots from Host1 and Host2, side by side]
  • Host1: the DC01 VM is gone.
    [screenshot]
  • Host2: the DC01 VM is now on Host2.
    [screenshot]
  • The amount of time it takes DC01 to go off-line on Host1 and on-line on Host2 is pretty darn fast.  Please ignore the response time while it’s being moved.  Since this is my budget-friendly personal lab I’m not using best practices such as multiple NICs for now.  I’m also still running a 100 Mbit/s LAN.  I plan on upgrading soon.  After the VM is running on Host2 my response times are back to “normal”.
    [screenshot]

All of that and just missing one single ping.  Not bad if you ask me. 
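The same shared-nothing move driven from PowerShell on Host1, as an added example that is not part of the original post. It covers the two things the wizard hides: the one-time migration settings on each host (authentication type and which network the migration traffic may use) and a background ping so you can count the dropped replies yourself rather than watching a ping window. Assumed: Windows Server 2012 Hyper-V on both domain-joined hosts, an elevated session on Host1, and that the destination folder D:\VMs\DC01 and the 192.168.50.0/24 migration subnet are illustrative values.

```powershell
# Added example, not part of the original post: shared-nothing live migration of DC01
# from Host1 to Host2 via the Hyper-V module, with a ping running during the move.
# Assumes Windows Server 2012 Hyper-V on both hosts, both domain-joined, an elevated
# session on Host1; 'D:\VMs\DC01' and 192.168.50.0/24 are illustrative values.

function Enable-SharedNothingMigration {
    # Run once on BOTH hosts. Kerberos needs constrained delegation in AD for the 'cifs'
    # and 'Microsoft Virtual System Migration Service' services on each host; CredSSP
    # avoids that but only for moves started from an interactive session on the source host.
    param([string]$MigrationSubnet)
    Enable-VMMigration
    Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos
    if ($MigrationSubnet) {
        # A domain controller's memory and disks cross the wire here: pin the traffic to a
        # dedicated, trusted subnet instead of letting it use any NIC on the host.
        Set-VMHost -UseAnyNetworkForMigration $false
        Add-VMMigrationNetwork -Subnet $MigrationSubnet
    } else {
        Set-VMHost -UseAnyNetworkForMigration $true   # single-NIC lab, as in the post
    }
}

function Move-VMWithPingCheck {
    param([string]$Name, [string]$DestinationHost, [string]$DestinationPath)
    # Background ping (one per second) against the guest for the duration of the move.
    $job = Start-Job -ArgumentList $Name -ScriptBlock {
        param($h) Test-Connection -ComputerName $h -Count 3600 -ErrorAction SilentlyContinue
    }
    $start = Get-Date
    # Equivalent of the wizard choices: move the whole VM, all data to one folder on Host2's local disk.
    Move-VM -Name $Name -DestinationHost $DestinationHost -IncludeStorage -DestinationStoragePath $DestinationPath
    $elapsed = [int]((Get-Date) - $start).TotalSeconds
    Stop-Job $job
    $replies = @(Receive-Job $job | Where-Object { $_.StatusCode -eq 0 }).Count
    Remove-Job $job
    # Confirm the VM is now registered and running on the destination host.
    $moved = Get-VM -ComputerName $DestinationHost -Name $Name
    New-Object PSObject -Property @{
        Name              = $Name
        NowOn             = $DestinationHost
        State             = [string]$moved.State
        Path              = $moved.Path
        Seconds           = $elapsed
        RepliesReceived   = $replies
        RepliesLostApprox = [Math]::Max(0, $elapsed - $replies)   # one ping per second
    }
}

# Usage (after Enable-SharedNothingMigration has been run on Host1 and Host2):
Move-VMWithPingCheck -Name 'DC01' -DestinationHost 'Host2' -DestinationPath 'D:\VMs\DC01'
```

RepliesLostApprox is an estimate (elapsed seconds minus answered pings); on the 100 Mbit/s lab above it should come out at about one, matching the single missed ping reported.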

Anti-Virus Exclusions

Always remember when introducing new servers and workstations into an environment to review the anti-virus exclusions for that server or workstation.  You don’t want your AV software scanning VHDs, Cluster Shared Volumes, SQL databases, Exchange databases, and files like those.  It’s really easy to roll out a new server and not take the time to exclude certain files, folders, and processes.

I recommend having anti-virus on ALL workstations and servers, following best practices in regards to exclusions.  Microsoft even recommends certain exclusions for all Windows-based systems.  I also strongly recommend having different AV groups, each with different exclusions based on the role of the server.  I’ve seen too many times where there is a single AV policy with exclusions for Hyper-V, clustering, SQL, Exchange, AD, and things like that all in one policy.  You can do too much excluding also.  An example of this is excluding the Windows folder and its subfolders.

Below is a great page that has tons of links to official and unofficial Microsoft recommendations for anti-virus exclusions.

http://social.technet.microsoft.com/wiki/contents/articles/953.windows-anti-virus-exclusion-list-en-us.aspx
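As an added example (not from the original post), this is what a role-based exclusion set looks like in code rather than a single catch-all policy: it derives the Hyper-V exclusions from the paths the host is actually using, refuses the over-broad "exclude the Windows folder" kind of entry, and only commits when asked. It assumes a Hyper-V host with the Microsoft Defender cmdlets (Add-MpPreference and Get-MpPreference, shipped with Windows Server 2016 and later, so the 2012 hosts in these posts would need the equivalent entries in their AV console) and an elevated session. The file-type and process list is the published Hyper-V guidance from the link above.

```powershell
# Added example, not from the original post. Builds a Hyper-V-role exclusion list from
# what the host is actually running, rejects over-broad exclusions, and applies them
# only with -Apply. Assumes an elevated session on a Hyper-V host that has the Microsoft
# Defender cmdlets (Windows Server 2016 or later).

function Test-ExclusionTooBroad {
    # True for anything that would blanket-exclude the OS: a drive root, the Windows
    # folder itself, or any parent of the Windows folder.
    param([string]$Path)
    $p = $Path.TrimEnd('\') + '\'
    $windir = $env:SystemRoot.TrimEnd('\') + '\'
    return ($p -match '^[A-Za-z]:\\$') -or ($windir -like ($p + '*'))
}

function Get-HyperVExclusionPlan {
    $vmHost = Get-VMHost
    # Host defaults plus wherever the existing VMs and their disks really live.
    $paths = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath)
    foreach ($vm in Get-VM) {
        $paths += $vm.Path
        foreach ($disk in Get-VMHardDiskDrive -VM $vm) { $paths += Split-Path $disk.Path -Parent }
    }
    $paths    = @($paths | Where-Object { $_ } | Sort-Object -Unique)
    $rejected = @($paths | Where-Object { Test-ExclusionTooBroad $_ })
    $paths    = @($paths | Where-Object { -not (Test-ExclusionTooBroad $_) })

    New-Object PSObject -Property @{
        Paths      = $paths
        Rejected   = $rejected
        # Published Hyper-V guidance: virtual disks, differencing disks, saved state, and the VM worker processes.
        Extensions = @('vhd', 'vhdx', 'avhd', 'avhdx', 'vsv', 'bin')
        Processes  = @('vmms.exe', 'vmwp.exe')
    }
}

function Set-HyperVExclusions {
    param([switch]$Apply)
    $plan = Get-HyperVExclusionPlan
    if ($plan.Rejected.Count -gt 0) {
        Write-Warning ('Refusing over-broad exclusions: ' + ($plan.Rejected -join ', '))
    }
    if (-not $Apply) { return $plan }   # preview: show what would be excluded
    Add-MpPreference -ExclusionPath $plan.Paths -ExclusionExtension $plan.Extensions -ExclusionProcess $plan.Processes
    Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess
}

Set-HyperVExclusions            # preview only
# Set-HyperVExclusions -Apply   # commit the Hyper-V role exclusions on this host
```

Keep one such function per server role (SQL, Exchange, AD, and so on) and apply only the matching one to each group; a host that is both a Hyper-V server and a file server gets two small, reviewable sets rather than everything at once.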

Considerations when using file-based antivirus software on Forefront Edge Products

http://technet.microsoft.com/en-us/library/cc707727.aspx

Basically Microsoft is saying it’s OK to have file-based antivirus software on Forefront Edge products as long as the exclusions listed in the TechNet article are followed.  These products are (as of the date this blog was created):

ISA 2000

ISA 2004

ISA 2006

IAG 2007

TMG

UAG

I vaguely remember a few years ago Microsoft’s stance was no file-based antivirus software on any “firewall” product.  The reason was that the more software you have on an edge product, the more exploits are available.  I can’t remember if I heard that online, from someone, or at the Forefront Airlift.  Either way, Microsoft’s stance today is that file-based antivirus on Forefront Edge products is OK as long as the exclusions are followed.
