How to Clear a TPM 2.0 chip with SCCM and PowerShell

With TPM 1.2, SCCM could clear the TPM during the Task Sequence without asking the user for permission. With TPM 2.0, SCCM cannot clear and activate the TPM chip during the deployment. The symptom shows up on the first boot: either you are asked for a BitLocker Recovery Key, or the tpm.msc console reports that the TPM is ready for use, with reduced functionality.

I found a script online that I have added to my GitHub to clear the TPM 2.0 chip during the deployment. You need to reboot the computer after running this script, and after the reboot the UEFI firmware shows a pop-up asking the user for permission to clear the TPM chip (Physical Presence). I heard from a vendor that Microsoft is working on a workaround to suppress the Physical Presence prompt during the deployment. You could experiment with the "NoPPIclear" TPM setting (the SetNoPPIClear_True operation of the TCG Physical Presence Interface) to disable this physical-presence requirement the next time you deploy a computer; whether the firmware honours it is vendor-specific.

Your Task Sequence should look like this:
– Run the PowerShell script from the URL above
– Restart Computer (You will see the Physical Presence prompt after the reboot)
– Enable BitLocker Task
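As an added example (not the script from the post's GitHub repository), the following PowerShell does the work of the first Task Sequence step through the Win32_Tpm WMI class, which is available both in WinPE and in full Windows. The Physical Presence Interface operation numbers (5, 14, 18) are the ones the TCG PPI specification defines and that Win32_Tpm.SetPhysicalPresenceRequest accepts; the task-sequence variable name TPMClearRequested and the 14 (clear, enable, activate) choice are this example's assumptions, and the "NoPPIclear" attempt is the experiment the text suggests, not a guaranteed bypass.

```powershell
# Added example: request a TPM 2.0 clear from an SCCM task sequence via Win32_Tpm.
# PPI operation numbers (TCG Physical Presence Interface, as used by Win32_Tpm):
#   5  = Clear
#   14 = Clear + Enable + Activate
#   18 = SetNoPPIClear_True (ask the firmware to stop requiring presence for Clear;
#        vendor-specific, many firmwares ignore it, and the request itself may
#        need one confirmation)
# 'TPMClearRequested' is an assumed task-sequence variable name for this example.

$ErrorActionPreference = 'Stop'
$ClearOp    = 14
$NoPPIClear = 18

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { Write-Host 'No TPM present, nothing to do.'; exit 0 }

# State as the OS currently sees it (the "reduced functionality" case is typically
# IsReady = False with a non-zero Information bitmask after a fresh deployment).
$ready = $tpm.IsReadyInformation()
Write-Host ("TPM enabled={0} activated={1} owned={2} ready={3} info=0x{4:X}" -f `
    $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated,
    $tpm.IsOwned().IsOwned, $ready.IsReady, $ready.Information)

# GetPhysicalPresenceConfirmationStatus -> ConfirmationStatus:
#   0 not implemented, 1 BIOS only, 2 blocked by BIOS configuration,
#   3 allowed but needs user confirmation, 4 allowed without confirmation
$status = $tpm.GetPhysicalPresenceConfirmationStatus($ClearOp).ConfirmationStatus
Write-Host "Confirmation status for operation $ClearOp : $status"

if ($status -eq 2) {
    Write-Host 'Clear is blocked in firmware configuration; fix the BIOS setting first.'
    exit 1
}

if ($status -eq 3) {
    # The experiment from the text: ask the firmware to drop the presence requirement.
    # On firmware that honours it, a later Clear goes through without a prompt.
    $rc = $tpm.SetPhysicalPresenceRequest($NoPPIClear).ReturnValue
    Write-Host "SetNoPPIClear_True request returned $rc (0 = accepted)"
}

# Queue the clear. The firmware performs it on the next boot; with status 3 the user
# still gets the UEFI prompt, which is the behaviour described in the post.
$rc = $tpm.SetPhysicalPresenceRequest($ClearOp).ReturnValue
if ($rc -ne 0) {
    Write-Host "SetPhysicalPresenceRequest($ClearOp) failed with $rc"
    exit $rc
}

# GetPhysicalPresenceTransition: 0 none, 1 shutdown, 2 reboot, 3 OS-vendor specific.
$transition = $tpm.GetPhysicalPresenceTransition().PhysicalPresenceTransition
Write-Host "Required transition: $transition (expect 2 = reboot)"

# Tell the task sequence the clear is pending so the following Restart step runs.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMClearRequested') = 'True'
} catch {
    Write-Host 'Not running inside a task sequence; reboot manually to apply the clear.'
}
exit 0
```

Run it as a "Run PowerShell Script" step with the execution policy set to Bypass, directly before the Restart Computer step; the Enable BitLocker step only succeeds once the firmware has processed the pending request on the reboot, so keep that order.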

One thought on “How to Clear a TPM 2.0 chip with SCCM and PowerShell”

  1. Been having the same battle with vendors and Microsoft for a year or two now.
    Some hardware vendors do allow you to disable the need for physical presence to clear the TPM in the BIOS, but regretfully most do not.
    Lenovo is one of those who do, and using a custom PS script I can now clear the TPM when rebuilding using SCCM, and the build will go through start to finish with no user interaction.
    But I agree it’s a pain, since a lot of vendors won’t provide you with this functionality in the BIOS, and after lengthy discussions with a certain vendor they eventually gave up looking at the issue as far as I can tell.
