Month: December 2019

Enable TPM inventory

So a couple of weeks ago I wrote a post on how to verify that your computers are running UEFI and Secure Boot (read here). After that there was a post on the importance of staying supported with up-to-date hardware (read that here). As a follow-up to both of them, there is another part that should be monitored as we move deeper into Windows as a Service. This becomes especially true when we look at today's security landscape and the need to enable all of the new security features.

Some of these new features require a TPM, and some of them specifically require TPM 2.0 (Device Guard, Credential Guard and Windows Hello for Business are the usual examples). Whether a machine qualifies can be inventoried using tools like Microsoft Endpoint Manager. The issue is that by default ConfigMgr only inventories whether a TPM is present, enabled and owned. It does not keep track of the TPM spec version, so you cannot tell a 1.2 chip from a 2.0 chip from the inventory data.

So this is a quick fix. Open the client settings that target your workstations and laptops, go to Hardware Inventory and click Set Classes. If you search for TPM you will find the TPM class with the SpecVersion property unchecked. Check it, watch the inventory data flow in after the next hardware inventory cycle, and make decisions based on it.
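To see what the TPM class actually reports before and after you enable SpecVersion, here is an added PowerShell example (mine, not from the original post) that reads the same WMI class the ConfigMgr hardware inventory collects, Win32_Tpm, and reports whether the chip is 2.0. The second function queries the site database once the data has been inventoried; the view name v_GS_TPM and column SpecVersion0 follow the standard ConfigMgr naming for the TPM class and are an assumption, as are the server and database names you pass in.

```powershell
# Added example: check TPM presence and spec version the way ConfigMgr inventory sees it.
# Assumptions: Windows 10 client, TPM visible to the OS, run as administrator.

function Get-TpmInventoryRecord {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_Tpm lives in the MicrosoftTpm namespace, not in root\cimv2.
    $cim = @{
        Namespace   = 'root\CIMV2\Security\MicrosoftTpm'
        ClassName   = 'Win32_Tpm'
        ErrorAction = 'SilentlyContinue'
    }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }
    $tpm = Get-CimInstance @cim

    if (-not $tpm) {
        # No instance: TPM absent, disabled in firmware, or not exposed to the OS.
        return [pscustomobject]@{
            ComputerName = $ComputerName; Present = $false; IsEnabled = $null
            IsActivated  = $null; IsOwned = $null; SpecVersion = $null; IsTpm20 = $false
        }
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.38" or "1.2, 2, 3".
    # The first field is the TCG specification version, which is what the security
    # features care about; the rest is revision detail.
    $specMajor = ($tpm.SpecVersion -split ',')[0].Trim()
    $isTpm20 = $false
    try { $isTpm20 = ([version]$specMajor -ge [version]'2.0') } catch { }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Present      = $true
        IsEnabled    = $tpm.IsEnabled_InitialValue
        IsActivated  = $tpm.IsActivated_InitialValue
        IsOwned      = $tpm.IsOwned_InitialValue
        SpecVersion  = $tpm.SpecVersion
        IsTpm20      = $isTpm20
    }
}

# Once SpecVersion is enabled in the client settings, the same value lands in the site
# database. Assumption: view v_GS_TPM, column SpecVersion0 (ConfigMgr naming for the
# TPM class). $SqlServer and $Database (e.g. CM_P01) are hypothetical values.
function Get-TpmSpecVersionReport {
    param(
        [Parameter(Mandatory)][string]$SqlServer,
        [Parameter(Mandatory)][string]$Database
    )
    $query = @"
SELECT sys.Name0                   AS ComputerName,
       tpm.IsEnabled_InitialValue0 AS IsEnabled,
       tpm.IsOwned_InitialValue0   AS IsOwned,
       tpm.SpecVersion0            AS SpecVersion
FROM   v_R_System sys
LEFT JOIN v_GS_TPM tpm ON tpm.ResourceID = sys.ResourceID
"@
    # A NULL SpecVersion after the next inventory cycle means the client either has no TPM
    # or has not yet reported with the new class definition.
    Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query |
        Select-Object ComputerName, IsEnabled, IsOwned, SpecVersion,
            @{ n = 'IsTpm20'; e = { $_.SpecVersion -and (($_.SpecVersion -split ',')[0].Trim() -like '2.*') } }
}

# Local check on the machine you run this on:
Get-TpmInventoryRecord | Format-List
```

Run the first function on a machine you expect to be TPM 2.0 before you change the client settings; if it reports SpecVersion "1.2, ..." the device needs a firmware update or replacement rather than an inventory tweak.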


Happy deployments!

/Peter

Supported Hardware

For some reason, on the last couple of engagements there have been discussions on what it means to run supported hardware and why that is important. For me this has always been a no-brainer: I refuse to be the last person expected to solve everything. This applies to everything I do; if there is an issue I don't want to be the last stop, the one everyone expects to magically fix everything. This is especially true for devices, so I always make sure the devices we run are supported.

Now, in the old days of Windows 7 this was not a big issue. The same device that was supported 5 years ago was usually still supported later on as well, and since the same OS was run everything stayed the same. With Windows 10 it's a different story. And before you start screaming "<insert brand name> should fix this" or "I will switch to <insert other brand name>", you need to consider why this is happening and what the consequences of a change actually are.

So if we look at why, well, it's pretty simple and, as with a lot of other things, it basically boils down to money. Intel/AMD want to make more money, and the way they do that is to sell more CPUs. To sell more CPUs to enterprise customers (who don't just swap CPUs) they need to speed up how often they release new generations. This, together with the fact that newer CPUs are more secure and faster by design, means that Microsoft also has to step up and release new versions of the OS more often (exactly how often is a different discussion). All of this means that the vendors have to supply new models with the new CPUs more often, and since they don't want to support a million different models (support costs money) they shorten the support cycles.


The other side of this is that even if you were to change to a different vendor, odds are they are doing the same thing, and you would still have all of your old models lying around and would still have to deal with them, with everything that entails regarding both support and firmware updates.

So if we establish that we cannot solve the issue by moving to another vendor, the solution is to have a lifecycle process that makes sure old hardware is replaced in a timely fashion. Besides keeping you supported, this will also make it easier to stay compliant with patching and firmware updates, as you get better control over the actual devices running in your organization.

So there are three links you should keep track of (since I am assuming you are running one of the big vendors). The list is in no particular order and is here to help you find the information.

For Lenovo
https://support.lenovo.com/se/en/solutions/ht509394

For HP
https://support.hp.com/bg-en/document/c05195282

For Dell
https://www.dell.com/support/article/us/en/04/sln297954/dell-computers-tested-for-windows-10-november-2019-update-and-previous-versions-of-windows-10?lang=en


Happy deployments!

/Peter

#MEMCM and the stuck hotfix

While doing a new install at a customer over the last couple of weeks we ran into a strange issue. To make matters worse, this is an offline site, so all the normal posts and tricks don't apply.

Now, the issue here is that when we run the serviceconnectiontool it creates a telemetry file and downloads the needed hotfixes and upgrades. This all works as intended; the challenge is that once the downloaded files have been imported over and the tool run on the primary again, the hotfix is stuck as "available to download". In most scenarios a simple restart of SMS_EXECUTIVE kicks the download process a bit. However, in an offline scenario re-downloading the patch doesn't really help, since the site server has nothing to download from.

After a bit of looking and troubleshooting it turns out that I'm not the first (and probably not the last) to encounter this. Prajwal Desai has made a post on how to fix this on an online system; read the full post here: https://www.prajwaldesai.com/sccm-1906-hotfix-download-issues/. What he either doesn't know or hasn't encountered yet is that the same principles apply to offline systems as well, meaning you should run the serviceconnectiontool as described in the official documentation. When done, you still execute the stored procedure spAddPackageToDownload with the package GUID as described in his post. Then restart the SMS_EXECUTIVE service and wait for the extraction of the cab file to happen. The hotfix will then be available to install as expected.
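Rather than guessing when the extraction has finished, here is an added PowerShell snippet (mine, not from the original post or Prajwal's) that restarts SMS_EXECUTIVE after the stored procedure has been run and then waits for the site server to unpack the hotfix before you go back to the console. The install directory and the package GUID are hypothetical placeholders; replace them with the values from your site.

```powershell
# Added example: bounce SMS_EXECUTIVE and wait for the hotfix cab to be extracted.
# Assumptions (hypothetical values): site server install path and hotfix package GUID.
# Run on the primary site server as an administrator, after spAddPackageToDownload
# has been executed for that GUID.
param(
    [string]$InstallDir     = 'D:\Program Files\Microsoft Configuration Manager',
    [string]$PackageGuid    = '00000000-0000-0000-0000-000000000000',
    [int]   $TimeoutMinutes = 30
)

# The site server extracts update packages under EasySetupPayload\<PackageGuid>,
# and logs the process in CMUpdate.log.
$payloadDir  = Join-Path $InstallDir "EasySetupPayload\$PackageGuid"
$cmUpdateLog = Join-Path $InstallDir 'Logs\CMUpdate.log'

Restart-Service -Name SMS_EXECUTIVE -Force

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    # "Extracted" means the payload folder exists and already contains files,
    # not just an empty directory created at the start of the extraction.
    $fileCount = (Get-ChildItem -Path $payloadDir -Recurse -File -ErrorAction SilentlyContinue |
                  Measure-Object).Count
    $extracted = (Test-Path $payloadDir) -and ($fileCount -gt 0)
} until ($extracted -or (Get-Date) -gt $deadline)

if ($extracted) {
    "Hotfix $PackageGuid extracted to $payloadDir ($fileCount files). Check the console for 'Ready to install'."
} else {
    "No extraction seen within $TimeoutMinutes minutes. Last lines of CMUpdate.log:"
    Get-Content -Path $cmUpdateLog -Tail 40 -ErrorAction SilentlyContinue
}
```

If the timeout hits, CMUpdate.log is the place to look; on an offline site the usual culprit is that the imported package set did not include the cab for that GUID, in which case the stored procedure has nothing to hand to the extraction step.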


A shout-out to Prajwal for documenting the fix!

Happy deployments!

/Peter