So a couple of weeks ago I wrote a post on how to verify that your computers are running UEFI and Secure Boot (read it here). After that came a post on the importance of staying supported with up-to-date hardware (read that here). As a follow-up to both, there is one more component that should be monitored as we move deeper into Windows as a Service. This is especially true given today's security landscape and the need to enable all of the new security features.
Some of these features require a TPM, and some specifically require TPM 2.0. This can be inventoried with tools like Microsoft Endpoint Manager (ConfigMgr). The catch is that, by default, ConfigMgr only inventories whether a TPM is present, enabled and owned. It does not collect the TPM spec version, so you cannot tell a 1.2 module from a 2.0 module in your inventory data.
This is a quick fix. Open the client settings that target your workstations and laptops and enable the TPM spec version: go to the Hardware Inventory page, open the classes list, and search for TPM. You will find that Spec Version is unchecked, so go ahead and check it. Then watch the inventory data flow in and make decisions based on it.
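While the inventory data is trickling in (or to spot-check a machine that reports oddly), you can read the same value straight from the Win32_Tpm WMI class that the ConfigMgr TPM inventory class is built on. The following is an added example, not code from the original post; the computer names are placeholders, and it assumes you run it elevated with WinRM access to the targets, since the MicrosoftTpm namespace requires administrator rights.

```powershell
# Added example (not from the original post): read TPM presence, state and spec version
# from Win32_Tpm, the WMI class behind the ConfigMgr TPM hardware inventory class.
# Requires an elevated session; remote queries go over WinRM. Computer names are placeholders.

function Get-TpmSpecInfo {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($c in $ComputerName) {
        try {
            $tpm = Get-CimInstance -ComputerName $c `
                -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction Stop
        } catch {
            # Unreachable host, no WinRM, or access denied: report it instead of silently skipping
            [pscustomobject]@{ ComputerName = $c; Present = $false; Enabled = $null; Owned = $null
                               SpecVersion = $null; Tpm20 = $false; Note = $_.Exception.Message }
            continue
        }

        if (-not $tpm) {
            # Query succeeded but returned no instance: either no TPM, or it is disabled in
            # firmware so Windows never exposes it. Either way it cannot satisfy a TPM 2.0 requirement.
            [pscustomobject]@{ ComputerName = $c; Present = $false; Enabled = $false; Owned = $false
                               SpecVersion = $null; Tpm20 = $false; Note = 'No Win32_Tpm instance' }
            continue
        }

        # SpecVersion is a comma-separated string such as "2.0, 0, 1.16" or "1.2, 2, 3";
        # the first field is the TCG spec family, which is what the new security features care about.
        $family = ($tpm.SpecVersion -split ',')[0].Trim()

        [pscustomobject]@{
            ComputerName = $c
            Present      = $true
            Enabled      = $tpm.IsEnabled_InitialValue
            Owned        = $tpm.IsOwned_InitialValue
            SpecVersion  = $tpm.SpecVersion
            Tpm20        = ($family -eq '2.0')
            Note         = ''
        }
    }
}

# Placeholder computer names; in practice feed this from a collection export or AD query.
Get-TpmSpecInfo -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
```

Machines that come back with Present = $true but Tpm20 = $false are the ones to chase: a 1.2 module cannot be upgraded to 2.0 by a firmware switch on most hardware, so that is a hardware refresh conversation, not a configuration one.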
While doing a new install at a customer over the last couple of weeks we ran into a strange issue. To make matters worse, this is an offline site, so all the usual posts and tricks don't apply.
The issue is this: when we run the ServiceConnectionTool it creates a telemetry (usage data) file and downloads the needed hotfixes and upgrades. That all works as intended. The challenge is that once the downloaded files have been imported and the tool has been run on the primary again, the hotfix is stuck as "Available to download". In most (online) scenarios a simple restart of SMS_EXECUTIVE, or giving the download process a bit of a kick, sorts it out. In an offline scenario, however, re-downloading the patch doesn't help, because there is nothing for the site server to download from.
After a bit of looking and troubleshooting it turns out that I'm not the first (and probably not the last) to encounter this. Prajwal Desai has written a post on how to fix it on an online system; read the full post here: https://www.prajwaldesai.com/sccm-1906-hotfix-download-issues/. What he either doesn't know or hasn't encountered yet is that the same principles apply to offline systems as well. That means you run the ServiceConnectionTool as described in the official documentation, and when that is done you still execute the stored procedure spAddPackageToDownload with the package GUID, as described in his post. Then restart the SMS_EXECUTIVE service and wait for the extraction of the cab file to happen. After that the hotfix is available to install as expected.
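To make the offline sequence concrete, here is the whole round trip as one script: the three ServiceConnectionTool phases, then the database kick from Prajwal's post, then the service restart. This is an added example and not code from the original post or from Prajwal's article. It assumes the SqlServer module (Invoke-Sqlcmd) on the box you run it from, SQL access to the site database, and that the CM_UpdatePackages table carries PackageGuid, Name and State columns; server names, paths, the database name and the hotfix name pattern are placeholders. Passing the GUID to spAddPackageToDownload as a single positional string argument is also an assumption; check the form Prajwal shows against your site before running it.

```powershell
# Added example, not from the original post or from Prajwal Desai's article.
# Assumes: SqlServer module (Invoke-Sqlcmd), SQL rights on the site DB, and that
# CM_UpdatePackages exposes PackageGuid, Name and State. All names/paths are placeholders.
# Direct site-database changes are unsupported by Microsoft: take a DB backup first.

$SiteServer = 'CMSITE01'       # placeholder: primary site server
$SqlServer  = 'CMSQL01'        # placeholder: site database instance
$Database   = 'CM_PS1'         # placeholder: site database name
$HotfixName = '%Hotfix%'       # placeholder: LIKE pattern matching the stuck hotfix name in the console
$ToolDir    = 'D:\CM\cd.latest\SMSSETUP\TOOLS\ServiceConnectionTool'   # placeholder
$Transfer   = 'E:\SCT'         # placeholder: removable media / transfer share

# --- ServiceConnectionTool round trip (the documented offline workflow, paths are placeholders) ---
# Phase 1, on the offline site server: export usage data.
#   & "$ToolDir\ServiceConnectionTool.exe" -prepare -usagedatadest "$Transfer\UsageData.cab"
# Phase 2, on an internet-connected machine: upload usage data, download update packs.
#   & "$ToolDir\ServiceConnectionTool.exe" -connect -usagedatasrc "$Transfer\UsageData.cab" -updatepackdest "$Transfer\UpdatePacks"
# Phase 3, back on the offline site server: import the downloaded packs.
#   & "$ToolDir\ServiceConnectionTool.exe" -import -updatepacksrc "$Transfer\UpdatePacks"

# --- If the hotfix then sits at "Available to download", kick it exactly as the post describes ---

function Get-StuckUpdatePackage {
    param([string]$NamePattern)
    # State is the raw numeric state code the console maps to "Available to download" etc.;
    # select on name so nothing else in the table is touched by mistake.
    Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query @"
SELECT PackageGuid, Name, State
FROM   CM_UpdatePackages
WHERE  Name LIKE '$NamePattern'
"@
}

$pkgs = Get-StuckUpdatePackage -NamePattern $HotfixName
$pkgs | Format-Table PackageGuid, Name, State -AutoSize

if (-not $pkgs) { throw "No package matched '$HotfixName'; refine the pattern before touching the DB." }

foreach ($p in $pkgs) {
    # One GUID per call, as in the referenced post (positional string argument is an assumption).
    Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database `
        -Query "EXEC spAddPackageToDownload '$($p.PackageGuid)'"
}

# Restart SMS_EXECUTIVE on the site server so the extraction of the cab is picked up.
Invoke-Command -ComputerName $SiteServer -ScriptBlock { Restart-Service -Name SMS_EXECUTIVE }

# Poll until the state code changes; the extraction is logged in dmpdownloader.log and CMUpdate.log
# on the site server, so tail those if nothing moves after a few minutes.
do {
    Start-Sleep -Seconds 60
    $now = Get-StuckUpdatePackage -NamePattern $HotfixName
    "{0:HH:mm:ss}  {1}" -f (Get-Date), (($now | ForEach-Object { "$($_.Name)=$($_.State)" }) -join ', ')
} while (($now.State | Sort-Object -Unique) -join ',' -eq ($pkgs.State | Sort-Object -Unique) -join ',')
```

Keep the ServiceConnectionTool phases in the order shown; running the stored procedure before the import has landed gives the site nothing to extract, which is the offline version of the "re-download does not help" trap from above.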
A shout-out to Prajwal for documenting the fix!