<#
.SYNOPSIS
Invoke TPM Firmware Update process.
.DESCRIPTION
This script will invoke a TPM update process for a variety of manufacturers from TPM 1.2 -> TPM 2.0 if necessary. This process can be run in WinPE.
.PARAMETER LogFileName
Set the name of the log file produced by the flash utility.
.EXAMPLE
.NOTES
FileName: Invoke-TPMUpgrade.ps1
Author: Richard tracy
Contact: richard.j.tracy@gmail.com
Created: 2018-08-24
Inspired: Anton Romanyuk
Version history:
1.1.0 - (2018-11-07) Script created
#>
##*===========================================================================
##* FUNCTIONS
##*===========================================================================
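Function Write-LogEntry {
    <#
    .SYNOPSIS
    Appends a CMTrace-formatted entry to the log file and optionally echoes it to the host.
    .PARAMETER Message
    Text of the entry. It is embedded verbatim in the CMTrace line (no escaping is applied).
    .PARAMETER Source
    Label used in the host echo instead of the script file name; it is not written to the file.
    .PARAMETER Severity
    CMTrace type: 0 or 1 informational, 2 warning, 3 error, 4 verbose. Defaults to 1 when omitted.
    .PARAMETER OutputLogFile
    Destination log file. Defaults to $Global:LogFilePath, which the VARIABLES section sets.
    .PARAMETER Outhost
    When set, the entry is also written to the console, coloured by severity.
    #>
    param(
        [Parameter(Mandatory=$true,Position=0,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$Message,
        [Parameter(Mandatory=$false,Position=2)]
        [string]$Source = '',
        [parameter(Mandatory=$false)]
        [ValidateSet(0,1,2,3,4)]
        [int16]$Severity,
        [parameter(Mandatory=$false, HelpMessage="Name of the log file that the entry will written to.")]
        [ValidateNotNullOrEmpty()]
        [string]$OutputLogFile = $Global:LogFilePath,
        [parameter(Mandatory=$false)]
        [switch]$Outhost
    )
    # CMTrace wants local time followed by the UTC offset in minutes, e.g. 10:15:00.000-300
    [string]$LogTime = (Get-Date -Format 'HH:mm:ss.fff').ToString()
    [string]$LogDate = (Get-Date -Format 'MM-dd-yyyy').ToString()
    [int32]$script:LogTimeZoneBias = [timezone]::CurrentTimeZone.GetUtcOffset([datetime]::Now).TotalMinutes
    [string]$LogTimePlusBias = $LogTime + $script:LogTimeZoneBias
    # Get the file name of the source script (used for the component/file fields)
    Try {
        If ($script:MyInvocation.Value.ScriptName) {
            [string]$ScriptSource = Split-Path -Path $script:MyInvocation.Value.ScriptName -Leaf -ErrorAction 'Stop'
        }
        Else {
            [string]$ScriptSource = Split-Path -Path $script:MyInvocation.MyCommand.Definition -Leaf -ErrorAction 'Stop'
        }
    }
    Catch {
        $ScriptSource = ''
    }
    # Severity 0 is allowed by ValidateSet but is falsy, so a plain `If(!$Severity)` silently
    # promoted it to 1. Only apply the default when the caller did not pass a value at all.
    If (-not $PSBoundParameters.ContainsKey('Severity')) { $Severity = 1 }
    $LogFormat = "<![LOG[$Message]LOG]!>" + "<time=`"$LogTimePlusBias`" " + "date=`"$LogDate`" " + "component=`"$ScriptSource`" " + "context=`"$([Security.Principal.WindowsIdentity]::GetCurrent().Name)`" " + "type=`"$Severity`" " + "thread=`"$PID`" " + "file=`"$ScriptSource`">"
    # Add value to log file
    try {
        Out-File -InputObject $LogFormat -Append -NoClobber -Encoding Default -FilePath $OutputLogFile -ErrorAction Stop
    }
    catch {
        # Placeholders: 0 = time, 1 = script name, 2 = log file, 3 = error text.
        # (The original reused {1} for the file name and read a non-existent .ErrorMessage property.)
        Write-Host ("[{0}] [{1}] :: Unable to append log entry to [{2}], error: {3}" -f $LogTimePlusBias,$ScriptSource,$OutputLogFile,$_.Exception.Message) -ForegroundColor Red
    }
    If($Outhost){
        If($Source){
            $OutputMsg = ("[{0}] [{1}] :: {2}" -f $LogTimePlusBias,$Source,$Message)
        }
        Else{
            $OutputMsg = ("[{0}] [{1}] :: {2}" -f $LogTimePlusBias,$ScriptSource,$Message)
        }
        Switch($Severity){
            0 {Write-Host $OutputMsg -ForegroundColor Green}
            1 {Write-Host $OutputMsg -ForegroundColor Gray}
            2 {Write-Warning $OutputMsg}
            3 {Write-Host $OutputMsg -ForegroundColor Red}
            4 {If($Global:Verbose){Write-Verbose $OutputMsg}}
            default {Write-Host $OutputMsg}
        }
    }
}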
# Start Main Code Here
# https://stackoverflow.com/questions/8761888/capturing-standard-out-and-error-with-start-process
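Function Execute-Command{
    <#
    .SYNOPSIS
    Runs an executable with stdout/stderr redirected and returns the captured output and exit code.
    .PARAMETER Title
    Friendly name of the command, copied to the commandTitle property of the result.
    .PARAMETER Path
    Full path of the executable. When it is empty or does not exist, a warning is logged and nothing is returned.
    .PARAMETER Arguments
    Argument string handed to the process unchanged. Callers put the BIOS password in it,
    so this function never writes it to the log.
    .OUTPUTS
    [pscustomobject] with commandTitle, stdout, stderr and ExitCode; nothing when the
    executable is missing or fails to start.
    #>
    param(
        [ValidateNotNullOrEmpty()]
        [string]$Title,
        [parameter(Mandatory=$false)]
        [string]$Path,
        [ValidateNotNullOrEmpty()]
        [string]$Arguments
    )
    # Test-Path itself errors on an empty string, so check that before probing the path
    If ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path)) {
        Write-LogEntry ("Unable to execute command [{0}]. Path not found" -f $Path) -Severity 2 -Outhost
        return
    }
    $p = $null
    Try{
        $pinfo = New-Object System.Diagnostics.ProcessStartInfo
        $pinfo.FileName = $Path
        $pinfo.RedirectStandardError = $true
        $pinfo.RedirectStandardOutput = $true
        $pinfo.UseShellExecute = $false
        $pinfo.Arguments = $Arguments
        $p = New-Object System.Diagnostics.Process
        $p.StartInfo = $pinfo
        $p.Start() | Out-Null
        # Drain stderr asynchronously while stdout is read synchronously. Calling WaitForExit()
        # before reading either redirected stream deadlocks as soon as a pipe buffer fills up.
        $stderrTask = $p.StandardError.ReadToEndAsync()
        $stdout = $p.StandardOutput.ReadToEnd()
        $p.WaitForExit()
        [pscustomobject]@{
            commandTitle = $Title
            stdout = $stdout
            stderr = $stderrTask.Result
            ExitCode = $p.ExitCode
        }
    }
    Catch{
        # Reading $p.ExitCode here would throw again if the process never started; log the exception instead
        Write-LogEntry ("Failed to execute command [{0}] ({1}). Error: {2}" -f $Path,$Title,$_.Exception.Message) -Severity 3 -Outhost
    }
    Finally{
        If ($p) { $p.Dispose() }
    }
}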
##*===========================================================================
##* VARIABLES
##*===========================================================================
## Instead of using the $PSScriptRoot variable, use the custom InvocationInfo for ISE runs
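If (Test-Path -LiteralPath 'variable:HostInvocation') { $InvocationInfo = $HostInvocation } Else { $InvocationInfo = $MyInvocation }
# Use the InvocationInfo chosen above (the original computed it and then ignored it)
[string]$scriptDirectory = Split-Path $InvocationInfo.MyCommand.Definition -Parent
[string]$scriptName = Split-Path $InvocationInfo.MyCommand.Definition -Leaf
[string]$scriptBaseName = [System.IO.Path]::GetFileNameWithoutExtension($scriptName)
[int]$OSBuildNumber = (Get-WmiObject -Class Win32_OperatingSystem).BuildNumber
[string]$Make = (Get-WmiObject -Class Win32_ComputerSystem).Manufacturer
#Create Paths
$TPMFirmwarePath = Join-Path $scriptDirectory -ChildPath TPMFirmware
$TempPath = Join-Path $scriptDirectory -ChildPath Temp
$ToolsPath = Join-Path $scriptDirectory -ChildPath Tools
# Defaults for a stand-alone (non task sequence) run; overwritten below when the TS COM object loads.
# $inPE was previously never assigned, so the WinPE branch in MAIN could not be taken.
$tsenv = $null
$inPE = $false
Try
{
    $tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
    $Progress = New-Object -ComObject Microsoft.SMS.TSprogressUI
    #$logPath = $tsenv.Value("LogPath")
    $LogPath = $tsenv.Value("_SMSTSLogPath")
    $tsenv.Value("SMSTS_TPMUpdate") = "False"
    # _SMSTSInWinPE is the task sequence's own WinPE indicator
    $inPE = ($tsenv.Value("_SMSTSInWinPE") -eq "true")
    # Only let the TS 'Make' variable replace the WMI value when it is actually populated
    If ($tsenv.Value("Make")) { $Make = $tsenv.Value("Make") }
}
Catch
{
    Write-Warning "TS environment not detected. Assuming stand-alone mode."
}
If(!$LogPath){$LogPath = $env:TEMP}
[string]$FileName = $scriptBaseName +'.log'
$Global:LogFilePath = Join-Path $LogPath -ChildPath $FileName
Write-Host "Using log file: $LogFilePath"
#Preset Reboot to NO
$NeedReboot = "NO"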
##*===========================================================================
##* MAIN
##*===========================================================================
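Write-LogEntry "Logging to $LogFilePath" -Outhost
# Logs the object Execute-Command returns (exit code, stdout, stderr) instead of Write-Host'ing the raw object
Function Write-CommandResult {
    param($Result)
    If (-not $Result) { return }
    Write-LogEntry ("[{0}] finished with exit code {1}" -f $Result.commandTitle, $Result.ExitCode) -Outhost
    If (-not [string]::IsNullOrWhiteSpace($Result.stdout)) { Write-LogEntry $Result.stdout.Trim() }
    If (-not [string]::IsNullOrWhiteSpace($Result.stderr)) { Write-LogEntry $Result.stderr.Trim() -Severity 2 }
}
# Get BIOS password from file. Both files are looked up next to the script; the previous '.\' lookup
# depended on the current directory, which is not the package folder under a task sequence.
# NOTE: BIOSPassword.txt is plaintext and its value is placed on the flash utility's command line,
# so keep the package folder ACL tight and never log $cmdLine.
$BiosPassword = Get-Content -Path (Join-Path $scriptDirectory -ChildPath 'BIOSPassword.txt') -ErrorAction SilentlyContinue | Select-Object -First 1
$PasswordBin = Get-ChildItem $scriptDirectory -Filter password.bin -ErrorAction SilentlyContinue
if ($tsenv -and $inPE) {
    Write-LogEntry "TaskSequence is running in Windows Preinstallation Environment (PE)" -Outhost
}
Else{
    Write-LogEntry "TaskSequence is running in Windows Environment" -Outhost
    # Detect BitLocker status on the OS volume
    $OSVolumeEncypted = [bool]((Manage-Bde -Status C:) -match "Protection On")
    # Suspend BitLocker if $OSVolumeEncypted is $true
    if ($OSVolumeEncypted) {
        Write-LogEntry "Suspending BitLocker protected volume: C:" -Outhost
        # Protection stays suspended until something resumes it; presumably a later task sequence step
        # does that after the firmware reboot — confirm, otherwise the volume is left unprotected.
        Manage-Bde -Protectors -Disable C:
    }
}
Switch ($Make){
    # Older HP models report "Hewlett-Packard" in Win32_ComputerSystem.Manufacturer
    { $_ -eq "HP" -or $_ -eq "Hewlett-Packard" } {
        Write-LogEntry "Detecting whether a platform supports HP discrete TPM mode switching in real time." -Outhost
        Write-LogEntry "For HP platforms that support TPM mode changes, the output from powershell should include: ManufacturerVersion: 6.40, 6.41 or 6.43 (1.2 mode), or 7.40, 7.41, 7.60, 7.61 or 7.63 (2.0 mode)"
        # Was 'Write-LogEntryt' (typo), so this entry never reached the log
        Write-LogEntry " Checking if installed TPM firmware is affected by ADV170012. Vulnerable TPM versions: ManufacturerVersion: 6.40 or 6.41 (1.2 mode), or 7.40, 7.41, 7.60 or 7.61 (2.0 mode)"
        $tpm_mode = (Get-TPM).ManufacturerVersion
        Write-LogEntry "Following ManufacturerVersion detected: $tpm_mode"
        # NOTE(review): 7.4x/7.6x are 2.0-mode versions per the message above, yet they map to
        # TPM12_*_to_TPM20 images and are logged as 1.2->2.0 below — confirm file names and direction.
        switch($tpm_mode){
            "6.40" {$BinFile = Get-ChildItem $TPMFirmwarePath -Filter TPM12_6.40.190.0_to_TPM20* -Recurse | Select-Object -First 1}
            "6.41" {$BinFile = Get-ChildItem $TPMFirmwarePath -Filter TPM12_6.41.190.0_to_TPM20* -Recurse | Select-Object -First 1}
            "6.43" {$BinFile = Get-ChildItem $TPMFirmwarePath -Filter TPM12_6.43.190.0_to_TPM20* -Recurse | Select-Object -First 1}
            "7.40" {$BinFile = Get-ChildItem $TPMFirmwarePath -Filter TPM12_7.40.190.0_to_TPM20* -Recurse | Select-Object -First 1}
            "7.41" {$BinFile = Get-ChildItem $TPMFirmwarePath -Filter TPM12_7.41.190.0_to_TPM20* -Recurse | Select-Object -First 1}
            "7.60" {$BinFile = Get-ChildItem $TPMFirmwarePath -Filter TPM12_7.60.190.0_to_TPM20* -Recurse | Select-Object -First 1}
            "7.61" {$BinFile = Get-ChildItem $TPMFirmwarePath -Filter TPM12_7.61.190.0_to_TPM20* -Recurse | Select-Object -First 1}
            default {$BinFile = $null}
        }
        If ($BinFile) {
            Write-LogEntry "Changing TPM Mode 1.2->2.0." -Outhost
            Write-LogEntry "Pause the TPM auto-own behavior temporarily."
            Disable-TpmAutoProvisioning -OnlyForNextRestart
            #Set Command Arguments for TPM Update
            If($PasswordBin){
                $cmdLine = ' -f"' + $BinFile.FullName + '" -p"' + $PasswordBin.FullName + '" -s'
            }
            else {
                $cmdLine = ' -f"' + $BinFile.FullName + '" -s'
            }
            Write-LogEntry ("Changing TPM Mode using [{0}\TPMConfig64.exe]..." -f $ToolsPath) -Outhost
            $result = Execute-Command -Title "Change TPM Mode" -Path (Join-Path $ToolsPath -ChildPath 'TPMConfig64.exe') -Arguments $cmdLine
            $NeedReboot = "YES"
            Write-CommandResult $result
        }
        Else{
            # Mirrors the Dell branch so an unmatched version is visible in the log
            Write-LogEntry ("TPM mode ({0}), upgrade file was not found or needed, exiting.." -f $tpm_mode) -Outhost
            Exit 0
        }
    }
    "Dell Inc."{
        Write-LogEntry "Detecting whether a platform supports Dell discrete TPM mode switching in real time." -Outhost
        Write-LogEntry "For Dell platforms that support TPM mode changes, the output from powershell should include: ManufacturerVersion: 5.81 (1.2 mode), or 1.3 (2.0 mode)"
        $tpm_mode = (Get-TPM).ManufacturerVersion
        Write-LogEntry "Following ManufacturerVersion detected: $tpm_mode"
        # NOTE(review): "1.3" (2.0 mode) maps to a 1.2 image, i.e. a downgrade, but is logged as 1.2->2.0 — confirm intent.
        switch($tpm_mode){
            "5.81" {$ExeFile = Get-ChildItem $TPMFirmwarePath -Filter DellTpm2.0_Fw1.3* -Recurse | Select-Object -First 1}
            "1.3" {$ExeFile = Get-ChildItem $TPMFirmwarePath -Filter DellTpm1.2_Fw5.8* -Recurse | Select-Object -First 1}
            default {$ExeFile = $null}
        }
        If ($ExeFile -ne $null) {
            Write-LogEntry "Changing TPM Mode 1.2->2.0." -Outhost
            Write-LogEntry "Pause the TPM auto-own behavior temporarily."
            Disable-TpmAutoProvisioning -OnlyForNextRestart
            #Set Command Arguments for TPM Update (the password travels on the command line; do not log $cmdLine)
            If($BiosPassword){
                $cmdLine = ' /s /p="' + $BiosPassword + '" /l="' + $LogPath + '\' + $ExeFile.BaseName + '.log"'
            }
            else {
                $cmdLine = ' /s /l="' + $LogPath + '\' + $ExeFile.BaseName + '.log"'
            }
            Write-LogEntry ("Changing TPM Mode using [{0}]..." -f $ExeFile.FullName) -Outhost
            $result = Execute-Command -Title "Change TPM Mode" -Path $ExeFile.FullName -Arguments $cmdLine
            $NeedReboot = "YES"
            Write-CommandResult $result
        }
        Else{
            Write-LogEntry ("TPM mode ({0}), upgrade file was not found or needed, exiting.." -f $tpm_mode) -Outhost
            Exit 0
        }
    }
    Default {
        Write-LogEntry "$Make is not supported, exiting..." -Outhost
        Exit 0
    }
}
# Execute reboot if needed
If ($NeedReboot -eq "YES") {
    Write-LogEntry "A reboot is required. The installation will resume after restart." -Outhost
    # Only a task sequence can act on this variable; a stand-alone run has no $tsenv and the
    # unguarded method call failed with a null-valued-expression error.
    If ($tsenv) { $tsenv.Value("SMSTS_TPMRebootRequired") = $NeedReboot }
    Exit 0
}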