In Configuration Manager 2007, we were querying WIN32_TPM in hardware inventory for laptop security report. After the 2012 migration, the report was returning no value on this specific class. The usage of Bitlocker rely on TPM (Trusted Platform Module).
We found by looking in the SQL query of the report that IsActivated, IsEnabled and IsOwner were selected but missing from 2012 inventory. This is collected throught hardware inventory so I decided to take a look at the default client settings.
As you can see the screenshot below, WIN32_TPM class in hardware inventory is configured by default in Configuration Manager 2012 with missing information of the WMI class.
To remediate at this situation, delete and recreate the class with the same name or a new one in the default client settings by importing the following TPM MOF file.
[SMS_Report(TRUE),
SMS_Group_Name(“TPM”),
SMS_Class_ID(“MICROSOFT|TPM|1.0”),
namespace (“\\\\\\\\.\\\\root\\\\CIMv2\\\\Security\\\\MicrosoftTpm”)]
class Win32_Tpm : SMS_Class_Template
{
[SMS_Report(TRUE), key] string SpecVersion;
[SMS_Report(TRUE)] string ManufacturerVersion;
[SMS_Report(TRUE)] string ManufacturerVersionInfo;
[SMS_Report(TRUE)] uint32 ManufacturerId;
[SMS_Report(TRUE)] string PhysicalPresenceVersionInfo;
[SMS_Report(TRUE)] string IsActivated_InitialValue;
[SMS_Report(TRUE)] string IsEnabled_InitialValue;
[SMS_Report(TRUE)] string IsOwned_InitialValue;
};
- Copy and paste the text above and save with .mof extension
- Go in your Configuration Manager 2012 console in the Administration panel
- Select Client Settings section and double click on Default Client Settings
- Choose Hardware Inventory in the left panel then click Set Classes
- Select the (TPM) Win32_TPM and delete
- Click on Import and select the MOF file you just created then Import
- Select all boxes and click OK and again OK
Wait for machine policy and hardware inventory cycle on each computers, then the data will reintegrate the database with the new methods.
You can verify if the data is part of the database with this SQL query.
SELECT ResourceID, IsActivated_InitialValue0, IsEnabled_InitialValue0, IsOwned_InitialValue0 FROM v_GS_TPM
28 Comments on “Win32_TPM Class in Hardware Inventory is missing Data by Default in Configuration Manager 2012”
Hi Nicolas;
I have a report requirement to validate the preboot by means of a pin by means of bitlocker. How can I identify the preboot registration key by PIN
Can anyone clarify the difference between “IsActivated” and “IsEnabled?” Also, what exactly is the “IsOwned” property?
I know this post is quite old, however did any reports ever get created to query for collection building?
I was able to accomplish this by deleting the class and browsing to a machine that has the class and adding it back in. Make sure that you save your client settings completely prior to adding it back in.
Hi Nicolas!
Found your post as i need a report on TPM Chip Manufacturer…
We are using SCCM 1706 and when trying to import the mof file you postet i am getting the same error as others from the mof compiler (0x80044007).
i tried, to remove all ” from the file, but this doesn’t change a thing….
any idea?
I have approx 25000 clients and after enabling the TPM as stated in this article, TPM class added under custom client setting not deafult, i can see only 500-600 systems reporting the TPM related details, rest all other systems doesn’t show any data, where in other systems does show other details , Can u suggest if something which i am missing and can do to fetch the details for all systems. Thanks in advance for the same.
I am seeing the delete button greyed out… anyone else run into that, do I need to run as a different user? I should have full admin rights to our console though…
oops, need to be on the top level of the hierarchy to make these changes, I was not on the primary server when I attempted, makes sense… but still having issues with mofcomp
mofcomp TPM.mof
Microsoft (R) MOF Compiler Version 6.1.7600.16385
Copyright (c) Microsoft Corp. 1997-2006. All rights reserved.
Parsing MOF file: TPM.mof
MOF file has been successfully parsed
Storing data in the repository…
An error occurred while creating object 1 defined on lines 5 – 23:
0X80041002 Class, instance, or property ‘SMS_Class_Template’ was not found.
Compiler returned error 0x80041002
ha ha, i should just wait to post shouldn’t I, used the mofcomp -check syntax and it worked fine, look forward to seeing results roll in, thanks for posting this article very helpful!
Thanks Stephen! Happy to see that you’ve made it. 🙂
I started out with a '64 VW Beetle "Baja" dune buggy then graduated to a '66 Mustang. No shoulder belts, no safety glass, nothing under the hoods but simple engines–no emissions controls–and solid steering columns just waiting to cave your chest in if you hit something head-on. Great cars. Wish I'd kept them both.
Many thanks for being the mentor on this issue. I actually enjoyed your article quite definitely and most of all liked how you really handled the aspect I regarded as controversial. You happen to be always extremely kind to readers really like me and help me in my life. Thank you.
I can’t hear anything over the sound of how awesome this article is.
Nicolas,
As per the instruction i have deleted the class and tried to import the mof. But i am getting an error “The mof file your are trying to import could not be compiled”
Why am i getting this error ??
Thanks,
Ramesh
Hi Ramesh,
This is probably due to your mof file. Did you try to mofcomp your mof locally on a computer?
Run command line and enter : mofcomp.exe NAMEOFTHEMOFILE
What is your mof syntax?
Nicolas,
I’m getting the same issue it appears Ramesh was getting. I ran mofcomp and my results are as follows:
—————————————————————————————————————–
C:\temp>mofcomp.exe win32_tpm.mof
Microsoft (R) MOF Compiler Version 6.3.9600.16384
Copyright (c) Microsoft Corp. 1997-2006. All rights reserved.
Parsing MOF file: win32_tpm.mof
win32_tpm.mof (2): error SYNTAX 0X80044007: Illegal constant value. (Numeric val
ue out of range or strings without quotes)
Compiler returned error 0x80044007
————————————————————————————————————-
My mof file appears to be just what you suggested we use:
[SMS_Report(TRUE),
SMS_Group_Name(“TPM”),
SMS_Class_ID(“MICROSOFT|TPM|1.0″),
namespace (“\\\\\\\\.\\\\root\\\\CIMv2\\\\Security\\\\MicrosoftTpm”)]
class Win32_Tpm : SMS_Class_Template
{
[SMS_Report(TRUE), key] string SpecVersion;
[SMS_Report(TRUE)] string ManufacturerVersion;
[SMS_Report(TRUE)] string ManufacturerVersionInfo;
[SMS_Report(TRUE)] uint32 ManufacturerId;
[SMS_Report(TRUE)] string PhysicalPresenceVersionInfo;
[SMS_Report(TRUE)] string IsActivated_InitialValue;
[SMS_Report(TRUE)] string IsEnabled_InitialValue;
[SMS_Report(TRUE)] string IsOwned_InitialValue;
};
SCCM 2012R2.
Any thoughts? We would like to manage TPM chips and Bitlocker front to back in SCCM and not have to stand up an MBAM environment.
Thanks!
I wouldn’t chose this route today, looking back now. I actually deleted and extended my TPM class with this code, it worked perfectly fine but that’s not what MS has in mind anymore for detecting TPM, as apparently it has flaws. I also noticed today, after looking to see if I could find your syntax error that my SCCM database TPM class has reverted to the old, original MS syntax, without the “IsActivated”,”IsEnabled” and “”IsOwned” additions. I believe (based on the dates in the database table, this occurred when I upgraded to SCCM 2012 R2 SP1, which apparently put the original class back, which now will be an ongoing issue unless you allow it to exist as MS wants it, and look to MBAM to at least add the new classes used to detect and report on TPM. MBAM has you add 3 new classes which along with the Collection it creates in SCCM, is used to detect “capable” computers. You still have to script and enable TPM on your systems no matter what, but the Win32_TPM class, for whatever reason, seems NOT to be how MS wants us to handle TPM validation…
Jack
I would seriously consider my previous response, the TPM class just isn’t meant to be the same as it used to be, at least from how MS is handling it… but your issue with the MOF file failing the check are the quote characters, simply replace all the quote characters in Notepad after you paste the contents above, some of them are web codes, not standard quotes…
Jack
Jack,
Replacing the quote characters worked flawlessly, thank you.
I’m under the impression you are suggesting we stand up the MBAM integration (with at least a separate mbam manager and database server) into SCCM, not just a separate MBAM environment, right?
It the mighty mighty MS Overlords are going to keep replacing any changes to this class with every update to SCCM, we will have to find a different solution for sure.
Brandon,
I am replying to this post because there is no way for me to reply to your post directly, maybe nested too deep 😉 Yes, the fact SP1 over-wrote the changes I had previously made (which I didn’t expect initially but in retrospect, of course I should have) is the main reason I think extending the TPM class might be a bad idea. Now you could change the Class Name, we use our company name in any custom classes we create, this would allow you to extend it but not conflict with the default (i.e. “BHSF_TPM” or similar), you just have to know the name of the View to use for custom Reports. We’ve found MBAM to be very important, if for nothing else than for self-service for folks making changes to their systems (even changing the boot order brings up a challenge that needs a recovery key), from my POV Bitlocker without MBAM, opens a potential support nightmare or potential recovery issue…
Jack
Hi Jack and Brandon,
MBAM is for sure the best solution to manage and operate Bitlocker.
For those that don’t have MBAM and would like to inventory TPM information, customizing the Class Name like Brandon suggested is a great option.
We will update the post.
Thank you!
Thanks, that does help! I haven’t created any reports yet based on the table or view data, so today I disabled the default TPM class in inventory and will re-create it this weekend using your template data above. Funny, I was just getting around to enabling TPM in our enterprise (currently McAfee, moving to BitLocker) and couldn’t understand how this class data was there in 2007 but somehow missing in 2012. Not sure if this was a mistake on MS part or they’ve got some other method for determining TPM status in mind…
Thanks again,
Jack
Nicolas,
I didn’t realize this data was missing from the TPM class until I enabled it and then saw the missing items in SCCM 2012 R2. Now that I have enabled it and some data is in the database, is it OK to still delete and re-create the class or should I name it something else now to avoid conflict?
Regards,
Jack
Hi Jack,
It depends on what you are doing with TPM data.
If the data is not yet used by reports or services in your enterprise. I will suggest to delete and recreate the class since no one used it.
If the data is used, you can create a new class with a different name and make a smooth transition. You can also do the first suggestion in a maintenance windows during off hours and force an hardware inventory on all devices as soon they get their machine policy.
Hope it helps.
I have a follow up question, hopefully you can offer advice. I deleted the default TPM class and imported the one above as the default (same name), it seems to work fine but after months of it being in-place, I still only have 4700 rows in my DB, when I have more than 13,000 clients, all on newer hardware (assumed TPM compliant). I was under the assumption I should at least have 1 row per client by now, even if almost every column was NULL but not the case. Obviously I don’t expect SCCM to return a NULL for every negative result (like the Modem table has only 700 entries, makes sense to not store a row for those that don’t) but I am concerned extending TPM may have caused this, when perhaps the old schema would have returned a row per client. Any chance this is true and may impact our MBAM integration?
Thanks in advance,
Jack
Hi Jack,
Do your TPM class is activated under Default or Custom Client Settings?
You should see one row by device (13K) using the default.
Do you hardware inventory is working properly for other class?
Thanks
Nick
I deleted and re-created the TPM Class but after a little more time, do not think there is any issue. We think the culprit is the HP BIOS, which by default (for us) is set to HIDE the advanced security options, in effect making it look like the device has no TPM chip at all. Until you at least enable SHOWING the advanced options, the computers do not return any data for TPM Class. I would expect MS not to store a row full of NULL’s for every ResourceID so this seems not to be an issue after all. Thanks for the help!
Jack
Welcome!
Thanks for update.