Win32_TPM class in hardware inventory in Configuration Manager

Win32_TPM Class in Hardware Inventory is missing Data by Default in Configuration Manager 2012

Nicolas PilonJuly 09 20142 Min Read

Founder of System Center Dudes. Nick has been awarded in 2016 to 2019 as a Microsoft MVP in Enterprise Mobility category. Working as a senior SCCM and Intune advisor as well as a specialist Microsoft Cloud solutions specialist.

Nicolas Pilon

Vice-President

SCD Collaborators

In Configuration Manager 2007, we were querying WIN32_TPM in hardware inventory for laptop security report. After the 2012 migration, the report was returning no value on this specific class. The usage of Bitlocker rely on TPM (Trusted Platform Module).

We found by looking in the SQL query of the report that IsActivated, IsEnabled and IsOwner were selected but missing from 2012 inventory. This is collected throught hardware inventory so I decided to take a look at the default client settings.

As you can see the screenshot below, WIN32_TPM class in hardware inventory is configured by default in Configuration Manager 2012 with missing information of the WMI class.

To remediate at this situation, delete and recreate the class with the same name or a new one in the default client settings by importing the following TPM MOF file.

[SMS_Report(TRUE),
SMS_Group_Name(“TPM”),
SMS_Class_ID(“MICROSOFT|TPM|1.0”),
namespace (“\\\\\\\\.\\\\root\\\\CIMv2\\\\Security\\\\MicrosoftTpm”)]
class Win32_Tpm : SMS_Class_Template
{
[SMS_Report(TRUE), key] string SpecVersion;
[SMS_Report(TRUE)] string ManufacturerVersion;
[SMS_Report(TRUE)] string ManufacturerVersionInfo;
[SMS_Report(TRUE)] uint32 ManufacturerId;
[SMS_Report(TRUE)] string PhysicalPresenceVersionInfo;
[SMS_Report(TRUE)] string IsActivated_InitialValue;
[SMS_Report(TRUE)] string IsEnabled_InitialValue;
[SMS_Report(TRUE)] string IsOwned_InitialValue;
};

Copy and paste the text above and save with .mof extension
Go in your Configuration Manager 2012 console in the Administration panel
Select Client Settings section and double click on Default Client Settings
Choose Hardware Inventory in the left panel then click Set Classes

Select the (TPM) Win32_TPM and delete

Click on Import and select the MOF file you just created then Import
Select all boxes and click OK and again OK

Wait for machine policy and hardware inventory cycle on each computers, then the data will reintegrate the database with the new methods.

You can verify if the data is part of the database with this SQL query.

SELECT ResourceID, IsActivated_InitialValue0, IsEnabled_InitialValue0, IsOwned_InitialValue0 FROM v_GS_TPM

Hardware inventory IsActivated IsEnabled IsOwned MOF SCCM 2012 TPM WIn32_TPM WMI

Comments (25)

09.03.2019 AT 09:57 AM

Hi Nicolas; I have a report requirement to validate the preboot by means of a pin by means of bitlocker. How can I identify the preboot registration key by PIN

Hide replies

0 0

Chris

04.10.2019 AT 02:23 PM

Can anyone clarify the difference between "IsActivated" and "IsEnabled?" Also, what exactly is the "IsOwned" property?

CJ Keller

05.18.2018 AT 10:27 AM

I know this post is quite old, however did any reports ever get created to query for collection building?

Jim

01.16.2018 AT 10:41 AM

I was able to accomplish this by deleting the class and browsing to a machine that has the class and adding it back in. Make sure that you save your client settings completely prior to adding it back in.

Daniel

10.23.2017 AT 05:10 AM

Hi Nicolas! Found your post as i need a report on TPM Chip Manufacturer... We are using SCCM 1706 and when trying to import the mof file you postet i am getting the same error as others from the mof compiler (0x80044007). i tried, to remove all " from the file, but this doesn't change a thing.... any idea?

Rahul

05.08.2017 AT 07:03 AM

I have approx 25000 clients and after enabling the TPM as stated in this article, TPM class added under custom client setting not deafult, i can see only 500-600 systems reporting the TPM related details, rest all other systems doesn't show any data, where in other systems does show other details , Can u suggest if something which i am missing and can do to fetch the details for all systems. Thanks in advance for the same.

Stephen

10.07.2015 AT 08:27 AM

I am seeing the delete button greyed out... anyone else run into that, do I need to run as a different user? I should have full admin rights to our console though...

1 0

10.07.2015 AT 08:48 AM

oops, need to be on the top level of the hierarchy to make these changes, I was not on the primary server when I attempted, makes sense... but still having issues with mofcomp mofcomp TPM.mof Microsoft (R) MOF Compiler Version 6.1.7600.16385 Copyright (c) Microsoft Corp. 1997-2006. All rights reserved. Parsing MOF file: TPM.mof MOF file has been successfully parsed Storing data in the repository... An error occurred while creating object 1 defined on lines 5 - 23: 0X80041002 Class, instance, or property 'SMS_Class_Template' was not found. Compiler returned error 0x80041002

10.07.2015 AT 08:54 AM

ha ha, i should just wait to post shouldn't I, used the mofcomp -check syntax and it worked fine, look forward to seeing results roll in, thanks for posting this article very helpful!

10.07.2015 AT 09:12 AM

Thanks Stephen! Happy to see that you've made it. 🙂

Ramesh

04.22.2015 AT 10:59 AM

Nicolas, As per the instruction i have deleted the class and tried to import the mof. But i am getting an error "The mof file your are trying to import could not be compiled" Why am i getting this error ?? Thanks, Ramesh

04.24.2015 AT 12:33 AM

Hi Ramesh, This is probably due to your mof file. Did you try to mofcomp your mof locally on a computer? Run command line and enter : mofcomp.exe NAMEOFTHEMOFILE What is your mof syntax?

2 0

Jack

07.08.2015 AT 02:12 PM

Brandon, I am replying to this post because there is no way for me to reply to your post directly, maybe nested too deep 😉 Yes, the fact SP1 over-wrote the changes I had previously made (which I didn't expect initially but in retrospect, of course I should have) is the main reason I think extending the TPM class might be a bad idea. Now you could change the Class Name, we use our company name in any custom classes we create, this would allow you to extend it but not conflict with the default (i.e. "BHSF_TPM" or similar), you just have to know the name of the View to use for custom Reports. We've found MBAM to be very important, if for nothing else than for self-service for folks making changes to their systems (even changing the boot order brings up a challenge that needs a recovery key), from my POV Bitlocker without MBAM, opens a potential support nightmare or potential recovery issue... Jack

07.23.2015 AT 02:20 PM

Hi Jack and Brandon, MBAM is for sure the best solution to manage and operate Bitlocker. For those that don't have MBAM and would like to inventory TPM information, customizing the Class Name like Brandon suggested is a great option. We will update the post. Thank you!

Brandon

07.08.2015 AT 10:17 AM

Nicolas, I'm getting the same issue it appears Ramesh was getting. I ran mofcomp and my results are as follows: ----------------------------------------------------------------------------------------------------------------- C:\temp>mofcomp.exe win32_tpm.mof Microsoft (R) MOF Compiler Version 6.3.9600.16384 Copyright (c) Microsoft Corp. 1997-2006. All rights reserved. Parsing MOF file: win32_tpm.mof win32_tpm.mof (2): error SYNTAX 0X80044007: Illegal constant value. (Numeric val ue out of range or strings without quotes) Compiler returned error 0x80044007 ------------------------------------------------------------------------------------------------------------- My mof file appears to be just what you suggested we use: [SMS_Report(TRUE), SMS_Group_Name(“TPM”), SMS_Class_ID(“MICROSOFT|TPM|1.0"), namespace (“\\\\\\\\.\\\\root\\\\CIMv2\\\\Security\\\\MicrosoftTpm”)] class Win32_Tpm : SMS_Class_Template { [SMS_Report(TRUE), key] string SpecVersion; [SMS_Report(TRUE)] string ManufacturerVersion; [SMS_Report(TRUE)] string ManufacturerVersionInfo; [SMS_Report(TRUE)] uint32 ManufacturerId; [SMS_Report(TRUE)] string PhysicalPresenceVersionInfo; [SMS_Report(TRUE)] string IsActivated_InitialValue; [SMS_Report(TRUE)] string IsEnabled_InitialValue; [SMS_Report(TRUE)] string IsOwned_InitialValue; }; SCCM 2012R2. Any thoughts? We would like to manage TPM chips and Bitlocker front to back in SCCM and not have to stand up an MBAM environment. Thanks!

07.08.2015 AT 10:56 AM

I would seriously consider my previous response, the TPM class just isn't meant to be the same as it used to be, at least from how MS is handling it... but your issue with the MOF file failing the check are the quote characters, simply replace all the quote characters in Notepad after you paste the contents above, some of them are web codes, not standard quotes... Jack

07.08.2015 AT 12:06 PM

Jack, Replacing the quote characters worked flawlessly, thank you. I'm under the impression you are suggesting we stand up the MBAM integration (with at least a separate mbam manager and database server) into SCCM, not just a separate MBAM environment, right? It the mighty mighty MS Overlords are going to keep replacing any changes to this class with every update to SCCM, we will have to find a different solution for sure.

07.08.2015 AT 10:52 AM

I wouldn't chose this route today, looking back now. I actually deleted and extended my TPM class with this code, it worked perfectly fine but that's not what MS has in mind anymore for detecting TPM, as apparently it has flaws. I also noticed today, after looking to see if I could find your syntax error that my SCCM database TPM class has reverted to the old, original MS syntax, without the "IsActivated","IsEnabled" and ""IsOwned" additions. I believe (based on the dates in the database table, this occurred when I upgraded to SCCM 2012 R2 SP1, which apparently put the original class back, which now will be an ongoing issue unless you allow it to exist as MS wants it, and look to MBAM to at least add the new classes used to detect and report on TPM. MBAM has you add 3 new classes which along with the Collection it creates in SCCM, is used to detect "capable" computers. You still have to script and enable TPM on your systems no matter what, but the Win32_TPM class, for whatever reason, seems NOT to be how MS wants us to handle TPM validation... Jack

Jack Fetter

11.27.2014 AT 06:24 PM

Thanks, that does help! I haven't created any reports yet based on the table or view data, so today I disabled the default TPM class in inventory and will re-create it this weekend using your template data above. Funny, I was just getting around to enabling TPM in our enterprise (currently McAfee, moving to BitLocker) and couldn't understand how this class data was there in 2007 but somehow missing in 2012. Not sure if this was a mistake on MS part or they've got some other method for determining TPM status in mind... Thanks again, Jack

11.27.2014 AT 10:11 AM

Nicolas, I didn't realize this data was missing from the TPM class until I enabled it and then saw the missing items in SCCM 2012 R2. Now that I have enabled it and some data is in the database, is it OK to still delete and re-create the class or should I name it something else now to avoid conflict? Regards, Jack

11.27.2014 AT 10:27 AM

Hi Jack, It depends on what you are doing with TPM data. If the data is not yet used by reports or services in your enterprise. I will suggest to delete and recreate the class since no one used it. If the data is used, you can create a new class with a different name and make a smooth transition. You can also do the first suggestion in a maintenance windows during off hours and force an hardware inventory on all devices as soon they get their machine policy. Hope it helps.

03.01.2015 AT 09:52 AM

I have a follow up question, hopefully you can offer advice. I deleted the default TPM class and imported the one above as the default (same name), it seems to work fine but after months of it being in-place, I still only have 4700 rows in my DB, when I have more than 13,000 clients, all on newer hardware (assumed TPM compliant). I was under the assumption I should at least have 1 row per client by now, even if almost every column was NULL but not the case. Obviously I don't expect SCCM to return a NULL for every negative result (like the Modem table has only 700 entries, makes sense to not store a row for those that don't) but I am concerned extending TPM may have caused this, when perhaps the old schema would have returned a row per client. Any chance this is true and may impact our MBAM integration? Thanks in advance, Jack

03.05.2015 AT 01:07 PM

Hi Jack, Do your TPM class is activated under Default or Custom Client Settings? You should see one row by device (13K) using the default. Do you hardware inventory is working properly for other class? Thanks Nick

03.16.2015 AT 07:20 AM

I deleted and re-created the TPM Class but after a little more time, do not think there is any issue. We think the culprit is the HP BIOS, which by default (for us) is set to HIDE the advanced security options, in effect making it look like the device has no TPM chip at all. Until you at least enable SHOWING the advanced options, the computers do not return any data for TPM Class. I would expect MS not to store a row full of NULL's for every ResourceID so this seems not to be an issue after all. Thanks for the help! Jack

03.16.2015 AT 10:52 AM

Welcome! Thanks for update.

Win32_TPM Class in Hardware Inventory is missing Data by Default in Configuration Manager 2012

Share

Share