Surface Laptop 3 - A Year Old Problem (Just a Post, not a Problem)
Apparently Microsoft has disabled TPM from their newer hardware since January 30, 2020 - as per this response: https://answers.microsoft.com/en-us/surface/forum/surflaptop3-surfsec/surface-laptop-3-no-tpm-settings-in-eufi/20c5a568-606e-40cf-a136-efd4e08dc35b
We haven’t had a problem with previous devices (SP4 and SL2 works fine) - it just so happens that we bought SL3s recently, and this was the immediate problem.
I was about to ask if anyone had an issue with this, but now I’m just throwing this up here for the sake of knowledge.
Apparently the work around for this is to perform everything you normally would
(I recommend disabling TPM from Powershell because you don’t have to reboot the machine to clear the TPM settings):
    CMD > powercfg -h off              # Disable Hibernation
    PS  > Disable-TpmAutoProvisioning  # New (Doesn't need restart)
    PS  > Clear-Tpm                    # New (Doesn't need restart)
    CMD > shutdown /s /t 0             # Shutdown Computer to prevent Sticky-bit
Clearing TPM and disabling Secure Boot in the BIOS for UEFI still works like a charm.
Microsoft TPM PS Commands: https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/?view=win10-ps
Anyways, hope you all are having a good one.
To clear up confusion, because the post may be hard to read. This is in reference to Microsoft removing TPM from their BIOS. This is a work around that worked for me on a Surface Laptop 3 by disabling TPM while inside the Windows OS.
Normally I always disable TPM and Secure Boot before Imaging a machine - whether Capture or Deploy.
The fact that TPM wasn’t in the BIOS got me started on this, and disabling TPM worked like normal when the PS commands were run.
The issue with that command - I just ran it on the machine I Deployed to. BitLocker was never enabled - I get this error:
ERROR: An error occurred (code 0x80310008): BitLocker Drive Encryption is not enabled on this drive. Turn on BitLocker.
Looked at BitLocker through Control Panel? Turned off.
Right-clicked the C: drive in “This PC”? Asks if you want to Enable it.
That’s why I was looking for TPM and not BitLocker.
I know I said “machine I Deployed to”. I didn’t have BitLocker enabled on the machine I Captured - my fix was disabling TPM.
@ttrammell the bitlocker issue is strange because we do see this from time to time. The fix?
manage-bde -off c:
This isn’t a tpm issue though. Typically it’s because Microsoft is essentially encrypting the free space.
@ttrammell Thank you for the clarity on this. I haven’t run into the issue since we only capture from a VM for our golden image, and then deploy to physical hardware.
Yeah, I am bad at that.
So, we had an issue when we ordered SL3s - we couldn’t Capture an image from them, we would get an error on Capture about BitLocker needing to be disabled.
SL3s didn’t have a TPM setting in BIOS that you would normally turn off (They have Secure Boot), like you would do for a normal UEFI setup on say a Dell E6410 - so I searched around and came across that.
The two CMD commands:
    powercfg -h off
    shutdown /s /t 0
I’ve been using those for years now, because of the Sticky-bit issue and the Hibernation reason is lost to time - maybe it also had something to do with Sticky-bit, but I don’t recall.
The two new commands for Powershell:
This is all entirely for the purpose of disabling TPM like how you would in BIOS.
I don’t think doing the same thing on a Dell E6410 running Windows 10 would work - I would assume you would still need to disable TPM in the BIOS, but I have not tested that.
So if you had a device, like a Surface Laptop 3, that had the issue where TPM isn’t in the BIOS then hopefully clearing the TPM settings in Windows itself before Capturing the image fixes the issue - as it did for me.
So, problem: Cannot Capture an Image from an SL3: No TPM in the BIOS; keeps getting BitLocker error.
Solution: Disabling TPM in Windows via Powershell worked to Capture the image; no BitLocker error.
Hopefully that is a less confusing explanation of the post.
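A pre-capture check script that ties the steps in this thread together (added here as an example; it is not ttrammell's script and not part of FOG). It reports what Get-Tpm and Get-BitLockerVolume say about the machine, and with -Apply runs Disable-TpmAutoProvisioning and Clear-Tpm, decrypts C: when device encryption has left it encrypted with a clear key (the manage-bde -off c: case from the replies), and turns hibernation off. It assumes the OS volume is C:, and the "ready" condition (auto-provisioning disabled plus a fully decrypted volume) is my own definition, not something the thread states.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell before the
# final "shutdown /s /t 0" and the image capture. Assumes the OS volume is C:.
param([switch]$Apply)

Import-Module TrustedPlatformModule -ErrorAction Stop
Import-Module BitLocker -ErrorAction Stop

function Get-CaptureReadiness {
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        AutoProvisioning    = $tpm.AutoProvisioning   # Enabled / Disabled / DisabledForNextBoot
        BitLockerProtection = $vol.ProtectionStatus   # can be Off while the volume is still encrypted
        VolumeStatus        = $vol.VolumeStatus       # FullyDecrypted is what the capture needs
        EncryptionPercent   = $vol.EncryptionPercentage
        # "Ready" here is my own definition: TPM will not be re-provisioned and C: is plain.
        ReadyToCapture      = ($tpm.AutoProvisioning -eq 'Disabled') -and
                              ($vol.VolumeStatus -eq 'FullyDecrypted')
    }
}

$before = Get-CaptureReadiness
'--- State before ---'; $before | Format-List

if ($Apply -and -not $before.ReadyToCapture) {
    # The two PowerShell steps from the thread: stop Windows re-provisioning the TPM, then reset it.
    Disable-TpmAutoProvisioning | Out-Null
    Clear-Tpm | Out-Null

    # Explains the "BitLocker Drive Encryption is not enabled" error: device encryption can leave
    # C: FullyEncrypted with a clear key while Control Panel shows BitLocker as off.
    # Disable-BitLocker is the cmdlet equivalent of "manage-bde -off c:".
    if ($before.VolumeStatus -ne 'FullyDecrypted') {
        Disable-BitLocker -MountPoint 'C:' | Out-Null
        do {
            Start-Sleep -Seconds 10
            $v = Get-BitLockerVolume -MountPoint 'C:'
            "Decrypting C: ... $($v.EncryptionPercentage)% still encrypted"
        } while ($v.VolumeStatus -ne 'FullyDecrypted')
    }

    powercfg -h off   # same hibernation step as the CMD line in the thread

    $after = Get-CaptureReadiness
    '--- State after ---'; $after | Format-List
    if (-not $after.ReadyToCapture) { throw 'Machine is still not ready for capture; see the state above.' }
}
```

Run it once without -Apply to see the state (a VolumeStatus other than FullyDecrypted with protection Off is the clear-key case), then with -Apply, and shut the machine down afterwards as the thread describes.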
@ttrammell FWIW your subject is a bit misleading. After reading what you posted several times I understand this
Microsoft has removed the ability to change the tpm settings in the surface laptop 3 as of 30-Jan-2020. You must do this now via cli and powershell.
I take it you are running those commands in sequence before capturing the image with FOG? I’m trying to understand what problem you are trying to solve? I think this is all great information, I’m just trying to understand how to apply it.