I have run into an issue multiple times and thought I would pass it along to hopefully save others the headaches that it has caused me.
We have a company policy, as many do, that all laptops must have encryption enabled. For our Windows 7 deployments, we are using BitLocker with the TPM. We have had some systems that do not have BitLocker enabled after being refreshed from Windows XP to Windows 7. When trying to manually enable BitLocker after the task sequence runs, the TPM administration page, TPM.msc, says that there was no compatible TPM found. I know that this particular model of laptop had a TPM, so something was up.
I opened Device Manager and discovered that there was no node for ‘Security Devices’, which is where the ‘Trusted Platform Module 1.2’ should be found. I did however find an ‘Infineon Trusted Platform Module’ under ‘System Devices’, which is the same place it would be listed in Windows XP. When I looked closer at the device in Device Manager, I found that it was in fact using the Infineon TPM driver for XP instead of the in-box TPM driver for Windows 7. I use a selection profile for driver injection during the task sequence, so this should not have happened. I looked through the MDT log and verified that the Infineon driver was never copied from the deployment share so I was left scratching my head as to how this could have happened. We manually changed the driver to the in-box driver for the TPM and we were then able to enable and take ownership of the TPM for use with BitLocker.
Over the next week, this happened two more times and I was finally able to determine the events that led to the issue. Each time this occurred, the system was refreshed from Windows XP to Windows 7 with an MDT task sequence, meaning that light touch was initiated from a live running Windows XP install. We never saw the issue when initiating from within WinPE from the PXE server. Looking through the logs, I discovered that when the drive is cleaned, the existing C:\Drivers folder is not deleted, meaning that the existing drivers from the XP installation were not removed from the system. The Inject Drivers step in the task sequence was copying the correct drivers to C:\Drivers, but there were already some drivers in that folder to begin with, including the Infineon TPM driver. When the Windows install looked through that folder for drivers, it found the Infineon driver and used it instead of the in-box driver.
Now that I knew the cause, I needed a resolution to make sure this did not happen again. I decided to write a custom MDT script to look for the presence of a device using the Infineon driver and install the in-box Windows driver instead.
First you need a copy of dpinst.exe, the driver package installer. This is available in the Windows Driver Kit or in any one of many vendor-provided drivers. Make sure you have both the 32-bit and 64-bit versions and copy them to the corresponding architecture folder under Tools on the deployment share.
Create ZTITPMDriver.wsf containing the code below and save it in the Scripts directory of the deployment share.
<job id="ZTITPMDriver">
<script language="VBScript" src="ZTIUtility.vbs"/>
<script language="VBScript">
' //***************************************************************************
' // ***** Script Header *****
' //
' // Solution: Solution Accelerator for Business Desktop Deployment
' // File: z-ZTITPMDriver.wsf
' //
' // Purpose: Validate that the TPM is using the in-box driver
' //
' // Usage: cscript ZTITPMDriver.wsf [/debug:true]
' //
' // History:
' // 1.0.0 08/20/2010 Created initial script
' //
' // ***** End Header *****
' //***************************************************************************

'//----------------------------------------------------------------------------
'//
'// Global constant and variable declarations
'//
'//----------------------------------------------------------------------------
Dim iRetVal
'//----------------------------------------------------------------------------
'// End declarations
'//----------------------------------------------------------------------------

'//----------------------------------------------------------------------------
'// Main routine
'//----------------------------------------------------------------------------
'On Error Resume Next
iRetVal = ZTIProcess
ProcessResults iRetVal
'On Error Goto 0

'//---------------------------------------------------------------------------
'//
'// Function: ZTIProcess()
'//
'// Input: None
'//
'// Return: Success - 0
'// Failure - non-zero
'//
'// Purpose: Perform main ZTI processing
'//
'//---------------------------------------------------------------------------
Function ZTIProcess()
    'Check to see if we're in WinPE
    If oEnv("SystemDrive") = "X:" Then
        oLogging.CreateEntry "The TPM cannot be managed in WinPE.", LogTypeWarning
        ZTIProcess = Success
        Exit Function
    End If

    'Look to see if we find a device with the Infineon driver loaded
    If GetInfineonTPMCount() > 0 Then
        oLogging.CreateEntry "Found a device with the Infineon TPM driver loaded.", LogTypeWarning
        iRetVal = oUtility.FindFile("dpinst.exe", sDpInstFound)
        If iRetVal = Success Then
            'Try the unattended driver swap first, then fall back to the manual procedure
            If ForceWindowsTPMDriver() Then
                oLogging.CreateEntry "The TPM driver was successfully updated.", LogTypeInfo
            Else
                oLogging.CreateEntry "The automatic update of the TPM driver was not successful. Calling manual procedure.", LogTypeWarning
                If ManualInstallTPMDriver() Then
                    oLogging.CreateEntry "The TPM driver was successfully updated.", LogTypeInfo
                Else
                    oLogging.CreateEntry "The manual update of the TPM driver was not successful.", LogTypeWarning
                    ZTIProcess = Failure
                    Exit Function
                End If
            End If
        Else
            oLogging.CreateEntry "Unable to locate dpinst.exe. Using manual method.", LogTypeWarning
            iRetVal = oShell.Popup("The Infineon TPM driver is loaded. You must switch to the ""Trusted Platform Module 1.2"" driver to continue.", 0, "Infineon TPM Found", 1 + 16)
            If iRetVal = 1 Then
                oShell.Run "mmc.exe devmgmt.msc", 1, True
            Else
                oLogging.CreateEntry "The dialog was cancelled. The TPM cannot be enabled and encryption cannot be performed.", LogTypeError
                ZTIProcess = Failure
                Exit Function
            End If
        End If
    End If

    ZTIProcess = Success
End Function

'Stage dpinst.exe next to the in-box tpm.inf and install it silently.
'Returns True when no device is left on the Infineon driver.
Function ForceWindowsTPMDriver()
    iRetVal = oUtility.FindFile("dpinst.exe", sDpInstFound)
    If iRetVal = Success Then
        oLogging.CreateEntry "DPInst.exe was found at " & sDpInstFound, LogTypeInfo
        oLogging.CreateEntry "Copying files needed for driver installation to C:\Windows\Temp\TPMDriverInstall", LogTypeInfo
        oShell.Run "cmd.exe /c mkdir C:\Windows\Temp\TPMDriverInstall", 0, True
        oShell.Run "cmd.exe /c copy /y """ & sDpInstFound & """ ""C:\Windows\Temp\TPMDriverInstall""", 0, True
        oShell.Run "cmd.exe /c copy /y C:\Windows\inf\tpm.inf C:\Windows\Temp\TPMDriverInstall", 0, True
        sCmd = "C:\Windows\Temp\TPMDriverInstall\dpinst.exe /s /f"
        oLogging.CreateEntry "Running command " & sCmd & " to install the in-box Windows TPM driver.", LogTypeInfo
        oShell.Run sCmd, 0, True
        oShell.Run "cmd.exe /c rmdir /s /q C:\Windows\Temp\TPMDriverInstall", 0, True
        If GetInfineonTPMCount() = 0 Then
            oLogging.CreateEntry "TPM device was updated to use the in-box driver.", LogTypeInfo
            ForceWindowsTPMDriver = True
        Else
            oLogging.CreateEntry "TPM device was not updated to use the in-box driver.", LogTypeWarning
            ForceWindowsTPMDriver = False
        End If
    Else
        oLogging.CreateEntry "Unable to locate dpinst.exe. Using manual method.", LogTypeWarning
        ForceWindowsTPMDriver = False
    End If
End Function

'Prompt the technician to switch the driver in Device Manager, then re-check.
Function ManualInstallTPMDriver()
    iRetVal = oShell.Popup("The Infineon TPM driver is loaded. You must switch to the ""Trusted Platform Module 1.2"" driver to continue.", 0, "Infineon TPM Found", 1 + 16)
    If iRetVal = 1 Then
        oShell.Run "mmc.exe devmgmt.msc", 1, True
    Else
        oLogging.CreateEntry "The dialog was cancelled. The TPM cannot be enabled and encryption cannot be performed.", LogTypeError
        ManualInstallTPMDriver = False
        Exit Function
    End If
    If GetInfineonTPMCount() = 0 Then
        oLogging.CreateEntry "The TPM driver was manually updated.", LogTypeInfo
        ManualInstallTPMDriver = True
    Else
        oLogging.CreateEntry "The TPM driver was not updated.", LogTypeError
        ManualInstallTPMDriver = False
    End If
End Function

'Count the PnP devices that are bound to the Infineon (IFXTPM) driver service.
Function GetInfineonTPMCount()
    oLogging.CreateEntry "Looking for a TPM with the Infineon driver loaded.", LogTypeInfo
    Set oInstances = objWMI.ExecQuery("Select * from Win32_PnPEntity WHERE Service='IFXTPM'")
    iInfineonTPMCount = 0
    For Each oInstance In oInstances
        iInfineonTPMCount = iInfineonTPMCount + 1
    Next
    GetInfineonTPMCount = iInfineonTPMCount
End Function
</script>
</job>
Insert a step into your task sequence that calls this script prior to enabling BitLocker to ensure the in-box driver is used.
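
Machines that were refreshed before this step was in place can be found with the same WMI test the script uses. The following is an added example, not part of the original script: the function name Get-TpmDriverState and its output property names are illustrative, and it assumes an elevated Windows PowerShell session (it uses Get-WmiObject so that it also runs on the PowerShell 2.0 included with Windows 7).

```powershell
# Added example, not from the original post. Reports whether a machine has a
# device bound to the Infineon TPM driver and whether Windows can see the TPM.
function Get-TpmDriverState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Same condition the MDT script tests: a PnP device using the IFXTPM service.
    $ifx = @(Get-WmiObject -ComputerName $ComputerName -Class Win32_PnPEntity `
                 -Filter "Service='IFXTPM'")

    # For each such device, record the INF and provider so the report shows
    # which driver package is actually bound to it.
    $drivers = @()
    foreach ($dev in $ifx) {
        $id = $dev.PNPDeviceID.Replace('\', '\\')   # WQL needs escaped backslashes
        $drivers += Get-WmiObject -ComputerName $ComputerName `
                        -Class Win32_PnPSignedDriver -Filter "DeviceID='$id'" |
                    Select-Object DeviceName, InfName, DriverProviderName, DriverVersion
    }

    # Win32_Tpm is the WMI class behind TPM management. No instance (or no
    # namespace) means Windows does not see a usable TPM, which matches the
    # "no compatible TPM found" symptom in TPM.msc.
    $tpm = $null
    try {
        $tpm = Get-WmiObject -ComputerName $ComputerName `
                   -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                   -Class Win32_Tpm -ErrorAction Stop
    } catch {
        $tpm = $null
    }

    New-Object PSObject -Property @{
        ComputerName        = $ComputerName
        InfineonDriverCount = $ifx.Count
        InfineonDrivers     = $drivers
        TpmVisibleToWindows = ($tpm -ne $null)
        NeedsDriverSwap     = ($ifx.Count -gt 0)
    }
}

# Usage: check the local machine and show the result as a list.
Get-TpmDriverState | Format-List
```

A machine that reports NeedsDriverSwap as True and TpmVisibleToWindows as False is in the state described above and needs the in-box driver before BitLocker can be enabled.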
