The legacy WMI cmdlets (e.g. Get-WmiObject) are deprecated and are no longer available in PowerShell 7, so I try to use the newer CIM-based cmdlets (e.g. Get-CimInstance) wherever possible.
This can be confusing at first, because the CIM cmdlets can appear to offer less functionality than their WMI counterparts. That isn’t actually the case, as I explain later in the post.
The apparent gap is especially noticeable when working with the TPM. Below is an example of querying the ‘Win32_Tpm‘ class with both the old and the new cmdlets.
The legacy ‘Get-WmiObject‘ cmdlet shows ‘70‘ members (properties and methods) via Get-Member, while the newer ‘Get-CimInstance‘ cmdlet shows only ‘20‘.
(Get-WmiObject -Namespace 'root/cimv2/Security/MicrosoftTpm' -Class 'Win32_Tpm' | Get-Member).Count
70
(Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName 'Win32_Tpm' | Get-Member).Count
20
One WMI method I use regularly in OSD is ‘SetPhysicalPresenceRequest‘, which queues a TCG Physical Presence Interface (PPI) operation for the firmware to carry out at the next boot. Request ‘14‘ is Clear + Enable + Activate (on a TPM 2.0, which has no disabled or deactivated state, the clear is the part that matters). Because it clears the TPM, firmware will normally only execute it if someone physically present presses a key to confirm, so for an unattended Task Sequence you need to configure the firmware/BIOS not to require physical presence confirmation for a clear; otherwise somebody has to be at the keyboard.
If you can’t configure the firmware/BIOS that way, request ‘10‘ (Enable + Activate + SetOwnerInstall_True) doesn’t clear the TPM, so it isn’t gated by a confirmation keypress; the trade-off is that whatever state the TPM already holds is left in place. Using ‘10‘ should still leave the TPM ready for the encryption-related commands later in the Task Sequence. Bear in mind what that confirmation prompt protects against: on a device where the firmware will clear the TPM without a keypress, any code running as an administrator or SYSTEM can queue a clear that destroys every key sealed to the TPM (BitLocker protectors, Windows Hello credentials) at the next reboot. Disable the confirmation only on devices that are being reimaged anyway, or re-enable it once the build is complete.
To use this in an MCM Task Sequence I have historically used a ‘Run Command Line‘ step to run the following PowerShell command (note the single quotes around the namespace, so they survive inside the double-quoted -Command string):
powershell.exe -ExecutionPolicy Bypass -Command "(Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm).SetPhysicalPresenceRequest(14)"
Given my preference for the modern ‘Get-CimInstance‘ cmdlets, I looked into how to do the same with them, so that if or when the legacy WMI cmdlets disappear from Windows my Task Sequence commands will keep running without any changes.
By running ‘Get-WmiObject‘ we can see that ‘SetPhysicalPresenceRequest‘ is listed as an available Method for us to use:
Get-WmiObject -Namespace 'root/cimv2/Security/MicrosoftTpm' -Class 'Win32_Tpm' | Get-Member -MemberType Method
TypeName: System.Management.ManagementObject#root\cimv2\Security\MicrosoftTpm\Win32_Tpm
Name MemberType Definition
---- ---------- ----------
AddBlockedCommand Method System.Management.ManagementBaseObject AddBlockedCommand(System.UIn...
ChangeOwnerAuth Method System.Management.ManagementBaseObject ChangeOwnerAuth(System.Strin...
Clear Method System.Management.ManagementBaseObject Clear(System.String OwnerAuth)
ConvertToOwnerAuth Method System.Management.ManagementBaseObject ConvertToOwnerAuth(System.St...
CreateEndorsementKeyPair Method System.Management.ManagementBaseObject CreateEndorsementKeyPair()
Disable Method System.Management.ManagementBaseObject Disable(System.String OwnerA...
DisableAutoProvisioning Method System.Management.ManagementBaseObject DisableAutoProvisioning(Syst...
Enable Method System.Management.ManagementBaseObject Enable(System.String OwnerAuth)
EnableAutoProvisioning Method System.Management.ManagementBaseObject EnableAutoProvisioning()
GetCapLockoutInfo Method System.Management.ManagementBaseObject GetCapLockoutInfo()
GetDictionaryAttackParameters Method System.Management.ManagementBaseObject GetDictionaryAttackParameters()
GetOwnerAuth Method System.Management.ManagementBaseObject GetOwnerAuth()
GetOwnerAuthForEscrow Method System.Management.ManagementBaseObject GetOwnerAuthForEscrow()
GetOwnerAuthStatus Method System.Management.ManagementBaseObject GetOwnerAuthStatus()
GetPhysicalPresenceConfirmationStatus Method System.Management.ManagementBaseObject GetPhysicalPresenceConfirmat...
GetPhysicalPresenceRequest Method System.Management.ManagementBaseObject GetPhysicalPresenceRequest()
GetPhysicalPresenceResponse Method System.Management.ManagementBaseObject GetPhysicalPresenceResponse()
GetPhysicalPresenceTransition Method System.Management.ManagementBaseObject GetPhysicalPresenceTransition()
GetSrkADThumbprint Method System.Management.ManagementBaseObject GetSrkADThumbprint(System.By...
GetSrkPublicKeyModulus Method System.Management.ManagementBaseObject GetSrkPublicKeyModulus()
GetTcgLog Method System.Management.ManagementBaseObject GetTcgLog()
ImportOwnerAuth Method System.Management.ManagementBaseObject ImportOwnerAuth(System.Strin...
IsActivated Method System.Management.ManagementBaseObject IsActivated()
IsAutoProvisioningEnabled Method System.Management.ManagementBaseObject IsAutoProvisioningEnabled()
IsCommandBlocked Method System.Management.ManagementBaseObject IsCommandBlocked(System.UInt...
IsCommandPresent Method System.Management.ManagementBaseObject IsCommandPresent(System.UInt...
IsEnabled Method System.Management.ManagementBaseObject IsEnabled()
IsEndorsementKeyPairPresent Method System.Management.ManagementBaseObject IsEndorsementKeyPairPresent()
IsFIPS Method System.Management.ManagementBaseObject IsFIPS()
IsKeyAttestationCapable Method System.Management.ManagementBaseObject IsKeyAttestationCapable()
IsLockedOut Method System.Management.ManagementBaseObject IsLockedOut()
IsOwned Method System.Management.ManagementBaseObject IsOwned()
IsOwnerClearDisabled Method System.Management.ManagementBaseObject IsOwnerClearDisabled()
IsOwnershipAllowed Method System.Management.ManagementBaseObject IsOwnershipAllowed()
IsPhysicalClearDisabled Method System.Management.ManagementBaseObject IsPhysicalClearDisabled()
IsPhysicalPresenceHardwareEnabled Method System.Management.ManagementBaseObject IsPhysicalPresenceHardwareEn...
IsReady Method System.Management.ManagementBaseObject IsReady()
IsReadyInformation Method System.Management.ManagementBaseObject IsReadyInformation()
IsSrkAuthCompatible Method System.Management.ManagementBaseObject IsSrkAuthCompatible()
OwnerAuthEscrowed Method System.Management.ManagementBaseObject OwnerAuthEscrowed(System.Str...
Provision Method System.Management.ManagementBaseObject Provision(System.Boolean For...
RemoveBlockedCommand Method System.Management.ManagementBaseObject RemoveBlockedCommand(System....
ResetAuthLockOut Method System.Management.ManagementBaseObject ResetAuthLockOut(System.Stri...
ResetSrkAuth Method System.Management.ManagementBaseObject ResetSrkAuth(System.String O...
SelfTest Method System.Management.ManagementBaseObject SelfTest()
SetPhysicalPresenceRequest Method System.Management.ManagementBaseObject SetPhysicalPresenceRequest(S...
TakeOwnership Method System.Management.ManagementBaseObject TakeOwnership(System.String ...
Running the equivalent command with ‘Get-CimInstance‘ returns far fewer methods, and ‘SetPhysicalPresenceRequest‘ is not among them. Look closely at the names: Clone, Dispose, Equals, GetHashCode and friends are the .NET methods of the CimInstance object itself, not the methods of the Win32_Tpm class.
Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName 'Win32_Tpm' | Get-Member -MemberType Method
TypeName: Microsoft.Management.Infrastructure.CimInstance#root/cimv2/Security/MicrosoftTpm/Win32_Tpm
Name MemberType Definition
---- ---------- ----------
Clone Method System.Object ICloneable.Clone()
Dispose Method void Dispose(), void IDisposable.Dispose()
Equals Method bool Equals(System.Object obj)
GetCimSessionComputerName Method string GetCimSessionComputerName()
GetCimSessionInstanceId Method guid GetCimSessionInstanceId()
GetHashCode Method int GetHashCode()
GetObjectData Method void GetObjectData(System.Runtime.Serialization.SerializationInfo info, System....
GetType Method type GetType()
ToString Method string ToString()
“Where’s my bloody Method?” I asked whilst preparing myself to overcome OCD and continue using the legacy command…
The method hasn’t gone anywhere, though. Unlike the legacy ManagementObject wrapper, a CimInstance doesn’t surface the WMI class’s methods as .NET members, which is why Get-Member can’t show them. The class schema, including its methods and their parameters, hangs off the instance’s CimClass property, so to list them run a slightly different command:
(Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).CimClass.CimClassMethods
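As an added example (not code from the original post), here is the same discovery done with Get-CimClass, which reads the class schema from the CIM repository and so works even on a machine that has no TPM instance to query. It prints each parameter’s direction and CIM type, which is exactly what you need in order to build the -Arguments hashtable for Invoke-CimMethod. The function name Get-CimMethodSignature is this example’s own; the namespace and class are the real ones used throughout this post.

```powershell
# Added example, not from the original post. Get-CimMethodSignature is a
# helper name invented here; Win32_Tpm and its namespace are real.
function Get-CimMethodSignature {
    param(
        [Parameter(Mandatory)] [string]$Namespace,
        [Parameter(Mandatory)] [string]$ClassName,
        [string]$MethodName = '*'          # wildcard filter on method name
    )

    # Get-CimClass returns the schema (CimClass), not an instance, so it does
    # not need a TPM to be present and does not touch the device at all.
    $class = Get-CimClass -Namespace $Namespace -ClassName $ClassName

    foreach ($m in $class.CimClassMethods | Where-Object Name -like $MethodName) {
        # Each parameter carries an 'In' and/or 'Out' qualifier. In-parameters
        # go into -Arguments; out-parameters come back as properties on the
        # object Invoke-CimMethod returns, next to ReturnValue.
        $params = foreach ($p in $m.Parameters) {
            $names = @($p.Qualifiers | ForEach-Object Name)
            $dir = @()
            if ($names -contains 'In')  { $dir += 'in' }
            if ($names -contains 'Out') { $dir += 'out' }
            '[{0}] {1} {2}' -f ($dir -join ','), $p.CimType, $p.Name
        }
        [pscustomobject]@{
            Method     = $m.Name
            ReturnType = $m.ReturnType
            Parameters = $params -join '; '
        }
    }
}

# Usage: show the signatures of the physical-presence methods from the table above.
Get-CimMethodSignature -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName 'Win32_Tpm' `
                       -MethodName '*PhysicalPresence*' | Format-List
```

Format-List is used at the end so the parameter strings are not truncated the way a narrow console truncates Format-Table output.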
Name                                  ReturnType Parameters
----                                  ---------- ----------
IsEnabled                             UInt32     {IsEnabled}
IsOwned                               UInt32     {IsOwned}
IsActivated                           UInt32     {IsActivated}
IsPhysicalClearDisabled               UInt32     {IsPhysicalClearDisabled}
IsOwnerClearDisabled                  UInt32     {IsOwnerClearDisabled}
IsPhysicalPresenceHardwareEnabled     UInt32     {IsPhysicalPresenceHardwareEnabled}
IsOwnershipAllowed                    UInt32     {IsOwnershipAllowed}
IsCommandPresent                      UInt32     {CommandOrdinal, IsCommandPresent}
Enable                                UInt32     {OwnerAuth}
Disable                               UInt32     {OwnerAuth}
IsEndorsementKeyPairPresent           UInt32     {IsEndorsementKeyPairPresent}
CreateEndorsementKeyPair              UInt32     {}
TakeOwnership                         UInt32     {OwnerAuth}
Clear                                 UInt32     {OwnerAuth}
IsSrkAuthCompatible                   UInt32     {IsSrkAuthCompatible}
ResetSrkAuth                          UInt32     {OwnerAuth}
ChangeOwnerAuth                       UInt32     {NewOwnerAuth, OldOwnerAuth}
SelfTest                              UInt32     {SelfTestResult}
ConvertToOwnerAuth                    UInt32     {OwnerPassPhrase, OwnerAuth}
SetPhysicalPresenceRequest            UInt32     {Request, RequestParameter}
GetPhysicalPresenceRequest            UInt32     {Request}
GetPhysicalPresenceTransition         UInt32     {Transition}
GetPhysicalPresenceResponse           UInt32     {Request, Response}
AddBlockedCommand                     UInt32     {CommandOrdinal}
RemoveBlockedCommand                  UInt32     {CommandOrdinal}
IsCommandBlocked                      UInt32     {CommandOrdinal, IsCommandBlocked}
ResetAuthLockOut                      UInt32     {OwnerAuth}
IsReady                               UInt32     {IsReady}
IsReadyInformation                    UInt32     {Information, IsReady}
IsAutoProvisioningEnabled             UInt32     {IsAutoProvisioningEnabled}
EnableAutoProvisioning                UInt32     {}
DisableAutoProvisioning               UInt32     {OnlyForNextBoot}
GetOwnerAuth                          UInt32     {OwnerAuth}
Provision                             UInt32     {ForceClear_Allowed, PhysicalPresencePrompts_Allowed, Information}
ImportOwnerAuth                       UInt32     {OwnerAuth}
GetPhysicalPresenceConfirmationStatus UInt32     {Operation, ConfirmationStatus}
GetSrkPublicKeyModulus                UInt32     {SrkPublicKeyModulus}
GetSrkADThumbprint                    UInt32     {SrkPublicKeyModulus, SrkADThumbprint}
GetTcgLog                             UInt32     {TcgLog}
IsKeyAttestationCapable               UInt32     {TestResult}
GetOwnerAuthForEscrow                 UInt32     {OwnerAuth, OwnerAuthStatus}
OwnerAuthEscrowed                     UInt32     {OwnerAuth}
GetOwnerAuthStatus                    UInt32     {OwnerAuthStatus}
IsFIPS                                UInt32     {IsFIPS}
GetDictionaryAttackParameters         UInt32     {LockoutRecovery, MaxTries, RecoveryTime}
GetCapLockoutInfo                     UInt32     {LockoutCounter, MaxTries}
IsLockedOut                           UInt32     {IsLockedOut}
So we can now see the required ‘SetPhysicalPresenceRequest‘ method. But how do we use it in a MCM Task Sequence in the same manner as the legacy cmdlet?
The answer is to pipe the instance from one cmdlet (Get-CimInstance) into another (Invoke-CimMethod), which gives the same result as the legacy one-liner. The method’s ‘Request‘ parameter is a UInt32, so pass a number rather than a string; the object Invoke-CimMethod returns carries the method’s ReturnValue (0 on success) along with any output parameters:
powershell.exe -ExecutionPolicy Bypass -Command "Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName 'Win32_Tpm' | Invoke-CimMethod -MethodName 'SetPhysicalPresenceRequest' -Arguments @{Request=[uint32]14}"
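Here is the same Task Sequence step as a complete script, added as an example rather than taken from the original post (drop it into a ‘Run PowerShell Script‘ step, or save it and call it from ‘Run Command Line‘). It asks the firmware how it would treat operation 14 before committing to it, falls back to 10 only when 14 would stall the boot waiting for a keypress, checks the return codes the one-liner above throws away, and confirms the request is actually pending before the reboot. The operation numbers and ConfirmationStatus values are the documented Win32_Tpm/TCG PPI ones; the decision logic, the messages and the Get-PpiConfirmationStatus helper are this example’s own.

```powershell
# Added example, not code from the original post. Operation numbers and
# ConfirmationStatus values are as documented for Win32_Tpm; the helper
# name and the decision logic are invented for this example.
$ErrorActionPreference = 'Stop'

$tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName 'Win32_Tpm'
if (-not $tpm) { throw 'No Win32_Tpm instance: no TPM present or the TPM driver is not loaded.' }

function Get-PpiConfirmationStatus([uint32]$Operation) {
    # ConfirmationStatus: 0 not implemented, 1 BIOS only, 2 blocked for the OS
    # by firmware configuration, 3 allowed but a physically present user must
    # confirm, 4 allowed with no confirmation.
    $r = Invoke-CimMethod -InputObject $tpm -MethodName 'GetPhysicalPresenceConfirmationStatus' `
                          -Arguments @{ Operation = $Operation }
    if ($r.ReturnValue -ne 0) {
        throw ('GetPhysicalPresenceConfirmationStatus({0}) failed: 0x{1:X8}' -f $Operation, $r.ReturnValue)
    }
    return [int]$r.ConfirmationStatus
}

# Prefer the full clear (14 = Clear + Enable + Activate); drop to 10
# (Enable + Activate + SetOwnerInstall_True, no clear) only if 14 would need
# a keypress. Anything other than 4 for both means PPI will not honour either
# request unattended, so fail the step rather than silently continue.
$request = $null
foreach ($op in 14, 10) {
    $status = Get-PpiConfirmationStatus $op
    Write-Host ('Operation {0}: ConfirmationStatus={1}' -f $op, $status)
    if ($status -eq 4) { $request = [uint32]$op; break }
}
if (-not $request) {
    throw 'Neither operation 14 nor 10 can run unattended on this firmware; enable PPI for the OS (and, for 14, disable the clear confirmation) in BIOS/UEFI setup.'
}

$set = Invoke-CimMethod -InputObject $tpm -MethodName 'SetPhysicalPresenceRequest' -Arguments @{ Request = $request }
if ($set.ReturnValue -ne 0) {
    throw ('SetPhysicalPresenceRequest({0}) failed: 0x{1:X8}' -f $request, $set.ReturnValue)
}

# The request is only stored at this point; the firmware acts on it at the
# next boot. Confirm it is actually pending before the Task Sequence reboots.
$pending = Invoke-CimMethod -InputObject $tpm -MethodName 'GetPhysicalPresenceRequest'
if ($pending.Request -ne $request) {
    throw ('Expected pending PPI request {0} but the firmware reports {1}' -f $request, $pending.Request)
}
Write-Host "PPI request $request queued; reboot to apply."

# After the reboot, a later step can read the outcome of the last request:
#   $resp = Invoke-CimMethod -InputObject $tpm -MethodName 'GetPhysicalPresenceResponse'
#   $resp.Request and $resp.Response (Response 0 = the firmware completed it)
```

Because the firmware only consults the pending request at boot, the ReturnValue from SetPhysicalPresenceRequest tells you the request was accepted by Windows, not that the clear happened; GetPhysicalPresenceResponse after the restart is the check that matters.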

Running the newer CIM commands in my MCM ‘Run Command Line‘ task now gives me the same result as the legacy command did and balance is once again restored to the galaxy…
/ JC
