
Enable or Disable TPM Auto-provisioning: How to fix waiting for TPM auto-provisioning


Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. The TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Dell enables TPM by default on all systems that ship with Windows 10. On Skylake and Kaby Lake systems that do not already have the TPM enabled, it can be enabled remotely via scripting with Dell Command Configure and the BIOS option “PPI Bypass Enable”.

Kindly refer to the following TPM-related guides: How to upgrade Windows 10 with an unsupported CPU and TPM 1.0 to Windows 11, How to determine if TPM is present and how to enable TPM in the BIOS, How to fix unable to find compatible TPM, How to clear the TPM via the management console or Windows Defender Center App, and How to clear, enable or disable TPM in Windows via the BIOS or UEFI.

Note: TPM 2.0 is designed to be fully functional in UEFI mode. Systems must be in UEFI mode with TPM enabled and secure boot configured and enabled in order to attain the security status. 

Some of the key advantages of using TPM technology are that you can:
- Generate, store, and limit the use of cryptographic keys.
- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into the chip.
- Help ensure platform integrity by taking and storing security measurements. 

You may see the error “waiting for TPM provisioning” on the status tab in SQL Server Reporting Services, as shown below. At this point we are not sure whether the device is capable of using auto-provisioning. You may also want to see how to resolve the following issues: How to fix System Partition not available or large enough [Part 1], how to determine why an MBAM protected device is non-compliant, and System check found some issues during MBAM encryption: Fail, the Power cable must be connected.


Before proceeding to resolve this issue, I would like to determine whether your device has auto-provisioning enabled or disabled. Kindly run the following commands to quickly view the TPM information. You will need to run PowerShell as an administrator in order to get this information.

  • Get-Tpm
  • tpmtool getdeviceinformation – Optionally, run this command to get more information from the device.

Resolution

As you can see from the image, TPM auto-provisioning is disabled. Therefore, I will be enabling it. Enabling it will help prepare the TPM to be used, and reduce the cost of TPM deployment at the organization level. Kindly launch PowerShell as an administrator, and run the following command to enable it:

Enable-TpmAutoProvisioning

Note: If you have TPM 2.0 and your device is installed in BIOS mode, I recommend that you re-install the device in UEFI mode, as it offers improved security features.

In the following sections, I will show you how to enable or disable TPM auto-provisioning, independently of any particular issue.

Enable auto-provisioning

The Enable-TpmAutoProvisioning cmdlet enables Trusted Platform Module (TPM) provisioning to occur during auto-provisioning. Provisioning is the process of preparing a TPM to be used. You can use the Disable-TpmAutoProvisioning cmdlet to prevent auto-provisioning, either permanently or for the next restart.

PS C:\> Enable-TpmAutoProvisioning

This cmdlet returns a TpmObject object that contains the following information:

  • TpmReady. Whether a TPM complies with Windows Server 2012 standards.
  • TpmPresent. Whether there is a TPM on the current computer.
  • ManagedAuthLevel. The level at which the operating system manages the owner authorization. Possible values are Legacy, Balanced, and Full.
  • OwnerClearDisabled. Whether TPM can be reset. If this value is True, the TPM cannot be reset through the operating system by using the owner authorization value. If this value is False, the TPM can be reset through the operating system.
  • AutoProvisioning. Whether the computer can use auto-provisioning. Possible values are NotDefined, Enabled, Disabled, and DisabledForNextBoot.
  • LockedOut. Whether a TPM is locked out.
  • SelfTest. Information returned by a test that TPM runs.

Disable auto-provisioning

The Disable-TpmAutoProvisioning cmdlet disables Trusted Platform Module (TPM) auto-provisioning. Provisioning is the process of preparing a TPM to be used. You can disable provisioning completely or only for the next restart. You can use the Enable-TpmAutoProvisioning cmdlet to enable auto-provisioning.

To do this, run PowerShell as an administrator. In PowerShell, run the following command and press Enter:

PS C:\> Disable-TpmAutoProvisioning

This command disables TPM auto-provisioning. You can use the Enable-TpmAutoProvisioning cmdlet to enable auto-provisioning again.

Disable auto-provisioning for the next restart

This command disables TPM auto-provisioning for the next restart. In the next restart after that, auto-provisioning continues.

PS C:\> Disable-TpmAutoProvisioning -OnlyForNextRestart
TpmReady           : False
TpmPresent         : True
ManagedAuthLevel   : Full
OwnerAuth          :
OwnerClearDisabled : True
AutoProvisioning   : DisabledForNextBoot
LockedOut          : False
SelfTest           : {191, 191, 245, 191...}

This cmdlet returns a TpmObject object that contains the following information:

  • TpmReady. Whether a TPM complies with Windows Server® 2012 standards.
  • TpmPresent. Whether there is a TPM on the current computer.
  • ManagedAuthLevel. The level at which the operating system manages the owner authorization. Possible values are Legacy, Balanced, and Full.
  • OwnerClearDisabled. Whether TPM can be reset. If this value is True, the TPM cannot be reset through the operating system by using the owner authorization value. If this value is False, the TPM can be reset through the operating system.
  • AutoProvisioning. Whether the computer can use auto-provisioning. Possible values are NotDefined, Enabled, Disabled, and DisabledForNextBoot.
  • LockedOut. Whether a TPM is locked out.
  • SelfTest. Information returned by a test that TPM runs.
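
The check-then-enable steps above can be combined into one function that reads the Get-Tpm properties and names the next step for each AutoProvisioning value. This is an added example, not part of the original post or of any Microsoft module: the function name Get-TpmProvisioningAdvice and the wording of its messages are assumptions, and the sample object is constructed from the DisabledForNextBoot output shown earlier.

```powershell
# Added example: classify a TpmObject (as returned by Get-Tpm) and name the next step.
# Function name and message wording are illustrative assumptions.
function Get-TpmProvisioningAdvice {
    param(
        [Parameter(Mandatory)] $Tpm,           # object exposing the TpmObject properties
        [Nullable[bool]] $SecureBoot = $null   # $null = state could not be read
    )
    $action = if (-not $Tpm.TpmPresent) {
        'No TPM visible to Windows: enable it in BIOS/UEFI setup first.'
    } elseif ($Tpm.TpmReady) {
        'TPM is ready: nothing to do.'
    } else {
        switch ([string]$Tpm.AutoProvisioning) {
            'Disabled'            { 'Run Enable-TpmAutoProvisioning from an elevated prompt.' }
            'DisabledForNextBoot' { 'Disabled for the next restart only; auto-provisioning continues on the restart after that.' }
            'Enabled'             { 'Auto-provisioning is enabled but the TPM is not ready yet.' }
            default               { 'AutoProvisioning is NotDefined: run Enable-TpmAutoProvisioning to set it.' }
        }
    }
    $firmware = if ($null -eq $SecureBoot) { 'Secure Boot state unknown (legacy BIOS mode or no access)' }
                elseif ($SecureBoot)       { 'UEFI with Secure Boot enabled' }
                else                       { 'UEFI with Secure Boot disabled' }
    [pscustomobject]@{
        TpmPresent       = [bool]$Tpm.TpmPresent
        TpmReady         = [bool]$Tpm.TpmReady
        AutoProvisioning = [string]$Tpm.AutoProvisioning
        Firmware         = $firmware
        Action           = $action
    }
}

# Constructed sample mirroring the DisabledForNextBoot output shown earlier on this page.
$sample = [pscustomobject]@{
    TpmPresent = $true; TpmReady = $false; AutoProvisioning = 'DisabledForNextBoot'
}
Get-TpmProvisioningAdvice -Tpm $sample

# On a real machine, feed it live data (requires an elevated PowerShell session).
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin -and (Get-Command Get-Tpm -ErrorAction SilentlyContinue)) {
    # Confirm-SecureBootUEFI throws on systems booted in legacy BIOS mode.
    $sb = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }
    Get-TpmProvisioningAdvice -Tpm (Get-Tpm) -SecureBoot $sb
}
```

The function only reports; it does not change the TPM state, so it can be run before and after Enable-TpmAutoProvisioning to confirm the change.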

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
