How to Clear a TPM 2.0 chip with SCCM and PowerShell

With TPM 1.2, SCCM could clear the TPM during the Task Sequence without asking the user for permission. With TPM 2.0, SCCM is unable to clear and activate the TPM chip during the deployment: the first time you boot the computer you either have to provide a BitLocker Recovery Key, or the tpm.msc console tells you that the TPM is ready for use, with reduced functionality.

I found a script online that I’ve added to my GitHub to clear the TPM 2.0 chip during the deployment. You need to reboot the computer after running this script, and after the reboot the UEFI firmware shows a pop-up asking the user for permission to clear the TPM chip (Physical Presence). I heard from a vendor that Microsoft is working on a workaround to disable the Physical Presence prompt during the deployment. You could experiment with the “NoPPIclear” TPM setting to disable this physical presence feature the next time you deploy a computer.

Your Task Sequence should look like this:
– Run the PowerShell script from the URL above
– Restart Computer (You will see the Physical Clearance prompt after the reboot)
– Enable BitLocker Task
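As an added example of what the first step can look like (this is not the script from my GitHub, which is not reproduced here): it runs under the full OS inside the Task Sequence, asks the firmware through the Win32_Tpm WMI class whether a Clear will require Physical Presence, and queues the request so the firmware carries it out at the next boot. The operation codes 5 (Clear) and 18 (SetNoPPIClear_True) come from the TCG Physical Presence Interface specification; the -SetNoPPIClearOnly switch name is my own choice.

```powershell
param(
    # Queue SetNoPPIClear_True instead of Clear. PPI holds one pending request at a time,
    # so run once with this switch, reboot, then run again without it to clear.
    [switch]$SetNoPPIClearOnly
)
$ErrorActionPreference = 'Stop'

# Operation codes from the TCG Physical Presence Interface (PPI) specification
$PPI_CLEAR          = 5    # Clear the TPM
$PPI_SET_NOPPICLEAR = 18   # SetNoPPIClear_True: ask the firmware to stop prompting on Clear

$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
if (-not $tpm) { throw 'No TPM exposed to Windows; check the UEFI settings.' }

# ConfirmationStatus per TCG PPI: 0 not implemented, 1 firmware only, 2 blocked by
# firmware settings, 3 allowed but the operator must confirm at boot, 4 allowed silently
function Get-PpiConfirmation([uint32]$Operation) {
    $r = Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceConfirmationStatus `
                          -Arguments @{ Operation = $Operation }
    [int]$r.ConfirmationStatus
}

function Request-PpiOperation([uint32]$Operation) {
    $r = Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest `
                          -Arguments @{ Request = $Operation }
    if ($r.ReturnValue -ne 0) { throw "SetPhysicalPresenceRequest($Operation) returned $($r.ReturnValue)" }
}

$state = Get-Tpm   # this output lands in smsts.log when run from a Task Sequence
Write-Host ('TPM present={0} ready={1} ownerClearDisabled={2}' -f `
            $state.TpmPresent, $state.TpmReady, $state.OwnerClearDisabled)

$op     = if ($SetNoPPIClearOnly) { $PPI_SET_NOPPICLEAR } else { $PPI_CLEAR }
$status = Get-PpiConfirmation $op
switch ($status) {
    4 { Write-Host "Operation $op is allowed without a prompt." }
    3 { Write-Host "Operation $op will raise the Physical Presence prompt after the restart." }
    2 { throw "Operation $op is blocked by firmware settings; adjust the UEFI TPM policy first." }
    default { throw "Operation $op is not available via PPI (ConfirmationStatus=$status)." }
}

# Queue the request; the firmware performs it (after any prompt) on the next boot,
# which is why a Restart Computer step must follow this script in the Task Sequence.
Request-PpiOperation $op
Write-Host "PPI request $op queued; restart required."
```

Checking the confirmation status first tells you before the reboot whether the build will stop at the firmware prompt, which is what the Lenovo-style BIOS setting mentioned in the comments changes from 3 to 4.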

3 thoughts on “How to Clear a TPM 2.0 chip with SCCM and PowerShell”

  1. Been having the same battle with vendors and Microsoft for a year or 2 now.
    Some hardware vendors do allow you to disable the need for physical presence to clear the TPM in the BIOS, but regretfully most do not.
    Lenovo are one of those who do, and using a custom PS script I can now clear the TPM when rebuilding using SCCM and the build will go through start to finish with no user interaction.
    But I agree it’s a pain since a lot of vendors won’t provide you with this functionality in the BIOS, and after lengthy discussions with a certain vendor they eventually gave up looking at the issue as far as I can tell.


    1. Hey,
      What vendor are you dealing with?

      The most important piece was that the vendor allowed you to set the TPM to allow clearance without physical presence.

      If that is not possible with the vendor then I would manually clear the TPM prior to a rebuild and then have a single PS line to “initialise-tpm” during OSD.


