
Hello,

I'm having issues BitLockering M810z with SCCM. It seems to go through fine, but it appears that the TPM version is set to 2.0. I saw that the latest BIOS version has support for 'TPM FW Switch Feature', so I'm hoping this is what I need. I've set up SCCM to flash the BIOS for this model, but are there any BIOS settings that I can push through SCCM to ensure that the TPM module is set to 1.2? The TPM chip is set to 'Discrete' already...

 

BIOS I'm upgrading to is here: http://pcsupport.lenovo.com/ec/en/products/DESKTOPS-AND-ALL-IN-ONES/THINKCENTRE-M-SERIES-DESKTOPS/M810Z/downloads/DS121000

 

I'm also having issues updating the BIOS via OSD, as I'm unsure whereabouts to insert the install/reboot steps; they need to come before the 'Enable Bitlocker' step. Here's what my TS looks like at present, deploying Windows 7 Enterprise x64:

[screenshot of the task sequence]

Any advice?

 

 

6 minutes ago, simulacra75 said:

Not entirely sure why you're trying to get BitLocker to work with Windows 7 Professional, because it doesn't/cannot work. It's not implemented in Windows 7 Professional. You need to have Windows 7 Ultimate or Enterprise to use BitLocker.

Sorry, I meant enterprise. :)


Well then, that's different!

Okay. Lenovo make things a little easier because they expose the BIOS settings to WMI. This means you can use PowerShell, for example, to get settings from WMI and also to change them.

 

Display all BIOS Settings in PowerShell

gwmi -class Lenovo_BiosSetting -namespace root\wmi | ForEach-Object {if ($_.CurrentSetting -ne "") {Write-Host $_.CurrentSetting.replace(","," = ")}}

 

Get all possible values for a particular setting (TPM chip in this example)

(gwmi -class Lenovo_GetBiosSelections -namespace root\wmi).GetBiosSelections("SecurityChip") | Format-List Selections

 

Change and save a BIOS setting (making the TPM active in this example). Note the two-step process: changing the value and then saving it. Also note that the setting string is case-sensitive.

(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("SecurityChip,Active")

(gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi).SaveBiosSettings()

 

That should be enough to get you started, I think. Probably worth pointing out that changing BIOS settings via PowerShell is not supported on ALL Lenovo models. Give it a try though.
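
A scripted version of the get/select/set/save sequence above, added here as an example and not taken from simulacra75's post or from Lenovo: it reads the current value, validates the requested value against the allowed selections, sets and saves only when a change is actually needed, and checks the 'return' value of each WMI call instead of assuming success. Assumptions: the Lenovo_* classes are exposed on the model (the post notes they are not on all of them), the methods report "Success" in their 'return' property, and the "Name,Value,password,ascii,us" form for a supervisor-password-protected BIOS follows Lenovo's BIOS deployment documentation.

```powershell
# Added example (not from the original post): idempotently set one Lenovo BIOS
# setting through the Lenovo_* WMI classes and verify each call's result.
# Assumptions: the Lenovo_* classes exist on this model, and each method returns
# an object whose 'return' property is "Success" when it worked.
param(
    [string]$Setting            = 'SecurityChip',
    [string]$Value              = 'Active',
    [string]$SupervisorPassword = ''   # leave empty if no supervisor password is set
)

$ns = 'root\wmi'

function Get-LenovoBiosSetting([string]$Name) {
    # CurrentSetting is "Name,Value"; empty rows are padding and are skipped
    Get-WmiObject -Namespace $ns -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting -like "$Name,*" } |
        ForEach-Object { ($_.CurrentSetting -split ',')[1] } |
        Select-Object -First 1
}

function Get-LenovoBiosSelections([string]$Name) {
    # Selections comes back as one comma-separated string, e.g. "Active,Inactive,Disabled"
    $r = (Get-WmiObject -Namespace $ns -Class Lenovo_GetBiosSelections).GetBiosSelections($Name)
    if ($r.Selections) { $r.Selections -split ',' } else { @() }
}

$current = Get-LenovoBiosSetting $Setting
if (-not $current) { Write-Error "Setting '$Setting' is not exposed via WMI on this model"; exit 1 }
if ($current -eq $Value) { Write-Host "$Setting is already '$Value', nothing to do"; exit 0 }

$allowed = Get-LenovoBiosSelections $Setting
if ($allowed -and ($allowed -notcontains $Value)) {
    Write-Error "'$Value' is not a valid selection for $Setting (allowed: $($allowed -join ', '))"
    exit 1
}

# With a supervisor password set, Lenovo expects it appended to the setting string
# together with the encoding and keyboard layout: "Name,Value,password,ascii,us".
$suffix = if ($SupervisorPassword) { ",$SupervisorPassword,ascii,us" } else { '' }

$set = (Get-WmiObject -Namespace $ns -Class Lenovo_SetBiosSetting).SetBiosSetting("$Setting,$Value$suffix")
if ($set.return -ne 'Success') { Write-Error "SetBiosSetting failed: $($set.return)"; exit 1 }

# Saving is the second, separate step; without it the change is discarded on reboot.
$saver = Get-WmiObject -Namespace $ns -Class Lenovo_SaveBiosSettings
$save  = if ($SupervisorPassword) { $saver.SaveBiosSettings("$SupervisorPassword,ascii,us") }
         else                     { $saver.SaveBiosSettings() }
if ($save.return -ne 'Success') { Write-Error "SaveBiosSettings failed: $($save.return)"; exit 1 }

Write-Host "$Setting set to '$Value'; a reboot is required before it takes effect"
exit 0
```

Run it from an SCCM "Run PowerShell Script" step (or interactively as an administrator) with `-Setting SecurityChip -Value Active`; a non-zero exit code makes the task sequence step fail rather than silently carrying on to later steps with the BIOS unchanged.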

 

53 minutes ago, simulacra75 said:

Okay. Lenovo make things a little easier because they expose the BIOS settings to WMI. This means you can use PowerShell, for example, to get settings from WMI and also to change them.

[...]


Hello,

Thanks for this. I did see this on Lenovo's website; however, it appears that it's mostly designed for their ThinkPads, and ThinkCentres appear to have less functionality... Do you know if the above will apply to ThinkPads and ThinkCentres?

Source: https://support.lenovo.com/ec/en/solutions/ht100612


AFAIK, you cannot use a 64-bit boot image in your TS because the Lenovo BIOS Flash utility only supports the x86 architecture. On top of this you need to add a specific "Run Command Line" step that does a "full" restart of the target computer:

cmd.exe /c shutdown /s /t 0 /f

That should do it, but if you cannot use an x86 boot image, you're screwed until Lenovo provide a 64-bit compatible Flash utility.

 


Thanks,

There does appear to be an x64 version in the file structure once extracted:

[screenshot of the extracted BIOS package file structure]

Are you recommending that I flash the BIOS early in the TS, before the OS is applied, or after? If after, the above command will shut down the OS though. Any workarounds for that?


Hi all,

Just wanted to post the resolution to this...

Stage one: upgrade BIOS that supports the TPM FW Switch feature

[screenshot: BIOS upgrade step]

However, when flashing the BIOS the process needed to shut down afterwards to complete, so I added a shutdown command into the TS whilst in WinPE, but in between I displayed a message to the PXE booter informing them that this will happen, so they then re-run the task sequence:

[screenshots: message box and shutdown steps in WinPE]

 

The group only ran if the model was correct and the BIOS version was out of date:

[screenshot: group condition on model and BIOS version]

Then once the BIOS was flashed, the instructions to the engineers were to re-run the task sequence again, and obviously this time it skipped the BIOS upgrade as the WMI query was no longer valid. As the TPM chip defaulted to 2.0, I had to set the chip to 'Enabled', then change to 1.2 and then set the security chip to 'Active', in that order. Now I'm not sure if all of the reboot steps are required, but the reboot after the TPM switch is 100% required. Here are the steps in order:

[screenshots: TPM configuration steps in order]

 

Sources:

BIOS Tools package: https://support.lenovo.com/ec/en/solutions/ht100612

Display message in WinPE (you have to add the 'Use Toolkit Package' before running this): https://blogs.technet.microsoft.com/deploymentguys/2011/07/01/message-box-script-for-lite-touch-task-sequences/

Now you cannot change the TPM version using the above tools, as Lenovo purposely disable changing it via WMI due to security concerns, so there's a utility to change this: https://pcsupport.lenovo.com/ec/en/products/DESKTOPS-AND-ALL-IN-ONES/THINKCENTRE-M-SERIES-DESKTOPS/M810Z/downloads/DS121000 (download the Windows BIOS setting tool); documentation is attached in the tool to help you.

I'm sure there might be a way to streamline the above but this worked for me and the client.

Hopefully this might help someone in the future.
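
The resolution above relies on two gates: the BIOS-upgrade group only runs for the right model with an out-of-date BIOS, and 'Enable BitLocker' must only run once the security chip is Active and reporting TPM 1.2. A pre-flight check that makes the second gate explicit, added here as an example (not code from the original post, from Lenovo or from Microsoft): it is meant to sit as a "Run PowerShell Script" step immediately before 'Enable BitLocker' and fail the step unless the model, BIOS version, Lenovo SecurityChip setting and TPM specification version are all as expected. The model string and minimum BIOS version are placeholders to be read off a correctly flashed machine; the TpmPreflightOK task sequence variable name is my own choice; Win32_Tpm is Microsoft's standard TPM class and Lenovo_BiosSetting is assumed to be exposed on the model.

```powershell
# Added example (not from the original post): pre-flight check to run just before
# the "Enable BitLocker" step. Exits non-zero unless the machine is the expected
# model, the BIOS is at or above the target version, the Lenovo security chip is
# Active and Windows sees an enabled, activated TPM of the expected spec version.
# Assumptions: ExpectedModel and MinBiosVersion are placeholders for values taken
# from a correctly flashed machine; Lenovo_BiosSetting is exposed on this model.
param(
    [string]$ExpectedModel  = 'PLACEHOLDER_M810z_MODEL_STRING',  # compare with Win32_ComputerSystem.Model
    [string]$MinBiosVersion = 'PLACEHOLDER_MIN_BIOS_VERSION',    # SMBIOSBIOSVersion of the TPM-FW-switch BIOS
    [string]$ExpectedSpec   = '1.2'
)

function Test-PreflightState {
    param($Model, $BiosVersion, $SecurityChip, $TpmSpecVersion, $TpmEnabled, $TpmActivated)
    # Returns a list of human-readable failures; an empty list means the machine passes.
    $failures = @()
    if ($Model -notlike "*$ExpectedModel*") { $failures += "model '$Model' does not match '$ExpectedModel'" }
    # Lenovo BIOS versions are not numeric; an ordinal string compare is adequate as long as
    # the vendor keeps a fixed-width, increasing scheme for this model.
    if ([string]::CompareOrdinal($BiosVersion, $MinBiosVersion) -lt 0) {
        $failures += "BIOS '$BiosVersion' is older than required '$MinBiosVersion'"
    }
    if ($SecurityChip -ne 'Active') { $failures += "SecurityChip is '$SecurityChip', expected 'Active'" }
    if (-not $TpmEnabled -or -not $TpmActivated) { $failures += 'TPM is not enabled and activated in the OS view' }
    # Win32_Tpm.SpecVersion looks like "1.2, 2, 3" (spec version, errata, revision)
    $spec = ($TpmSpecVersion -split ',')[0].Trim()
    if ($spec -ne $ExpectedSpec) { $failures += "TPM spec version '$spec', expected '$ExpectedSpec'" }
    return $failures
}

$cs   = Get-WmiObject Win32_ComputerSystem
$bios = Get-WmiObject Win32_BIOS
$chip = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting -like 'SecurityChip,*' } |
        ForEach-Object { ($_.CurrentSetting -split ',')[1] } | Select-Object -First 1
$tpm  = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm
if (-not $tpm) { Write-Host 'PREFLIGHT FAIL: no TPM visible to Windows'; exit 1 }

$failures = Test-PreflightState -Model $cs.Model -BiosVersion $bios.SMBIOSBIOSVersion `
    -SecurityChip $chip -TpmSpecVersion $tpm.SpecVersion `
    -TpmEnabled $tpm.IsEnabled().IsEnabled -TpmActivated $tpm.IsActivated().IsActivated

# Record the outcome in a task sequence variable so later steps can condition on it;
# the COM object only exists inside a running task sequence, hence the try/catch.
$ok = -not $failures
try { (New-Object -ComObject Microsoft.SMS.TSEnvironment).Value('TpmPreflightOK') = "$ok" } catch {}

if (-not $ok) {
    $failures | ForEach-Object { Write-Host "PREFLIGHT FAIL: $_" }
    exit 1
}
Write-Host "PREFLIGHT OK: TPM $ExpectedSpec active on $($cs.Model), BIOS $($bios.SMBIOSBIOSVersion)"
exit 0
```

Failing this step stops the task sequence before 'Enable BitLocker' rather than letting it attempt (and fail) on a machine whose TPM is still at 2.0 or still Inactive; the smsts.log then carries the PREFLIGHT lines, which makes the reason obvious to the engineer re-running the sequence.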

 

 
