Enable LENOVO TPM Security Chip (and other stuff) from a TS

 

I have some customers who run strictly Lenovo computers (laptops and desktops). On a lot of these machines the security chip (the TPM) has been disabled or is in Inactive mode, which prevents BitLocker from being used. I just finished working out how to activate the TPM chip in the BIOS from a task sequence on those Lenovo computers, and once the minor obstacles were figured out, it turned out to be quite easy.

The first thing I wanted to do was to check whether the TPM chip was already Active, and if not, activate it. This is actually very simple on a Lenovo laptop, as it can all be done through WMI. Lenovo has been kind enough to supply the scripts needed to do this, along with some .pdf guides (get the scripts HERE).

Be aware that only the following ThinkPad systems are supported:

  • R400, R500
  • T400, T400s, T410, T410s, T420, T420i, T420s, T420si, T500, T510, T520, T520i
  • W500, W510, W520, W700, W700ds, W701
  • X200, X200s, X200 Tablet, X201, X201s, X220, X220i, X220 Tablet, X220i Tablet, X301

Once you have the scripts, the ones you need are ListAll.vbs and SetConfig.vbs. The ListAll script lists the current value of every WMI-configurable setting in the BIOS. Open an elevated command prompt and run ListAll.vbs, and remember to run it with cscript.exe, or you will get about 50 message boxes (one per setting)…

cscript.exe ListAll.vbs

In the picture below (from a Lenovo W520), you can see that the Security chip is Inactive and needs to be activated for BitLocker to work. (You will also notice that the computer is running in AHCI mode, and that Virtualization is disabled, along with a lot of other settings. These can be changed the same way if necessary.)

[Image: ListAll.vbs output from a Lenovo W520, showing SecurityChip,Inactive]

To change the setting we use the script SetConfig.vbs. Place it in your scripts package (or create one), and then in your task sequence add a Run Command Line step, as shown in the picture below.

[Image: Run Command Line step in the task sequence editor]

Command line: Cscript.exe SetConfig.vbs SecurityChip Active 

It is important that the setting name and value you want to change are written exactly as they appear in the ListAll output, because they are case sensitive and the script will fail otherwise. This means that Active is correct but active is NOT.

That is basically it. The TPM chip will be activated during the next reboot, which of course means that you must add a Restart Computer step before the step that enables BitLocker.

If you want it really neat, you can add a condition on the step so that it does not run if the chip is already Active. It is not strictly necessary, but it will at least record in SMSTS.log whether or not the chip had to be enabled.

[Image: Options tab of the step, with the WMI query condition]

On the Options tab of the step, add an If statement set to "none of the conditions are true", and inside that If statement add a Query WMI condition (as shown above). In that query, change the Namespace from root\cimv2 to root\wmi, and in the WQL Query field write:

Select * FROM Lenovo_BiosSetting WHERE CurrentSetting = 'SecurityChip,Active'

Now the script will only run if the status of the Security Chip is different from Active.
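The same check-then-set logic as a single PowerShell script, which you could use in place of the ListAll.vbs / SetConfig.vbs pair and the WMI condition described above. This is an added example, not one of Lenovo's scripts or anything from the original post: it assumes the Lenovo WMI BIOS interface the scripts wrap (namespace root\wmi, classes Lenovo_BiosSetting, Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings, and the ",ascii,us" supervisor-password suffix), and the task-sequence variable name TPMNeedsReboot is a made-up placeholder for whatever variable your Restart Computer step conditions on.

```powershell
# Added example, not Lenovo's SetConfig.vbs. Assumes the Lenovo WMI BIOS classes
# in root\wmi and no supervisor password unless $SupervisorPassword is set.
$Namespace          = 'root\wmi'
$Setting            = 'SecurityChip'   # names and values are case sensitive in the BIOS
$Wanted             = 'Active'
$SupervisorPassword = ''               # leave empty if the BIOS has no supervisor password

function Get-LenovoBiosSetting {
    param([string]$Name)
    # CurrentSetting is stored as "Name,Value", exactly what ListAll.vbs prints.
    $rows = Get-WmiObject -Namespace $Namespace -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting -and ($_.CurrentSetting.Split(',')[0] -ceq $Name) }
    if (-not $rows) { return $null }
    return @($rows)[0].CurrentSetting.Split(',')[1]
}

function Test-SecurityChipActive {
    # Same WQL as the task-sequence condition, with plain ASCII quotes.
    $hit = Get-WmiObject -Namespace $Namespace -Query "SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting = '$Setting,$Wanted'"
    return [bool]$hit
}

function Set-LenovoBiosSetting {
    param([string]$Name, [string]$Value, [string]$Password)
    $setter  = Get-WmiObject -Namespace $Namespace -Class Lenovo_SetBiosSetting
    $saver   = Get-WmiObject -Namespace $Namespace -Class Lenovo_SaveBiosSettings
    $arg     = "$Name,$Value"
    $saveArg = ''
    if ($Password) {
        # Lenovo's documented format when a supervisor password is set.
        $arg     += ",$Password,ascii,us"
        $saveArg  = "$Password,ascii,us"
    }
    $r = $setter.SetBiosSetting($arg)
    if ($r.return -ne 'Success') { throw "SetBiosSetting '$Name,$Value' failed: $($r.return)" }
    # Settings are staged until SaveBiosSettings commits them.
    $r = $saver.SaveBiosSettings($saveArg)
    if ($r.return -ne 'Success') { throw "SaveBiosSettings failed: $($r.return)" }
}

$current = Get-LenovoBiosSetting -Name $Setting
if ($null -eq $current) {
    Write-Output "$Setting is not exposed by this BIOS (unsupported model or old BIOS)."
    exit 1
}
Write-Output "$Setting is currently '$current'."

if (Test-SecurityChipActive) {
    Write-Output 'Already Active; nothing to do.'
    exit 0
}

Set-LenovoBiosSetting -Name $Setting -Value $Wanted -Password $SupervisorPassword

# The change only takes effect after a reboot, so flag it for the task sequence.
try {
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $ts.Value('TPMNeedsReboot') = 'True'   # placeholder variable name; consumed by a later Restart Computer step
} catch {
    Write-Output 'Not running inside a task sequence; reboot manually.'
}
Write-Output "$Setting set to '$Wanted'; reboot required before enabling BitLocker."
exit 0
```

Run it from a Run PowerShell Script step (or with an elevated prompt outside a task sequence). The exit codes keep the task sequence honest: 1 when the BIOS does not expose the setting at all, which is what the T410/T510 BIOS bug described later looks like from WMI, and 0 when the chip is already Active or has just been set. SetBiosSetting and SaveBiosSettings both return a status string, and anything other than "Success" (for example "Access Denied" when a supervisor password is set but not supplied) aborts the step instead of silently continuing to the BitLocker step.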

One last thing I ran into was on the Lenovo T510 and T410, where this did not work. It turned out to be caused by a bug in the BIOS… Once I flashed the BIOS with the newest version, it worked like a charm… Should you need a guide on how to do an unattended BIOS update from SCCM, I will write one here shortly.

By Michael Petersen | August 25th, 2011 (2011-08-25T10:23:00+00:00) | General info, OS Deployment | 20 Comments

About the Author:

Michael Petersen
Twitter: @OSDeploy | LinkedIn: Michael Petersen | Microsoft Community Contributor

20 Comments

  1. Josh August 28, 2011 at 3:03 - Reply

    Great article. We are going to be moving to Windows 7 64-bit in a few months. We need to hit over 3000 machines. This is going to come in very handy! Now if only I could find something like this for the Dell Latitude E4300 and E6400 series and I'll be golden.

  2. sivhead December 16, 2011 at 16:29 - Reply

    Will this work if the BIOS is password protected? Will I need to remove password protection first? I suppose I can test and post.

  3. Glen June 5, 2012 at 2:00 - Reply

    Hi,
    I’m getting invalid query when using the test query option in an SCCM task sequence for Select * FROM Lenovo_BiosSetting WHERE CurrentSetting = ‘SecurityChip,Active’

    • Lars Halvorsen November 26, 2012 at 16:37 - Reply

      To Glen:
      Make sure you have the namespace set to root\wmi.
      The default is root\cimv2.

  4. Dexter June 20, 2012 at 18:18 - Reply

    Thanks, this turns on and takes ownership of the TPM fine on a laptop out of the box but does not initialize the TPM. Any ideas? Thanks.

  5. Wayne June 21, 2012 at 14:50 - Reply

    Can anyone tell me why running the script with a service account in the Task Sequence doesn’t work, (even though the account has access to the location of the script and has admin rights, etc) but running it with a regular user account works just fine?

  6. sivhead July 4, 2012 at 9:44 - Reply

    You mentioned in your article that you would go through the method you used to update the Lenovo BIOS; can you enlighten me? Thanks, siv

  7. eric August 5, 2013 at 16:46 - Reply

    Thanks, I saw the BIOS editing tools on Lenovo but you did a much better job of explaining them.

  8. Aktam January 10, 2014 at 23:51 - Reply

    Thanks a lot for this valued article.

  9. Mike January 16, 2014 at 14:02 - Reply

    Select * FROM Lenovo_BiosSetting WHERE CurrentSetting = ‘SecurityChip,Active’

    The above returns INVALID QUERY, even when set to root\wmi, when the 'Test query' button is pressed.

    Is there a typo, or is something lost in translation when cutting and pasting from this web page?? I am running SCCM 2012 R2.

  10. Mike January 16, 2014 at 14:27 - Reply

    Yes i can confirm the WQL “Select * FROM Lenovo_BiosSetting WHERE CurrentSetting = ‘SecurityChip,Active’” DEFINITELY does not work…..

    Michael, could you take another look at this? It would be extremely useful for our re-images not to have to go through the steps to enable the TPM because they require a reboot delaying the whole process.

  11. Mike Compton January 16, 2014 at 15:19 - Reply

    I have sorted this. Perhaps it's related to the language variation of the SCCM install?

    The query that works fine for me is (English language install of SCCM):

    Select * FROM Lenovo_BiosSetting WHERE CurrentSetting = “SecurityChip,Active”

    This “Contains valid syntax”

    Hope this helps!!

  12. […] the related article, from here […]

  13. […] the related article, from here […]

  14. Mike October 22, 2014 at 20:20 - Reply

    I too would be interested in seeing the process to automatically update the BIOS.

  15. Steve Nguyen March 23, 2015 at 12:36 - Reply

    We have Thinkpad T430. I followed your guide but it doesn't work…
    The Security chip no longer shows in the BIOS… How can I enable it?

    Thank you,

  16. Casper December 29, 2015 at 14:34 - Reply

    The WMI query works fine, just remember to NOT copy paste the query into your sccm task sequence.
    It will not use the wrong quotes (“ “) around “SecurityChip,Active”.
    You need to replace them in the editor.

    My TS also failed until I changed the quotes in the WMI to the correct quotes.

  17. Kapil July 7, 2016 at 17:51 - Reply

    Anyone have an idea how to turn the TPM chip on or off for the Lenovo Ideapad MIIX700?

  18. Nemanja Jovic February 19, 2018 at 15:20 - Reply

    Great article, one additional step can be to add one more IF statement that will match true condition, so it will run only on Lenovo models, if not specified before in OSD.
    Select Manufacturer from Win32_ComputerSystem WHERE Manufacturer LIKE “LENOVO”
