I have some customers who run strictly Lenovo computers (laptops and desktops). On a lot of these computers the Security Chip has been disabled or is in Inactive mode, which prevents the use of BitLocker. I just finished messing around with activating the TPM chip in the BIOS from a task sequence on those Lenovo computers, and once all the minor obstacles were figured out, it turned out to be quite easy.

The first thing I wanted to do was to check whether the TPM chip was already Active, and if not, activate it. This is actually quite simple on a Lenovo laptop, as it can all be done using WMI. Lenovo has been kind enough to supply the scripts needed to do this, along with some .pdf guides (get the scripts HERE).

Be aware that only the following ThinkPad systems are supported:

  • R400, R500
  • T400, T400s, T410, T410s, T420, T420i, T420s, T420si, T500, T510, T520, T520i
  • W500, W510, W520, W700, W700ds, W701
  • X200, X200s, X200 Tablet, X201, X201s, X220, X220i, X220 Tablet, X220i Tablet, X301

Once you have the scripts, the ones you need are ListAll.vbs and SetConfig.vbs. The ListAll script lists the status of all WMI-configurable settings in the BIOS. Just open an elevated command prompt and run ListAll.vbs, and remember to use cscript.exe when you execute the script, or you will get something like 50 message boxes…

cscript.exe ListAll.vbs

In the picture below (from a Lenovo W520), you can see that the Security Chip is Inactive and needs to be activated for BitLocker to work. (You will also notice that the computer is running in AHCI mode, and that Virtualization is disabled, along with a lot of other things. These settings can be changed the same way if necessary.)


To change the settings we use the script SetConfig.vbs. Just place it in your scripts package (or create one), and then in your task sequence add a Run Command Line step like the one shown in the picture:


Command line: Cscript.exe SetConfig.vbs SecurityChip Active

It’s important that the settings you want to change are written exactly as they appear in the ListAll output, because they are case sensitive and the script will otherwise fail. This means that Active is correct but active is NOT.

That’s basically it. The TPM chip will be activated during the next reboot, which of course means that you must add a reboot step before enabling BitLocker.

If you want it really neat and tidy, you can add a condition on the step so it does not run if the chip is already Active. It’s not necessary, but it will at least give you some information in the SMSTS.log about whether or not the chip was already enabled.


Add an "If none" condition, and inside that If statement add a WMI Query condition (as shown above). In that query, change the Namespace from root\cimv2 to root\wmi, and in the WQL Query write:

Select * FROM Lenovo_BiosSetting WHERE CurrentSetting = 'SecurityChip,Active'

Now the script will only run if the status of the Security Chip is anything other than Active.
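The same check-then-activate logic, written as an added PowerShell example rather than Lenovo's own ListAll.vbs/SetConfig.vbs, using the root\wmi Lenovo_BiosSetting, Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings classes. It assumes no BIOS supervisor password is set (with a password the SetBiosSetting argument needs extra fields) and is run elevated from a Run Command Line step:

```powershell
# Added example, not Lenovo's script. Reads the Security Chip state and activates
# it only when needed. Assumes no supervisor password is set on the BIOS.
$ns = 'root\wmi'

function Get-LenovoBiosSetting {
    param([Parameter(Mandatory)][string]$Name)
    # CurrentSetting is stored as "Name,Value", e.g. "SecurityChip,Inactive"
    $row = Get-WmiObject -Namespace $ns -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting -like "$Name,*" }
    if (-not $row) { return $null }
    return ($row.CurrentSetting -split ',', 2)[1]
}

function Set-LenovoBiosSetting {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Value)
    # Names and values are case sensitive: "Active" works, "active" fails
    $setter = Get-WmiObject -Namespace $ns -Class Lenovo_SetBiosSetting
    $r = $setter.SetBiosSetting("$Name,$Value")
    if ($r.return -ne 'Success') { throw "SetBiosSetting($Name,$Value) returned: $($r.return)" }
    # Changes are only staged until SaveBiosSettings commits them to the BIOS
    $saver = Get-WmiObject -Namespace $ns -Class Lenovo_SaveBiosSettings
    $r = $saver.SaveBiosSettings()
    if ($r.return -ne 'Success') { throw "SaveBiosSettings returned: $($r.return)" }
}

$current = Get-LenovoBiosSetting -Name 'SecurityChip'
if ($null -eq $current) {
    Write-Output 'SecurityChip is not exposed through WMI on this model.'
    exit 1
}
if ($current -eq 'Active') {
    Write-Output 'Security Chip already Active; nothing to do.'
    exit 0
}
Write-Output "Security Chip is '$current'; setting it to Active."
Set-LenovoBiosSetting -Name 'SecurityChip' -Value 'Active'
# The new value takes effect on the next boot, so the task sequence still needs a
# Restart Computer step before the Enable BitLocker step.
exit 0
```

Running it with a non-zero exit code on unsupported models makes the task sequence step fail visibly instead of silently continuing to the BitLocker step.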

One last thing I ran into was on the Lenovo T510 and T410, where this didn’t work. It turned out to be caused by a bug in the BIOS… Once I flashed the BIOS with the newest version, it worked like a charm… Should you need a guide on how to do an unattended BIOS update from SCCM, I will write one here shortly.