Welcome to our peer-to-peer forums, where owners help owners. Need help now? Visit eSupport here.

English Community

Software and Operating SystemEnterprise Client Management
All Forum Topics
Options

19 Posts

09-04-2017

United Kingdom of Great Britain and Northern Ireland

18 Signins

274 Page Views

  • Posts: 19
  • Registered: ‎09-04-2017
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 274
  • Message 1 of 11

SCCM - M810z - Change TPM Version to 1.2

2017-09-05, 12:21 PM

Hello,

 

First post here so hoping I'm in the right area!

 

I'm having issues bitlockering M810z with SCCM, it seems to go through fine but it appears that the TPM version is set to 2.0, I saw on the latest BIOS version that there's support for 'TPM FW Switch Feature' so hoping this is what I need, I've set up SCCM to flash the BIOS for this model, but is there any BIOS settings that I can push through SCCM to ensure that the TPM module is set to 1.2? The TPM chip is set to 'Discrete' already...

 

BIOS I'm upgrading to is here: http://pcsupport.lenovo.com/ec/en/products/DESKTOPS-AND-ALL-IN-ONES/THINKCENTRE-M-SERIES-DESKTOPS/M8...

 

Any help is appreciated 

Reply
Answer
Options

1812 Posts

03-03-2016

United States of America

3898 Signins

46815 Page Views

  • Posts: 1812
  • Registered: ‎03-03-2016
  • Location: United States of America
  • Views: 46815

Re: SCCM - M810z - Change TPM Version to 1.2

2017-09-06, 21:30 PM

adurrant,

 

If I were you I would test with this and see what works the best for you but... here is my best guess without having the specific hardware to test it myself.

 

For an x64 boot image:

SRWinx64.exe /dtpm2 disable   or SRWinx64.exe /ftpm disable        choose the appropriate setting here either DTPM2 or FTPM
SRWinx64.exe /dtpm active

 

You may not need the disable to then set the other active, but it may, so I included it as a precaution.

 

Like I said above though, test and see what works for your environment.  I would even get a fresh boot image from the ADK, copy it elsewhere and test it via command line to see what works.   Then add it into a TS once you know what is the right lines to add in.

 

HTH,

 

Tlawson

 

 

Reply

Replies(10)
Options

205 Posts

06-02-2015

United States of America

364 Signins

2566 Page Views

  • Posts: 205
  • Registered: ‎06-02-2015
  • Location: United States of America
  • Views: 2566
  • Message 2 of 11

Re: SCCM - M810z - Change TPM Version to 1.2

2017-09-05, 19:38 PM

Take a look at the following thread,

 

https://forums.lenovo.com/t5/forums/v3_1/forumtopicpage/board-id/sa01_eg/thread-id/3584/page/2

 

Let me know if that helps.

Reply
Options

19 Posts

09-04-2017

United Kingdom of Great Britain and Northern Ireland

18 Signins

274 Page Views

  • Posts: 19
  • Registered: ‎09-04-2017
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 274
  • Message 3 of 11

Re: SCCM - M810z - Change TPM Version to 1.2

2017-09-06, 14:55 PM
Hello,

Thanks for your reply, it's helped somewhat, I've been able to set the security chip to enabled but I'm having issues changing the TPM version to 1.2, I'm using SCCM and running the following command:

Cscript.exe SetConfig.vbs "Discrete TPM FW Switch" Discrete TPM 1.2

Using the Lenovo bios tools.

I'm going to try the .hta configuration tool that is in the blog but I'm not exactly sure where about to place it in my task sequence, it needs to be before the disks are formatted due to the preprovision bit locker stage.
Reply
Options

205 Posts

06-02-2015

United States of America

364 Signins

2566 Page Views

  • Posts: 205
  • Registered: ‎06-02-2015
  • Location: United States of America
  • Views: 2566
  • Message 4 of 11

Re: SCCM - M810z - Change TPM Version to 1.2

2017-09-06, 15:22 PM

I didn't ask previously, but you are indeed deploying to a Skylake Sku of the m810z? That would be a model that has an Intel i6xxx CPU? If that is the case, then getting the right syntax for the Bios tool would be the next step.

 

Although the Bios Config tool has a gui interface it can also be added to the task sequence and if you are only applying one setting you can invoke it using the "command line".

 

The good thing about the Bios Config tool is you can use an M810z and capture the settings you want to a file and then just point to the file in your task sequence step ie (ThinkBiosConfig.hta “file=C:\m810zConfig.ini”) and the settings will be applied - check the manual for more info.

 

Also, I believe the command you posted may need to be:

Cscript.exe SetConfig.vbs "Discrete TPM FW Switch" "Discrete TPM 1.2"

Reply
Options

19 Posts

09-04-2017

United Kingdom of Great Britain and Northern Ireland

18 Signins

274 Page Views

  • Posts: 19
  • Registered: ‎09-04-2017
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 274
  • Message 5 of 11

Re: SCCM - M810z - Change TPM Version to 1.2

2017-09-06, 15:28 PM
Thanks for your reply, the device CPU is i3-6100.

I'll try manually editing the bios to 1.2 then capturing the .config files so I'll post here once I know more, the device defaults to 2.0 when changing the option to 1.2 in the GUI interface or via PowerShell, I receive an access denied message on both (logged in as admin and there is no bios password set)

In regards to your bottom comment, I've tried that combination of commands with quotes, it didn't work unfortunately even when running manually on the device and not via OSD.
Reply
Options

205 Posts

06-02-2015

United States of America

364 Signins

2566 Page Views

  • Posts: 205
  • Registered: ‎06-02-2015
  • Location: United States of America
  • Views: 2566
  • Message 6 of 11

Re: SCCM - M810z - Change TPM Version to 1.2

2017-09-06, 18:39 PM

I have some new information for you. If you go the download page for the M810z and download the "Windows BIOS setting tool".

 

Inside of that package is SRDos (32 or 64bit), SRWin (32bit) and SRWinx64. This tool will allow you to change to Discreet TPM 1.2 (dTPM). The included readme file is very informative as well.

 

Create a new package in your SCCM console with source files and standard program. To be safe, you may want to run the SRDos executable for your program = srdos.exe /dtpm active, followed by the appropriate restart (to winpe).

 

Because Lenovo prioritizes security over manageability, the TPM setting cannot be changed via wmi and both the other tools interface with wmi to change Bios settings.

 

Sorry for steering you along the wrong path at first.

 

Let me know if this is what you need.

Reply
Options

19 Posts

09-04-2017

United Kingdom of Great Britain and Northern Ireland

18 Signins

274 Page Views

  • Posts: 19
  • Registered: ‎09-04-2017
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 274
  • Message 7 of 11

Re: SCCM - M810z - Change TPM Version to 1.2

2017-09-06, 20:45 PM
Hello,

Looks promising! With the SRDOS program, can this be ran within WINPE? Reason I ask is because I need to set the BIOS up correctly before laying down the operating system for the bit locker stage to be set correctly.

As the M810z latest bios comes with a TPM Switch feature, I assume the command will be /dtpm active and /dtpm2 disable? Table below from the readme.txt

/dtpm [option] Change discrete TPM 1.2 status *
* [option] *
* disable -- Disable discrete TPM 1.2 *
* inactive -- Set discrete TPM 1.2 inactive *
* active -- Set discrete TPM 1.2 active *
* /ftpm [option] Change firmware TPM status *
* [option] *
* disable -- Disable firmware TPM *
* enable -- Set firmware TPM enable *
* /dtpm2 [option] Change discrete TPM 2.0 status *
* [option] *
* disable -- Disable discrete TPM 2.0 *
* enable -- Set discrete TPM 2.0 enable
Reply
Options

1812 Posts

03-03-2016

United States of America

3898 Signins

46815 Page Views

  • Posts: 1812
  • Registered: ‎03-03-2016
  • Location: United States of America
  • Views: 46815
  • Message 8 of 11

Re: SCCM - M810z - Change TPM Version to 1.2

2017-09-06, 21:11 PM

adurrant,

 

You will need to use either the SRWin for x86 or SRWinx64 for x64 as SRDOS is meant for DOS environments.  Since WinPE is Windows based, use the appropriate one for the appropriate architecture of your boot wim.  Make sure you include all the files in that package to ensure all drivers and components are available in the boot image.

 

HTH,

 

Tlawson

Reply
Options

19 Posts

09-04-2017

United Kingdom of Great Britain and Northern Ireland

18 Signins

274 Page Views

  • Posts: 19
  • Registered: ‎09-04-2017
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 274
  • Message 9 of 11

Re: SCCM - M810z - Change TPM Version to 1.2

2017-09-06, 21:21 PM
Thanks Tlawson :)

Any ideas on the correct command syntax to disable 2.0 and enable 1.2?
Reply
Answer
Options

1812 Posts

03-03-2016

United States of America

3898 Signins

46815 Page Views

  • Posts: 1812
  • Registered: ‎03-03-2016
  • Location: United States of America
  • Views: 46815
  • Message 10 of 11

Re: SCCM - M810z - Change TPM Version to 1.2

2017-09-06, 21:30 PM

adurrant,

 

If I were you I would test with this and see what works the best for you but... here is my best guess without having the specific hardware to test it myself.

 

For an x64 boot image:

SRWinx64.exe /dtpm2 disable   or SRWinx64.exe /ftpm disable        choose the appropriate setting here either DTPM2 or FTPM
SRWinx64.exe /dtpm active

 

You may not need the disable to then set the other active, but it may, so I included it as a precaution.

 

Like I said above though, test and see what works for your environment.  I would even get a fresh boot image from the ADK, copy it elsewhere and test it via command line to see what works.   Then add it into a TS once you know what is the right lines to add in.

 

HTH,

 

Tlawson

 

 

0 person found this solution to be helpful.

This helped me too

Reply
Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop
X

Save

X

Delete

X

No, I don’t want to share ideas Yes, I agree to these terms