cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Lenovo Employee AlanHui
Lenovo Employee
Posts: 2
Registered: ‎06-12-2017
Location: HK
Views: 144
Message 1 of 3

M910 TPM hash value on Windows 7 Enterprise 64bit

we are reported that 70 M910s machines pop up bitlocker recovery page and located PCR change to all zero two times. After PCR change and machine reboot, bitlocker recovery page pop up.

 

Base on the observation of TPM’s behavior

  1. Please advise if any tool from Lenovo can help to ensure the TPM is working fine. Or how Lenovo would define the tpm chip is working normal.
  2. Please advise if any tool from Lenovo can check the TPM hash value ?
  3.  it is expected that the hash value of all PCR registers in TPM 1.2 would show all zeros ?  

Machine MTM: 10MLS1M51Y
OS: Windows 7 Enterprise

PCR table 2.jpgOrginalPCR table 1.jpgsuddenly changed

Lenovo Employee rbkirk
Lenovo Employee
Posts: 798
Registered: ‎02-20-2009
Location: US
Views: 130
Message 2 of 3

Re: M910 TPM hash value on Windows 7 Enterprise 64bit

If you are running the M910 on Windows 7, that means it MUST have a Skylake 6th gen processor. That would be something like an i5-6500, the "6" indicating 6th gen. If it is a higher number, you cannot run Win7, and must run W10 on that model M910.

 

If running W7, check the following BIOS settings...

1. Make sure the BIOS is current

2. Make sure the TPM is set to 1.2 mode, but only if the drive is a SATA drive. If you have a PCIe NVMe drive in there...well...it's harder to support W7

3. If running a PCIe NVMe drive instead of a SATA based drive, the TPM must be in 2.0 mode, and the proper 2.0 W7 support module must be part of your image (from Microsoft https://support.microsoft.com/en-nz/help/2920188/update-to-add-support-for-tpm-2-0-in-windows-7-and-.... ALSO, the boot partition must be a GPT partition, not an MBR partition.

4. If the drive is a SATA drive, and the TPM is properly set to 1.2 mode, make sure the BIOS setting "Use Optimized OS Defaults" is set to DISABLED, and load default BIOS settings.

 

HOWEVER, at this point, with the end of support for Windows 7 mere months away (like about 6 months away), I would strongly advise you to instead load W10 on those M910's.

If you elect to load W10...

1. Make sure the BIOS is current

2. Make sure the TPM is in 2.0/PTT mode. Clear it before imaging W10

3. Make sure the BIOS setting Use Optimized OS Defaults is set to Enabled, save that, and load default BIOS settings.

4. Destroy all existing partitions on the system with the Microsoft DISKPART command and the CLEAN subcommand. You can google this command for syntax.

5. Load a fresh image of Windows 10 on the M910.

 

 

 

Lenovo Employee AlanHui
Lenovo Employee
Posts: 2
Registered: ‎06-12-2017
Location: HK
Views: 75
Message 3 of 3

Re: M910 TPM hash value on Windows 7 Enterprise 64bit

Thansk for your information. 

I also find that is caused by  Dynamic- Chain of Trust Measurement process. So could we know the TPM behavior on Dynamic- Chain of Trust Measurement process. Would you provide more information on how this can work with the sleep mode to calculate the hash value in the TPM ?

 

Thanks.

 

 

Check out current deals!


Shop current deals

Top Kudoed Authors