OprSysOp
Paper Tape
Posts: 3
Registered: ‎07-12-2018
Location: CA
Views: 558
Message 1 of 8

Multiple Thinkpad E570 systems will not update TPM

Good Afternoon, 

 

We currently have 4 systems, all E570's, that have this same issue. I have just gotten off the phone with Lenovo Technical support who determined that I should send ALL OF THEM to the DEPOT - which is absolutely ludicrous. 

 

I'm trying to update the TPM chip manufactured by IFX (2.0) in our E570 systems from version 7.61 to 7.62 to resolve the security issue noted here: https://support.lenovo.com/ca/en/product_security/len-15552 The update starts as expected; however, during the reboot there is a message stating that the update is failing due to "Invalid TPM firmware". The TPM is still on version 7.61.

 

I have updated to the latest BIOS (1.95) from here: https://pcsupport.lenovo.com/ca/en/products/laptops-and-netbooks/thinkpad-edge-laptops/thinkpad-e570... and have been using the TPM update utility provided by Lenovo here: https://pcsupport.lenovo.com/ca/en/products/laptops-and-netbooks/thinkpad-edge-laptops/thinkpad-e570...

 

The issue still remains unresolved. 

 

I am hoping SOMEONE has a resolution for me which does not involve asking 4 of our employees to go without laptops for weeks while I send them to Lenovo.

Lenovo Staff
Lenovo Staff
Posts: 4,830
Registered: ‎10-29-2009
Location: NC
Views: 545
Message 2 of 8

Re: Multiple Thinkpad E570 systems will not update TPM

On one of the failing systems, please run this command in PowerShell (running as admin) and paste the complete output here.

 

 gwmi -class Win32_Tpm -namespace root\CIMV2\Security\MicrosoftTpm

 

 

Lenovo Staff
Lenovo Staff
Posts: 4,830
Registered: ‎10-29-2009
Location: NC
Views: 543
Message 3 of 8

Re: Multiple Thinkpad E570 systems will not update TPM

By the way, what are you using the TPM for?  If it's just for BitLocker, did you know that updating the TPM 2.0 firmware is not required?  BitLocker is not affected by the TPM security issue on TPM 2.0.

 

reference:  https://support.microsoft.com/en-us/help/4046783/bitlocker-mitigation-plan-for-vulnerability-in-tpm

 

BitLocker uses the TPM seal and unseal operations together with the storage root key to protect BitLocker secrets on the operating system volume.  The vulnerability affects the seal and unseal operations on TPM 1.2, but it does not affect the operations on TPM 2.0.

OprSysOp
Paper Tape
Posts: 3
Registered: ‎07-12-2018
Location: CA
Views: 528
Message 4 of 8

Re: Multiple Thinkpad E570 systems will not update TPM

@ Thanks for the help, this is what I got: 

 

PS C:\WINDOWS\system32> gwmi -class Win32_Tpm -namespace root\CIMV2\Security\MicrosoftTpm


__GENUS : 2
__CLASS : Win32_Tpm
__SUPERCLASS :
__DYNASTY : Win32_Tpm
__RELPATH : Win32_Tpm=@
__PROPERTY_COUNT : 10
__DERIVATION : {}
__SERVER : OPR-LAPTOP-173
__NAMESPACE : root\CIMV2\Security\MicrosoftTpm
__PATH : \\OPR-LAPTOP-173\root\CIMV2\Security\MicrosoftTpm:Win32_Tpm=@
IsActivated_InitialValue : True
IsEnabled_InitialValue : True
IsOwned_InitialValue : True
ManufacturerId : 1229346816
ManufacturerIdTxt : IFX
ManufacturerVersion : 7.61
ManufacturerVersionFull20 : 7.61.10.57600
ManufacturerVersionInfo : 534c423936373000000000000000000000
PhysicalPresenceVersionInfo : 1.3
SpecVersion : 2.0, 0, 1.16
PSComputerName : OPR-LAPTOP-173

 

- Regarding your other question: Our company deals with encrypted information received from clients via various methods. The use of the systems does not matter. If someone told you that your house could be broken into by someone at any time because the lock that you were using had a design flaw, would you care what the circumstances were or how much trouble it would be to do it? I doubt it. Most people would replace the lock. I can't replace the computers - though I will think very hard about Lenovos for future purchases based on the technical support that I receive when I report security issues such as this one.

Lenovo Staff
Lenovo Staff
Posts: 4,830
Registered: ‎10-29-2009
Location: NC
Views: 517
Message 5 of 8

Re: Multiple Thinkpad E570 systems will not update TPM

OprSysOp

 

Most people are only using TPM for BitLocker, that's why I asked.  If you use it for other purposes, then it makes sense to update the firmware.  Regardless, I agree that you should be able to update the firmware if you want to.  I wasn't trying to start an argument.

 

Thanks for the PowerShell output.  I'll get back to you soon.

Lenovo Staff
Lenovo Staff
Posts: 4,830
Registered: ‎10-29-2009
Location: NC
Views: 511
Message 6 of 8

Re: Multiple Thinkpad E570 systems will not update TPM

I did some research and found that this situation is described in the BIOS readme.  It is due to a design issue of ThinkPad E570 so there is a work-around that is required to update the TPM firmware.

 

https://download.lenovo.com/pccbbs/mobiles/r0duj25w.txt

- To update Infineon TPM Firmware, please follow the steps below. In case TPM 
  Firmware update tool gets error, please check TPM FW version. Please use 1.88
  BIOS to update Infineon TPM FW to 7.62 from 7.40. And 1.91 or newer BIOS supports
  updating Infineon TPM FW to 7.62 from 7.61.

   1. Power on the unit and press F1 key to enter BIOS setup menu.
   2. Go to Restart page, select OS Optimized Defaults and press Enter.
   3. Select the [Disabled] setting and press Enter.
   4. Press the F9 key to load default configuration.
   5. Select Yes.
   6. Press the F10 key to save settings and exit.
   7. Select Yes.
      The computer will be restarted automatically.
   8. Use TPM FW utility to do TPM FW update.
   9. After TPM FW update completed successfully, roll back the OS Optimized Defaults
      to Enable.

 

Note that loading BIOS default settings will trip BitLocker so you will need to have your recovery key handy.  I realize that this is a pain but there is no other way to update the TPM firmware on ThinkPad E570.
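
A pre-flight check for the readme procedure above, as an added example that is not part of the original posts and is not Lenovo tooling: it reads the same `Win32_Tpm` class queried earlier in the thread, compares the TPM and BIOS versions against the readme's prerequisites, and confirms that a BitLocker recovery password protector exists before BIOS defaults are loaded. The helper name `Get-TpmUpdatePlan` is hypothetical, and the script assumes the BIOS version string carries the version number in parentheses.

```powershell
# Added example (not Lenovo tooling). Run from an elevated PowerShell session.
# Version thresholds are the ones in the BIOS readme quoted above.
function Get-TpmUpdatePlan {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$TpmVendor,
        [Parameter(Mandatory)][version]$TpmVersion,
        [Parameter(Mandatory)][version]$BiosVersion
    )
    if ($TpmVendor -ne 'IFX') { return 'Not an Infineon (IFX) TPM; readme steps do not apply' }
    if ($TpmVersion -ge [version]'7.62') { return 'TPM firmware is already 7.62 or later' }
    if ($TpmVersion -eq [version]'7.40') {
        if ($BiosVersion -eq [version]'1.88') { return 'Ready: update 7.40 -> 7.62 on BIOS 1.88' }
        return 'Readme calls for BIOS 1.88 to update 7.40 -> 7.62'
    }
    if ($TpmVersion -eq [version]'7.61') {
        if ($BiosVersion -ge [version]'1.91') { return 'Ready: update 7.61 -> 7.62' }
        return 'Update BIOS to 1.91 or newer before updating 7.61 -> 7.62'
    }
    return "TPM firmware $TpmVersion is not covered by the readme"
}

$tpm = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_Tpm
if (-not $tpm) { throw 'No TPM is visible to Windows on this system' }
$bios = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion

# Assumption: the BIOS string carries the version in parentheses, e.g. "XXXXXXXX (1.95 )".
if ($bios -notmatch '\((\d+\.\d+)\s*\)') { throw "Cannot parse BIOS version from '$bios'" }
$biosVersion = [version]$Matches[1]

# Loading BIOS defaults trips BitLocker, so confirm a recovery password protector
# exists before starting. Only its presence is reported, never the password itself.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$hasRecovery = [bool]($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    TpmVendor           = $tpm.ManufacturerIdTxt.Trim()
    TpmFirmware         = $tpm.ManufacturerVersion
    BiosVersion         = $biosVersion
    BitLockerProtection = $vol.ProtectionStatus
    RecoveryProtector   = $hasRecovery
    Plan                = Get-TpmUpdatePlan -TpmVendor $tpm.ManufacturerIdTxt.Trim() `
                              -TpmVersion $tpm.ManufacturerVersion -BiosVersion $biosVersion
}
```

A `RecoveryProtector` value of `False` on a protected volume means the recovery key should be sorted out before step 1 of the readme procedure.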

OprSysOp
Paper Tape
Posts: 3
Registered: ‎07-12-2018
Location: CA
Views: 487
Message 7 of 8

Re: Multiple Thinkpad E570 systems will not update TPM

Thank you. That did it.

 

Perhaps communicating this to the technical support people who answer the phones would save a lot of aggravation for your customers. If I would have sent these systems into the depot as they had told me to do I would have had multiple staff members without computers for weeks and we would have been very unhappy to learn that a workaround was available.

Lenovo Staff
Lenovo Staff
Posts: 4,830
Registered: ‎10-29-2009
Location: NC
Views: 477
Message 8 of 8

Re: Multiple Thinkpad E570 systems will not update TPM

OprSysOp,

 

Thanks for your feedback and sorry for this trouble.  We try to keep the call center folks aware of issues like this but clearly we didn't do a good job in this case.
