05-14-2018 09:04 AM - edited 05-14-2018 01:16 PM
For some reason these 2 models will image just fine when looking at the TS in SCCM 2012 10. Once the computer is rebooted though it goes right into recovery mode and needs the key entered. Event viewer states: BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid. Any ideas?
05-15-2018 09:16 AM
Please run the following command in an admin command prompt and post the output
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:list
05-15-2018 09:24 AM
SpecVersion=1.2, 2, 3
05-15-2018 09:35 AM
You're using a 1.2 TPM which doesn't support PCR7 binding with Secure Boot. Only TPM 2.0 supports this. So you have 2 choices. Either switch to Intel PTT (TPM 2.0) in BIOS setup or else adjust your BitLocker group policy settings to stop using PCR7 in the TPM validation profile.
05-17-2018 12:55 PM
Our policy isn't configured, so the TPM defaults I believe are 0,2,4,8,9 and 11.
Then I have no idea why there would be an event log like "BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid." As far as I know, this is referring to PCR7, which won't work on TPM 1.2. If you haven't configured your policy to use PCR7 and are still getting that error message, I think you will have to ask Microsoft about it.
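An added example, not posted by anyone in this thread, that turns the diagnosis above into a check you can run on the client before it reboots: it reads the TPM spec level from the same Win32_Tpm class the wmic query used, the PCR profile set by the BitLocker group policy (if any), and the PCR list manage-bde reports for the OS volume's TPM protector. It assumes an elevated PowerShell session on the imaged Windows 10 machine and that the OS volume is C:.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the affected client.
# It reports the TPM spec level (as the wmic query above does) and which PCRs BitLocker is
# expected to bind to, so a PCR7 expectation on a TPM 1.2 part is visible before reboot.

function Get-TpmSpecLevel {
    # Same class as the wmic query in the thread; SpecVersion reads like "1.2, 2, 3"
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
    if (-not $tpm) { return $null }
    return ($tpm.SpecVersion -split ',')[0].Trim()
}

function Get-PolicyPcrProfile {
    # GPO "Configure TPM platform validation profile for native UEFI firmware configurations"
    # writes PCR0..PCR23 DWORDs under this key; no key = not configured, Windows defaults apply
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^PCR\d+$' -and $_.Value -eq 1 } |
        ForEach-Object { [int]($_.Name -replace '^PCR', '') } |
        Sort-Object
}

function Get-ActiveTpmProtectorPcrs([string]$Drive = 'C:') {
    # manage-bde prints "PCR Validation Profile:" with the PCR list on the following line
    $lines = @(& manage-bde -protectors -get $Drive 2>&1 | ForEach-Object { "$_" })
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') {
            return @($lines[$i + 1].Trim() -split ',\s*' | ForEach-Object { [int]$_ })
        }
    }
    return $null
}

$spec   = Get-TpmSpecLevel
$policy = Get-PolicyPcrProfile
$active = Get-ActiveTpmProtectorPcrs 'C:'

"TPM spec level      : $(if ($spec) { $spec } else { 'no TPM found' })"
"Policy PCR profile  : $(if ($policy) { $policy -join ', ' } else { 'not configured (Windows default)' })"
"Active TPM protector: $(if ($active) { $active -join ', ' } else { 'no TPM protector on C:' })"

# The combination the reply above describes: PCR7 expected, but the chip reports TPM 1.2
if ($spec -eq '1.2' -and (($policy -contains 7) -or ($active -contains 7))) {
    Write-Warning 'PCR7 (Secure Boot) is in the expected profile but the TPM reports spec 1.2. Remove PCR7 from the policy profile or switch the chip to TPM 2.0 (Intel PTT).'
}
```

Run it on a T450 that images cleanly and on a T440 that drops into recovery; the lines that differ tell you whether the gap is the TPM spec level, the policy profile, or the protector that the task sequence actually created.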
05-17-2018 02:02 PM
I was able to get a T440 to work. The only thing I'm not sure on how to do is get the chip to switch over from Discrete TPM to Intel PTT during the TS. I've added SecurityChip,Active and SecurityChipSelection,IntelPTT to our config file, but no love.
05-17-2018 06:36 PM
You can't switch TPM type by WMI. There is a different tool that can do it, but it can't be automated unless you have a BIOS supervisor password. Do you? TPM 1.2 should work though. Have you tried a clean install of Win10 without using your corporate image or domain?
05-18-2018 07:20 AM
Do you know the program that can make that possible? So, 1.2 works for our T450 and 470 models. It doesn't with M93p, T440, and T460 models. I do not have the supervisor password. Can that be something that can be set with the config file or some other means? We want to be able to make Windows 10 available to users and have them just click on the available install and SCCM will do the rest of the magic.
05-18-2018 07:29 AM
If you don't have supervisor password, changing the TPM from 1.2 -> 2.0 is not possible to automate.
TPM 1.2 should work. I know we have customers using it with Win10 on M93p, T440, and T460. I think there is some problem with your image or process. That's why I suggested testing with a clean Win10 installation and not your company image. Once you confirm that clean image is working with BitLocker, then figure out what is different about your company image where it doesn't work.