jwilkinson84
Fanfold Paper
Posts: 10
Registered: ‎10-12-2017
Location: US
Views: 405
Message 1 of 11

T440s & M93p Windows 10 UEFI Bitlocker issue

For some reason these 2 models will image just fine when looking at the TS in SCCM 2012 10. Once the computer is rebooted though it goes right into recovery mode and needs the key entered. Event viewer states: BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid. Any ideas?

Lenovo Staff
Lenovo Staff
Posts: 4,702
Registered: ‎10-29-2009
Location: NC
Views: 366
Message 2 of 11

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

Please run the following command in an admin command prompt and post the output

wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:list

 

 

jwilkinson84
Fanfold Paper
Posts: 10
Registered: ‎10-12-2017
Location: US
Views: 362
Message 3 of 11

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

IsActivated_InitialValue=TRUE
IsEnabled_InitialValue=TRUE
IsOwned_InitialValue=TRUE
ManufacturerId=1398033696
ManufacturerIdTxt=STM
ManufacturerVersion=13.12
ManufacturerVersionFull20=Not Supported
ManufacturerVersionInfo=50
PhysicalPresenceVersionInfo=1.2
SpecVersion=1.2, 2, 3

Lenovo Staff
Lenovo Staff
Posts: 4,702
Registered: ‎10-29-2009
Location: NC
Views: 358
Message 4 of 11

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

You're using a 1.2 TPM which doesn't support PCR7 binding with Secure Boot.  Only TPM 2.0 supports this.  So you have 2 choices.  Either switch to Intel PTT (TPM 2.0) in BIOS setup or else adjust your BitLocker group policy settings to stop using PCR7 in the TPM validation profile.

jwilkinson84
Fanfold Paper
Posts: 10
Registered: ‎10-12-2017
Location: US
Views: 326
Message 5 of 11

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

Our policy isn't configured, so the TPM defaults I believe are 0,2,4,8,9 and 11.

Lenovo Staff
Lenovo Staff
Posts: 4,702
Registered: ‎10-29-2009
Location: NC
Views: 320
Message 6 of 11

Re: T440s & M93p Windows 10 UEFI Bitlocker issue


@jwilkinson84 wrote:

Our policy isn't configured, so the TPM defaults I believe are 0,2,4,8,9 and 11.


Then I have no idea why there would be an event log like "BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid."  As far as I know, this is referring to PCR7 which won't work on TPM 1.2.  If you haven't configured your policy to use PCR7 and are still getting that error message, I think you will have to ask Microsoft about it.

jwilkinson84
Fanfold Paper
Posts: 10
Registered: ‎10-12-2017
Location: US
Views: 305
Message 7 of 11

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

I was able to get a T440 to work. The only thing I'm not sure how to do is get the chip to switch over from Discrete TPM to Intel PTT during the TS. I've added SecurityChip,Active and SecurityChipSelection,IntelPTT to our config file, but no love.

Lenovo Staff
Lenovo Staff
Posts: 4,702
Registered: ‎10-29-2009
Location: NC
Views: 294
Message 8 of 11

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

You can't switch TPM type by WMI.  There is a different tool that can do it, but it can't be automated unless you have a BIOS supervisor password.  Do you?  TPM 1.2 should work though.  Have you tried a clean-install of Win10 without using your corporate image or domain?

jwilkinson84
Fanfold Paper
Posts: 10
Registered: ‎10-12-2017
Location: US
Views: 273
Message 9 of 11

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

Do you know the program that can make that possible? So, 1.2 works for our T450 and 470 models. It doesn't with M93p, T440, and T460 models. I do not have the supervisor password. Can that be something that can be set with the config file or some other means? We want to be able to make Windows 10 available to users and have them just click on the available install and SCCM will do the rest of the magic.

Lenovo Staff
Lenovo Staff
Posts: 4,702
Registered: ‎10-29-2009
Location: NC
Views: 270
Message 10 of 11

Re: T440s & M93p Windows 10 UEFI Bitlocker issue

If you don't have supervisor password, changing the TPM from 1.2 -> 2.0 is not possible to automate.

TPM 1.2 should work.  I know we have customers using it with Win10 on M93p, T440, and T460.  I think there is some problem with your image or process.  That's why I suggested testing with a clean Win10 installation and not your company image.  Once you confirm that clean image is working with BitLocker, then figure out what is different about your company image where it doesn't work.
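
An added example, not part of the thread and not Lenovo's or Microsoft's own tooling: a PowerShell snippet that collects the values this thread turns on (TPM spec version, Secure Boot state, the PCR validation profile actually sealed on the OS volume, and recent BitLocker events mentioning Secure Boot) so the clean install and the corporate image can be compared side by side. It assumes an elevated session and English-language `manage-bde` output.

```powershell
# Added example: run elevated on the clean install and on the corporate image, then compare.
# Assumption: manage-bde output is in English ("PCR Validation Profile:").

# TPM spec version, from the same WMI class the wmic command in this thread queries.
$tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' -ClassName Win32_Tpm
$tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'no TPM visible' }

# Secure Boot state; the cmdlet throws when the machine did not boot in UEFI mode.
try   { $secureBoot = [string](Confirm-SecureBootUEFI) }
catch { $secureBoot = 'not UEFI / unsupported' }

# PCR validation profile of the TPM protector on the OS volume.
$bde  = (manage-bde -protectors -get $env:SystemDrive) -join "`n"
$pcrs = @()
if ($bde -match 'PCR Validation Profile:\s*([\d,\s]+)') {
    $pcrs = $Matches[1] -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object   { $_ } |
        ForEach-Object { [int]$_ }
}

# Recent BitLocker management events that mention Secure Boot.
$events = Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
              -MaxEvents 200 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like '*Secure Boot*' } |
          Select-Object -First 5 TimeCreated, Id, Message

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Model          = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
    TpmSpecVersion = $tpmSpec
    SecureBoot     = $secureBoot
    PcrProfile     = $pcrs -join ','
    UsesPcr7       = $pcrs -contains 7
} | Format-List

$events | Format-List
```

A difference in `PcrProfile` or `SecureBoot` between the two builds on the same hardware points at the image or task sequence rather than the TPM.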
