05-27-2016 06:49 AM
I am having issues with activating the security chip in BIOS using the script from Lenovo, SetConfig.vbs.
UEFI BIOS Version: N1CET37W (1.05 )
UEFI BIOS Date: 2016-01-15
Embedded Controller Version: N1CHT25W (1.07 )
I am deploying Windows 7 with SCCM 2012 R2, and we are heavy users of all ThinkPad T4**s models.
OSD (Operating System Deployment) with BitLocker activation for T400s, T410s, T420s, T430s, T440s and T450s is working perfectly.
The T460s does not activate BitLocker, and it looks like the BIOS / Security Chip activation is the issue.
The script successfully activates the security chip (SetConfig.vbs SecurityChip Activate), as I can confirm in BIOS, but Windows does not agree.
When I try to manually start BitLocker from Windows, it demands a reboot to activate TPM.
I have tried running the script several times (from Windows), rebooting after each run, but Windows still needs to activate TPM itself and do a reboot.
But if I go into BIOS and manually enable SecurityChip (set to inactive first if already activated with the script, reboot, and then manually activate), I can start BitLocker from Windows without rebooting. Windows will then agree that TPM is activated.
OSD will also work after I have done this manually.
Why is there a difference between enabling with the script and enabling manually?
I tried updating the BIOS to 1.09 on another new T460s before deploying Windows 7, and then the script worked!!
A possible solution would be to automatically update the BIOS in the SCCM 2012 OSD at the start of the Task Sequence, but this turned out to be easier said than done (tried both script and Lenovo ThinInstaller, but didn't get it to work, most likely due to impatience).
But the reason I created this post is the fact that I could not find anyone with the same issue.
Nor can I find anything about this issue in the release notes for the new BIOS versions.
06-13-2016 12:40 PM
I have a very similar issue with the M700 Tiny; a BIOS update (run from a USB stick created from ISO) solves this problem, but I am looking to create an SCCM Task Sequence targeted at these devices with BIOS version = xxxx so that the BIOS updates automatically at user first logon, before BitLocker policy applies.
I get the policy applying, but then on shutdown/reboot the BitLocker unlock screen appears. A BIOS update solves this.
If I get anywhere with the TS I will post what I can here.
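
A pre-BitLocker check for the situation described in this thread, as an added example that is not part of either post: it reports the BIOS revision, the SecurityChip value the firmware reports, and the TPM state Windows reports, and fails the task sequence step when Windows does not see an enabled and activated TPM. Assumptions: the Lenovo WMI class `Lenovo_BiosSetting` is present on the device, the 1.09 threshold comes from the first post, and `Get-BiosRevision` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Run elevated; Get-WmiObject keeps it
# usable on the PowerShell 2.0 that ships with Windows 7.
# Assumption: 1.09 is used as the minimum because the thread reports that
# 1.05 failed and 1.09 worked on the T460s.
$MinBiosVersion = [version]'1.09'

function Get-BiosRevision {
    param([string]$SmbiosVersion)   # e.g. "N1CET37W (1.05 )" as quoted in the thread
    if ($SmbiosVersion -match '\(\s*(\d+\.\d+)\s*\)') { return [version]$Matches[1] }
    return $null                    # format not recognised
}

$bios     = Get-WmiObject -Class Win32_BIOS
$revision = Get-BiosRevision $bios.SMBIOSBIOSVersion

# Firmware view: Lenovo's WMI provider returns each setting as "Name,Value".
$chip = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting -ErrorAction SilentlyContinue |
    Where-Object { $_.CurrentSetting -like 'SecurityChip,*' } | Select-Object -First 1
$firmwareValue = 'unknown'
if ($chip) { $firmwareValue = ($chip.CurrentSetting -split '[,;]')[1] }

# Windows view: the TPM state the operating system reports.
$tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm -ErrorAction SilentlyContinue
$enabled   = [bool]($tpm -and $tpm.IsEnabled_InitialValue)
$activated = [bool]($tpm -and $tpm.IsActivated_InitialValue)

$report = New-Object PSObject -Property @{
    BiosVersion      = $bios.SMBIOSBIOSVersion
    BiosBelowMinimum = [bool]($revision -and $revision -lt $MinBiosVersion)
    FirmwareSetting  = $firmwareValue
    TpmSeenByWindows = [bool]$tpm
    TpmEnabled       = $enabled
    TpmActivated     = $activated
}
$report | Format-List

# The symptom in the thread: FirmwareSetting shows the chip active while
# TpmEnabled / TpmActivated are False. Fail the step so BitLocker is not
# attempted on a machine that will prompt for a reboot.
if ($enabled -and $activated) { exit 0 }
Write-Warning 'Windows does not see an enabled and activated TPM; BitLocker step should not run.'
exit 1
```

Logging the report on every deployment also gives a record of which BIOS revisions show the mismatch across the fleet.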