Preparing the TPM for BitLocker Pre-Provisioning in Windows 10 for Think products using SCCM
This article has moved to https://blog.lenovocdrt.com/#/2017/tpm_pre_provision
The catch here is that in order for pre-provisioning to work, a TPM has to be present on the system AND enabled, as stated in the Pre-provision BitLocker step.
With that said, all Lenovo ThinkPads with a Discrete TPM 1.2 ship from the factory with the TPM enabled but NOT activated. Systems with only a TPM 2.0 should already be enabled. If a system goes through a deployment without the TPM being activated in BIOS, pre-provisioning will not work, and the OSDOfflineBitlocker.exe section of smsts.log will show the failure.
Here's how to activate the TPM on newly shipped systems with Discrete TPM 1.2 in a few simple steps:
1. In your task sequence add a new Group named Configure Security Chip after the disk partition step.
2. Add a Run Command Line step (name whatever you want) with the following command line:
powershell.exe -executionpolicy bypass -command "(Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm).SetPhysicalPresenceRequest(10)"
Physical presence operation 10 enables the TPM, activates it, and allows installation of a TPM owner, all in one request. (More information on the SetPhysicalPresenceRequest method can be found in Microsoft's Win32_Tpm documentation.)
3. Add a Restart Computer step, booting to the boot image assigned to the task sequence.
4. Confirm the Enable BitLocker step is near or at the end of the task sequence.
That's all! You will notice the computer restart twice for the setting to be applied. Once the deployment finishes, verify BitLocker is in fact on.
For more control over the Configure Security Chip group, you can add conditions that determine whether or not the group executes. For example, if the security chip is already enabled and active, there is no need to go through these steps (and the extra reboots) every time.
(Recommended)
On the Configure Security Chip group, add an if any condition with the following two conditions:
WMI Namespace: root\cimv2\Security\MicrosoftTpm
WQL Query: SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = False
WMI Namespace: root\cimv2\Security\MicrosoftTpm
WQL Query: SELECT * FROM Win32_Tpm WHERE IsActivated_InitialValue = False
(Not recommended but can work)
On the Configure Security Chip group, add an If none condition with the following properties:
WMI Namespace: root\wmi
WQL Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting = 'SecurityChip,Active'
Now, when you deploy systems that may already have the Security Chip activated, it will skip this group and continue on.
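The four steps and the recommended conditions above can be collapsed into a single script, shown here as an added example that is not from the original article. It checks the same Win32_Tpm properties the group conditions query, asks the firmware whether it will honour the physical presence request before queuing it, checks the method's return value (the one-liner above silently ignores it), and hands the outcome to the task sequence. The exit codes and the TPMRebootRequired variable name are this example's own conventions, not Windows or SCCM ones.

```powershell
# Added example (not code from the original article). Save as Set-TpmPhysicalPresence.ps1
# and call it from a Run Command Line step in WinPE:
#   powershell.exe -ExecutionPolicy Bypass -File Set-TpmPhysicalPresence.ps1
# Exit codes (this script's own convention):
#   0 = TPM already enabled and activated, nothing to do
#   3010 = request queued, reboot required (3010 is in the step's default success codes)
#   1 = failure

$ns  = 'root\CIMV2\Security\MicrosoftTpm'
$tpm = Get-WmiObject -Namespace $ns -Class Win32_Tpm -ErrorAction SilentlyContinue

if (-not $tpm) {
    # Win32_Tpm is absent when there is no chip or it is disabled in BIOS;
    # this is the state in which OSDOfflineBitlocker fails.
    Write-Output 'No TPM exposed through Win32_Tpm. Check the Security Chip setting in BIOS.'
    exit 1
}

# Same properties the article's group conditions use (state as captured at boot).
if ($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue) {
    Write-Output 'TPM already enabled and activated; skipping physical presence request.'
    exit 0
}

# PPI operation 10 = Enable + Activate + allow installation of a TPM owner.
$op = 10

# ConfirmationStatus: 0 = not implemented, 1 = BIOS only,
# 2 = blocked by BIOS configuration, 3 = allowed but a physically present
# user must confirm at the console, 4 = allowed with no confirmation.
$status = $tpm.GetPhysicalPresenceConfirmationStatus($op).ConfirmationStatus
if ($status -lt 3) {
    Write-Output "Firmware will not perform PPI operation $op (ConfirmationStatus=$status)."
    exit 1
}
if ($status -eq 3) {
    Write-Output 'Firmware will prompt for confirmation at the console on the next boot.'
}

$result = $tpm.SetPhysicalPresenceRequest($op)
if ($result.ReturnValue -ne 0) {
    Write-Output ("SetPhysicalPresenceRequest({0}) failed: 0x{1:X8}" -f $op, $result.ReturnValue)
    exit 1
}

# Transition: 0 = none needed, 1 = shutdown, 2 = reboot, 3 = OS vendor specific.
$transition = $tpm.GetPhysicalPresenceTransition().Transition
Write-Output "PPI request $op queued; transition required: $transition"

# Expose the outcome to the task sequence so a Restart Computer step can be
# conditioned on it. Variable name is this example's choice.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMRebootRequired') = 'True'
} catch {
    # Not running inside a task sequence (e.g. testing interactively); ignore.
}
exit 3010
```

With this in place, the Restart Computer step can carry a single task sequence variable condition (TPMRebootRequired equals True) instead of the WMI queries on the group, and machines whose chip is already active skip both the request and the reboot.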
One thing to be aware of is that the value set in WMI for the Security Chip may vary. You can confirm by running this in PowerShell on your system:
(Get-WmiObject -Namespace "root\wmi" -Class Lenovo_BiosSetting).CurrentSetting
Look for the Security Chip entry and note how the value is formatted. If it differs from 'SecurityChip,Active' on your systems, add another WMI Query to the Configure Security Chip group so the condition catches every variant.
(Note: systems equipped only with a TPM 2.0 should ship with the chip enabled from the factory. If it is disabled, it can be enabled through Lenovo's BIOS WMI interface with the following two commands:

powershell.exe -executionpolicy bypass -command "(gwmi -Namespace root\wmi -Class Lenovo_SetBIOSSetting).SetBIOSSetting('SecurityChip,Enable')"

Followed by

powershell.exe -executionpolicy bypass -command "(gwmi -Namespace root\wmi -Class Lenovo_SaveBIOSSettings).SaveBIOSSettings()"

If a BIOS supervisor password is set, both methods require it appended to their argument, in the form 'SecurityChip,Enable,<password>,ascii,us' and '<password>,ascii,us' respectively. Reboot the system and the TPM should now be enabled.)
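The two commands in the note, plus the "value may vary" point above, as an added example that is not from the original article: the script reads the current SecurityChip value through Lenovo_BiosSetting without assuming an exact string (on some BIOS levels CurrentSetting also carries an option list after a semicolon), only changes and saves the setting when needed, checks the return strings Lenovo's methods give back, and handles a supervisor password. The parameter names and the exit codes are this example's own.

```powershell
# Added example (not code from the original article). Uses Lenovo's BIOS WMI
# classes in root\wmi (Lenovo_BiosSetting, Lenovo_SetBIOSSetting,
# Lenovo_SaveBIOSSettings), the same ones the article's commands use.
# Usage (TPM 2.0-only system, no supervisor password):
#   powershell.exe -ExecutionPolicy Bypass -File Set-LenovoSecurityChip.ps1
# Usage (Discrete TPM 1.2 with a supervisor password):
#   ... -File Set-LenovoSecurityChip.ps1 -DesiredValue Active -SupervisorPassword 'P@ss'
param(
    [string]$DesiredValue = 'Enable',      # 'Enable' for TPM 2.0-only; 'Active' for Discrete TPM 1.2
    [string]$SupervisorPassword = ''       # leave empty when no BIOS supervisor password is set
)

$ns = 'root\wmi'

function Get-SecurityChipSetting {
    # CurrentSetting strings differ between BIOS versions, for example:
    #   "SecurityChip,Active"
    #   "SecurityChip,Enable"
    #   "SecurityChip,Active;[Optional:Disable,Inactive,Active]"
    # so match on the setting name and drop anything after ';' instead of
    # comparing the whole string, as a WQL equality condition would.
    Get-WmiObject -Namespace $ns -Class Lenovo_BiosSetting |
        ForEach-Object { $_.CurrentSetting } |
        Where-Object { $_ -match '^SecurityChip,' } |
        ForEach-Object {
            $pair = ($_ -split ';')[0] -split ','
            [pscustomobject]@{ Name = $pair[0]; Value = $pair[1] }
        } |
        Select-Object -First 1
}

$current = Get-SecurityChipSetting
if (-not $current) {
    Write-Output 'Lenovo_BiosSetting exposes no SecurityChip entry; not a supported Lenovo BIOS?'
    exit 1
}
Write-Output "SecurityChip is currently: $($current.Value)"

if ($current.Value -eq $DesiredValue) {
    Write-Output 'Nothing to change.'
    exit 0
}

# Lenovo's interface expects the supervisor password, when one is set, appended
# as "<password>,ascii,us" to both the set and the save call.
$pwSuffix = if ($SupervisorPassword) { ",$SupervisorPassword,ascii,us" } else { '' }

$setter = Get-WmiObject -Namespace $ns -Class Lenovo_SetBIOSSetting
$saver  = Get-WmiObject -Namespace $ns -Class Lenovo_SaveBIOSSettings

# Both methods return a string: "Success" or an error such as "Access Denied"
# (wrong or missing password) or "Invalid Parameter" (value not valid for this model).
$setResult = $setter.SetBIOSSetting("SecurityChip,$DesiredValue$pwSuffix").return
if ($setResult -ne 'Success') {
    Write-Output "SetBIOSSetting failed: $setResult"
    exit 1
}

$saveResult = if ($SupervisorPassword) {
    $saver.SaveBIOSSettings("$SupervisorPassword,ascii,us").return
} else {
    $saver.SaveBIOSSettings().return
}
if ($saveResult -ne 'Success') {
    Write-Output "SaveBIOSSettings failed: $saveResult"
    exit 1
}

Write-Output "SecurityChip set to $DesiredValue; a reboot is required for it to take effect."
exit 3010
```

The setting is only written after the save call succeeds, so an "Access Denied" from a forgotten supervisor password shows up in the step's output rather than as a later pre-provisioning failure in smsts.log.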