Posts

Showing posts from November, 2017

Patching the IFX TPM vulnerability on Think Products with SCCM

Below is a possible workflow for fixing affected Lenovo Think products in your environment using SCCM. The testing involved was done in a small lab environment, and what is proposed in this article is not an “official” one-size-fits-all solution. I’m sure there are plenty of other methods to achieve the same outcome; you just need to figure out what’s best for your environment. What makes this scenario so challenging is all the dependencies that must be satisfied before the TPM firmware can be updated: the BIOS needs to be updated, Microsoft’s security hotfix needs to be installed, and THEN the TPM can be updated. Of course, not every customer is going to attempt to do this all at the same time to EVERY device, since some devices may already have the latest BIOS or already have the hotfix installed. What I attempted to do in my lab was to simulate a real-world environment. How can I distinguish affected systems from non-affected systems? Which systems need their BIOS updated? Which systems have th

TPM Firmware Update Utility

ThinkPads which use the Infineon TPM chip have a firmware update available which addresses the weak RSA key generation issue (read more here). This update is executed by TpmUpdt64.exe (or TpmUpdt.exe on a 32-bit OS). The following details about this utility may be useful if you are implementing this update through SCCM or some other software distribution solution.

Command line options:

  -s             Silent mode
  -r             Reboot after program completed
  -sp            Skip power status check
  -chk           Check current TPM firmware
  -suc password  Skip user confirmation at startup

Note: the -suc option requires the supervisor password.

Return codes:

  RET_SUCC_REBOOTING      0    Success (will reboot system)
  RET_SUCC_NOTREBOOTING   1    Success (no reboot)