TPM Firmware Switch Tool for ThinkCentre


This could be deemed a follow-up to the previous post "Patching the IFX TPM vulnerability on Think Products with SCCM".

This post covers the TPM Firmware Switch Tool that was released to remedy the affected ThinkCentres described in the LEN-15552 Security Advisory.  Per the ReadMe, here's the list of systems and minimum BIOS versions required before the tool can be implemented:

These files are to be used with the following ThinkCentre products:
  • M610: BIOS version M1AKT30A or above
  • M910x: BIOS version M1AKT30A or above
  • M710q: BIOS version M1AKT30A or above
  • M910t/s: BIOS version M1AKT30A or above
  • M910q: BIOS version M1AKT30A or above
  • M710t/s, E75t/s: BIOS version M16KT47A or above
  • M715t/s: BIOS version O2VKT82A or above

Links to the BIOS versions can be found in the LEN-15552 matrix.

To summarize, the tool will update the TPM firmware to the latest version, whether it be TPM Spec 1.2 or 2.0.  It will also allow you to switch the TPM Spec version from 1.2 to 2.0 or vice versa if desired, while also applying the latest TPM firmware in the process.

BitLocker will need to be suspended prior to performing the update; otherwise you will be prompted for the BitLocker Recovery Key after the flash completes and the system reboots. Most importantly, a supervisor password is required before attempting to update or switch the TPM firmware.

After you've downloaded and extracted the contents of the tool to a source location, you'll want to edit the flash.cmd by removing the shutdown switch that forces the system to reboot.  That way, you can call the shutdown at the end of the task sequence with the SMSTSPostAction variable.

Look for the following line in flash.cmd, remove /shutdown, and save the file.

%Flashtool% /CAPFILE:%FWFILE% /pw:%BIOSPWD% /shutdown

Create a Package in your ConfigMgr console (no program) pointing to the source location where you extracted the contents of the zip.

Below is a sample Task Sequence that shows the workflow of how this tool can be used to switch TPM Spec versions while applying the latest firmware:



Walkthrough

Group-Set TS Variables
  • Check SecurityChipStatus  - Task Sequence Variable

The value here may differ across models, e.g. SecurityChip,Active or Security Chip,Enable. Be sure to double-check this before adding your query.

  • Set OSDBitLockerStatus - Task Sequence Variable (credit to Mike Terrill).




  • ThinkCentre SMSTSPostAction - Task Sequence Variable
    • This triggers the flash by way of the shutdown it requires. Remember that /shutdown was removed from flash.cmd earlier; otherwise the task sequence would break.


Group-Disable BitLocker
  • Native Disable BitLocker Step


Group-Configure TPM
This group will run if the Security Chip is set to an Inactive state.


  • Download Think BIOS Config Tool - Download Package Content Step
 
By using the BIOS Config Tool, I'm calling the configuration file (.ini) that holds the value to enable the security chip and passing the supervisor password.  Alternatively, this can be achieved using Run Command Line steps calling PowerShell and setting/saving the BIOS settings stored in the Lenovo_BiosSetting namespace.


  • Restart Computer Step - Back to Operating System

Group-ThinkCentre
These queries check the first 4 characters of the BIOS version, which map to each of the affected ThinkCentres as noted in the security bulletin matrix.


  • Group-Switch TPM Spec 1.2 to 2.0
Query to check the TPM Spec is 1.2 before continuing to switch to 2.0.







  • Update TPM Firmware


---
Further research, notes and caveats

  • If the Security Chip is Inactive, the TPM will not have an owner.  Once the Configure TPM group is executed and Security Chip becomes Active, Windows 10 will take ownership of the TPM automatically.  Clearing the TPM will not be necessary after this.
  • If down-leveling from TPM 2.0 to 1.2 using the /1 switch, adjust the SpecVersion query to:

SELECT * FROM Win32_TPM WHERE SpecVersion LIKE '2.0%'

  • As a result of down-leveling, the TPM will become disabled, inactive, and unowned.  This can be fixed using the SetPhysicalPresenceRequest method (request 10: Enable, activate, and allow the installation of a TPM owner).
  • Windows 10 will automatically re-enable BitLocker after the reboot.
A fellow contributor of the Lenovo community has put together a solution with the PowerShell App Deployment Toolkit.  The links and other info can be found here.
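As an added example (not part of the Lenovo tool, the ReadMe or this post), the script below gathers the same conditions the task sequence groups evaluate (affected BIOS prefix and minimum version, Security Chip state, TPM spec, BitLocker suspended) into one readiness object, and wraps the SetPhysicalPresenceRequest(10) repair from the caveats. It assumes the BIOS build can be compared by the two digits after the 'T' (M1AKT30A -> 30) and that Security Chip values end in Active or Enable when on; run it elevated on the ThinkCentre being serviced.

```powershell
# Added example, not part of the Lenovo TPM Firmware Switch Tool or the original post.
# Model / minimum-BIOS table copied from the ReadMe quoted above: 4-char prefix -> minimum Txx build.
$MinimumBios = @{ 'M1AK' = 30; 'M16K' = 47; 'O2VK' = 82 }

function Get-TpmSwitchReadiness {
    # Same three conditions the task sequence groups evaluate, gathered in one object.
    $bios = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion      # e.g. M1AKT30A
    $affected = ($bios.Length -ge 7) -and $MinimumBios.ContainsKey($bios.Substring(0, 4))
    $biosOk = $false
    if ($affected) {
        # ASSUMPTION: the two digits after the 'T' (M1AKT30A -> 30) increase with each BIOS release.
        $build = [int]$bios.Substring(5, 2)
        $biosOk = $build -ge $MinimumBios[$bios.Substring(0, 4)]
    }

    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    # SpecVersion reads like "1.2, 2, 3" or "2.0, 0, 1.16"; the TS queries use LIKE '1.2%' / '2.0%'.
    $specMajor = ($tpm.SpecVersion -split ',')[0].Trim()

    # Value text differs per model (SecurityChip,Active vs Security Chip,Enable), so match loosely.
    $chip = Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting -match '^Security ?Chip,' } |
        Select-Object -First 1 -ExpandProperty CurrentSetting
    $chipActive = [bool]($chip -match ',(Active|Enable)')        # ASSUMPTION about the "on" wording

    # Flashing with protection still on triggers the recovery-key prompt after the reboot.
    $protection = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus

    [pscustomobject]@{
        BiosVersion        = $bios
        AffectedModel      = $affected
        BiosMeetsMinimum   = $biosOk
        TpmSpec            = $specMajor
        SecurityChip       = $chip
        SecurityChipActive = $chipActive
        BitLockerSuspended = ($protection -eq 'Off')
        ReadyToFlash       = $biosOk -and $chipActive -and ($protection -eq 'Off')
    }
}

function Repair-TpmAfterDownlevel {
    # After a 2.0 -> 1.2 switch the TPM comes back disabled, inactive and unowned; physical presence
    # request 10 is "Enable, activate, and allow the installation of a TPM owner" (confirmed at next boot).
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    if ($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue -and $tpm.IsOwned_InitialValue) {
        return 'TPM already enabled, active and owned; nothing to do.'
    }
    $r = Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest -Arguments @{ Request = 10 }
    return "SetPhysicalPresenceRequest(10) returned $($r.ReturnValue); reboot to complete."
}
```

Get-TpmSwitchReadiness can be used as a Run PowerShell Script step ahead of the Configure TPM group; a ReadyToFlash of False with BitLockerSuspended False is the case that would otherwise end in a recovery-key prompt.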