TPM Firmware Switch Tool for ThinkCentre
This article has moved to https://blog.lenovocdrt.com/#/2018/tc_tpm_fwswitch_tool
This post covers the TPM Firmware Switch Tool that was released to remedy the affected ThinkCentres described in the LEN-15552 Security Advisory. Per the ReadMe, here's the list of systems and minimum BIOS versions required before the tool can be implemented:
These files are to be used with the following ThinkCentre products:
- M610: BIOS version M1AKT30A or above
- M910x: BIOS version M1AKT30A or above
- M710q: BIOS version M1AKT30A or above
- M910t/s: BIOS version M1AKT30A or above
- M910q: BIOS version M1AKT30A or above
- M710t/s, E75t/s: BIOS version M16KT47A or above
- M715t/s: BIOS version O2VKT82A or above
Links to the BIOS versions can be found in the LEN-15552 matrix.
To summarize, the tool will update the TPM firmware to the latest version, whether it be TPM Spec 1.2 or 2.0. It will also allow you to switch the TPM Spec version from 1.2 to 2.0 or vice versa if desired, while also applying the latest TPM firmware in the process.
BitLocker will need to be suspended prior to performing the update; otherwise you will be prompted for the BitLocker Recovery Key after the flash completes and the system reboots. Most importantly, a supervisor password is required before attempting to update or switch the TPM firmware.
After you've downloaded and extracted the contents of the tool to a source location, you'll want to edit the flash.cmd by removing the shutdown switch that forces the system to reboot. That way, you can call the shutdown at the end of the task sequence with the SMSTSPostAction variable.
Look for the following line in flash.cmd, remove the /shutdown switch, and save the file.
%Flashtool% /CAPFILE:%FWFILE% /pw:%BIOSPWD% /shutdown
Create a Package in your ConfigMgr console (with no program) pointing to the source location where you extracted the contents of the zip.
Below is a sample Task Sequence that shows the workflow of how this tool can be used to switch TPM Spec versions while applying the latest firmware:
Group-Set TS Variables
Group-Disable BitLocker
Group-Configure TPM
Group-ThinkCentre
- Check SecurityChipStatus - Task Sequence Variable
The value here may differ across models, e.g. SecurityChip,Active or Security Chip,Enable. Be sure to double check this before adding your query.
- Set OSDBitLockerStatus - Task Sequence Variable (credit to Mike Terrill).
- ThinkCentre SMSTSPostAction - Task Sequence Variable
- This will invoke the flash due to the required shutdown. Remember this was removed from the flash.cmd earlier, otherwise the task sequence would break.
Group-Disable BitLocker
- Native Disable BitLocker Step
Group-Configure TPM
This group will run if the Security Chip is set to an Inactive state.
- Download Think BIOS Config Tool - Download Package Content Step
- I'm using the BIOS Config Tool to enable the security chip.
- Restart Computer Step - Back to Operating System
Group-ThinkCentre
These queries check the first 4 characters of the BIOS version, which match each of the affected ThinkCentres as noted in the security bulletin matrix.
- Group-Switch TPM Spec 1.2 to 2.0
---
Further research, notes and caveats
- If the Security Chip is Inactive, the TPM will not have an owner. Once the Configure TPM group is executed and Security Chip becomes Active, Windows 10 will take ownership of the TPM automatically. Clearing the TPM will not be necessary after this.
- If down-leveling from TPM 2.0 to 1.2 using the /1 switch, adjust the SpecVersion query to:
SELECT * FROM Win32_TPM WHERE SpecVersion LIKE '2.0%'
- As a result of down-leveling, the TPM will become disabled, inactive, and unowned. This can be fixed using the SetPhysicalPresenceRequest method with request 10 (Enable, activate, and allow the installation of a TPM owner).
- Windows 10 will automatically re-enable BitLocker after the reboot.
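The following PowerShell is an added example, not part of the original post or the Lenovo tool, showing how the checks above (SpecVersion, BitLocker protection state, and the post-down-level SetPhysicalPresenceRequest 10 repair) can be done from a task sequence script step. The script name, the `$DownLevelRepair` switch and the `TPMSpecVersion` variable are assumptions; Win32_TPM, its methods and request code 10 are documented Windows interfaces.

```powershell
# Added example (not the post's or Lenovo's code): TPM/BitLocker state check for the task sequence.
# Hypothetical: the -DownLevelRepair switch and the TPMSpecVersion TS variable name.
param(
    [switch]$DownLevelRepair   # pass after a 2.0 -> 1.2 switch (/1) to re-enable the TPM
)

$ns  = 'root\CIMV2\Security\MicrosoftTpm'
$tpm = Get-CimInstance -Namespace $ns -ClassName Win32_TPM
if (-not $tpm) { throw 'No TPM reported by Win32_TPM; the Security Chip may be Inactive in BIOS.' }

# SpecVersion is a string such as "2.0, 0, 1.16" or "1.2, 2, 3"; the WQL LIKE '1.2%' / '2.0%'
# conditions in the task sequence match on the same value.
$spec      = ($tpm.SpecVersion -split ',')[0].Trim()
$enabled   = (Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
$activated = (Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated
$owned     = (Invoke-CimMethod -InputObject $tpm -MethodName IsOwned).IsOwned
Write-Output "TPM spec $spec enabled=$enabled activated=$activated owned=$owned"

# BitLocker must be suspended (ProtectionStatus Off) before flash.cmd runs, or the
# next boot prompts for the recovery key.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Warning "BitLocker protection is On for $($env:SystemDrive); suspend it before flashing."
}

# Publish the state to task sequence variables so later groups can condition on them.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMSpecVersion')     = $spec                          # hypothetical name
    $tsenv.Value('OSDBitLockerStatus') = [string]$vol.ProtectionStatus  # name used in the post
} catch {
    Write-Warning 'Not running inside a task sequence; variables not set.'
}

# After down-leveling to 1.2 the TPM returns disabled/inactive/unowned. Physical presence
# request 10 = enable, activate and allow owner installation; it takes effect at next reboot.
if ($DownLevelRepair -and -not ($enabled -and $activated -and $owned)) {
    $r = Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest `
            -Arguments @{ Request = [uint32]10 }
    if ($r.ReturnValue -ne 0) { throw "SetPhysicalPresenceRequest(10) failed: $($r.ReturnValue)" }
    Write-Output 'Physical presence request 10 queued; reboot to apply.'
}
```

Run it in the full OS (Get-BitLockerVolume is not available in WinPE), and expect a physical presence confirmation prompt at the next boot when request 10 has been queued.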