Enable the TPM chip for Lenovo workstations via WMI and PowerShell

For whatever reason, the TPM chip was being set to disabled during our imaging process/checklist. This became an issue when we started rolling out MBAM (BitLocker). To remediate this, we deployed a package using SCCM and the PowerShell App Deployment Toolkit that would enable the TPM chip.

Thankfully, Lenovo makes it easy to modify the BIOS settings from inside Microsoft Windows. There is one gotcha when enabling the TPM chip, though: the WMI call differs depending on whether the machine is a desktop or a laptop.

Use the code below to automatically enable the TPM chip for Lenovo workstations.

## Get all BIOS settings (for reference)
## gwmi -class Lenovo_BiosSetting -namespace root\wmi | ForEach-Object {if ($_.CurrentSetting -ne "") {Write-Host $_.CurrentSetting.replace(","," = ")}}

$Model = gwmi -Class Win32_ComputerSystemProduct

## Laptop (ThinkPad): the TPM setting is named "SecurityChip"
## Lenovo reports the product family in Win32_ComputerSystemProduct.Version
if ($Model.Version.TrimEnd() -like "*ThinkPad*")
{
    # enable TPM
    (gwmi -Class Lenovo_SetBiosSetting -Namespace root\wmi).SetBiosSetting("SecurityChip,Active")

    # save settings
    (gwmi -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings()
}

## Desktop (ThinkCentre): the TPM setting is named "TCG Security Feature"
if ($Model.Version.TrimEnd() -like "*ThinkCentre*")
{
    # enable TPM
    (gwmi -Class Lenovo_SetBiosSetting -Namespace root\wmi).SetBiosSetting("TCG Security Feature,Active")

    # save settings
    (gwmi -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings()
}
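
An added example, not part of the original script: instead of matching on the model string, it reads the setting names from Lenovo_BiosSetting, sets whichever of the two TPM names from this post exists, and checks the return string of each call before saving. The function names, the 3010 exit code and the sample lines are assumptions made for illustration; the `return` strings are those of Lenovo's WMI BIOS interface.

```powershell
# Added example, not from the original post.
# The two TPM setting names used in the post (ThinkPad / ThinkCentre).
$TpmSettingNames = 'SecurityChip', 'TCG Security Feature'

function Find-TpmSetting {
    # Input: Lenovo_BiosSetting.CurrentSetting strings of the form "Name,Value".
    # Output: the TPM setting found on this machine, or $null.
    param([string[]]$CurrentSettings)
    foreach ($line in $CurrentSettings) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $name, $value = $line -split ',', 2
        if ($TpmSettingNames -contains $name.Trim()) {
            # Assumption: some firmware appends ";[Optional:...]" after the value.
            $value = ("$value" -split ';')[0].Trim()
            return [pscustomobject]@{ Name = $name.Trim(); Value = $value }
        }
    }
    return $null
}

function Enable-LenovoTpm {
    # Returns 0 (already active), 3010 (changed, reboot needed) or 1 (failed).
    $ns = 'root\wmi'
    $current = (Get-WmiObject -Class Lenovo_BiosSetting -Namespace $ns).CurrentSetting
    $tpm = Find-TpmSetting -CurrentSettings $current
    if (-not $tpm) { Write-Warning 'No known TPM setting name found.'; return 1 }
    if ($tpm.Value -eq 'Active') { return 0 }

    $set = (Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace $ns).SetBiosSetting("$($tpm.Name),Active")
    if ($set.return -ne 'Success') { Write-Warning "SetBiosSetting: $($set.return)"; return 1 }

    $save = (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace $ns).SaveBiosSettings()
    if ($save.return -ne 'Success') { Write-Warning "SaveBiosSettings: $($save.return)"; return 1 }
    return 3010  # assumption: conventional "reboot required" installer exit code
}

# Offline check of the parser with constructed sample lines (not real output):
$sample = 'WakeOnLAN,Enable', '', 'TCG Security Feature,Inactive;[Optional:Active,Inactive]'
Find-TpmSetting -CurrentSettings $sample

# On a Lenovo machine, from an elevated session:
# exit (Enable-LenovoTpm)
```

A non-Success return from SetBiosSetting means nothing was written, so the deployment can report the failure instead of leaving the machine with the TPM still disabled when BitLocker enforcement arrives.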
