For whatever reason the TPM chip was being set to disabled during our imaging process/checklist. This became an issue when we started rolling out MBAM (BitLocker). In order to remediate this we deployed a package using SCCM and PowerShell App Deployment Toolkit that would enable the TPM chip.
Thankfully Lenovo makes it easy to modify the BIOS settings from inside Microsoft Windows. There is a gotcha when enabling the TPM chip though, that gotcha is that the WMI call is different depending on if it is a desktop or a laptop.
Use the below code to automatically enable the TPM chip for Lenovo workstations.
## Get all BIOS settings (for reference)
## gwmi -class Lenovo_BiosSetting -namespace root\wmi | ForEach-Object {if ($_.CurrentSetting -ne "") {Write-Host $_.CurrentSetting.replace(","," = ")}}
$Model = gwmi -Class Win32_ComputerSystemProduct
## Laptop
if ($Model.version.TrimEnd() -like "*ThinkPad*")
{
#enable TPM
(gwmi -class Lenovo_SetBiosSetting –namespace root\wmi).SetBiosSetting("SecurityChip,Active")
#save settings
(gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi).SaveBiosSettings()
}
## Desktop
if ($Model.version.TrimEnd() -like "*ThinkCentre*")
{
#enable TPM
(gwmi -class Lenovo_SetBiosSetting –namespace root\wmi).SetBiosSetting("TCG Security Feature,Active")
#save settings
(gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi).SaveBiosSettings()
}