For whatever reason the TPM chip was being set to disabled during our imaging process/checklist. This became an issue when we started rolling out MBAM (BitLocker). In order to remediate this we deployed a package using SCCM and PowerShell App Deployment Toolkit that would enable the TPM chip.
Thankfully, Lenovo makes it easy to modify the BIOS settings from inside Microsoft Windows. There is one gotcha when enabling the TPM chip, though: the WMI call is different depending on whether the machine is a desktop or a laptop.
Use the code below to automatically enable the TPM chip on Lenovo workstations.

```powershell
## Get all BIOS settings (for reference) ##
gwmi -class Lenovo_BiosSetting -namespace root\wmi | ForEach-Object {
    if ($_.CurrentSetting -ne "") { Write-Host $_.CurrentSetting.replace(",", " = ") }
}

# The Version field carries the model family name (ThinkPad / ThinkCentre)
$Model = gwmi -Class Win32_ComputerSystemProduct

## Laptop
if ($Model.version.TrimEnd() -like "*ThinkPad*") {
    # enable TPM
    (gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("SecurityChip,Active")
    # save settings
    (gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi).SaveBiosSettings()
}

## Desktop
if ($Model.version.TrimEnd() -like "*ThinkCentre*") {
    # enable TPM
    (gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("TCG Security Feature,Active")
    # save settings
    (gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi).SaveBiosSettings()
}
```
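A variant of the script above that reads the current value first and checks the result of each WMI call, so an SCCM deployment can tell a real change from a silent failure before MBAM runs. This is an added example, not code from the original post; the function name `Set-LenovoTpmActive`, the exit codes 1 and 2, and the reliance on the `return` string that Lenovo's WMI methods hand back are assumptions.

```powershell
# Added example, not from the original post. Function name and exit codes 1/2 are hypothetical.
function Set-LenovoTpmActive {
    $family = (Get-WmiObject -Class Win32_ComputerSystemProduct).Version.TrimEnd()

    # Setting names as given in the post: laptops and desktops differ
    if     ($family -like '*ThinkPad*')    { $name = 'SecurityChip' }
    elseif ($family -like '*ThinkCentre*') { $name = 'TCG Security Feature' }
    else   { Write-Warning "Unhandled model family: $family"; return 2 }

    # CurrentSetting is "Name,Value"; some models append ";[Optional:...]" (assumption)
    $current = Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi |
        Where-Object { $_.CurrentSetting -like "$name,*" } |
        Select-Object -First 1
    if (-not $current) { Write-Warning "BIOS does not expose '$name'"; return 2 }

    $value = ($current.CurrentSetting -split ';')[0].Split(',')[1]
    if ($value -eq 'Active') {
        Write-Host "$name is already Active; nothing to do"
        return 0
    }

    # Assumption: the method result carries a 'return' string such as
    # "Success" or "Access Denied" (the latter if a supervisor password is set)
    $set = (Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi).SetBiosSetting("$name,Active")
    if ($set.return -ne 'Success') {
        Write-Warning "SetBiosSetting failed: $($set.return)"
        return 1
    }

    $save = (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings()
    if ($save.return -ne 'Success') {
        Write-Warning "SaveBiosSettings failed: $($save.return)"
        return 1
    }

    Write-Host "$name changed from '$value' to 'Active'; reboot required"
    return 3010   # standard "success, reboot required" exit code
}

exit (Set-LenovoTpmActive)
```

The BIOS change only takes effect after a restart, so the encryption step should be sequenced after the reboot that follows a 3010 exit.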