How to enable TPM in BIOS Lenovo ThinkCentre

For whatever reason the TPM chip was being set to disabled during our imaging process/checklist. This became an issue when we started rolling out MBAM (BitLocker). In order to remediate this we deployed a package using SCCM and PowerShell App Deployment Toolkit that would enable the TPM chip.

Thankfully, Lenovo makes it easy to modify the BIOS settings from inside Microsoft Windows. There is one gotcha when enabling the TPM chip, though: the WMI call differs depending on whether the machine is a desktop or a laptop.
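One way to handle the desktop/laptop difference is to look up which setting name the firmware actually exposes before writing to it. The script below is an added example, not code from the original post or from Lenovo. It assumes no BIOS supervisor password is set, that "SecurityChip" is the laptop-side name (the page only confirms "TCG Security Feature"), and that the Lenovo WMI methods report their status in a `return` property.

```powershell
# Added example: enable the TPM through the Lenovo BIOS WMI classes.
# "TCG Security Feature" is the name given in the thread on this page;
# "SecurityChip" is an ASSUMED laptop name. Confirm both by listing
# Lenovo_BiosSetting on your own hardware. Run elevated.
$candidates = 'TCG Security Feature', 'SecurityChip'
$wanted     = 'Active'

# Each CurrentSetting is a "Name,Value" string; build a name -> value lookup.
$settings = @{}
Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\wmi |
    Where-Object { $_.CurrentSetting } |
    ForEach-Object {
        $n, $v = $_.CurrentSetting.Split(',', 2)
        # Assumption: some firmware appends an option list after ';'. Keep only the value.
        $settings[$n] = ($v -split ';')[0]
    }

# Pick the first candidate name this machine exposes.
$name = $candidates | Where-Object { $settings.ContainsKey($_) } | Select-Object -First 1
if (-not $name) {
    throw 'No known TPM setting name found; list Lenovo_BiosSetting to find the right one.'
}

if ($settings[$name] -eq $wanted) {
    Write-Output "$name is already $wanted; nothing to change."
}
else {
    # Stage the change, then commit it. Check both results so a failure
    # (for example a password-protected BIOS) is not silently ignored.
    $set = (Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi).SetBiosSetting("$name,$wanted")
    if ($set.return -ne 'Success') { throw "SetBiosSetting failed: $($set.return)" }

    $save = (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings()
    if ($save.return -ne 'Success') { throw "SaveBiosSettings failed: $($save.return)" }

    Write-Output "$name changed from '$($settings[$name])' to '$wanted'. Reboot to apply."
}
```

After the reboot, `Get-Tpm` in an elevated session shows whether Windows now sees the TPM as present and ready, which is worth confirming before MBAM/BitLocker is pushed to the machine.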

Windows 11 was announced on June 25, 2021 and I am really excited to see all of the recent feature updates. The announcement video was simply amazing! One of the items in the Windows 11 hardware requirements specifies TPM 2.0.  In this blog I will briefly describe what TPM is, explain how systems purchased in the past 5-6 years already have it, and how to enable TPM 2.0 to install Windows 11 (if not already enabled).

Trusted Platform Module (TPM) 2.0 is the latest version of this type of crypto processor (TPM 1.2 was an earlier version that is not supported by Windows 11). TPM provides hardware-based encryption and underpins Secure Boot and BitLocker, and ultimately helps prevent malicious attacks against many of the devices in use today. If you use Windows Hello, which enables sign-in by fingerprint, facial recognition, PIN, and more, then you are using functionality provided by TPM.

TPM is not a new capability. It was announced in 2013 and has been included in almost every PC purchased since 2015. As of January 15, TPM 2.0 was required on all certified Windows Devices (source). This means that TPM will be found on systems built by major manufacturers. TPM chips are more likely to be missing from systems built by individuals at home.

Both Intel and AMD systems have a TPM. Intel calls their TPM Intel PTT while AMD calls it AMD PSP fTPM. Windows 11 supported Intel processors are listed here while AMD processors are listed here. Before you enable TPM on your system, you may want to check the manufacturer's website for firmware updates. This link has a great list of where to get the firmware updates for most OEM PC manufacturers.

While most systems running today already have a TPM chip, the functionality may not be enabled, and that will cause issues during the upgrade check for Windows 11. As I said earlier, the vast majority of systems sold in the past 5-6 years have a TPM chip. If you are seeing a TPM notice during your Windows 11 upgrade, the solution is simply to enable the functionality on your system. I recently published a blog about how to enable Secure Boot, another requirement of Windows 11. This blog and the steps below will guide you through enabling TPM and proceeding with a Windows 11 upgrade.

Steps to Enable TPM 2.0

My System Details: Below is information about the system used in the steps to enable TPM. Remember, this is a Lenovo laptop with an Intel TPM, so the steps may be a bit different for you if you are using an AMD processor or a system from a manufacturer other than Lenovo. Visit your manufacturer’s support site to learn how to enable TPM on your system.

We've integrated MBAM 2.5 with SCCM 2012 R2, and have been using this great guide for encrypting hard drives through a task sequence (both during OSD and on imaged machines) http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

We have mostly Lenovo laptops and desktops in our environment. Using the information we found here http://support.lenovo.com/us/en/documents/ht100612 we've been able to turn on the TPM through WMI on the Lenovo laptops (T440, T430, T420, etc). However, it appears that there's no way to turn on the TPM through WMI for the desktops we have (M83, M93p, M92p, M91p). Their documentation doesn't indicate that there's a way, either. 

There also doesn't appear to be a way to enable the TPM in the BIOS manually, either. Additionally, using tpm.msc only gives us the option of initializing the TPM, thereby taking ownership of it. My understanding is that the MBAM client needs to be the one to initialize and take ownership of the TPM. 

Does anyone know of a way of either simply turning on the Lenovo desktop TPM (either through a script or even manually), or is there a way to get MBAM to take over ownership of the TPM if I have to manually initialize and take ownership of the TPM? Thanks. 

I pulled down the BIOS WMI document from http://support.lenovo.com/us/en/documents/ht100612 for 2014 and towards the end it gives you PowerShell commands that can be used to query the BIOS and set BIOS settings.  There are example commands for querying a machine for all settings, even querying remote machines.

Using the following command I was able to find the TCG setting: (be aware of the (`) marks, had to break up the line for this format)

gwmi -class Lenovo_BiosSetting -namespace root\wmi `
| Where-Object { $_.CurrentSetting.split(",",[StringSplitOptions]::RemoveEmptyEntries) -eq "TCG Security Feature" } `
| Format-List CurrentSetting

and then set it to enabled:

(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("TCG Security Feature,Active")

(gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi).SaveBiosSettings()

Hope this is helpful


Thanks for that. Actually, now that I know it's called TCG Security Feature after using the ListAll.vbs that Lenovo provides, you can enable it by simply using the SetConfig.vbs at the command prompt:

How do I enable TPM on my Lenovo Thinkcentre?

Select Restart. Select the Security tab in the BIOS. Select Security Chip. Verify the Security Chip Type is TPM 2.0 and that Security Chip is Enabled.
Press Windows key + R and open the Run dialog box.
Type tpm.msc. Press Enter.
Check the Status.

How to enable TPM in BIOS?

From the System Utilities screen, select System Configuration > BIOS/Platform Configuration (RBSU) > Server Security. Select Trusted Platform Module Options and press the Enter key. Select Enabled to enable the TPM and BIOS secure startup. The TPM is fully functional in this mode.

How do I enable TPM on Windows 10 Lenovo?

Press Windows key + R and open the Run dialog box. Type tpm..
Select Update & Security under Windows Settings.
Select Recovery.
Choose Restart now under Advanced startup.
Select Troubleshoot.
Select Advanced options.
Select UEFI Firmware Settings.
Select Restart.
Select the Security tab in the BIOS.

Why can I not find TPM in BIOS?

If TPM is not present, please try the following troubleshooting steps: Update the system BIOS to the latest version available on the Dell Drivers & Downloads website. Power off the system then disconnect the AC power cord and leave the system unplugged for about 30 seconds.