Preparing the TPM for BitLocker Pre-Provisioning in Windows 10 for Think products using SCCM



We have received several inquiries from customers who are moving to Windows 10 that are trying to leverage BitLocker and pre-provisioning during OSD.  Pre-provisioning the disk will encrypt only used space, so when this step executes, the drive will be encrypted before the operating system has been laid down to the client, saving a ton of time.

The catch here is that in order for pre-provisioning to work, a TPM has to be present on the system AND enabled, as stated in the Pre-provision BitLocker step.



With that being said, all Lenovo ThinkPads with a Discrete TPM 1.2 are shipped from the factory with the TPM enabled but NOT activated.  Systems with TPM 2.0 only should already be enabled.  If the system runs through a deployment without activating the TPM in BIOS, pre-provisioning will not work.  If you review the OSDOfflineBitlocker.exe section of the smsts.log, you'll see the failure.



Here's how to activate the TPM on newly shipped systems with Discrete TPM 1.2 in a few simple steps:

1. In your task sequence add a new Group named Configure Security Chip after the disk partition step.

2. Add a Run Command Line step (name whatever you want) with the following command line:

powershell.exe -executionpolicy bypass -command "(Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm).SetPhysicalPresenceRequest(10)"

What this will do is enable, activate, and allow the installation of a TPM owner.  (More information on the SetPhysicalPresenceRequest method can be found here.)

3. Add a Restart Computer step, booting to the boot image assigned to the task sequence.

4. Confirm the Enable BitLocker step is near or at the end of the task sequence.


That's all!  You will notice the computer restart twice for the setting to be applied.  Once the deployment finishes, verify BitLocker is in fact on.


For more control over the Configure Security Chip group, you can add conditions that determine whether or not the group executes.  For example, if the security chip is already active and enabled, it's not really necessary to go through these steps every time.

(Recommended)
On the Configure Security Chip group, add an if any condition with the following two conditions:

WMI Namespace: root\cimv2\Security\MicrosoftTpm
WQL Query: SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = False


WMI Namespace: root\cimv2\Security\MicrosoftTpm
WQL Query: SELECT * FROM Win32_Tpm WHERE IsActivated_InitialValue = False


(Not recommended but can work)
On the Configure Security Chip group, add an if none condition with the following properties:

WMI Namespace: root\wmi
WQL Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting = 'SecurityChip,Active'

Now, when you deploy systems that may already have the Security Chip activated, it will skip this group and continue on.

One thing to be aware of is that the value set in WMI for the Security Chip may vary.  You can confirm by running this in PowerShell on your system:

(Get-WmiObject -Namespace "root\wmi" -Class Lenovo_BiosSetting).CurrentSetting

Look for Security Chip and note how it's formatted, like below:

On some systems this setting is formatted differently, e.g. Security Chip,Active or SecurityChip,Enable or Security Chip,Enabled.

If that's the case, just add another WMI Query to the Configure Security Chip group so it catches all values.

(Note: Systems equipped with TPM 2.0 only should have it enabled by default from the factory.  If it's disabled, the commands below can be used to enable it:

powershell.exe -executionpolicy bypass -command "(gwmi -Namespace root\wmi -Class Lenovo_SetBiosSetting).SetBiosSetting('SecurityChip,Enable')"

Followed by
powershell.exe -executionpolicy bypass -command "(gwmi -Namespace root\wmi -Class Lenovo_SaveBiosSettings).SaveBiosSettings()"

Reboot the system and the TPM should now be enabled.)
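The checks above (the two Win32_Tpm conditions, the Lenovo_BiosSetting value with its formatting variants) and the two fixes (physical presence request 10 for Discrete TPM 1.2, the BIOS setting change for TPM 2.0) can also be combined into a single Run Command Line script.  The script below is an added example, not part of the original post or Lenovo's tooling; it assumes the Lenovo WMI BIOS classes are present on the system, that Win32_Tpm.SpecVersion starts with "1.2" on a TPM 1.2 part, and that the Lenovo methods report "Success" in their return property.

```powershell
# Added example: decide whether the security chip needs work and apply the matching fix.
# Run it from the Configure Security Chip group; the Restart Computer step still follows.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Output 'No TPM found; BitLocker pre-provisioning will fail on this system.'
    exit 1
}

# Same test as the two "if any" WQL conditions above
$needsWork = (-not $tpm.IsEnabled_InitialValue) -or (-not $tpm.IsActivated_InitialValue)

# BIOS view of the chip. The setting is formatted differently across models
# ("SecurityChip,Active", "Security Chip,Enabled", ...), so match loosely.
$chip = Get-WmiObject -Namespace 'root\wmi' -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting -match '^Security\s?Chip,' } |
        Select-Object -First 1 -ExpandProperty CurrentSetting
if ($chip) { Write-Output "BIOS reports: $chip" }
if ($chip -and $chip -notmatch ',(Active|Enabled?)$') { $needsWork = $true }

if (-not $needsWork) {
    Write-Output 'TPM already enabled and activated; skipping.'
    exit 0
}

if ($tpm.SpecVersion -like '1.2*') {
    # Discrete TPM 1.2: operation 10 = enable + activate + allow TPM owner installation
    $rc = $tpm.SetPhysicalPresenceRequest(10)
    Write-Output "SetPhysicalPresenceRequest(10) returned $($rc.ReturnValue)"
    if ($rc.ReturnValue -ne 0) { exit 1 }
} else {
    # TPM 2.0: enable the Security Chip BIOS setting and commit it (assumed to
    # return 'Success' in the .return property of each call)
    $set  = Get-WmiObject -Namespace 'root\wmi' -Class Lenovo_SetBiosSetting
    $save = Get-WmiObject -Namespace 'root\wmi' -Class Lenovo_SaveBiosSettings
    $r1 = $set.SetBiosSetting('SecurityChip,Enable').return
    $r2 = $save.SaveBiosSettings().return
    Write-Output "SetBiosSetting: $r1 ; SaveBiosSettings: $r2"
    if ($r1 -ne 'Success' -or $r2 -ne 'Success') { exit 1 }
}

# A non-zero exit here would fail the step, so the task sequence surfaces the
# problem in smsts.log instead of reaching Pre-provision BitLocker without a usable TPM.
exit 0
```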