Patching the IFX TPM vulnerability on Think Products with SCCM

Below is a possible workflow for fixing affected Lenovo Think products in your environment using SCCM. The testing was done in a small lab environment, and what is proposed in this article is not an "official" one-size-fits-all solution. There are plenty of other methods to achieve the same outcome; you just need to figure out what's best for your environment.


What makes this scenario so challenging is the chain of dependencies that must be satisfied before the TPM firmware can be updated. The BIOS needs to be updated, Microsoft's security hotfix needs to be installed, and only THEN can the TPM firmware be updated. Of course, no customer is going to do all of this at the same time to EVERY device, since some devices may already have the latest BIOS or already have the hotfix installed.


What I attempted to do in my lab was to simulate a real-world environment. How can I distinguish affected systems from non-affected systems? Which systems need their BIOS updated? Which systems have the MS security hotfix installed and which ones don't? In the end, Device Collections were the answer: one Device Collection to identify a specific model that needs its BIOS updated, one for systems that need MS's security hotfix, and one for systems that need the TPM firmware updated. Configuration Items/Baselines are also key here.


Affected Think products have been identified and are listed on Lenovo's Security Advisory page (LEN-1552). The links below will direct you to the TPM firmware update utility and ReadMe for each family:

Retrieve Affected Think Products

In the ConfigMgr console, create a new query under the Monitoring workspace > Queries node using the WQL statement below. If you want to import the query instead, you can download the zip from here. Ensure the Win32_Tpm hardware class is enabled for inventory in your Client Settings before running the query; if it was not already enabled, the query returns nothing until clients have reported a Hardware Inventory cycle with it turned on.

An equivalent SQL query against the site database is also provided.


SQL:

SELECT ALL SMS_R_System.ItemKey, SMS_R_System.DiscArchKey, SMS_R_System.Name0,
       SMS_R_System.SMS_Unique_Identifier0, SMS_R_System.Resource_Domain_OR_Workgr0,
       SMS_R_System.Client0, SMS_G_System_TPM.ManufacturerVersion00
FROM vSMS_R_System AS SMS_R_System
INNER JOIN TPM_DATA AS SMS_G_System_TPM
        ON SMS_G_System_TPM.MachineID = SMS_R_System.ItemKey
WHERE SMS_G_System_TPM.ManufacturerId00 = 1229346816   -- "IFX" packed into a uint32
  AND (
        (SMS_G_System_TPM.ManufacturerVersion00 >= N'4.00' AND SMS_G_System_TPM.ManufacturerVersion00 <= N'4.42')
     OR (SMS_G_System_TPM.ManufacturerVersion00 >= N'6.00' AND SMS_G_System_TPM.ManufacturerVersion00 <= N'6.42')
     OR (SMS_G_System_TPM.ManufacturerVersion00 >= N'7.00' AND SMS_G_System_TPM.ManufacturerVersion00 <= N'7.61')
      )

WQL:

SELECT SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client, SMS_G_System_TPM.ManufacturerVersion
FROM SMS_R_System
INNER JOIN SMS_G_System_TPM
        ON SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId
WHERE SMS_G_System_TPM.ManufacturerId = 1229346816
  AND (
        (SMS_G_System_TPM.ManufacturerVersion >= "4.00" AND SMS_G_System_TPM.ManufacturerVersion <= "4.42")
     OR (SMS_G_System_TPM.ManufacturerVersion >= "6.00" AND SMS_G_System_TPM.ManufacturerVersion <= "6.42")
     OR (SMS_G_System_TPM.ManufacturerVersion >= "7.00" AND SMS_G_System_TPM.ManufacturerVersion <= "7.61")
      )
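Before trusting what Hardware Inventory reports, it helps to check one device by hand. The following PowerShell is an added example and is not part of the original article: it reads Win32_Tpm locally, decodes ManufacturerId (1229346816 is the ASCII string "IFX" packed into a uint32) and tests the firmware version against the same ranges as the queries above, but compares major/minor numerically instead of as strings. The range table is my transcription of the query; verify it against Lenovo's advisory (Microsoft's ADV170012 also lists Infineon 5.x before 5.62 for some TPM 2.0 parts, which the query above does not cover). Win32_Tpm requires an elevated session.

```powershell
# Added example: local spot-check mirroring the ConfigMgr query. Not the article's code.
# Run elevated; root\cimv2\security\microsofttpm is not readable by standard users.

# Affected IFX firmware ranges as used by the article's query (inclusive).
# Transcribed from the query above; extend it (e.g. Major 5, 0-61) if your
# fleet has Infineon TPM 2.0 parts on 5.x firmware.
$AffectedRanges = @(
    @{ Major = 4; MinorLow = 0; MinorHigh = 42 }   # TPM 1.2  4.00 - 4.42
    @{ Major = 6; MinorLow = 0; MinorHigh = 42 }   # TPM 1.2  6.00 - 6.42
    @{ Major = 7; MinorLow = 0; MinorHigh = 61 }   # TPM 2.0  7.00 - 7.61
)

function ConvertTo-TpmVendorString {
    # Win32_Tpm.ManufacturerId holds four ASCII bytes in a uint32, most
    # significant byte first: 1229346816 = 0x49465800 = "IFX" + NUL.
    param([uint32]$Id)
    $bytes = [BitConverter]::GetBytes($Id)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return ([Text.Encoding]::ASCII.GetString($bytes)).TrimEnd([char]0)
}

function Test-IfxVersionAffected {
    # Accepts "7.61" as well as the four-part "7.61.3126.0" form; only
    # Major.Minor decide, which is what the vendor ranges are stated in.
    param([string]$ManufacturerVersion)
    $v = $null
    if (-not [version]::TryParse($ManufacturerVersion, [ref]$v)) {
        return $null   # unparsable: report "unknown", do not silently skip
    }
    foreach ($r in $AffectedRanges) {
        if ($v.Major -eq $r.Major -and $v.Minor -ge $r.MinorLow -and $v.Minor -le $r.MinorHigh) {
            return $true
        }
    }
    return $false
}

function Get-IfxTpmStatus {
    $tpm = Get-CimInstance -Namespace root\cimv2\security\microsofttpm -ClassName Win32_Tpm
    if (-not $tpm) { return [pscustomobject]@{ Present = $false } }
    $vendor = ConvertTo-TpmVendorString -Id $tpm.ManufacturerId
    [pscustomobject]@{
        Present             = $true
        Vendor              = $vendor
        ManufacturerId      = $tpm.ManufacturerId
        ManufacturerVersion = $tpm.ManufacturerVersion
        SpecVersion         = $tpm.SpecVersion      # "1.2, 2, 3" or "2.0, 0, 1.16"
        Affected            = if ($vendor -eq 'IFX') { Test-IfxVersionAffected $tpm.ManufacturerVersion } else { $false }
    }
}

Get-IfxTpmStatus | Format-List
```

The queries above compare ManufacturerVersion as strings. That works for Infineon's two-digit minor versions ("4.32", "7.61"), but a value such as "7.61.3126.0" sorts after "7.61" and would fall outside the range, so when a device's collection membership looks wrong, the numeric check here is the one to trust.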


Create Device Collections for Affected Models

Refer to the matrix here to determine the minimum version BIOS that will need to be installed on the device prior to updating the TPM firmware.  

Note: Ensure you have the Win32_ComputerSystemProduct hardware class enabled for inventory. On Lenovo systems the Version property of that class carries the friendly model name, i.e. ThinkPad T470s, ThinkCentre M910q, ThinkStation P710, etc., which is what the query below matches on.

In the following example, I need to find all T470s systems with a BIOS older than version 1.19 and add them to a Device Collection.


Add a query rule to retrieve these models:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType,
       SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier,
       SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_PC_BIOS
        on SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_COMPUTER_SYSTEM_PRODUCT
        on SMS_G_System_COMPUTER_SYSTEM_PRODUCT.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_PC_BIOS.SMBIOSBIOSVersion < "N1WET40W (1.19)"
  and SMS_G_System_COMPUTER_SYSTEM_PRODUCT.Version like "ThinkPad T470s%"

Once the collection is populated, deploy the latest BIOS update to it. After the systems run their next Hardware Inventory cycle they drop out of the collection. Note that the BIOS comparison above is a string comparison; it works for the T470s because every release shares the "N1WETnnW (1.nn)" layout with a two-digit release number, so check the BIOS ID layout of any other model before reusing the rule.

Configuration Items / Baselines for MS Security Updates

Refer to this MS article to download the appropriate Security Update that applies to the version of Windows you are supporting.

Create a Configuration Item that detects whether the required hotfix is installed on the system. If it is not, the system falls into Non-compliance. In this example, KB4041676 is the update applicable to Windows 10 v1703 systems, and I'm using WQL to check whether the hotfix is present.



Create and deploy a Baseline to a Device Collection to which the MS hotfix applies, for example a collection that contains all Windows 10 v1703 systems.



Create a new Application with a Script Installer deployment type. The command line to install the hotfix is (the .msu sits in the package content, so the relative file name resolves from the content directory):

wusa.exe "windows10.0-kb4041676-x64.msu" /quiet /norestart

For the detection method, I used a simple one-line PowerShell script to check whether the hotfix is installed:
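The author's one-line detection script was a screenshot that did not survive on this page. As an added example, not the author's script, here is a detection-method script that follows the ConfigMgr convention: exit 0 with output on STDOUT means Installed, exit 0 with no output means Not Installed, and a non-zero exit code or anything on STDERR is a detection error. It also accepts a device that has moved past KB4041676 to a later 1703 cumulative update, because later cumulative updates supersede the October 2017 package and Get-HotFix can stop listing it. The build number 15063.674 is the OS build KB4041676 installs, taken from Microsoft's release notes rather than from the page.

```powershell
# Added example: Application detection method for the KB4041676 deployment type.
# Not the article's one-liner. Assumes Windows 10 v1703 (build 15063) targets.

$KB = 'KB4041676'
# OS build that KB4041676 (10 Oct 2017 cumulative update for v1703) brings the device to.
$FixedBuild = [version]'10.0.15063.674'

function Get-OsBuildVersion {
    # CurrentBuildNumber is the release build (15063 for v1703); UBR is the
    # revision that identifies which cumulative update is installed.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [version]"10.0.$($cv.CurrentBuildNumber).$($cv.UBR)"
}

function Test-HotfixPresent {
    param([string]$Id, [version]$MinimumBuild)
    # Exact KB match first. -ErrorAction SilentlyContinue matters: Get-HotFix
    # writes a non-terminating error when the KB is absent, and STDERR output
    # would make ConfigMgr treat the detection as failed rather than "not installed".
    if (Get-HotFix -Id $Id -ErrorAction SilentlyContinue) { return $true }

    # Superseded cumulative updates drop out of Win32_QuickFixEngineering once a
    # newer one is installed, so also accept a build at or past the fixed build,
    # but only within the same release (a 1709 device is out of scope for this KB).
    $build = Get-OsBuildVersion
    return ($build.Build -eq $MinimumBuild.Build -and $build -ge $MinimumBuild)
}

if (Test-HotfixPresent -Id $KB -MinimumBuild $FixedBuild) {
    Write-Output "$KB or a later v1703 cumulative update present (OS build $(Get-OsBuildVersion))"
}
exit 0
```

The same supersedence caveat applies to the Configuration Item's WQL check against Win32_QuickFixEngineering described above: a device that has since taken a later cumulative update can be reported non-compliant again and land back in the Non-compliant collection even though the fix is in place, so prefer a build-number comparison there as well if the rollout runs for more than one patch cycle.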
Deploy the hotfix as a required application to the Non-compliant collection and monitor compliance. Once a device has installed the hotfix and completed the reboot, it is removed from the Non-compliant collection after the next evaluation of the Baseline and collection membership.

Updating the TPM Firmware

Create a Device Collection that will be populated with systems having affected TPMs. I added several Membership rules to this Collection:
Query – Affected Infineon TPMs (the same query presented at the beginning of this article)
Excluded Device Collections – the Non-compliant devices that do not have the MS hotfix installed, and the systems that do not have the minimum required BIOS version

Download the firmware update utility for the supported Think products. Unzip the contents and copy them to a source location. Create a package containing the source files for each family of systems (if applicable).

Create a custom task sequence that will update the TPM firmware.   



Breakdown:

1. Disable BitLocker – This is a Run Command Line step, not the native Disable BitLocker step. The reason is that the native step suspends BitLocker for only one reboot. Instead, use manage-bde to suspend BitLocker indefinitely using this command

2. ThinkCentre Group – Add the following condition:

(Note: Steps 3-7 are only required if updating Discrete TPM 1.2)



3. Set OSManagedAuthLevel – Per the ThinkCentre firmware update utility ReadMe, the TPM owner password needs to be retained by the OS. Starting with Windows 10 v1607, the TPM owner password is not retained by default (more info here). Set the following registry key:





4. Clear TPM – Run Command Line step. Physical presence request value 14 clears, enables and activates the TPM in one operation. Other values can be found here.


5. Restart Computer - Select the option to reboot back into the currently installed OS.



6. Update IFX Firmware (ThinkCentre) - Run command line step




7. Reset OSManagedAuthLevel - Set registry key to not retain TPM owner password



ThinkCentres Configured for TPM 2.0
The download link for the TPM 2.0 firmware tool can be found here.

Create a New Group titled Update TPM Spec 2.0 or something similar.

On the Options tab, add the following WMI query condition to confirm the system is configured for TPM 2.0:



WMI Namespace: root\cimv2\security\microsofttpm

WQL Query: SELECT * FROM Win32_TPM WHERE SpecVersion LIKE '2.0%'

Add a Run Command Line step, specifying the Package that contains the TPM 2.0 Firmware Update tool. The command to execute is flash.cmd /2 supervisorpassword /s (see the tool's ReadMe for the parameters).



8. ThinkPad Group – Add the following condition:




9. Update IFX Firmware (ThinkPad) –  Add a Run command line step:


10. ThinkStation Group – Add the following condition:

11. Set OSManagedAuthLevel – Per the ThinkStation firmware update utility ReadMe, the TPM owner password needs to be retained by the OS. Set the following registry key:



12. Clear TPM – Run Command Line step. Physical presence request value 14 clears, enables and activates the TPM in one operation. Other values can be found here.


13. Restart Computer - Select the option to reboot back into the currently installed OS.



14. Update IFX Firmware (ThinkStation) - Run command line step




15. Reset OSManagedAuthLevel - Set registry key to not retain TPM owner password




16. Restart Computer – Select the option to reboot back into the currently installed OS.


17. Enable BitLocker – Add the native Enable BitLocker step.
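The Run Command Line steps above (1, 3, 4 and 7, repeated as 11, 12 and 15 for ThinkStation) appear in the article only as screenshots. As an added example that is not the author's task-sequence content, here are the same operations as PowerShell functions, so each can be tried on a bench machine before being wired into a task sequence. The drive letter, the -RebootCount 0 form of the manage-bde command, the OSManagedAuthLevel values and the spec-version gating are my assumptions about what the author's steps did, taken from Microsoft's documentation of those settings rather than from the page. Run elevated.

```powershell
# Added example: the discrete TPM 1.2 branch of the task sequence as PowerShell.
# Not the article's command lines. Destructive: step 4 clears the TPM.

$TpmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$TpmNamespace = 'root\cimv2\security\microsofttpm'

function Suspend-BitLockerIndefinitely {
    # Step 1. The native "Disable BitLocker" step suspends protection for one
    # reboot only. -RebootCount 0 (assumed to be the author's command) keeps the
    # protectors disabled until they are explicitly re-enabled (step 17).
    param([string]$Drive = $env:SystemDrive)
    $out = & manage-bde.exe -protectors -disable $Drive -RebootCount 0 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed ($LASTEXITCODE): $out" }
}

function Set-TpmOwnerAuthRetention {
    # Steps 3 and 7. OSManagedAuthLevel (Microsoft TPM policy): 0 = None,
    # 2 = Delegated (the default since Windows 10 v1607), 4 = Full. It has to be
    # in place before the clear, so the OS keeps the full owner auth when it
    # re-provisions the TPM afterwards.
    param([switch]$Full)
    if ($Full) {
        New-Item -Path $TpmPolicyKey -Force | Out-Null
        New-ItemProperty -Path $TpmPolicyKey -Name OSManagedAuthLevel -PropertyType DWord -Value 4 -Force | Out-Null
    } else {
        # Removing the policy value returns the OS to its default behaviour.
        Remove-ItemProperty -Path $TpmPolicyKey -Name OSManagedAuthLevel -ErrorAction SilentlyContinue
    }
}

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion reads "1.2, 2, 3" or "2.0, 0, 1.16"; the first field is the spec.
    $tpm = Get-CimInstance -Namespace $TpmNamespace -ClassName Win32_Tpm
    if (-not $tpm) { throw 'No TPM reported by Win32_Tpm' }
    return ($tpm.SpecVersion -split ',')[0].Trim()
}

function Request-TpmClear {
    # Step 4. Physical Presence operation 14 = Clear + Enable + Activate. The
    # firmware asks for confirmation at the next boot (F9/F12 per the article),
    # so this is the step that needs someone at the keyboard.
    $tpm = Get-CimInstance -Namespace $TpmNamespace -ClassName Win32_Tpm
    $r = Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest -Arguments @{ Request = [uint32]14 }
    if ($r.ReturnValue -ne 0) {
        throw ('SetPhysicalPresenceRequest(14) returned 0x{0:X8}' -f $r.ReturnValue)
    }
}

# Discrete TPM 1.2 branch, in task-sequence order. The vendor flash utility
# (step 6) runs after the reboot and is not part of this example.
Suspend-BitLockerIndefinitely
if ((Get-TpmSpecVersion) -eq '1.2') {
    Set-TpmOwnerAuthRetention -Full
    Request-TpmClear
    Write-Output 'Reboot now (step 5). After the firmware utility has run, call Set-TpmOwnerAuthRetention without -Full (step 7).'
}
```

Two things to keep in mind when reusing this. Physical Presence request 14 clears the TPM, which invalidates every key the TPM protects, not only the BitLocker protector that was suspended: Windows Hello for Business keys, virtual smart cards and certificates enrolled through the Platform Crypto Provider are gone after the clear and must be re-provisioned. And because the firmware prompts for confirmation at the next boot, this branch cannot run unattended, which is why the notes below call for a technician at the keyboard.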

Important Notes:

This requires physical presence because the TPM is cleared. A technician has to be present to press F9 (ThinkPad) or F12 (ThinkCentre/ThinkStation) to confirm the clear.

For ThinkPad, if a Supervisor password is set, the prompt can be bypassed by adding the -suc switch to TpmUpdt64.exe followed by the supervisor password. For ThinkCentre and ThinkStation, there are options to specify the owner passwords. Refer to the ReadMes. Bear in mind that a Run Command Line step records its full command line, including any password passed on it, in smsts.log on the client, so a supervisor or owner password used this way should be treated as exposed and rotated once the rollout is complete.

For return codes of the TpmUpdt64.exe utility, refer to http://thinkdeploy.blogspot.com/2017/11/tpm-firmware-update-utility.html