Updating Infineon TPM on Lenovo ThinkPad during OSD using ConfigMgr

A few weeks ago, a security issue in Infineon-based TPM chips was made public: the RSA key generation in the affected firmware produces keys that can be factored (the ROCA weakness, CVE-2017-15361). I won't go into the issue itself here, as you are probably already aware of it. All details can be found here: RSA Keys Generated by Infineon TPMs are Insecure

This blog post contains the details needed to update the Infineon-based TPM firmware on Lenovo ThinkPad devices during Operating System Deployment in Configuration Manager.

Getting the TPM Firmware Update Utility

Head over to the following Lenovo Download Page and make sure that your ThinkPad model is listed in the "Supported Systems" section and that the operating system you are going to deploy is one of the "Supported Operating Systems".

Download the TPM Firmware Update Utility from the Download Page and extract it to a location that can serve as a package source folder in ConfigMgr.

Creating the ConfigMgr Package

Head over to the ConfigMgr Console and Create a new Package.

Specify a Name, Manufacturer and the Path to the extracted TPM Firmware Files. Click Next.

Choose "Do not create a program", click Next twice and click Finish.

Make sure to distribute the Package to your Distribution Points after Creation!

Modify the Task Sequence

Open the task sequence you want to modify.

Add a new group "Lenovo Infineon TPM Update" somewhere between the steps "Setup Windows and Configuration Manager" and "Enable BitLocker". The position matters: keys the TPM generated before the update remain weak, so the firmware has to be updated before BitLocker is enabled and before anything else provisions keys in the TPM. Running the update later means clearing the TPM and re-enrolling everything that was sealed to it.

Change to the Options tab of the created group, add an If statement set to "All conditions", and add the following three WMI Query conditions underneath it:

WMI Namespace: root\cimv2\Security\MicrosoftTpm
WQL Query: select * from Win32_Tpm where not ManufacturerVersion = "7.62"

WMI Namespace: root\cimv2
WQL Query: select * from Win32_ComputerSystem where Model like "20J%"

WMI Namespace: root\cimv2\Security\MicrosoftTpm
WQL Query: select * from Win32_Tpm where ManufacturerIdTxt = "IFX"

Make sure to use the correct TPM manufacturer version and model! The readme on the download page linked above lists the fixed firmware version for each affected TPM version, and the first query compares against that fixed version so devices that already carry the new firmware are skipped. In this example I target Yoga devices with model 20J* and the fixed TPM version 7.62; for other models add further model conditions or groups. The ManufacturerIdTxt condition is needed because not all devices (even within the same model) ship with an Infineon-based TPM chip. Before relying on the conditions, read Win32_Tpm on a reference device and check that the ManufacturerVersion string matches the value in the query exactly, since a mismatch silently makes the group run on every device or on none.

Inside the created group, add a new "Run Command Line" step with the following command:

TpmUpdt64.exe -s -suc {Password}

If you are going to deploy a 32-bit operating system, use TpmUpdt.exe instead.

If a supervisor password is in place, which it should be (!!!), pass it in the -suc argument in place of {Password}. Keep in mind that the value then sits in clear text in the task sequence; where possible, put it in a task sequence variable marked "Do not display this value" and reference that variable in the command line instead of typing the password into the step.

Tick "Disable 64-bit file system redirection" and select the package you created previously.

Change to the Options tab and enter "0 1 2 3" as the success codes; these are the return codes the utility documents as successful outcomes, so the task sequence does not fail on the non-zero ones. The complete list of the TPM Firmware Update Utility return codes can be found here: TPM Firmware Update Utility

Finally, add a new Restart Computer step that restarts the currently installed operating system, so the updated firmware is active before "Enable BitLocker" runs.
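The following PowerShell script is an added example and is not part of the original post or of Lenovo's utility. It evaluates the same three conditions as the task sequence group (Infineon TPM, model prefix, not already on the fixed firmware), explains why it skips a device, and only then runs the update utility, mapping the return codes the same way the step's success-code list does. The task sequence variable name TPMSupervisorPassword and the treatment of codes 0 to 3 as success are assumptions; the utility's own flags are the ones shown in the step above.

```powershell
<#
  Added example, not from the original post or from Lenovo.
  Mirrors the task sequence group conditions and the Run Command Line step.
  Assumptions (hypothetical): the supervisor password is provided through the
  task sequence variable TPMSupervisorPassword, and return codes 0-3 are success.
#>
param(
    [string]$ModelPrefix  = '20J',
    [string]$FixedVersion = '7.62',
    [string]$Utility      = (Join-Path $PSScriptRoot 'TpmUpdt64.exe'),
    [int[]] $SuccessCodes = @(0, 1, 2, 3),
    [switch]$DryRun
)

function Get-TpmUpdateDecision {
    # Same data the WQL conditions look at: Win32_Tpm and Win32_ComputerSystem.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $cs  = Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_ComputerSystem

    $vendor  = $null
    $version = $null
    if ($tpm) { $vendor = $tpm.ManufacturerIdTxt; $version = $tpm.ManufacturerVersion }

    # Collect every reason not to run, so a skipped device is explainable in the log.
    $reasons = @()
    if (-not $tpm)                       { $reasons += 'no TPM exposed through WMI' }
    elseif ($vendor -ne 'IFX')           { $reasons += "TPM vendor is '$vendor', not IFX" }
    elseif ($version -eq $FixedVersion)  { $reasons += "already on firmware $FixedVersion" }
    if ($cs.Model -notlike "$ModelPrefix*") { $reasons += "model '$($cs.Model)' does not match $ModelPrefix*" }

    [pscustomobject]@{
        Model        = $cs.Model
        Manufacturer = $vendor
        Version      = $version
        ShouldUpdate = ($reasons.Count -eq 0)
        Reasons      = $reasons
    }
}

$decision = Get-TpmUpdateDecision
Write-Output ('Model={0} TPM={1} Version={2}' -f $decision.Model, $decision.Manufacturer, $decision.Version)

if (-not $decision.ShouldUpdate) {
    Write-Output ('Skipping TPM firmware update: ' + ($decision.Reasons -join '; '))
    exit 0
}

# Take the supervisor password from the task sequence environment instead of the script body.
$password = $null
try {
    $tsEnv    = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $password = $tsEnv.Value('TPMSupervisorPassword')   # hypothetical variable name
} catch {
    Write-Warning 'Not running inside a task sequence; TPMSupervisorPassword is unavailable.'
}
if ([string]::IsNullOrEmpty($password)) {
    Write-Error 'No supervisor password provided; refusing to run the update.'
    exit 1
}

if ($DryRun) {
    Write-Output "Would run: $Utility -s -suc ****"
    exit 0
}

$proc = Start-Process -FilePath $Utility -ArgumentList @('-s', '-suc', $password) -Wait -PassThru -NoNewWindow
Write-Output "TpmUpdt64.exe returned $($proc.ExitCode)"

# Same contract as the step's success codes: anything outside the list fails the step.
if ($SuccessCodes -contains $proc.ExitCode) { exit 0 } else { exit $proc.ExitCode }
```

Run it interactively with -DryRun on a reference device first: the printed model, vendor and version line is exactly what the three WQL conditions compare against, so a device that is unexpectedly skipped (or unexpectedly selected) shows up before the task sequence is deployed. The new firmware version is only reported after the reboot that follows the step, which is why the script does not read it back itself.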

Result


Comparing the versions displayed by tpm.msc before and after OSD shows that the TPM manufacturer version has changed to 7.62, the firmware that contains the fix for the vulnerability above.
