A few weeks ago a security issue in Infineon-based TPM chips was made public (the RSA key-generation weakness known as ROCA, CVE-2017-15361). I won't outline the issue itself here, as you are probably already fully aware of it. All details can be found here: RSA Keys Generated by Infineon TPMs are Insecure
This blog post contains the details needed to update the Infineon-based TPM firmware on Lenovo ThinkPad devices during operating system deployment in Configuration Manager.
Getting the TPM Firmware Update Utility
Head over to the following Lenovo download page and make sure that your ThinkPad model is listed in the "Supported Systems" section and that the operating system you are going to deploy is one of the "Supported Operating Systems".
Download the TPM Firmware Update Utility from the download page and extract it to a location that can be used as a package source folder in ConfigMgr.
Creating the ConfigMgr Package
Head over to the ConfigMgr console and create a new package.
Specify a name, a manufacturer and the path to the extracted TPM firmware files. Click Next.
Choose "Do not create a program", click Next twice and click Finish.
Make sure to distribute the package to your distribution points after creation, otherwise the Run Command Line step below will fail to download it!
Modify the Task Sequence
Open the task sequence you would like to modify.
Add a new group "Lenovo Infineon TPM Update" somewhere between the steps "Setup Windows and Configuration Manager" and "Enable BitLocker". The update has to run before "Enable BitLocker", because that step creates the TPM key protector and the protector must be created by the patched firmware.
Change to the Options tab of the created group, create a new If "All" condition and add the following three WMI queries as conditions:

WMI Namespace: root\cimv2\Security\MicrosoftTpm
WQL Query: select * from Win32_Tpm where not ManufacturerVersion = "7.62"

WMI Namespace: root\cimv2
WQL Query: select * from Win32_ComputerSystem where Model like "20J%"

WMI Namespace: root\cimv2\Security\MicrosoftTpm
WQL Query: select * from Win32_Tpm where ManufacturerIdTxt = "IFX"

Make sure to use the correct TPM manufacturer version and model! The readme on the download page linked above lists the fixed firmware versions for each TPM version. In this example I target Yoga devices with model 20J* and TPM firmware 7.62. The ManufacturerIdTxt condition is needed because not all devices (even within the same model) ship with an Infineon-based TPM chip. Note that the version condition matches anything other than 7.62, so it also selects devices that already carry a newer firmware; keep the version in sync with the readme for your model.
Create a new "Run Command Line" step in the group created above. Use the following command:
TpmUpdt64.exe -s -suc {Password}
If you are going to deploy a 32-bit operating system, you need to use TpmUpdt.exe instead.
If you have a Supervisor Password in place, which you should (!!!), make sure to specify it in the -suc argument by replacing {Password}. Be aware that ConfigMgr writes the command line of a Run Command Line step, including that password, to smsts.log on the client, so restrict who can read that log.
Tick "Disable 64-bit file system redirection" and select the package you previously created.
Change to the Options tab and enter "0 1 2 3" as success codes, so that the step does not fail the task sequence on return codes 1 to 3. The complete list of the TPM Firmware Update Utility return codes can be found here: TPM Firmware Update Utility
Finally, create a new "Restart Computer" step that restarts into the currently installed default operating system.
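As an added example that is not part of the original post or of Lenovo's tooling, the following PowerShell script evaluates the same three conditions the task sequence group uses, so the logic can be checked on a test device before deployment and the firmware version can be compared afterwards without opening tpm.msc. The model prefix and target version are parameters and are assumptions matching the example above; adjust them to the readme for your model.

```powershell
# Added example, not from the original post or from Lenovo's TPM Firmware Update Utility.
# Evaluates the three task-sequence conditions on a running system and reports the result.
param(
    [string]$ModelPrefix   = '20J',   # assumption: Yoga models as in the post
    [string]$TargetVersion = '7.62'   # assumption: fixed firmware version for that TPM family
)

# Win32_Tpm lives in the MicrosoftTpm namespace and is only returned to administrators.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$cs  = Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_ComputerSystem

if (-not $tpm) {
    Write-Warning 'No TPM found, or Win32_Tpm not accessible (run elevated).'
    exit 1
}

# The same three tests as the WQL conditions on the task-sequence group:
#   select * from Win32_Tpm where ManufacturerIdTxt = "IFX"
#   select * from Win32_ComputerSystem where Model like "20J%"
#   select * from Win32_Tpm where not ManufacturerVersion = "7.62"
$isInfineon    = $tpm.ManufacturerIdTxt -eq 'IFX'
$isTargetModel = $cs.Model -like "$ModelPrefix*"
$needsUpdate   = $tpm.ManufacturerVersion -ne $TargetVersion

[pscustomobject]@{
    Model               = $cs.Model
    ManufacturerIdTxt   = $tpm.ManufacturerIdTxt
    ManufacturerVersion = $tpm.ManufacturerVersion
    SpecVersion         = $tpm.SpecVersion
    IsInfineon          = $isInfineon
    IsTargetModel       = $isTargetModel
    NeedsUpdate         = $needsUpdate
    # True exactly when the ConfigMgr group with the If "All" condition would run
    GroupWouldRun       = ($isInfineon -and $isTargetModel -and $needsUpdate)
} | Format-List
```

Run it from an elevated prompt; without administrative rights the Win32_Tpm query returns nothing. Running it once before and once after OSD gives the same before/after comparison as tpm.msc, with GroupWouldRun dropping to False once ManufacturerVersion reports the target version.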
Result
When comparing the versions displayed by tpm.msc before and after OSD, you can see that the TPM firmware version has changed to 7.62, which is the version that provides the fix for the above vulnerability.
Nice post, I have a quick question. I am planning to do the same thing on HP laptops & desktops during OSD using ConfigMgr. I have a pre-provisioning BitLocker step and an HP BIOS update at the end of the TS. I am thinking of adding the TPM update after these steps; what do you think? Any suggestion will be greatly appreciated.
Thanks,
I have the Update TPM and Update BIOS steps in my environment also after the Provisioning BitLocker steps. Didn't have any issues so far. Just make sure it is before the "Enable BitLocker" step.