By default, the TPM is disabled on brand new Lenovo computers, so in order to enable BitLocker during an OSD Task Sequence you have to go into the BIOS and enable the TPM manually. Fortunately, there is a way to do that automatically during the execution of the task sequence. Let me show you how after the break.
Lenovo has developed a special BIOS interface that can be manipulated through Windows Management Instrumentation (WMI), so one can easily change BIOS settings from a live operating system with a simple script. The full documentation on the interface is available on the Lenovo support page. Enabling the TPM is just one of the BIOS settings, so all that needs to be done is to write a script that uses the Lenovo BIOS WMI interface to change the TPM setting to “Active” and run it during the OSD Task Sequence.
I will not go into details on how to do that. The whole script is available for download at the end of this post, so you can just download it and use it in your task sequence. Just put it in a package and use a “Run Command Line” task sequence step to run it, as shown below:
The script also does some logging so you can check whether the execution succeeded. The log file is saved to SYSTEM’s %TEMP% (usually C:\Windows\TEMP) and is named TurnOnTpm.log. Please note that the script has to be run after the operating system is installed and configured; it will not work in WinPE. There is another important thing to note: the TPM will not be activated until the computer has been rebooted twice. Yeah, don’t ask me why twice. You can achieve this easily by adding two “Restart Computer” steps after the “Run Command Line” step.
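For readers who want to see what such a script looks like, here is an added example written for this page (it is not the download at the end of the post). It assumes the ThinkPad setting name “SecurityChip” (other Lenovo models may name it differently; list the Lenovo_BiosSetting class to check) and that no BIOS supervisor password is set.

```powershell
# Added example (not the post's downloadable script): activate the TPM via the
# Lenovo BIOS WMI interface and log the result to %TEMP%\TurnOnTpm.log.
# Assumptions: the setting is named "SecurityChip" (ThinkPad naming; other models
# may differ, check Lenovo_BiosSetting output) and no supervisor password is set.
# Must run from the full OS, not WinPE.

$LogFile = Join-Path $env:TEMP 'TurnOnTpm.log'
$Setting = 'SecurityChip'
$Value   = 'Active'

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" |
        Out-File -FilePath $LogFile -Append
}

try {
    # Read the current value so the log records the "before" state.
    $current = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting -like "$Setting,*" }
    if (-not $current) {
        Write-Log "Setting '$Setting' not found; check Lenovo_BiosSetting for this model."
        exit 1
    }
    Write-Log "Current value: $($current.CurrentSetting)"

    # Stage the new value. With a supervisor password set, the argument would be
    # "$Setting,$Value,<password>,ascii,us" instead.
    $set = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting
    $r1  = $set.SetBiosSetting("$Setting,$Value").return
    Write-Log "SetBiosSetting returned: $r1"
    if ($r1 -ne 'Success') { exit 1 }

    # Nothing is committed to the BIOS until the change is explicitly saved.
    $save = Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings
    $r2   = $save.SaveBiosSettings('').return
    Write-Log "SaveBiosSettings returned: $r2"
    if ($r2 -ne 'Success') { exit 1 }

    Write-Log "TPM set to '$Value'; two reboots are still required before it is active."
    exit 0
}
catch {
    Write-Log "Error: $($_.Exception.Message)"
    exit 1
}
```

The non-zero exit codes let the “Run Command Line” step fail the task sequence when the BIOS rejects the change, so a machine does not silently continue into BitLocker enablement without an active TPM.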
This is about it. As you can see, the thing is pretty simple, and powerful too, since there is a good chance that the help desk guys (or whoever it is that installs PCs in your company) will buy you a beer for sparing them some manual work :)