The Lenovo M900 Problem: How An Intern Solved... Something?

This article presents a definitive solution for Lenovo M900-series Tiny computers that encounter difficulties in preserving Trusted Platform Module (TPM) information within the BIOS. Some information is private to my work, and therefore is omitted.

In early 2024, a problem was identified where units initiated BitLocker after every restart. The affected units were isolated to the M900 series. A BIOS modification was discovered to rectify the issue, but this solution proved inconsistent across certain units. Several immediate solutions were attempted to alleviate the issue, including:

  • CMOS Battery Replacement
  • Reset BIOS to Optimized Defaults
  • Disabling BitLocker and waiting for an Intune synchronization
  • Summoning a wizard to try to fix it (Wizard wanted to be paid more than me, so this may still work if someone wants to spot the wizard fund)

The specific BIOS setting that failed to preserve changes was the TPM setting, specifically changing it to '''Firmware TPM'''. This setting can be found under '''Security''' -> '''TCG Feature Setup''' -> '''TCG Security Device''' in a dropdown menu. By default, it is set to '''Discrete TPM''', and units affected by this issue will revert to this setting even after being correctly configured.

The first attempt at a permanent solution was launching Lenovo System Update on affected units and trying to install a BIOS update. Although some units did show a "BIOS Update Utility - 10/11" update, it would fail to install. This was later found to be because System Update was downloading an older version of the BIOS, which would not install even with the CMD flag that forces the update no matter what (thank goodness). A quick fix for high priority machines was moving the SSD from the affected unit into one that was not affected by the BIOS issue.

The primary fix for this issue involves a Lenovo-provided BIOS rewrite/flash utility. A task sequence is run that allows for the BIOS to be force updated to a version with the TPM issue fixed.

The name of the affected device will need to be added to a Device Collection in System Center Configuration Manager that the task sequence is deployed to. The task sequence that I created is written to not automatically install and restart the machine, so a machine can be added and not have the remediation run until the machine can be down for about 10-15 minutes.

GPUPDATE can be run to have the remediation synced, or the actions on the Configuration Manager applet in Control Panel can be run to force it along a bit quicker. The remediation will appear in Software Center as an OS Update.

The task sequence works as follows:

  • The sequence checks the WMI object for the M900 model number, 10FLS4GC00, and stops the script if this check fails.
  • An XCOPY command copies the extracted BIOS update executable to the root of C:\ on the local machine.
  • A Suspend-BitLocker command is run to ensure BitLocker recovery does not trigger during the remediation. It sets the reboot count to 5 as a failsafe in case anything goes wrong.
  • Disable-BitLocker follows to remove the current BitLocker encryption. This allows Intune to beam down a new key with the Firmware TPM in place at some point after the remediation.
  • The Lenovo flash tool is run from the command line in the background. This performs the first half of the BIOS upgrade and, when completed, creates an output log ("C:\SWTOOLS\FLASH\FWJYBFUSA\update.log").
  • A script runs to wait and check for the update.log file to appear in the directory. If it does not appear after 200 seconds, the script terminates. If update.log is found, an S5 shutdown is initiated.
  • The machine will shut down, and the green power light on the power button will flash. Note: Some M900 units tested will sit in a shutdown state for the better part of 3-5 minutes before starting the BIOS update.
  • Once done, press F1 into the BIOS settings from the boot splash screen, and check under '''Security''' -> '''TCG Feature Setup''' -> '''TCG Security Device''' for the TPM settings. Set the TPM to '''Firmware TPM''', and press F10 to save. Immediately press F1 back into the BIOS, and check whether the change stuck.
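The steps above, written out as one PowerShell script, as an added example rather than the author's own task sequence or a Lenovo-provided tool. It keeps the model number, the update.log path and the 200-second wait from the article; the package source folder, the name of the copied flash executable and its unattended switches are placeholders marked ASSUMED, because the article does not give them. Each step is a function with a return value, so a failed model check or a missing update.log fails the task sequence step instead of shutting down a half-finished machine, and the BitLocker state is recorded in a transcript for the technician.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's task sequence): the M900 TPM remediation
# steps as one script, suitable for a "Run PowerShell Script" task sequence step.

$ExpectedModel = '10FLS4GC00'                             # M900 machine type from the article
$PackageSource = Join-Path $PSScriptRoot 'bios'           # ASSUMED: package content shipped beside this script
$FlashExe      = 'C:\FWJYBFUSA.exe'                       # ASSUMED name of the copied flash executable
$FlashArgs     = @()                                      # ASSUMED: the tool's own unattended switches, if any
$UpdateLog     = 'C:\SWTOOLS\FLASH\FWJYBFUSA\update.log'  # completion log path from the article
$LogTimeoutSec = 200                                      # wait limit from the article
$Transcript    = 'C:\Windows\Temp\M900-TPM-remediation.log'

function Test-ExpectedModel {
    # Step 1: refuse to touch anything but the affected machine type.
    $model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
    return ($model -eq $ExpectedModel)
}

function Copy-FlashPackage {
    # Step 2: XCOPY equivalent, package content to the root of C:\.
    Copy-Item -Path (Join-Path $PackageSource '*') -Destination 'C:\' -Recurse -Force
}

function Set-BitLockerForFlash {
    # Steps 3 and 4: suspend protectors with a 5-reboot failsafe, then start
    # decryption so Intune can escrow a fresh key once the firmware TPM is in place.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 5 | Out-Null
    }
    if ($os.VolumeStatus -ne 'FullyDecrypted') {
        Disable-BitLocker -MountPoint $env:SystemDrive | Out-Null
    }
}

function Start-BiosFlash {
    # Step 5: launch the vendor tool hidden and do not wait on it;
    # update.log is the signal that the staging half has finished.
    $launch = @{ FilePath = $FlashExe; WindowStyle = 'Hidden' }
    if ($FlashArgs.Count -gt 0) { $launch.ArgumentList = $FlashArgs }
    Start-Process @launch
}

function Wait-UpdateLog {
    param([string]$Path, [int]$TimeoutSec)
    # Step 6: poll for the log; $false on timeout so the caller can abort.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        if (Test-Path -LiteralPath $Path) { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}

function Invoke-FullShutdown {
    # Step 7: S5 shutdown. /hybrid is deliberately not passed so Fast Startup
    # does not hibernate the kernel; the staged flash runs at next power-on.
    & shutdown.exe /s /t 0
}

function Invoke-M900Remediation {
    if (-not (Test-ExpectedModel)) {
        Write-Warning "Model is not $ExpectedModel; nothing done."
        return 1
    }
    # Record the pre-flash TPM for the technician's follow-up BIOS check.
    Get-Tpm | Select-Object TpmPresent, TpmReady, ManufacturerIdTxt | Format-List | Out-String | Write-Output
    Copy-FlashPackage
    Set-BitLockerForFlash
    Start-BiosFlash
    if (-not (Wait-UpdateLog -Path $UpdateLog -TimeoutSec $LogTimeoutSec)) {
        Write-Error "$UpdateLog did not appear within $LogTimeoutSec seconds; not shutting down."
        return 2
    }
    Invoke-FullShutdown
    return 0
}

Start-Transcript -Path $Transcript -Append | Out-Null
$rc = Invoke-M900Remediation
Stop-Transcript | Out-Null
exit $rc
```

The script intentionally does not re-enable BitLocker afterwards; as the article notes, Intune re-establishes protection with a new key once the firmware TPM is active, and the manual F1/F10 check of the TCG Security Device setting still has to be done at the console after the flash completes.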

The Lenovo Flash Tool that I used can easily be found on the M900 drivers page, under "UEFI/BIOS" options. I turned the extracted version that installs to C:\SWTOOLS\FLASH\FWJYBFUSA into a package that my task sequence installed.