
What happens to TPM If I change environments?

idata
Employee

Current Environment:

Lenovo ThinkPad T400, ~New~ Samsung 470 SSD 256GB, ~New~ Win 7 Ultimate x64. Intel Management & Security Status lists AMT as 'unconfigured' and TPM as 'operational; active; unowned; enabled'. TPM firmware version: 4.2.41.1049. TPM TCG spec version: 1.2. Device Manager: This device is working properly.

Previous Environment:

Lenovo ThinkPad T400, Samsung MMCQE28G8MUP 128GB (old), Vista 7 x64 (old)

Problem: Attempted to set up BitLocker on the new system, but cannot because the TPM is not initialized.

What has not worked:

Bitlocker offers to initialize, I accept, system reboots, during BIOS reboot warning screen I'm instructed to press F10 to initialize TPM, OS reboots and warning screen pops up on desktop informing me TPM failed to initialize and to contact computer manufacturer for BIOS upgrade. (BIOS is the latest greatest from Lenovo).

Opened TPM snap-in console (TPM.msc), attempt to initialize, reboots and exact scenario as above.

Manufacturer does not seem to have a clue what I'm even talking about.

Installed AMT upgrade from manufacturer but does not affect the problem.

Tried turning off AMT in BIOS and then initializing.

Checked the 'Security' menu in BIOS; nothing I can tell needs to be changed.

Attempt to turn off or clear TPM: when I open TPM.msc 'Turn TPM Off' is grayed or contrasted as inactive.

Question:

Could it be that, in changing both the OS and the SSD, the original SRK (from the old environment) is locked in the TPM, and the TPM is looking for that same SRK on the SSD, so it fails to truly initialize? I still have the old SSD fully intact with the Vista OS.

idata

Greenhead,

I have set up BitLocker on several HP computers. I use the BIOS setup to enable the TPM, make it visible to the OS, and take ownership by setting a TPM password. This process requires entering the BIOS twice. Then BitLocker can be started and managed from within Windows, and it isn't necessary to re-enter the BIOS during a reboot.

I have a Lenovo T61, and the BIOS access to the TPM may or may not be the same. In particular, the Lenovo Client Security Solution 8.3 Deployment Guide describes using the Client Security Solution 8.3 software to take TPM ownership. I have attached the guide to this post. I don't see that the guide describes using the BIOS to take TPM ownership, but I suspect that it is a standard BIOS feature for boards with TPMs.

The deployment guide does state that with a new OS you must enter the BIOS after a cold boot to "clear the security chip". Apparently the command to clear the TPM will not appear following a warm reboot. Probably "clearing" the TPM means setting a new ownership password, but it might mean to disable and re-enable the TPM, or some other process.

FWIW, in an HP BIOS, a hard drive ATA security password can be set only from a cold boot, as well. Otherwise the hard drive doesn't appear in the list for "Drive Lock."

I hope this helps.

Michael

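The state Michael's procedure is trying to reach (TPM enabled, activated, and then owned) can be read directly from Windows 7 through the Win32_Tpm WMI class, which is the same source the Intel status tool and TPM.msc report from. The script below is an added example for this thread, not code from either poster or from Lenovo; it assumes an elevated PowerShell prompt and a TPM 1.2 chip exposed by the BIOS.

```powershell
# Added example (not from the thread): read TPM 1.2 state via the Win32_Tpm
# WMI class, available on Windows 7 without extra tools. Run as Administrator;
# the MicrosoftTpm namespace is not readable from a standard user prompt.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm

if ($null -eq $tpm) {
    Write-Output 'No TPM visible to Windows: check that the BIOS Security menu has the chip enabled and visible to the OS.'
    return
}

# Each Is* method returns an object whose same-named property carries the boolean.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned

Write-Output ("TCG spec version:   {0}" -f $tpm.SpecVersion)
Write-Output ("Firmware version:   {0}" -f $tpm.ManufacturerVersion)
Write-Output ("Enabled / Activated / Owned: {0} / {1} / {2}" -f $enabled, $activated, $owned)

# Interpret the flags the way BitLocker's "initialize TPM" step does: taking
# ownership only succeeds on a TPM that is enabled, activated and not yet owned.
if (-not $enabled -or -not $activated) {
    Write-Output 'TPM must be enabled and activated in BIOS before ownership can be taken.'
} elseif ($owned) {
    Write-Output 'TPM already has an owner; it must be cleared from the BIOS (physical presence) before a new owner can be set.'
} else {
    Write-Output 'TPM is enabled, activated and unowned: BitLocker or TPM.msc should be able to take ownership.'
}
```

If the three flags already read True / True / False and ownership still fails after the F10 prompt, the problem is in the BIOS-side physical-presence step rather than in anything stored on the old SSD, which is what this check is meant to separate.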
idata

Hello Michael,

Thanks for the heads-up on the Deployment Guide. I'll review it. I have tried to clear the security chip in the BIOS (incidentally, it will not even appear on the menu if it's from a warm boot) before, but it failed. I'm thinking of slapping in the old SSD/OS and then trying to clear the security chip. The thought here is that perhaps buried on the old SSD is a machine file needed to 'unseal' the TPM. See http://technet.microsoft.com/en-us/library/cc749022(WS.10).aspx. My hope by posting here is that perhaps someone might be able to confirm or negate my logic. Before anything, though, I'll read the deployment guide. Thanks so much.
