How to deploy bitlocker remotely, How does tpm lockout work – Lenovo ThinkVantage Client Security Solution 8.3 User Manual


Appendix D. Using the TPM on ThinkPad notebook computers

The main use case for the TPM is the BitLocker feature that is included with certain versions of the Microsoft
Windows Vista and Windows 7 operating systems. This appendix provides answers to the following
frequently asked questions when deploying BitLocker in Windows environments.

“How to deploy BitLocker remotely?” on page 73

“How does TPM lockout work?” on page 73

How to deploy BitLocker remotely?

Using the standard Windows tools to activate the TPM, such as the manage-bde.exe file or the TPM control
panel, requires a complete shutdown of the computer. Then, when you turn on the computer again, you
must press a key to confirm the action. This type of interaction makes it impossible to deploy BitLocker in a
remote and unattended way.

There are two distinct status types related to the TPM: Enabled and Activated. An enabled TPM is not
necessarily activated, just like an activated TPM is not necessarily enabled. The TPM must be enabled and
activated before using BitLocker. ThinkPad notebook computers are always shipped with the TPM in the
enabled and deactivated status. Therefore, you should set the TPM status to activated to deploy BitLocker
successfully.

Since 2008, ThinkPad notebook computers have provided Windows Management Instrumentation (WMI) to
change any BIOS setting (including the activated status of the TPM). WMI can be scripted and executed
remotely, and does not require any physical interaction with the computer.

To change the BIOS setting, do the following:

1. Go to the Web site at http://support.lenovo.com/en_US/detail.page?LegacyDocID=MIGR-68488.

2. Click Sample Scripts for BIOS Deployment Guide to download the script.zip file. Then extract the zip file.

3. Type cscript.exe SetConfig.vbs SecurityChip Active in the Command Prompt window to execute the SetConfig.vbs file. If you are using the BIOS supervisor password, type cscript.exe SetConfigPassword.vbs SecurityChip Active in the Command Prompt window to execute the SetConfigPassword.vbs file instead.

4. Restart the computer twice. The first restart changes the BIOS setting, and the second restart makes the new BIOS setting take effect.

Note: The above procedure only activates the TPM on computers where the TPM is already enabled (for example, models in the factory default status). If you have disabled the TPM by using Windows tools, such as the manage-bde.exe file or the TPM control panel, you must re-enable the TPM first by using the same method that was used to disable it.
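The following PowerShell script is an added example, not part of the Lenovo manual and not one of the sample scripts it links to. It performs the same SecurityChip change that step 3 drives through SetConfig.vbs, but directly against the ThinkPad BIOS WMI interface so it can be pushed to a remote computer from a management host. It assumes the Lenovo_BiosSetting, Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings classes in the root\wmi namespace (documented in Lenovo's BIOS Deployment Guide rather than on this page), that the setting values other than Active are Inactive and Disable (an assumption from that guide), that the session is elevated, and that WMI/DCOM is reachable on the target.

```powershell
# Added example: activate an enabled-but-inactive TPM on a ThinkPad via BIOS WMI.
# Assumed classes (Lenovo BIOS Deployment Guide, not this page): Lenovo_BiosSetting,
# Lenovo_SetBiosSetting, Lenovo_SaveBiosSettings in root\wmi.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$SupervisorPassword = ''   # leave empty when no BIOS supervisor password is set
)

$wmi = @{ Namespace = 'root\wmi'; ComputerName = $ComputerName }

# 1. Read the current SecurityChip state before touching anything.
$current = Get-WmiObject @wmi -Class Lenovo_BiosSetting |
    Where-Object { $_.CurrentSetting -like 'SecurityChip,*' } |
    Select-Object -ExpandProperty CurrentSetting
Write-Host "Current setting on ${ComputerName}: $current"

if ($current -eq 'SecurityChip,Active') {
    Write-Host 'TPM is already activated; nothing to do.'
    return
}
# The procedure in the manual only covers the enabled-and-deactivated state. A TPM that was
# disabled through Windows tools must be re-enabled the same way first (see the Note above).
if ($current -eq 'SecurityChip,Disable') {   # assumed value name
    throw 'TPM is disabled, not merely inactive; re-enable it before activating.'
}

# 2. Request the change. With a supervisor password set, the password, its encoding and
#    the keyboard layout are appended to the request (SetConfigPassword.vbs does the same).
$request = 'SecurityChip,Active'
if ($SupervisorPassword) { $request += ",$SupervisorPassword,ascii,us" }
$setter = Get-WmiObject @wmi -Class Lenovo_SetBiosSetting
$result = $setter.SetBiosSetting($request)
if ($result.return -ne 'Success') { throw "SetBiosSetting failed: $($result.return)" }

# 3. Commit the pending change; without this save step the request is discarded.
$saveArg = if ($SupervisorPassword) { "$SupervisorPassword,ascii,us" } else { '' }
$saver = Get-WmiObject @wmi -Class Lenovo_SaveBiosSettings
$result = $saver.SaveBiosSettings($saveArg)
if ($result.return -ne 'Success') { throw "SaveBiosSettings failed: $($result.return)" }

# 4. Two restarts are still required: the first applies the BIOS setting, the second makes
#    it take effect. Trigger the first here; schedule the second once the machine is back.
Write-Host 'Change staged. Restart the computer twice before enabling BitLocker.'
# Restart-Computer -ComputerName $ComputerName -Force
```

Run it from an elevated session with `-ComputerName` pointing at the target and, where a supervisor password is in use, `-SupervisorPassword`. Because the password travels in the WMI call, run it over an authenticated, encrypted management channel and clear it from any logging you have wrapped around the deployment; the script stops with an error rather than continuing when either the set or the save step does not report `Success`, which is the check you want before the two restarts are scheduled.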

How does TPM lockout work?

One of the core security features of the TPM is to prevent “hammering,” that is, the attempt to guess
TPM passwords in an automated way. Each TPM implements an anti-hammering method, and when an
attack is detected, the TPM enters lockout mode which means that further password guesses are ignored
until the lockout mode ends. However, the Trusted Computing Group (the organization that defines TPM
behavior) failed to define a standard for TPM lockout, so each TPM manufacturer has developed its own
implementation for lockout. Lenovo has used TPMs from the following four different vendors:

© Copyright Lenovo 2008, 2011

73
