
System Deployment Boot Mode


System Deployment Boot Mode (SDB) is a new feature added to the Whiskey Lake generation of ThinkPads.  It introduces the flexibility to programmatically configure key security BIOS settings during your operating system deployments.

Unlike previous generations, this boot mode will allow you to:

  • Set an initial Supervisor Password
    • In the past, a supervisor password had to be set manually or from the factory.  Once a supervisor password was set, it could be changed in an automated way using the Lenovo_SetBiosPassword WMI class
  • Disable the TPM Physical Presence for Clear requirement
    • No longer requires user interaction if a call to clear the TPM was performed.  In other words, no more pressing F9!

Activating System Deployment Boot Mode

  • Boot the system and press F12 until the boot menu appears
  • Press the Delete key.  “System Deployment Boot Mode” will appear in the upper right side of the screen.  The internal boot device(s) will be removed from the list.  This is a security precaution.
  • Select a boot device.
  • SDB mode is now active.
  • System will exit SDB mode upon the next reboot.

WMI in SDB Mode

PXE boot a system to WinPE, F8 to a command prompt, and start PowerShell.  Verify there is no supervisor password set on the system by running the following command

Get-CimInstance -Namespace root/WMI -ClassName Lenovo_BiosPasswordSettings

Look at PasswordState and make sure the value is 0

Set the Supervisor Password
Run the following commands to set an initial Supervisor Password.  Replace secretpassword with a Supervisor Password of your choice.

$setPw = Get-WmiObject -Namespace root/wmi -Class Lenovo_setBiosPassword
$setPw.SetBiosPassword("pap,secretpassword,secretpassword,ascii,us")

Check TPM Physical Presence for Clear Status
By default, the TPM Physical Presence for Clear setting is always going to be enabled from the factory.  You can verify by running these commands

Get-CimInstance -Namespace root/WMI -ClassName Lenovo_BiosSetting | Where-Object {$_.CurrentSetting -match "PhysicalPresence"} | fl

Disable TPM Physical Presence for Clear
To disable Physical Presence, run the following commands

$tpmClear = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting
$tpmClear.SetBiosSetting("PhysicalPresenceForTpmClear,Disable")

Save the settings using the new Supervisor Password

$saveBios = Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings
$saveBios.SaveBiosSettings("secretpassword,ascii,us")
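The WMI steps above combined into one script that stops at the first failure, as an added example that is not part of the original post. It assumes the Lenovo methods report their status in a `return` property whose value is `Success` on completion; the `$NewPassword`, `$Encoding` and `$KeyboardLang` parameters and the `Assert-LenovoSuccess` helper are names introduced here.

```powershell
# Added example: run in WinPE while SDB mode is active.
# $NewPassword is supplied by the caller so no password is stored in the script.
param(
    [Parameter(Mandatory)] [string] $NewPassword,
    [string] $Encoding = 'ascii',
    [string] $KeyboardLang = 'us'
)
$ErrorActionPreference = 'Stop'
$ns = 'root\wmi'

function Assert-LenovoSuccess($Result, [string] $Step) {
    # Assumption: the method result carries its status in the 'return' property.
    if ($Result.return -ne 'Success') { throw "$Step failed: $($Result.return)" }
    Write-Host "$Step : $($Result.return)"
}

# The method arguments are comma-delimited, so a comma in the password
# would shift every following field.
if ($NewPassword -match ',') { throw 'Password must not contain a comma.' }

# 1. Refuse to continue unless PasswordState is 0 (no password set yet).
$state = (Get-CimInstance -Namespace $ns -ClassName Lenovo_BiosPasswordSettings).PasswordState
if ($state -ne 0) { throw "PasswordState is $state, expected 0." }

# 2. Set the initial Supervisor Password (the step that needs SDB mode).
$setPw = Get-WmiObject -Namespace $ns -Class Lenovo_SetBiosPassword
$r = $setPw.SetBiosPassword("pap,$NewPassword,$NewPassword,$Encoding,$KeyboardLang")
Assert-LenovoSuccess $r 'SetBiosPassword'

# 3. Stage the Physical Presence for Clear change.
$setBios = Get-WmiObject -Namespace $ns -Class Lenovo_SetBiosSetting
$r = $setBios.SetBiosSetting('PhysicalPresenceForTpmClear,Disable')
Assert-LenovoSuccess $r 'SetBiosSetting'

# 4. Commit the staged change, authenticating with the new password.
$saveBios = Get-WmiObject -Namespace $ns -Class Lenovo_SaveBiosSettings
$r = $saveBios.SaveBiosSettings("$NewPassword,$Encoding,$KeyboardLang")
Assert-LenovoSuccess $r 'SaveBiosSettings'

# 5. Read the setting back so the task sequence log records the final value.
Get-CimInstance -Namespace $ns -ClassName Lenovo_BiosSetting |
    Where-Object { $_.CurrentSetting -match 'PhysicalPresence' } |
    Select-Object -ExpandProperty CurrentSetting
```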



Think BIOS Config Tool [TBCT] (Preparing the files)
You can also use the TBCT version 1.28 or higher to apply these changes in your operating system deployment task sequence.  On a test system, PXE boot (or USB boot) to WinPE and perform the following:

  • Navigate to the directory containing the TBCT and launch it to present the GUI.
  • Scroll through the list of available BIOS settings and make any changes to be applied.  In this example, we are going to set the PhysicalPresenceForTpmClear setting to Disable
  • Scroll back to the top and click the Export Settings button.
    • This will output a text file containing the BIOS setting(s) to be changed.
  • Tick the Supervisor password set on the target machine box
    • Leave the password field blank since there is currently no Supervisor Password set
    • Enter an encrypting key (or generate one)
  • Tick the Change Supervisor password box
    • Enter a Supervisor Password.  (This will be the initial Supervisor Password)
    • Confirm the same password
  • A prompt will appear to create a password file for System Deploy Mode.  This will only be presented if the Supervisor Password field (above the encrypting key field) is blank.  Click Yes.
  • A new password file will be output

Think BIOS Config Tool (Applying the BIOS Settings)

To apply the new Supervisor Password and BIOS settings, perform the following

  • Navigate to the directory containing the TBCT, password .INI, and config .INI.
  • Run the first command to set the Supervisor Password

ThinkBiosConfig.hta "file=yourpassword.ini" "key=yourencryptingkey"

  • The second command will apply the BIOS settings using the new Supervisor Password

ThinkBiosConfig.hta "file=config.ini"

If you open the log you will see the password change was successful, the config file has been validated using the new Supervisor Password, and the BIOS setting to disable PhysicalPresenceForTpmClear was successfully set.

Verify the Updated BIOS Config

Reboot the system and F1 to get to the BIOS.  You should be prompted to enter your new Supervisor Password.  Navigate to Security > Password

The Supervisor Password should now show as Enabled

Now navigate to Security > Security Chip and verify the Physical Presence for Clear setting has been toggled to Off.

Below is a list of systems that do/don’t support SDBM

System                    Supports SDBM
E14/15 (Intel)            No
E14/15 (AMD)              Yes
E490                      No
E495                      No
L14/15 (AMD)              No
L14/15 (Intel)            Yes
L490                      No
P15/17                    Yes
P15v                      Yes
T14 (AMD)                 Yes
T14/15 (Intel)            Yes
P14s/15s                  Yes
T14s/X13                  Yes
T15p                      Yes
T490 (CML)                Yes
T490/590                  Yes
P43s/53s                  Yes
T495                      No
X1 Carbon 8/X1 Yoga 5     Yes
X13 NEC                   Yes
X13/T14s (AMD)            Yes
X390 (CML)                Yes
X390 NEC                  Yes
X390 (WHL)                Yes
X395/T495s                No

Final Notes
If you’re configuring other BIOS settings via WMI on top of what’s described above, you should be able to do so in the same WinPE session.  There should be no need to set an initial Supervisor Password, reboot, activate SDB mode again, PXE boot back to WinPE and configure other settings.


