Lenovo ThinkEdge SE360 V2 User Manual page 294

Notes:
– If the read back value is matched it means the TPM_TCM_POLICY has been set correctly.
imm.TpmTcmPolicy is defined as below:
– Value 0 use string "Undefined" , which means UNDEFINED policy.
– Value 1 use string "NeitherTpmNorTcm", which means TPM_PERM_DISABLED.
– Value 2 use string "TpmOnly", which means TPM_ALLOWED.
– Value 4 use string "NationZTPM20Only", which means NationZ_TPM20_ALLOWED.
– Below 4 steps must also be used to 'lock' the TPM_TCM_POLICY when using OneCli/ASU
commands:
5. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked , command as
below:
OneCli.exe config show imm.TpmTcmPolicyLock --override --imm <userid>:<password>@<ip_address>
The value must be 'Disabled', it means TPM_TCM_POLICY is NOT locked and must be set.
6. Lock the TPM_TCM_POLICY:
OneCli.exe config set imm.TpmTcmPolicyLock "Enabled" --override --imm <userid>:<password>@<ip_address>
7. Issue reset command to reset system, command as below:
OneCli.exe misc ospower reboot --imm <userid>:<password>@<ip_address>
During the reset, UEFI will read the value from imm.TpmTcmPolicyLock, if the value is 'Enabled' and
the imm.TpmTcmPolicy value is valid, UEFI will lock the TPM_TCM_POLICY setting.
Note: The valid values for imm.TpmTcmPolicy include 'NeitherTpmNorTcm', 'TpmOnly', and
'NationZTPM20Only'.
If the imm.TpmTcmPolicyLock is set as 'Enabled' but imm.TpmTcmPolicy value is invalid, UEFI will
reject the 'lock' request and change imm.TpmTcmPolicyLock back to 'Disabled'.
8. Read back the value to check whether the 'Lock' is accepted or rejected. Command as below:
OneCli.exe config show imm.TpmTcmPolicy --override --imm <userid>:<password>@<ip_address>
Note: If the read back value is changed from 'Disabled' to 'Enabled' that means the TPM_TCM_
POLICY has been locked successfully. There is no method to unlock a policy once it has been set
other than replacing system board.
imm.TpmTcmPolicyLock is defined as below:
Value 1 uses string "Enabled" , which means lock the policy. Other values are not accepted.
Enable UEFI Secure Boot
Optionally, you can enable UEFI Secure Boot.
There are two methods available to enable UEFI Secure Boot:
• From Lenovo XClarity Provisioning Manager
To enable UEFI Secure Boot from Lenovo XClarity Provisioning Manager:
1. Start the server and press the key specified in the on-screen instructions to display the Lenovo
XClarity Provisioning Manager interface. (For more information, see the "Startup" section in the LXPM
documentation compatible with your server at
2. If the power-on Administrator password is required, enter the password.
3. From the UEFI Setup page, click System Settings ➙ Security ➙ Secure Boot.
4. Enable Secure Boot and save the settings.
ThinkEdge SE360 V2 User Guide
284
https://pubs.lenovo.com/lxpm-overview/
.)