In my last blog post, I discussed clearing the Trusted Platform Module (TPM) using PowerShell and MDT. This time I'm turning my attention to another issue: field-upgrading the TPM from the 1.2 to the 2.0 specification on HP and Dell systems that support discrete TPM mode switching. Systems that shipped with Windows 7 from the factory will have TPM 1.2. Most modern systems, however, feature a firmware-based TPM component running in a trusted execution environment on a general-purpose SoC, which allows the TPM mode (1.2 or 2.0) to be switched in the field without replacing the part. Customers I have worked with in the past couple of months who are rolling out Windows 10 intend to make use of the important security advantages of the TPM 2.0 specification: greater crypto agility (more flexibility with respect to cryptographic algorithms), newer algorithms that can improve drive signing and key generation performance, a more consistent experience across different implementations, and a consistent dictionary attack protection guarantee.

How to update the TPM: I recommend converting the TPM during OSD, before BitLocker is enabled. Let's first take a look at important considerations before you attempt to upgrade the TPM firmware:
Additional considerations for HP systems:
Additional considerations for Dell Inc. systems:
Let's take a look at the high-level steps required to switch modes, which can be automated for remote deployment:
Assuming the platform supports mode changes and the TPM is operating in legacy (1.2) mode:
Depending on your remote deployment solution, your approach can vary. I will show how TPM switching can be accomplished using the Microsoft Deployment Toolkit; the accompanying PowerShell scripts should be easily adaptable to your needs. Note: as mentioned before, there are a few different ways to accomplish the TPM switching task. The approach described below tries to find a common denominator for the two vendors and works for me. Tested on the following hardware: Latitude E5470, Latitude E5570, Latitude E7470, OptiPlex 7040, HP ProDesk 600 G2, HP EliteBook 840 G3, HP EliteBook 850 G3, HP EliteBook Folio 1040 G3.
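As an added example (this is not the post's own script, nor a vendor tool), here is a pre-flight "Verify" step written in PowerShell that a task sequence can run before the vendor's firmware utility. It reads the TPM specification family from Win32_Tpm, checks the vendor string, the TPM enabled/activated state and the BitLocker state of the OS volume, and publishes the result as task sequence variables so the "Apply" step can be skipped when nothing needs doing. It assumes Windows 10 with the BitLocker module present, a TPM enabled in BIOS, and an MDT or ConfigMgr task sequence; the variable names TPMSwitchNeeded and TPMSwitchBlocker are hypothetical names chosen for this example, and treating anything other than a fully decrypted OS volume as a blocker for both vendors is a conservative assumption of the example, not a vendor statement.

```powershell
<#
  Added example (not the original post's script): a Verify-only step for
  the TPM 1.2 -> 2.0 switch. Assumptions: Windows 10 with the BitLocker
  module, TPM enabled in BIOS, MDT/ConfigMgr task sequence. The variable
  names TPMSwitchNeeded / TPMSwitchBlocker are hypothetical.
#>

function Get-TpmState {
    # Win32_Tpm lives in its own namespace. SpecVersion reads like
    # "2.0, 0, 1.16" or "1.2, 2, 3"; the first field is the spec family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    [pscustomobject]@{
        SpecVersion         = (($tpm.SpecVersion -split ',')[0]).Trim()
        ManufacturerId      = $tpm.ManufacturerId
        ManufacturerVersion = $tpm.ManufacturerVersion
        Enabled             = [bool]$tpm.IsEnabled_InitialValue
        Activated           = [bool]$tpm.IsActivated_InitialValue
        Owned               = [bool]$tpm.IsOwned_InitialValue
    }
}

function Test-TpmSwitchReadiness {
    # Needed is $true only when every check passes; Blockers lists the
    # reasons to skip the Apply step so the task sequence can branch.
    $blockers = New-Object System.Collections.Generic.List[string]
    $make = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer

    # Match on the WMI Manufacturer string rather than on MDT-only
    # variables, so the check also works in a plain ConfigMgr sequence.
    if ($make -notmatch 'Dell|Hewlett-Packard|^HP') {
        $blockers.Add("Make '$make' is unsupported by this process")
    }

    $tpm = Get-TpmState
    if (-not $tpm) {
        $blockers.Add('No TPM reported by Win32_Tpm (absent or disabled in BIOS)')
    } elseif ($tpm.SpecVersion -like '2.0*') {
        $blockers.Add('TPM already reports spec 2.0; nothing to do')
    } elseif (-not ($tpm.Enabled -and $tpm.Activated)) {
        $blockers.Add('TPM is present but not enabled and activated in BIOS')
    }

    # Switch before BitLocker is enabled; anything other than FullyDecrypted
    # is treated as a blocker for both vendors (assumption of this example).
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($osVol -and $osVol.VolumeStatus -ne 'FullyDecrypted') {
        $blockers.Add("BitLocker volume status is $($osVol.VolumeStatus); decrypt first")
    }

    [pscustomobject]@{
        Manufacturer = $make
        Tpm          = $tpm
        Needed       = ($blockers.Count -eq 0)
        Blockers     = $blockers.ToArray()
    }
}

function Set-TaskSequenceVariable {
    param([string]$Name, [string]$Value)
    # Microsoft.SMS.TSEnvironment only exists inside an MDT/ConfigMgr task
    # sequence; outside one we just log, so the script can be run by hand.
    try {
        $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $ts.Value($Name) = $Value
    } catch {
        Write-Warning "Not in a task sequence; would set $Name=$Value"
    }
}

function Test-TpmSwitchCompleted {
    # Post-reboot check to run after the vendor Apply step: success means
    # the TPM now reports the 2.0 spec family.
    $tpm = Get-TpmState
    return ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')
}

# Verify step: publish the decision and the blockers for the task sequence.
$result = Test-TpmSwitchReadiness
Set-TaskSequenceVariable -Name 'TPMSwitchNeeded'  -Value ([string]$result.Needed)
Set-TaskSequenceVariable -Name 'TPMSwitchBlocker' -Value ($result.Blockers -join '; ')
if ($result.Needed) {
    # Windows auto-provisions (takes ownership of) an unowned TPM at boot;
    # turn that off until the switch is done, then re-enable it afterwards.
    Disable-TpmAutoProvisioning | Out-Null
    Write-Output "TPM $($result.Tpm.SpecVersion) on $($result.Manufacturer): ready to switch"
} else {
    Write-Output ("Skipping TPM switch: " + ($result.Blockers -join '; '))
}
```

In a task sequence, condition the vendor "Apply" step on TPMSwitchNeeded equals True, and run Test-TpmSwitchCompleted in a later step after the reboot to confirm the switch before BitLocker is enabled; if it returns False, TPMSwitchBlocker and the Win32_Tpm fields give the reason without having to open the BIOS.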
That's it. Your resulting task sequence may end up looking like this: If you have any questions, tweet me or leave a comment below. Last modified on Monday, 02 July 2018 07:25
Hi Anton, What steps would you need to add if you have BitLocker enabled on computers? Bernard
From my understanding (I didn't test it, though) on HP models you need to fully decrypt the drive; suspending BitLocker is (according to HP's documentation) not enough. I haven't looked into upgrading existing Dell Inc. systems yet. Anton Romanyuk
Anton, Have you had the TPM on any Dell systems either turn off or become disabled after the TPM upgrade? It happens quite often when doing the upgrade manually. Bruce
I have seen this only on HP systems thus far. I have an additional step after the TPM upgrade, which basically just turns the TPM back on. You may want to look into a similar workaround should you wish to automate the process. Anton Romanyuk
Hi Anton, All the scripts above fail on Dell 5470; it's the only model I've got to test on so far. They come back saying Make is unsupported. I ran the commands by themselves in PowerShell one by one and the TPM did get upgraded. I guess the variables are from MDT and I'm using ConfigMgr to deploy. Bruce
"I guess the variables are from MDT and I'm using ConfigMgr to deploy." Use a WMI query instead, if you're not using ConfigMgr with MDT integration: Select * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Dell%" Mike
Might save some time if the verify script was split into a Verify and an Apply. Then you could skip the whole thing if the firmware wasn't upgradable? Mike
I have had an issue with the Get-Tpm command not being available since the latest ADK update. Has anyone else seen this or know how to fix it? It was working before that. It has broken the script for me and I have not been able to find a workaround. Paul
Paul, this may only work if the TPM is properly enabled in the BIOS. Are you using the same hardware? What ADK version? Cheese
Hi there, great article. I'm trying to run this in an MDT/SCCM task sequence. Where would you recommend placing this in the task sequence? John
Depending on the vendor, the upgrade process may only be supported in the full OS. I usually run the script during the State Restore phase using the approach outlined above. Anton Romanyuk
For Dell, just do it all in WinPE. Much more reliable, I've found, and you don't need to disable auto-provisioning. Dan
Anyone doing this with older Lenovo systems? Christopher Moriarty