Introduction

With cybersecurity being one of the most critical factors for organizations to consider, security features such as Bitlocker is becoming increasingly important.

Most organizations have now migrated from Windows 7 to Windows 10. If not, organizations should have purchased Windows 7 ESU licenses to enable further security update support.

With this move, organizations should also consider reviewing their devices to see if they are using the legacy TPM 1.2 standard or TPM 2.0. Most devices within the latest three-year support cycle should have this support.

This blog post covers what the TPM chip is and how to upgrade it from TPM 1.2 to TPM 2.0 for HP machines using HP TPM Configuration Utility and SCCM.

Note that a prerequisite for everything in this blog post is that you enable TPM in the HP BIOS.

What is the TPM chip?

TPM 2.0 has been around since 2013, but since July 28, 2016, vendors are required to provide their machines with TPM 2.0.
The TPM chip, or Trusted Platform Module, is a hardware component on the motherboard, providing physical-level security for Windows 10.

The TPM chip is required for features such as:

The only feature that I know of that requires TPM 2.0 is Device Encryption (Not Bitlocker). TPM 2.0 was also required for Credential Guard in Windows 10 1507, but this is no longer the case.

You can go to all machines in your environment, enable TPM in BIOS, and upgrade them to TPM 2.0. Unfortunately, this is no way of working in an enterprise environment.

This blog post describes how to upgrade the TPM chip firmware from 1.2 to 2.0 for HP machines using Microsoft Endpoint Manager (SCCM) and HP TPM Configuration Utility.

If you are interested in downgrading TPM from 2.0 to 1.2, refer to my other blog post.

TPM 1.2 vs. TPM 2.0

TPM 2.0 adds additional security benefits compared to TPM 1.2.

Read more about it on Microsoft Docs.

How to verify TPM firmware version

Here you can find a list of HP laptops with TPM 1.2: https://support.hp.com/bg-en/document/c05381064 .

You can verify the current TPM firmware version on the device:

  1. Windows Security settings in Windows 10
  2. Powershell
  3. TPM.MSC

The different version properties on the chip are:

  • Manufacturer version
  • Specification version

Alternative 1 – Windows Security settings

Alternative 2 – Powershell

Start an elevated Powershell window and use the following Powershell command:

Get-WmiObject -Namespace rootcimv2securitymicrosofttpm -Class Win32_TPM | Select Specversion 

Alternative 3 – TPM.MSC

The last alternative is by using TPM.msc

How to upgrade HP TPM from 1.2 to 2.0 using HP TPM Configuration Utility

Configure HP BIOS settings

In the below sections, I reference some BIOS settings are to be automatically configured.
Please refer to my blog post on How to use HP BIOS Configuration Utility to set BIOS settings to read about how I do this.

In the blog post above, you will learn how to enable TPM, a prerequisite for following this blog post.

Download HP TPM Configuration Utility

The best way to update the TPM firmware is by using TPM Configuration Utility. Start to download and install HP Softpaq utility and follow the instructions below:

Find available Softpaqs

Open the HP Softpaq Utility. Press Find Model and search for the model that you are looking for. End by pressing Find Available SoftPaqs.

Download HP TPM Configuration Utility

In the list, look for the HP Trusted Platform (TPM) Configuration Utility and press Download.

hp tpm firmware update

Create an encrypted password file

  1. Open <filename>
  2. Enter password
  3. Save file

Place source files on a source

Place the source files on a share accessible by Microsoft Endpoint Manager (SCCM).

Create a package in Microsoft Endpoint Manager (SCCM)

Select Create Package in the Microsoft Endpoint Manager (SCCM) console.

Give the package a name and browse to the UNC path of the source files.

hp tpm firmware update
hp tpm firmware update

Select Do not create a program.

hp tpm firmware update - create package

Complete the wizard.

hp tpm firmware update - finalize package

Add a step to update HP TPM firmware in the Task Sequence

In this example, we will run the TPM Upgrade steps in the Operating System Deployment Task Sequence. It is, however, possible to run an independent Task Sequence with these scripts.

To use the correct firmware, the TPM Configuration Utility will need to know the Manufacturer version of the TPM script.

With previous versions of the tool, you must either create a script to check the manufacturer’s version and apply the firmware file or create one Task Sequence step for each Manufacturer Version.

However, in the later versions of the HP TPM Configuration Utility, this can be done automatically, using a switch.

To upgrade TPM, you might need to disable virtualization, or more specifically, VT-X.

Configure the Update TPM to 2.0 step Options tab to only run with the following WMI query:

WMI Namespaceroot\cimv2\Security\MicrosoftTpm
WQL QuerySelect * from Win32_TPM Where SpecVersion Like "%1.2%"

Add a command-line step

Tpmconfig64.exe -s –a2.0 -ppassword.bin

Note: There should be no space between -p and the password file!

Conclusion

To comply with the newest security baselines, you should upgrade existing machines to TPM 2.0.

How many devices do you still have that run TPM 1.2? Please answer in the comments below 🙂

References

Related posts

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here