Table of Contents
Introduction
Upgrading TPM from 1.2 to 2.0 has been a recommendation for the past few years, but apart from increased security, there hasn’t been a practical reason why you would need to update.
But on Friday, June 25th, 2021, everything changed when Microsoft announced Windows 11 and the requirement of TPM 2.0.
Most computers released within the past 3 years should have TPM 2.0. Some older machines might have TPM, but TPM 1.2. In those cases, the TPM firmware needs an update to 2.0, which this blog post covers.
This blog post covers the TPM chip and how to do a firmware update from TPM 1.2 to TPM 2.0 for HP machines using HP TPM Configuration Utility and SCCM.
Note that a prerequisite for everything in this blog post is that enable TPM in the HP BIOS.
What is the TPM chip?
TPM 2.0 has been around since 2013, but since July 28, 2016, vendors are required to provide their machines with TPM 2.0.
The Trusted Platform Module (TPM), is a hardware component on the motherboard, developed by Intel, providing physical-level security for Windows 10. TPM 2.0 is now a requirement for Windows 11.
The TPM chip is required for features such as:
The only feature that I know of that requires TPM 2.0 is Device Encryption (Not Bitlocker). TPM 2.0 was also required for Credential Guard in Windows 10 1507, but this is no longer the case.
You can go to all machines in your environment, enable TPM in BIOS, and upgrade them to TPM 2.0. Unfortunately, this is no way of working in an enterprise environment.
This blog post describes how to upgrade the TPM chip firmware from 1.2 to 2.0 for HP machines using Microsoft Endpoint Manager (SCCM) and HP TPM Configuration Utility.
If you are interested in downgrading TPM from 2.0 to 1.2, refer to my other blog post.
TPM 1.2 vs. 2.0
TPM 2.0 adds additional security benefits compared to TPM 1.2.
Read more about it on Microsoft Docs.
How to verify TPM firmware version
Here you can find a list of HP laptops with TPM 1.2: https://support.hp.com/bg-en/document/c05381064 .
You can verify the current TPM firmware version on the device:
- Windows Security settings in Windows 10
- Powershell
- TPM.MSC
The different version properties on the chip are:
- Manufacturer version
- Specification version
Alternative 1 – Windows Security settings
Alternative 2 – Powershell
Start an elevated Powershell window and use the following Powershell command:
Get-WmiObject -Namespace rootcimv2securitymicrosofttpm -Class Win32_TPM | Select Specversion
Alternative 3 – TPM.MSC
The last alternative is by using TPM.msc
How to do a HP TPM update from 1.2 to 2.0 using HP TPM Configuration Utility
Configure HP BIOS settings
In the below sections, I reference some BIOS settings that are to be automatically configured.
Please refer to my blog post on How to use HP BIOS Configuration Utility to set BIOS settings to read about how I do this.
In the blog post above, you will learn how to enable TPM, a prerequisite for following this blog post.
Download HP TPM Configuration Utility
The best way to update the TPM firmware is by using TPM Configuration Utility. You can retrieve the latest version through the HP Image Assistant (HPIA). Once installed, select the model you want to update TPM from 1.2 to 2.0 and download TPM Configuration Utility through the tool.
IMPORTANT! Do NOT download the HP TPM Configuration Utility through any other sources, since you might not get the latest version!!
Create an encrypted password file
- Open <filename>
- Enter password
- Save file
Place source files on a source
Place the source files on a share accessible by Microsoft Endpoint Manager (SCCM).
Create a package in Microsoft Endpoint Manager (SCCM)
Select Create Package in the Microsoft Endpoint Manager (SCCM) console.
Give the package a name and browse to the UNC path of the source files.
Select Do not create a program.
Complete the wizard.
Add a step to update HP TPM firmware in the Task Sequence
In this example, we will run the TPM Upgrade steps in the Operating System Deployment Task Sequence. It is, however, possible to run an independent Task Sequence with these scripts.
To use the correct firmware, the TPM Configuration Utility will need to know the Manufacturer version of the TPM script.
With previous versions of the tool, you must either create a script to check the manufacturer’s version and apply the firmware file or create one Task Sequence step for each Manufacturer Version.
However, in the later versions of the HP TPM Configuration Utility, this can be done automatically, using a switch.
To upgrade TPM, you might need to disable virtualization, or more specifically, VT-X.
Configure the Update TPM to 2.0 step Options tab to only run with the following WMI query:
| WMI Namespace | root\cimv2\Security\MicrosoftTpm |
| WQL Query | Select * from Win32_TPM Where SpecVersion Like "%1.2%" |
Add a command-line step
Tpmconfig64.exe -s –a2.0 -ppassword.bin
Note: There should be no space between -p and the password file!
Conclusion
To comply with the newest security baselines and also to be able to install Windows 11, you should upgrade existing machines to TPM 2.0.
How many devices do you still have that run TPM 1.2? Please answer in the comments below 🙂
Please reveal all steps and syntaxes as shown picture above ‘Upgrade TPM to 2.0″
8000+ machines on tpm 1.2
Peut-on mettre à niveau TPM 1.2 vers 2.0 sur HP Elitebook 8460p avec cette procédure?
Hi, I have Several HP Elitebooks and they all have TPM v1.2. (Elitebook 8460p, Folio 9470m)
Can I upgrade them to 2.0 to be able to install Windows 11?
The file link for HP TPM Configuration Utility is not working. Can you email me the link?
Hi
Great article
Is there anyway to suppress the press F1 to upgrade TPM prompt?
/MH
Hi Martin,
When I last checked (a few months ago), this was not possible. I have been in contact with HP about it, and they came back to me that this is kept for security reasons.
/Daniel
I have an HP Z240 Tower Workstation. The version of the enabled TPM is 1.2 unfortunately. This PC was custom built for me regarding things like the chipset, amount of memory, upgraded graphics card, etc. I received this machine in May 2017, roughly one year since Microsoft mandated that PC’s manufactured after 2016 required TPM 2.0. I feel HP is in violation in my case.
yes i did it
download:https://ftp.ext.hp.com/pub/softpaq/sp81501-82000/sp81900.exe
instal
go to C:\SWSetup\SP81900
then move all files frimware to SP81900
then open TPMConfig64
you upgrade sucessful to 2.0 and you can install windows 11
Thank you brother, I also have an HP Z240 Tower Workstation, with your help, I successfully upgraded my TPM 1.2 to 2.0.
Thanks for the comment, and glad to hear the article helped you, Huzefa!
/Daniel
Sir, We have six laptops run with TPM 1.2. so we can upgrade to TPM 2.0. If there is an option kindly suggest me.
What models do you have?
I have upgraded my hp core i7 with 1.2TPM from windows 10 to 11 and it works very well
Great to hear Kweku!
Hi. Please could you help out. I did this download:https://ftp.ext.hp.com/pub/softpaq/sp81501-82000/sp81900.exe
instal
go to C:\SWSetup\SP81900
then move all files frimware to SP81900
then open TPMConfig64
It ran a pop up dark screen and everything was successful. I checked my device manager and scroll down to tpm is still 1.2. I use the latest Windows update 10 Pro. My laptop is hp probook 6550b
Hi,
Instead, try to open an elevated command prompt, browse to the directory, and run it from there. Then you will see any messages that might pop up. Check for success or failure in TPMConfig.log in the directory where you ran the TPM Configuration Utility.
/Daniel
Hi please am using a Diginnos PC. Below are my specifications
Processor : Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz, 2501 Mhz, 2 Core(s), 4 Logical Processor(s)
BIOS Version/Date: American Megatrends Inc. 218, 1/13/2016
BaseBoard Manufacturer: PEGATRON CORPORATION
BaseBoard Product :D15S
Is it possible to use your method to update my TPM 1.2 to 2.0
Hi Charles,
Unfortunately, my method is only applicable for HP models.
/Daniel
Hi, do you know if an upgrade from TPM 1.2 to 2.0 can be done on an HP Elitebook 840 G2? On the chip manufacturer webpage (Infineon) they indicate it is possible to upgrade their TPM SLB 9660 chip to 2.0 specs (it would actually correspond to a SLB 9665 once upgraded from what I could read). Probleme is, HP doesn’t seem to provide such an upgrade for this module (as they do not support this notebook model anymore)…
Looking on the Internet I found this package :
https://www.eluktronics.com/content/TPM/CallTpmBat%20563_0116.zip
It’s from another brand, but using the same TPM chipset.
Would it work? Is there any risk?
Thank you
Hi,
You could always try to download the latest HP TPM Configuration Utility for EliteBook 820 G3, and run it with the -a switch and see if it finds an applicable firmware file.
/Daniel