Introduction
TPM 2.0 has been around since 2013, but since July 28, 2016, vendors are required to provide their machines with TPM 2.0.
The TPM chip, or Trusted Platform Module, is a hardware component on the motherboard, providing physical-level security for Windows 10.
This blog post explains how to upgrade HP TPM Firmware from version 1.2 to 2.0 using HP TPM Configuration Utility. The TPM version derives from the firmware version of the chip. Most modern chips support both versions 1.2 and 2.0.
The TPM chip is required for features such as:
The only feature at this point that I know of that requires TPM 2.0 is Device Encryption (Not Bitlocker). TPM 2.0 was also required for Credential Guard in Windows 10 1507, but this is not the case anymore.
This blog post describes how to upgrade the TPM chip firmware from 1.2 to 2.0 for HP machines using Microsoft Endpoint Manager (SCCM) and HP TPM Configuration Utility.
If you are interested in downgrading TPM from 2.0 to 1.2, refer to my other blog post.
TPM 2.0 vs. TPM 1.2
TPM 2.0 adds additional security benefits compared to TPM 1.2.
Read more about it on Microsoft Docs.
Verify TPM firmware version
You can verify which the current TPM firmware version on the device:
- Windows Security settings in Windows 10
- Powershell
- TPM.MSC
The different version properties on the chip are:
- Manufacturer version
- Specification version
Alternative 1 – Windows Security settings
Alternative 2 – Powershell
Start an elevated Powershell window and use the following Powershell command:
Get-WmiObject -Namespace rootcimv2securitymicrosofttpm -Class Win32_TPM | Select Specversion
Alternative 3 – TPM.MSC
The last alternative is by using TPM.msc
How to upgrade HP TPM from 1.2 to 2.0 using HP TPM Configuration Utility
Configure HP BIOS settings
In the below sections, I reference some BIOS settings are to be automatically configured.
To read about how I do this, please refer to my blog post on How to use HP BIOS Configuration Utility to set BIOS settings.
Download HP TPM Configuration Utility
The best way to update the TPM firmware is by using TPM Configuration Utility. Start by downloading the HP Softpaq utility and follow the instructions below:
Find available Softpaqs
Open the HP Softpaq Utility. Press Find Model and search for the model that you are looking for. End by pressing Find Available SoftPaqs.
Download HP TPM Configuration Utility
In the list, look for the HP Trusted Platform (TPM) Configuration Utility and press Download.
Create an encrypted password file
- Open <filename>
- Enter password
- Save file
Place source files on a source
Place the source files on a share accessible by Microsoft Endpoint Manager (SCCM).
Create a package in Microsoft Endpoint Manager (SCCM)
Select Create Package in the Microsoft Endpoint Manager (SCCM) console.
Give the package a name and browse to the UNC path of the source files.
Select Do not create a program.
Complete the wizard.
Add a step to update HP TPM firmware in the Task Sequence
In this example, we will run the TPM Upgrade steps in the Operating System Deployment Task Sequence. It is, however, possible to run an independent Task Sequence with these scripts.
To use the correct firmware, the TPM Configuration Utility will need to know the Manufacturer version of the TPM script.
With previous versions of the tool, it requires you to either create a script to check the manufacturer’s version and apply the firmware file or to create one Task Sequence step for each Manufacturer Version.
However, in the later versions of the HP TPM Configuration Utility, this can be done automatically, using a switch.
In order to upgrade TPM, you might need to disable virtualization, or more specifically, VT-X.
Configure the Update TPM to 2.0 step Options tab to only run with the following WMI query:
| WMI Namespace | root\cimv2\Security\MicrosoftTpm |
| WQL Query | Select * from Win32_TPM Where SpecVersion Like "%1.2%" |
Add command line step
Tpmconfig64.exe -s –a2.0 -ppassword.bin
Note: There should be no space between -p and the password file!
Conclusion
To comply with the newest security baselines, you should upgrade existing machines to TPM 2.0.
How many devices do you still have that run TPM 1.2? Please answer in the comments below 🙂
References
Related posts
- How to deploy HP BIOS settings using SCCM
- Downgrade HP TPM from 2.0 to 1.2 using the HP TPM Configuration Utility
Please reveal all steps and syntaxes as shown picture above ‘Upgrade TPM to 2.0″