INTRODUCTION

TPM 2.0 has been around since 2013, but vendors have been required to provide their machines with TPM 2.0 since July 28, 2016. The TPM chip, or Trusted Platform Module, is a hardware component on the motherboard.
This blog post explains how to upgrade HP TPM Firmware from version 1.2 to 2.0 using HP TPM Configuration Utility. The TPM version is derived from the firmware version of the chip. Most modern chips support both version 1.2 and 2.0.

The TPM chip is required for features such as:

  • BitLocker
  • Windows Defender Credential Guard

The only feature at this point that I am aware of that requires TPM 2.0 is Device Encryption (not BitLocker). TPM 2.0 was also required for Credential Guard in Windows 10 1507, but this is not currently the case.

This blog post describes how to upgrade the TPM chip firmware from 1.2 to 2.0 for HP machines.

TPM 2.0 vs. TPM 1.2

In any case, TPM 2.0 adds significant security compared to TPM 1.2, and future features will most likely require it.

Read more about it on Microsoft Docs.

VERIFY TPM VERSION

You can verify the current TPM firmware version on the device in any of the following ways:

  1. Windows Security settings (starting with Windows 10 x)
  2. PowerShell
  3. TPM.MSC

The different version properties on the chip are as follows:

  • Manufacturer version
  • Specification version

ALTERNATIVE 1 – WINDOWS SECURITY SETTINGS

ALTERNATIVE 2 – POWERSHELL

Start an elevated PowerShell window and use the following PowerShell command:

Get-WmiObject -Namespace root\cimv2\security\microsofttpm -Class Win32_TPM | Select SpecVersion

ALTERNATIVE 3 – TPM.MSC

The last alternative is to use TPM.msc.

SOLUTION

CONFIGURE HP BIOS SETTINGS

In the sections below I will be referring to some BIOS settings that are to be automatically configured.
To read about how I do this, please refer to my blog post on How to use HP BIOS Configuration Utility to set BIOS settings.

DOWNLOAD HP TPM CONFIGURATION UTILITY

The best way to update the TPM firmware is by using TPM Configuration Utility. Start by downloading the HP Softpaq utility and follow the instructions below:

FIND AVAILABLE SOFTPAQS

Open the HP Softpaq Utility. Press Find Model and search for the model that you are looking for. End by pressing Find Available SoftPaqs.

DOWNLOAD HP TPM CONFIGURATION UTILITY

In the list, look for the HP Trusted Platform (TPM) Configuration Utility, and press Download.

CREATE ENCRYPTED PASSWORD FILE

  1. Open <filename>
  2. Enter password
  3. Save file

PLACE SOURCE FILES ON A SHARE

Place the source files on a share accessible by SCCM.

CREATE PACKAGE IN SCCM

Select Create Package in the SCCM console.

Give the package a Name and browse to the UNC path of the source files.

Select Do not create a program.

Finalize the wizard.

ADD STEP TO SCCM TASK SEQUENCE

In this example, we will be running the TPM Upgrade steps in the Operating System Deployment Task Sequence. It is however possible to run an independent Task Sequence with these scripts.

To apply the correct firmware, the TPM Configuration Utility needs to know the Manufacturer version of the TPM chip.

With previous versions of the tool, you are required to either create a script to check the manufacturer version and apply the appropriate firmware file or to create one Task Sequence step for each Manufacturer Version.

However, in the later versions of the HP TPM Configuration Utility, this can be done automatically, using a switch.

In order to upgrade TPM, you might need to disable virtualization.

Configure the Update TPM to 2.0 step Options tab to only run with the following WMI Query:

WMI Namespace: root\cimv2\Security\MicrosoftTpm
WQL Query: Select * from Win32_TPM Where SpecVersion Like "%1.2%"
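
The same condition can be evaluated in PowerShell, both before the step and after the upgrade to confirm that the chip now reports 2.0. This is an added example, not part of the original post or of HP's tooling; the function names Get-TpmSpecFamily and Test-TpmNeedsUpgrade are hypothetical, and the sample SpecVersion strings are constructed. It reads only the first comma-separated field of SpecVersion instead of substring-matching the whole string.

```powershell
# Added example (not from the original post). Function names are hypothetical;
# Win32_Tpm, SpecVersion and ManufacturerVersion are the standard WMI class and properties.

function Get-TpmSpecFamily {
    # SpecVersion is a comma-separated string: "<TCG spec version>, <revision>, <errata>".
    # Only the first field tells 1.2 from 2.0, so the later fields are ignored.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$SpecVersion)
    $first = ($SpecVersion -split ',')[0].Trim()
    if ($first -match '^\d+\.\d+$') { return $first }
    return $null   # unparseable value: the caller treats it as unknown
}

function Test-TpmNeedsUpgrade {
    # Mirrors the task sequence condition: run the upgrade step only on TPM 1.2.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$SpecVersion)
    return (Get-TpmSpecFamily -SpecVersion $SpecVersion) -eq '1.2'
}

# Constructed sample values, so the logic can be checked on any machine.
foreach ($sample in '1.2, 2, 3', '2.0, 0, 1.16', 'Not Supported') {
    [pscustomobject]@{
        SpecVersion  = $sample
        Family       = Get-TpmSpecFamily -SpecVersion $sample
        NeedsUpgrade = Test-TpmNeedsUpgrade -SpecVersion $sample
    }
}

# Live check; needs an elevated session, as with the command shown earlier.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    Write-Warning 'Win32_Tpm returned nothing: no TPM, TPM disabled in BIOS, or session not elevated.'
} else {
    [pscustomobject]@{
        ManufacturerVersion = $tpm.ManufacturerVersion
        SpecVersion         = $tpm.SpecVersion
        NeedsUpgrade        = Test-TpmNeedsUpgrade -SpecVersion ([string]$tpm.SpecVersion)
    }
}
```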

ADD COMMAND LINE STEP

Tpmconfig64.exe -s -a2.0 -ppassword.bin

Note: There should be no space between -p and the password file!
