Thursday, 21 September 2017 18:39

TPM Upgrade Process on Dell & HP Systems Using MDT


In my last blog post, I discussed clearing the Trusted Platform Module (TPM) using PowerShell and MDT. This time I'm turning my attention to another issue: field-upgrading the TPM from the 1.2 to the 2.0 specification on HP and Dell systems that support discrete TPM mode switching.

Systems that shipped with Windows 7 from the factory have TPM 1.2. However, most modern systems feature a firmware-based TPM running in a trusted execution environment on a general-purpose SoC, which allows discrete TPM mode switching in real time. Customers I have worked with in the past couple of months who are rolling out Windows 10 intend to take advantage of the important security improvements of the TPM 2.0 specification: greater crypto agility (more flexibility in the choice of cryptographic algorithms), newer algorithms that can improve drive signing and key generation performance, a more consistent experience across different implementations, and a consistent dictionary attack protection guarantee.

How to update the TPM:

I recommend converting the TPM during OSD, before BitLocker is enabled. First, let's look at the important considerations before you attempt to upgrade the TPM firmware:
  • In order to upgrade to TPM 2.0, you may need to update the system's BIOS to the latest version.
  • Windows 10 requires the GPT partition style when using TPM 2.0.
  • The TPM must be ON and Enabled in BIOS Setup, and the TPM must not be owned. If the TPM is owned, you have to clear the TPM before proceeding.

Additional considerations for HP systems:

  • The TPM can be converted between TPM 1.2 and TPM 2.0 up to a maximum of 64 times.
  • The utility can only be run in the full OS. It does not support Windows PE.
  • For security reasons, physical presence is required by the HP BIOS team.
  • To avoid a complete loss of data, the OS drive must be fully decrypted before performing the TPM upgrade. A BitLocker re-provisioning scenario is supported.

Additional considerations for Dell Inc. systems:

  • On Windows 10, the OS will automatically take ownership of the TPM on the next boot (TPM AutoProvisioning). On Dell Inc. systems you will need to disable this functionality for the duration of the update process.
  • The TPM update utility will also run in WinPE (with TPM Base Services enabled).
  • During the TPM mode change process, BitLocker TPM key protection may be suspended temporarily using the manage-bde.exe -protectors -disable command, without decrypting the contents of the encrypted drive.
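The two BitLocker rules above (HP: fully decrypt; Dell: suspending the TPM protectors is enough) are easy to get wrong in an automated sequence, so here is a pre-check that encodes them. This is an added example, not one of the post's scripts; it assumes the BitLocker PowerShell module and manage-bde.exe are available, that it runs elevated in the full OS, and the -Apply switch and function name are my own.

```powershell
# Added example (not one of the post's scripts): BitLocker gate for the OS volume
# before a TPM mode switch. HP: volume must be FullyDecrypted. Dell: TPM key
# protectors may be suspended without decrypting.
#Requires -RunAsAdministrator

function Test-TpmSwitchBitLockerGate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('HP', 'Dell')] [string]$Vendor,
        [string]$MountPoint = $env:SystemDrive,
        # Only change anything (suspend protectors) when -Apply is given; otherwise just report.
        [switch]$Apply
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $result = [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyDecrypted / FullyEncrypted / *InProgress / *Paused
        ProtectionStatus = $vol.ProtectionStatus   # On / Off (Off = suspended or not encrypted)
        SafeToSwitch     = $false
        Action           = 'None'
    }

    switch ($Vendor) {
        'HP' {
            # Per HP's guidance, suspension is not enough: anything but FullyDecrypted blocks the switch.
            if ($vol.VolumeStatus -eq 'FullyDecrypted') {
                $result.SafeToSwitch = $true
            } else {
                $result.Action = "Decrypt $MountPoint fully (manage-bde -off $MountPoint) before switching TPM mode"
            }
        }
        'Dell' {
            if ($vol.VolumeStatus -eq 'FullyDecrypted' -or $vol.ProtectionStatus -eq 'Off') {
                # Nothing to protect, or protectors are already suspended.
                $result.SafeToSwitch = $true
            } elseif ($Apply) {
                # -RebootCount 0 keeps the protectors suspended across the several reboots of the
                # switch process; resume explicitly afterwards with: manage-bde -protectors -enable
                & manage-bde.exe -protectors -disable $MountPoint -RebootCount 0 | Out-Null
                if ($LASTEXITCODE -eq 0) {
                    $result.ProtectionStatus = 'Off'
                    $result.SafeToSwitch     = $true
                    $result.Action           = 'Suspended BitLocker protectors'
                } else {
                    $result.Action = "manage-bde failed with exit code $LASTEXITCODE"
                }
            } else {
                $result.Action = 'Run with -Apply to suspend BitLocker protectors (manage-bde -protectors -disable)'
            }
        }
    }
    return $result
}

# Usage inside a task sequence step; the vendor comes from Win32_ComputerSystem.
$vendor = if ((Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer -like 'Dell*') { 'Dell' } else { 'HP' }
$gate = Test-TpmSwitchBitLockerGate -Vendor $vendor -Apply
$gate | Format-List
if (-not $gate.SafeToSwitch) { Write-Error $gate.Action; exit 1 }
```

The check returns an object rather than just a boolean so the task sequence log shows why a machine was refused (VolumeStatus and ProtectionStatus) and what would unblock it. Because the switch process reboots more than once, the Dell branch suspends with -RebootCount 0 and leaves re-enabling the protectors as an explicit later step.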

Let's take a look at the high-level steps required to switch modes, which can be automated for remote deployment:

  • Download the appropriate utility:
  • Detect mode switch capability using PowerShell by running the following command: (Get-Tpm).ManufacturerVersion
    • For HP platforms that support TPM mode changes, the ManufacturerVersion reported should be 6.40, 6.41 or 6.43 (1.2 mode), or 7.40, 7.41, 7.60 or 7.61 (2.0 mode). Note: the following TPM versions are affected by ADV170012: 6.40 or 6.41 (1.2 mode), or 7.40, 7.41, 7.60 or 7.61 (2.0 mode).
    • For Dell platforms that support TPM mode changes, the ManufacturerVersion reported should be 5.81 (1.2 mode) or 1.3 (2.0 mode).
  Assuming the platform supports mode changes and the TPM is operating in legacy (1.2) mode:
  • For Dell Inc. systems, TPM AutoProvisioning needs to be disabled in the OS before proceeding with the update.
  • Clear the TPM owner (on HP systems you may then need to re-enable the TPM in the BIOS).
  • Run the appropriate utility to change the TPM mode.
  • For Dell Inc. systems, re-enable TPM AutoProvisioning so that the OS can take ownership of the TPM again.
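To turn the version table above into something a task sequence can branch on, the script below classifies the local TPM by vendor and ManufacturerVersion and also reports ownership, readiness and the ADV170012 status. This is an added example, not from the post or the vendors' tools; it assumes Get-Tpm (TrustedPlatformModule module) is available and the script runs elevated in the full OS. The version strings are exactly those the post lists; the prefix match (so that "1.3" also accepts "1.3.x") is my assumption for firmware that reports a longer build suffix, and all function names are my own.

```powershell
# Added example (not one of the post's scripts): classify the local TPM against the
# post's per-vendor ManufacturerVersion table.
#Requires -RunAsAdministrator

# Per-vendor ManufacturerVersion strings as listed in the post.
$script:ModeTable = @{
    HP   = @{
        '1.2'     = @('6.40', '6.41', '6.43')
        '2.0'     = @('7.40', '7.41', '7.60', '7.61')
        ADV170012 = @('6.40', '6.41', '7.40', '7.41', '7.60', '7.61')
    }
    Dell = @{
        '1.2'     = @('5.81')
        '2.0'     = @('1.3')
        ADV170012 = @()
    }
}

function Get-TpmVendorKey {
    # Map Win32_ComputerSystem.Manufacturer to a table key; $null means an unsupported make.
    param([string]$Manufacturer)
    switch -Regex ($Manufacturer) {
        '^Dell'         { return 'Dell' }
        '^(HP|Hewlett)' { return 'HP' }
        default         { return $null }
    }
}

function Test-VersionMatch {
    # Exact match, or prefix match with a dot ("1.3" matches "1.3.0.1" but not "1.30"); assumption.
    param([string]$Actual, [string[]]$Expected)
    foreach ($v in $Expected) {
        if ($Actual -eq $v -or $Actual -like "$v.*") { return $true }
    }
    return $false
}

function Get-TpmSwitchState {
    [CmdletBinding()]
    param()

    $make   = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
    $vendor = Get-TpmVendorKey -Manufacturer $make
    $tpm    = Get-Tpm
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    if (-not $wmiTpm) { throw 'No TPM reported by Win32_Tpm' }

    $mode = 'Unknown'
    $affected = $false
    if ($vendor) {
        foreach ($m in '1.2', '2.0') {
            if (Test-VersionMatch -Actual $tpm.ManufacturerVersion -Expected $script:ModeTable[$vendor][$m]) { $mode = $m }
        }
        $affected = Test-VersionMatch -Actual $tpm.ManufacturerVersion -Expected $script:ModeTable[$vendor]['ADV170012']
    }

    [pscustomobject]@{
        Manufacturer        = $make
        Vendor              = $vendor
        ManufacturerVersion = $tpm.ManufacturerVersion
        SpecVersion         = ($wmiTpm.SpecVersion -split ',')[0].Trim()   # "1.2" or "2.0" as the TPM reports it
        Mode                = $mode                                        # from the vendor table; Unknown = not switchable
        SupportsModeSwitch  = ($mode -ne 'Unknown')
        AffectedByADV170012 = $affected
        TpmReady            = $tpm.TpmReady
        TpmOwned            = (Invoke-CimMethod -InputObject $wmiTpm -MethodName IsOwned).IsOwned
        AutoProvisioning    = $tpm.AutoProvisioning
        NeedsSwitch         = ($mode -eq '1.2')
    }
}

Get-TpmSwitchState | Format-List
```

SpecVersion comes from WMI independently of the vendor table, so a mismatch between Mode (table lookup) and SpecVersion (what the TPM itself reports) is a quick way to spot a firmware string the table does not know about. NeedsSwitch plus TpmOwned tells you whether a clear is required before running the vendor utility.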

Depending on your remote deployment solution, your approach can vary. I will showcase how TPM switching can be accomplished using Microsoft Deployment Toolkit. Accompanying PowerShell scripts should be easily adaptable to your needs.

Note: As mentioned before, there are a few different ways to accomplish the TPM switching task. The approach described below tries to find a common denominator for the two vendors and works for me. Tested on the following hardware: Latitude E5470, Latitude E5570, Latitude E7470, OptiPlex 7040, HP ProDesk 600 G2, HP EliteBook 840 G3, HP EliteBook 850 G3, HP EliteBook Folio 1040 G3.

  1. Download the TPM upgrade and TPM clear scripts. Copy the files to your deployment share.
    • ResetTPMOwner.ps1: clears TPM ownership using Microsoft APIs.
    • VerifyTpmMode.ps1: verifies the TPM mode and initiates the TPM 1.2 -> TPM 2.0 discrete upgrade if necessary.
    • TpmUpgradeVerifier.ps1: verifies that the TPM 1.2 -> TPM 2.0 upgrade completed successfully.
    • DisableTPMAutoProvisioning.ps1: disables Windows 10 TPM auto-provisioning.
    • EnableTPMAutoProvisioning.ps1: enables Windows 10 TPM auto-provisioning.
  2. Add the following property to your CustomSettings.ini: NeedRebootTpmSwitch
  3. Supply the BIOS password:
    • For Dell Inc. systems, modify the $DellPassword variable in VerifyTpmMode.ps1.
    • For HP systems, place your encoded password file, named password.bin, in the same directory as the VerifyTpmMode.ps1 script.
  4. Add the following steps to your task sequence:
    • Disable-TpmAutoProvisioning
      Condition: Task sequence variable Make equals Dell Inc.
      • Run PowerShell script: DisableTPMAutoProvisioning.ps1
      • Restart computer
    • TPM Clear
      • Run PowerShell script: ResetTPMOwner.ps1
      • Restart computer
        Note: On HP systems, after the TPM is cleared it is also turned off. This is based on requirements from the Trusted Computing Group, which owns the TPM specification. To re-enable the TPM chip, you could for instance run HP BiosConfigUtility with the following command line: /SetValue:"TPM State","Enable" /CurSetupPasswordFile:"password.bin"
    • TPM Switch
      • Run PowerShell script: VerifyTpmMode.ps1
      • Restart computer
        Note: On some HP platforms, after you have changed the TPM mode, you may need to re-enable the TPM.
      • Run PowerShell script: TpmUpgradeVerifier.ps1
    • Enable-TpmAutoProvisioning
      Condition: Task sequence variable Make equals Dell Inc.
      • Run PowerShell script: EnableTPMAutoProvisioning.ps1
      • Restart computer
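The Dell-only auto-provisioning steps and the verifier step above all need the same three things: the make, the TPM spec version, and a way to report back to the task sequence. The script below is an added example of that glue, not one of the post's scripts. It assumes it runs in the full OS inside an MDT or ConfigMgr task sequence (Microsoft.SMS.TSEnvironment) and that NeedRebootTpmSwitch is used as a YES/NO flag that a following "Restart computer" step can condition on; that use of the variable is my assumption, since the post only names the property. The -Phase parameter and function names are my own.

```powershell
# Added example (not one of the post's scripts): task sequence glue for the
# Disable-TpmAutoProvisioning, TpmUpgradeVerifier and Enable-TpmAutoProvisioning steps.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Disable -> Disable-TpmAutoProvisioning step (Dell only)
    # Verify  -> TpmUpgradeVerifier step (both vendors)
    # Enable  -> Enable-TpmAutoProvisioning step (Dell only)
    [Parameter(Mandatory)] [ValidateSet('Disable', 'Verify', 'Enable')] [string]$Phase
)

function Get-TsEnvironment {
    # $null when not running inside a task sequence, so the script can be tried interactively.
    try { New-Object -ComObject Microsoft.SMS.TSEnvironment } catch { $null }
}

function Set-TsVariable {
    param([string]$Name, [string]$Value)
    $ts = Get-TsEnvironment
    if ($ts) { $ts.Value($Name) = $Value }
    else     { Write-Warning "Not in a task sequence; would set $Name=$Value" }
}

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3"; the first field is the spec family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    if (-not $tpm) { return $null }
    return ($tpm.SpecVersion -split ',')[0].Trim()
}

# Same test as the task sequence condition "Make equals Dell Inc."
$isDell = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer -like 'Dell*'

switch ($Phase) {
    'Disable' {
        if (-not $isDell) { Write-Host 'Not a Dell Inc. system; nothing to do'; exit 0 }
        # Stop Windows from re-taking ownership on the next boot for the duration of the update.
        Disable-TpmAutoProvisioning | Out-Null
        Set-TsVariable -Name 'NeedRebootTpmSwitch' -Value 'YES'
    }
    'Verify' {
        $spec = Get-TpmSpecVersion
        if ($spec -eq '2.0') {
            Write-Host 'TPM reports spec version 2.0; upgrade completed'
            Set-TsVariable -Name 'NeedRebootTpmSwitch' -Value 'NO'
            exit 0
        }
        # A non-zero exit code fails the step, so a TPM left in 1.2 mode (or turned off) is visible in the log.
        Write-Error "TPM still reports spec version '$spec'; mode switch did not complete"
        exit 1
    }
    'Enable' {
        if (-not $isDell) { exit 0 }
        # Let Windows take ownership of the (now 2.0) TPM again on the next boot.
        Enable-TpmAutoProvisioning | Out-Null
        Set-TsVariable -Name 'NeedRebootTpmSwitch' -Value 'YES'
    }
}
```

MDT's "Run PowerShell script" step passes its Parameters field straight to the script, so one file can serve all three steps with -Phase Disable, -Phase Verify and -Phase Enable. Reading the spec version from Win32_Tpm rather than from Get-Tpm also sidesteps the missing Get-Tpm cmdlet that one of the comments below reports after an ADK update.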

That's it. Your resulting task sequence may end up looking like this:

If you have any questions tweet me or leave a comment below.

Last modified on Monday, 02 July 2018 07:25

Comments (9)


Hi Anton,

What steps would you need to add if you have Bitlocker enabled on computers?


From my understanding - I didn't test it though - on HP models you need to fully decrypt the drive, suspending BitLocker is (according to HP's documentation) not enough. I haven't looked into upgrading existing Dell Inc. systems yet.


Anton,

Have you had any Dell systems TPM either turn off or be disabled after the TPM upgrade? It happens quite often when doing the upgrade manually.


I have seen this only on HP systems thus far - I have an additional step after the TPM upgrade, which basically just turns the TPM back on. You may want to look into a similar workaround should you wish to automate the process.


Hi Anton,

All the scripts above fail on Dell 5470, it's the only model I got to test on so far. They come back saying Make is unsupported. I ran the commands by themselves in PowerShell one by one and the TPM did get upgraded. I guess the variables are from MDT and I'm using ConfigMgr to deploy.


I guess the variables are from MDT and I'm using ConfigMgr to deploy.


Use a WMI query instead, if you're not using ConfigMgr with MDT integration:

Select * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Dell%"


Might save some time if the verify script was split into a Verify and an Apply. Then you could skip the whole thing if the firmware wasn't upgradable?


I have had an issue with the get-tpm command not being available since the latest ADK update, has anyone else seen this or know how to fix it? It was working before that. It has broken the script for me and I have not been able to find a workaround.


Paul, this may only work if TPM is properly enabled in the BIOS. Are you using the same hardware? What ADK version?
