

Need Owner Password to Update TPM Firmware

Question

Saturday, December 16, 2017 7:45 PM

I am trying to update the TPM firmware on an HP laptop due to a firmware vulnerability issue.  The computer is running Windows 10 Pro Version 1709.  The firmware update is asking for the owner password, either from a file or hand-typed in.  I don't have it, and I don't know where to get it.

I reset the TPM, using TPM.MSC.  The firmware update is still asking for the password.

I reset the TPM via the BIOS.  Still asking for the password.

I set the TPM to NOT be managed by the OS in the BIOS.  The firmware update said there was no ownership of the TPM, and the firmware could not be updated.

I have looked at countless documents on this, and have found nothing.  How do I get or set the TPM password to a known value with Windows 10 Version 1709 (apparently it could be done in tpm.msc in older versions of Windows 10, which is not any help now)?

Thanks.

All replies (22)

Saturday, December 16, 2017 9:14 PM

The firmware update utility typically requires your BIOS password to initiate the update process. In addition, according to official documentation, you need to fully decrypt your hard drive to perform the firmware flash. (Suspending BitLocker might work as well). Here is how I initiate the firmware update using PowerShell: http://vacuumbreather.com/index.php/blog/item/44-tpm-upgrade-process-on-dell-hp-systems-using-mdt

Cheers,
Anton

Vacuum Breather Blog | Wing Commander Saga | Twitter

Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".


Monday, December 18, 2017 7:02 AM

Hi Michael, 

If you enabled BitLocker without manually initializing the TPM, the TPM owner password will be automatically created and saved in the same location as the BitLocker recovery password.

Please make sure you have decrypted BitLocker before upgrading the TPM.

Bests,

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Monday, December 18, 2017 4:19 PM


Hi Anton,

Thank you for the info.  Bitlocker is not on, fortunately, on this laptop.  I reviewed the document you sent, and it is for a later model of HP laptop than the one I am working on.  The update I have is not from TPM 1.2 to 2.0, but just a fixed version of 1.2 (unfortunately).


Monday, December 18, 2017 4:22 PM

Hi Michael,

Understand the TPM Owner Password

Momominta

Hi Momominta,

Thank you for the document.  The problem with this approach is I would have to enable BitLocker, export the password, then decrypt the drive, install the firmware, and re-encrypt the drive.  The document is also for Windows 7, rather than Windows 10 Version 1709.  They've made a lot of changes since then, so it is pretty risky.

Michael


Monday, December 18, 2017 4:24 PM

Hi Michael, 


Does that work with Windows 10 Version 1709?  I just exported the keys from two other computers, and I didn't get an owner password.


Tuesday, December 19, 2017 10:20 AM

Please keep in mind that starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.

Which HP model are you trying to flash? Basically, as long as you are using TPMConfig utility, the approach I outlined in my blog post should still apply.

Cheers,
Anton



Wednesday, January 3, 2018 11:52 PM

Hi Anton,

It was an HP Zbook 17 laptop.  Unfortunately, I had to return the laptop back to the customer.  The issue seems to be that the firmware upgrade from 1.2 to a newer version of 1.2 is different than going from 1.2 to 2.0.  I was successful in upgrading two other laptops from 1.2 to 2.0 (not easy but possible).  However, for the ZBook there is no 2.0 firmware available.  As luck would have it, I didn't see your blog post prior to having to return the laptop to the customer.  I'm going to bookmark it for reference.

I've got a new HP EliteDesk 800 that I will be upgrading.  I'll see how that goes.

My suggestion for anyone reading this in the future is to do your TPM firmware upgrades PRIOR to running Windows 10 updates.  The later Feature versions of Windows 10 stop supporting manual setup of the owner password.


Friday, January 5, 2018 7:02 AM

Momominta,

Thank you for the link.

Here is another HP Advisory for anyone interested.  It did not help me, but it may help someone else.

https://support.hp.com/us-en/document/c05792935?jumpid=reg_r1002_usen_c-001_title_r0001

Michael


Saturday, January 6, 2018 1:24 AM


Hi Michael,

What is your computer name and model number?

Momominta

Hi Momominta,

It was an HP Zbook 17 G2 running Windows 10 with the latest Fall Creators Update.

Michael


Saturday, January 6, 2018 10:44 PM

Hi Momominta,

I tried this, but this Softpaq is not compatible with that computer.

Thanks for the suggestion, though.

Michael


Tuesday, May 1, 2018 1:18 PM | 8 votes


In case BitLocker is OFF, you can clear the "TPM Owner" before updating the TPM firmware as follows:

Run Command Prompt as Administrator and type the following command lines:

  1. reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /f /v OSManagedAuthLevel /t REG_DWORD /d 4
  2. WMIC /namespace:\\root\cimv2\Security\MicrosoftTpm Path Win32_Tpm Where __RELPATH="Win32_Tpm=@" Call SetPhysicalPresenceRequest 14
  3. shutdown -r -t 15

Then, you can update TPM Firmware 1.2 from 4.32 to 4.34 without the Owner Password (no backup file or hand-typed password).

Good luck.


Thursday, May 3, 2018 1:25 PM


This does not seem to work in an Enterprise environment. I was able to run the 2 commands successfully and restarted the HP ZBOOK Gen 1 laptop, but after restart, when I try to update TPM from 4.32 to 4.34, it still asks for either the password or the file.


Thursday, May 3, 2018 1:44 PM

Never mind, now it worked. I had to check the option in the BIOS that allows Windows to change the TPM.

Thank you for your help


Sunday, May 20, 2018 2:21 AM

Same issue with the HP Catch42 question. Tried to explain to the HP helpdesk but they just couldn't understand.

Unlike you Michael, my machine is a bit older and I don't have the option in the BIOS to allow Win to change TPM. Sigh
HP ProDesk 600 G1 SFF i7
BIOS: v02.71 05/09/2017 (latest for this model)
Windows 10 64 v1803 (Build 17134.48) *Not using BitLocker*


Sunday, May 20, 2018 2:58 AM


Hedgy, it looks like we're trying to figure the same thing out at the same time on the same device; I'm also setting up a ProDesk 600 G1 with BIOS version 02.71.

Take a look at the instructions for the BIOS utility below; the TPM settings are covered on page 140, and the policy can be changed with the "Allow PPI policy to be changed by OS" setting.

Maintenance and Service Guide - HP ProDesk 600 G1 Small Form Factor
http://h40032.www1.hp.com/ctg/Manual/c04331099


Friday, May 25, 2018 4:53 AM

Hi Guys, I recently purchased a refurbished HP EliteDesk 800 G1 and did all of the Windows updates first thing.  Then a BIOS update.  Now I'm trying to do the firmware update for the security processor as indicated necessary by Windows Defender Security Center.  I'm on Windows 10 Home if that matters.  I was able to download the correct update file from HP (SP82407), but when I run the program it asks me for the TPM password or file.  I don't have either, and I'm not sure how to find them.  I was able to get TPM running, but I can't change the password.  I've tried clearing the TPM twice now and it did nothing.  I checked the BIOS, and the option to allow the OS to change the security settings was already enabled.  Can anyone offer some guidance here?  I'm trying to build this PC for my son as his first PC.  I'm trying to bring it up to date here, thanks in advance!

Jon


Sunday, May 27, 2018 2:07 AM

I have the same issue, except with an HP Elitebook.  I have not been able to find any solutions for finding the owner password or the backup file.  Windows 10 ver 1803 does not appear to handle TPM the same as other versions.  Maybe with time it will be fixed.

SBT


Thursday, May 31, 2018 12:19 AM

I found a solution to this problem.  This lowers security but allows you to retrieve the password.

Follow this blog: https://blogs.technet.microsoft.com/dubaisec/2017/02/28/tpm-owner-password/

1 - Set GPO Policy to store full data

2 - Clear the TPM

3 - Auto Init the TPM - the password will be stored this time because of GPO
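
Added example, not from any post in this thread: the three steps from the May 1 post (policy value, PPI request 14, reboot) as one PowerShell script, with the two checks that tripped posters up, BitLocker still on and the BIOS not allowing the OS to change the TPM; it also covers the "store full data" GPO approach above, since OSManagedAuthLevel 4 is that policy. The function names and the Windows 10 Home fallback are my assumptions; the Win32_Tpm methods are the built-in WMI ones.

```powershell
#Requires -RunAsAdministrator
# Added example, not from any post in this thread. Function names are mine.
# Assumes the built-in Win32_Tpm WMI class and, where present, the BitLocker module.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$ClearOp   = 14   # TCG PPI 1.2 operation 14: enable + activate + clear (the value the posters used)

function Test-BitLockerOff {
    # Clearing the TPM destroys the BitLocker TPM protector, so refuse while any volume is protected.
    # Windows 10 Home lacks Get-BitLockerVolume; assume no BitLocker there (assumption, posters were unencrypted).
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return $true }
    $protected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
    return (-not $protected)
}

function Set-FullOwnerAuthPolicy {
    # Same as step 1: reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 4
    # Level 4 ("Full") makes Windows keep the owner authorization it generates at provisioning
    # instead of discarding it; the "store full data" GPO sets this same value.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name OSManagedAuthLevel -PropertyType DWord -Value 4 -Force | Out-Null
}

function Request-TpmClear {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    if (-not $tpm) { throw 'No TPM exposed to Windows; check the BIOS TPM device setting.' }

    # Ask the firmware whether the OS may queue this PPI operation at all.
    # 0 = not implemented, 1 = BIOS only, 2 = blocked for the OS by BIOS config
    # (the "allow OS to change TPM" setting two posters had to enable),
    # 3 = allowed with a physically present user, 4 = allowed without confirmation.
    $status = (Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceConfirmationStatus `
                -Arguments @{ Operation = [uint32]$ClearOp }).ConfirmationStatus
    if ($status -lt 3) { throw "BIOS PPI policy blocks the OS (status $status); change it in BIOS setup." }

    # Same as step 2: queue the clear; the firmware performs it on the next boot.
    $r = Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest `
            -Arguments @{ Request = [uint32]$ClearOp }
    if ($r.ReturnValue -ne 0) { throw ('SetPhysicalPresenceRequest failed: 0x{0:X8}' -f $r.ReturnValue) }
    return $status
}

if (-not (Test-BitLockerOff)) { throw 'Decrypt (or at least suspend) BitLocker before clearing the TPM.' }
Set-FullOwnerAuthPolicy
$confirm = Request-TpmClear
Write-Host "Clear queued (PPI confirmation status $confirm). Rebooting; accept the firmware prompt if shown."
# Same as step 3. After the reboot Windows auto-provisions the TPM again; with level 4 the new
# owner auth is retained, so the vendor flash tool no longer prompts for a password or file.
shutdown.exe /r /t 15
```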


Saturday, June 9, 2018 4:00 PM


It worked. Thanks.

My OS build is as follows: Fujitsu E736

Windows 10 Pro

Version 1803

Installed on 5 June 2018

OS build 17134.81

After the 3 steps above, the laptop just restarted; I ran IFXTPMUpdate_TPM12_v0443 (the update utility from the Fujitsu website) and voila, it no longer asks for the owner password.


Tuesday, June 26, 2018 8:41 PM

Hi Michael, Wuhoatu and Silviu19,  I'm in the same boat...trying to apply TPM firmware update to my 64bit HP EliteBook 840 G1.  My security processor specs are: 

MFG: IFX  version 4.32, spec version 1.2, PPI spec version 1.2, TPM spec sub-version 2, 3. 

I downloaded the TPM firmware from the HP site, but when I run it, I am prompted for either the owner password or the location of a file containing that same password.  I know of neither.  Have tried everything I'm technically capable of (which isn't close to the levels I'm seeing on this thread), but to no avail.  Would the command prompt instructions above work for my HP also?  If so, 1) at the run line, is there something I need to include to run as administrator? 2) after the shutdown command, and subsequent restart, do I just navigate to the firmware update executable and run it, and it won't ask for the password? 

By the way, in my registry, the OSManagedAuthLevel is found under HKEY_LOCAL_MACHINE directory, not HKLM.  Maybe that's exactly the same and doesn't matter that it's different?  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM

Thank you in advance for your help.  Best, Frank


Friday, July 6, 2018 6:59 AM

This worked for my HP840 EliteBook. Thanks.

Quick Specs: HD+ Touch, Core i7, 8GB, 500GB


Friday, July 20, 2018 4:06 PM

From our Lenovo Field Engineer, 

Our deployment team did put together an article on how to deploy the TPM Firmware through SCCM.  I will provide a link below that provides details.  Hope this is helpful. Thanks.

Document on how to deploy TPM firmware through SCCM:

http://thinkdeploy.blogspot.com/2017/11/patching-ifx-tpm-vulnerability-on-think.html

Aquila non captat muscas