Thursday, 21 September 2017 18:39

TPM Upgrade Process on Dell & HP Systems Using MDT


In my last blog post, I discussed clearing the Trusted Platform Module (TPM) using PowerShell and MDT. This time I'm turning my attention to another issue: field upgrading the TPM from the 1.2 to the 2.0 specification on HP and Dell systems that support discrete TPM mode switching.

Systems that shipped from the factory with Windows 7 have TPM 1.2. Most modern systems, however, implement the TPM as a firmware component running in a trusted execution environment on a general-purpose SoC, which allows the TPM mode to be switched in the field. Customers I have worked with over the past couple of months who are rolling out Windows 10 intend to take advantage of the security benefits of the TPM 2.0 specification: greater crypto agility (more flexibility in the choice of cryptographic algorithms, and newer algorithms that can improve drive signing and key generation performance), a more consistent experience across different implementations, and a consistent dictionary attack protection guarantee.

How to update the TPM:

I recommend converting the TPM during OSD, before BitLocker is enabled. First, a few important considerations before you attempt to upgrade the TPM firmware:
  • In order to upgrade to TPM 2.0, you may need to update the system's BIOS to the latest version.
  • Windows 10 only supports TPM 2.0 in native UEFI boot mode, so the OS disk must use the GPT partition style.
  • The TPM must be ON and Enabled in BIOS Setup, and the TPM must not be owned. If the TPM is owned, you have to clear it before proceeding.

Additional consideration for HP systems:

  • The TPM can be converted between TPM 1.2 and TPM 2.0 up to a maximum of 64 times.
  • The utility can only be run in the full OS; it does not support Windows PE.
  • For security reasons, the HP BIOS requires physical presence confirmation for the conversion.
  • To avoid a complete loss of data, the OS drive must be fully decrypted before performing the TPM upgrade. Re-enabling BitLocker afterwards (re-provisioning) is supported.

Additional consideration for Dell Inc. systems:

  • On Windows 10, the OS automatically takes ownership of the TPM on the next boot (TPM auto-provisioning). On Dell Inc. systems you need to disable this functionality for the duration of the update process.
  • The TPM update utility also runs in WinPE (with TPM Base Services enabled).
  • During the TPM mode change, BitLocker TPM key protection may be suspended temporarily with manage-bde.exe -protectors -disable, without decrypting the contents of the encrypted drive.

Let's take a look at the high-level steps required to switch modes, which can be automated for remote deployment:

  • Download the appropriate vendor utility.
  • Detect mode switch capability with PowerShell by running (Get-Tpm).ManufacturerVersion:
    • For HP platforms that support TPM mode changes, the output should be ManufacturerVersion: 6.40 or 6.41 (1.2 mode), or 7.41 (2.0 mode).
    • For Dell platforms that support TPM mode changes, the output should be ManufacturerVersion: 5.81 (1.2 mode), or 1.3 (2.0 mode).
Assuming the platform supports mode changes and the TPM is operating in legacy (1.2) mode:
  • On Dell Inc. systems, TPM auto-provisioning must be disabled in the OS before proceeding with the update.
  • Clear the TPM owner (on HP systems you may then need to re-enable the TPM in the BIOS).
  • Run the appropriate utility to change the TPM mode.
  • On Dell Inc. systems, re-enable TPM auto-provisioning so that the OS can take ownership of the TPM again.

Depending on your remote deployment solution, your approach can vary. I will showcase how TPM switching can be accomplished using Microsoft Deployment Toolkit. Accompanying PowerShell scripts should be easily adaptable to your needs.

Note: As mentioned before, there are a few different ways to accomplish the TPM switching task. The approach described below tries to find a common denominator for the two vendors and works for me. Tested on the following hardware: Latitude E5470, Latitude E5570, Latitude E7470, OptiPlex 7040, HP ProDesk 600 G2, HP EliteBook 840 G3, HP EliteBook 850 G3, HP EliteBook Folio 1040 G3.

  1. Download TPM upgrade and the TPM clear scripts. Copy the files to your deployment share.
    • ResetTPMOwner.ps1: used to clear TPM ownership using Microsoft APIs.
    • VerifyTpmMode.ps1: verifies TPM mode and initiates TPM 1.2 -> TPM 2.0 discrete upgrade if necessary.
    • TpmUpgradeVerifier.ps1: verifies that TPM 1.2 -> TPM 2.0 upgrade completed successfully.
    • DisableTPMAutoProvisioning.ps1: used to disable Windows 10 TPM autoprovisioning.
    • EnableTPMAutoProvisioning.ps1: used to enable Windows 10 TPM autoprovisioning.
  2. Add the following property to your CustomSettings.ini: NeedRebootTpmSwitch
  3. Supply BIOS password:
    • For Dell Inc. systems, modify $DellPassword variable in VerifyTpmMode.ps1.
    • For HP systems, place your encoded password file named password.bin in the same directory as VerifyTpmMode.ps1 script.
  4. Add the following steps to your task sequence:
    • Disable-TpmAutoProvisioning
      Condition: Task sequence variable Make equals Dell Inc.
      • Run PowerShell script: DisableTPMAutoProvisioning.ps1
      • Restart computer
    • TPM Clear
      • Run PowerShell script: ResetTPMOwner.ps1
      • Restart computer
        Note: On HP systems, after the TPM is cleared, it is also turned off. This is based on requirements from the Trusted Computing Group that owns the TPM specification. To re-enable the TPM chip, you could for instance run HP BiosConfigUtility with the following command line: /SetValue:"TPM State","Enable" /CurSetupPasswordFile:"password.bin"
    • TPM Switch
      • Run PowerShell script: VerifyTpmMode.ps1
      • Restart computer
        Note: On some HP platforms, after you have changed the TPM mode, you may need to re-enable the TPM in the BIOS again, as after the TPM Clear step.
      • Run PowerShell script: TpmUpgradeVerifier.ps1
    • Enable-TpmAutoProvisioning
      Condition: Task sequence variable Make equals Dell Inc.
      • Run PowerShell script: EnableTPMAutoProvisioning.ps1
      • Restart computer.
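The following PowerShell script is an added example, not the author's published script set. It implements the logic of both the high-level steps and the task sequence above in a single file: a -Step parameter selects the same five actions (disable auto-provisioning, clear, switch, verify, enable auto-provisioning), so each "Run PowerShell script" step in MDT can call it. The Win32_Tpm WMI class, the Enable-/Disable-TpmAutoProvisioning cmdlets, Get-BitLockerVolume, manage-bde and the Microsoft.SMS.TSEnvironment COM object all exist as written; the utility file names, the Dell "/s /p=<password>" and HP "-s -f<bin> -p<password.bin>" command-line switches, and the default $DellPassword value are assumptions and placeholders that must be replaced with the vendor's documented syntax and your own secrets.

```powershell
<#
  TpmSwitch-Example.ps1 -- added illustration, not the post's own scripts.
  One script with -Step stands in for the five scripts the task sequence calls:
      powershell.exe -ExecutionPolicy Bypass -File TpmSwitch-Example.ps1 -Step Switch
  ASSUMPTIONS (placeholders, not from the post): utility file names, the
  Dell "/s /p=<password>" and HP "-s -f<bin> -p<password.bin>" switches,
  and the default $DellPassword. Replace them before use.
#>
param(
    [Parameter(Mandatory)]
    [ValidateSet('DisableAutoProv','Clear','Switch','Verify','EnableAutoProv')]
    [string]$Step,
    [string]$DellPassword = 'ChangeMe',                        # assumed placeholder
    [string]$DellUtility  = "$PSScriptRoot\DellTpm2.0_FW.exe",   # assumed file name
    [string]$HpUtility    = "$PSScriptRoot\TPMConfig64.exe",     # assumed file name
    [string]$HpFirmware   = "$PSScriptRoot\TPM12_to_TPM20.BIN",  # assumed file name
    [string]$HpPassword   = "$PSScriptRoot\password.bin"         # as in the post
)

# ManufacturerVersion values the post lists for switch-capable platforms
# that are still running in 1.2 mode.
$LegacyVersions = @{ 'Dell Inc.' = @('5.81'); 'HP' = @('6.40', '6.41') }

function Get-TpmState {
    # Win32_Tpm is the WMI view that Get-Tpm wraps. SpecVersion reads like
    # "1.2, 2, 3" or "2.0, 0, 1.16", so its first field is the current mode.
    $tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM visible to Windows (turned off or disabled in BIOS?)' }
    $make = (Get-WmiObject Win32_ComputerSystem).Manufacturer
    if ($make -like 'Hewlett*') { $make = 'HP' }   # older HP firmware reports "Hewlett-Packard"
    $mfg = $tpm.ManufacturerVersion
    [pscustomobject]@{
        Make                = $make
        SpecVersion         = ($tpm.SpecVersion -split ',')[0].Trim()
        ManufacturerVersion = $mfg
        Owned               = [bool]$tpm.IsOwned().IsOwned
        Switchable          = $LegacyVersions.ContainsKey($make) -and ($LegacyVersions[$make] -contains $mfg)
    }
}

function Set-TsVariable([string]$Name, [string]$Value) {
    # Only available inside an MDT/ConfigMgr task sequence; skipped elsewhere.
    try {
        $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $ts.Value($Name) = $Value
    } catch { Write-Warning "Not in a task sequence; $Name=$Value not recorded" }
}

function Request-TpmClear {
    # Physical-presence operation 5 = Clear. The BIOS asks for confirmation at
    # the next boot, which is why the task sequence restarts right after this.
    if (-not (Get-TpmState).Owned) { Write-Host 'TPM not owned; nothing to clear'; return }
    $tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm
    $rc  = $tpm.SetPhysicalPresenceRequest(5).ReturnValue
    if ($rc -ne 0) { throw "SetPhysicalPresenceRequest(5) failed with $rc" }
}

function Invoke-TpmModeSwitch {
    $state = Get-TpmState
    if ($state.SpecVersion -eq '2.0') { Write-Host 'Already in TPM 2.0 mode'; return }
    if (-not $state.Switchable) { throw "$($state.Make) TPM $($state.ManufacturerVersion) is not in the switchable list" }
    if ($state.Owned) { throw 'TPM is owned; run the Clear step first' }

    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    switch ($state.Make) {
        'Dell Inc.' {
            # Dell tolerates a mode change with protectors merely suspended.
            if ($os.ProtectionStatus -eq 'On') { & manage-bde.exe -protectors -disable $env:SystemDrive | Out-Null }
            $p = Start-Process -FilePath $DellUtility -ArgumentList "/s /p=$DellPassword" -Wait -PassThru
        }
        'HP' {
            # HP requires a fully decrypted OS drive; anything else risks the data.
            if ($os.VolumeStatus -ne 'FullyDecrypted') { throw "OS drive is $($os.VolumeStatus); decrypt it before switching" }
            $p = Start-Process -FilePath $HpUtility -ArgumentList "-s -f`"$HpFirmware`" -p`"$HpPassword`"" -Wait -PassThru
        }
    }
    Write-Host "Vendor utility exit code $($p.ExitCode)"
    Set-TsVariable 'NeedRebootTpmSwitch' 'YES'   # the Restart step keys off this property
}

function Test-TpmUpgrade {
    $state = Get-TpmState
    if ($state.SpecVersion -ne '2.0') { throw "TPM still reports spec $($state.SpecVersion) (firmware $($state.ManufacturerVersion))" }
    Write-Host "TPM 2.0 confirmed, firmware $($state.ManufacturerVersion)"
}

switch ($Step) {
    'DisableAutoProv' { if ((Get-TpmState).Make -eq 'Dell Inc.') { Disable-TpmAutoProvisioning } }
    'Clear'           { Request-TpmClear }
    'Switch'          { Invoke-TpmModeSwitch }
    'Verify'          { Test-TpmUpgrade }
    'EnableAutoProv'  { if ((Get-TpmState).Make -eq 'Dell Inc.') { Enable-TpmAutoProvisioning } }
}
```

The two BitLocker guards differ on purpose and mirror the vendor considerations above: the Dell path suspends protectors and continues, the HP path refuses to run unless the OS drive is fully decrypted. Mode detection relies on SpecVersion rather than ManufacturerVersion alone, with the ManufacturerVersion table from the post used only to confirm the platform is one that can actually be switched; an owned TPM or an unlisted firmware version stops the step with a non-zero exit so the task sequence fails visibly instead of flashing blindly.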

That's it. The resulting task sequence consists of the steps listed above.

If you have any questions, tweet me or leave a comment below.

Last modified on Thursday, 21 September 2017 19:24
