TPM Firmware Update - Prohibited by Group Policy?

  • Question

  • I'm at my wit's end with this - trying to update TPM firmware on a HP EliteBook Revolve 810 G3.

    I've been able to meet all preconditions for doing this (suspended BitLocker, made sure suspend/hibernate can be blocked, enabled full TPM manageability from OS, cleared the TPM), except this: "ERROR: TPM Firmware Update has been explicitly prohibited by policy settings for your system. To get permission, contact your group policy administrator (0xe02a0017)."

    I've been fiddling with every Group Policy setting that might interfere, but can't figure out which policy does prohibit me from updating this TPM's firmware.

    I'd really appreciate any hint on what policy might interfere, or any other suggestions ...


    ________________ drahnier


    Friday, June 15, 2018 11:58 PM

All replies

  • Hi.

    Can you check this Microsoft Doc:

    https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings

    If you still need help, let us know.

    Thanks...


    Richard Sabino

    Monday, June 18, 2018 2:16 AM
  • :

    Richard Sabino

    Thanks for your reply. -

    I did consult that documentation and used it to experiment with a few settings, but -unfortunately - it did not help to solve my issue. - If you have any idea what specific information in that document should have caught my attention, please let me know.


    ________________ drahnier

    Monday, June 18, 2018 2:32 AM
  • Ok, when is the error showing? At what step? That info would be helpful.

    Thank you...


    Richard Sabino

    Monday, June 18, 2018 2:42 AM
  • I can't get my hands on that particular machine before later tonight.

    I'll post logfiles generated by the TPM upgrade utility either later today or early tomorrow (GMT+7).

    UPDATE: Unfortunately, I have to postpone any further experimentation with this machine until the weekend.


    ________________ drahnier


    Monday, June 18, 2018 4:20 AM
  • Hi,

    It is suggested that you create a new domain account and log in, to see if the error still exists and confirm that it is really blocked by GPO.

    Since we know little about your GP configuration, you can export it with gpresult /h and share it on a network drive, so we can learn more about it.

    If you don't want to put it on the public forum, you can unlink the related GP and test again.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 18, 2018 8:16 AM
  • vivian_zhou

    Thanks for answering.

    The machine in question is not joined to a domain.

    I do, though, heavily rely on Local Group Policy to "tame" our Windows 10 Pro machines, but to track down the problem, I tried two things:

    (1) reset all Group Policy and Security Settings to defaults:

    RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
    RD /S /Q "%WinDir%\System32\GroupPolicy"
    gpupdate /force
    secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

    Result: Problem still persists.

    (2) did a clean install (wiped disk) from EFI USB of Windows 10 Pro 17134.112 (June roll-up):

    applied neither any Group Policy nor Security Settings and tried to run the TPM FW update right after first logon.

    Result: Problem still persists.


    ________________ drahnier

    Monday, June 18, 2018 8:29 AM
  • Hi,

    What is your model of computer?

    What is the TPM version right now?

    Did the error pop up immediately after you ran the update KB? Can you manually download the update?

    If so, you can help us collect the logs to analyze:

    https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs

    You can upload the logs to a network drive and share the link here.



    Monday, June 18, 2018 9:36 AM
  • -- according to 'powershell get-tpm':

    TpmPresent                : True
    TpmReady                  : True
    ManufacturerId            : 1229346816
    ManufacturerIdTxt         : IFX
    ManufacturerVersion       : 4.40
    ManufacturerVersionFull20 : Not Supported for TPM 1.2
    ManagedAuthLevel          : Full
    OwnerAuth                 : (I have removed this due to privacy concerns)
    OwnerClearDisabled        : False
    AutoProvisioning          : Enabled
    LockedOut                 : False
    LockoutHealTime           : Not Supported for TPM 1.2
    LockoutCount              : Not Supported for TPM 1.2
    LockoutMax                : Not Supported for TPM 1.2
    SelfTest                  : {128, 0, 1, 255}

    -- according to HP:
    - TPM Chip Infineon SLB9660, TPM 1.2 - should be upgraded to ver. 4.43.257.0

    https://support.hp.com/us-en/document/c05792935

    I've got mixed information about whether the SLB9660 can be converted to TPM 2.0. HP seems to not offer this, so the best one can and should do is upgrading TPM 1.2 from its current version 4.40 to version 4.43.

    vivian_zhou:

    -- What do you mean by "Can you manually download the update?"

    HP offers both a graphical and a command line version for upgrading. Both give the same error, right after starting them (checking pre-conditions), before doing anything concrete.



    ________________ drahnier


    • Edited by dd-drahnier Saturday, June 23, 2018 9:09 AM corrected link to HP Support
    Tuesday, June 19, 2018 12:15 AM
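    An added diagnostic script (not posted by anyone in this thread) that reports, in one pass, the preconditions the original poster lists: TPM present and ready, OS manageability at Full, TPM not locked out, BitLocker suspended, and whether any TPM policy values are configured at all. It assumes Windows 10 with the TrustedPlatformModule and BitLocker modules, and assumes HKLM:\SOFTWARE\Policies\Microsoft\TPM is the registry location that the linked TPM Group Policy document describes.

```powershell
# Added example: check the TPM firmware-update preconditions discussed in this thread.
# Assumptions: Windows 10 with Get-Tpm and Get-BitLockerVolume available; run from an
# elevated PowerShell prompt. The policy registry path is an assumption, not from the thread.

$tpm = Get-Tpm
$checks = [ordered]@{
    'TPM present'                    = [bool]$tpm.TpmPresent
    'TPM ready'                      = [bool]$tpm.TpmReady
    'OS manageability level is Full' = ($tpm.ManagedAuthLevel -eq 'Full')
    'TPM not locked out'             = (-not $tpm.LockedOut)
}

# BitLocker must be suspended (ProtectionStatus Off) on every encrypted volume
# before the firmware update, otherwise the changed PCR values would trigger recovery.
$protected = @(Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' })
$checks['BitLocker suspended on all volumes'] = ($protected.Count -eq 0)

# Hibernate/sleep availability, as the poster mentions blocking suspend/hibernate.
$checks['Hibernate not available'] = -not ((powercfg /a) -match '^\s*Hibernate\s*$')

# List TPM policy values that are actually configured; an absent key means
# neither a local nor a domain TPM policy is applied to this machine.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'   # assumed standard policy location
if (Test-Path $policyPath) {
    Write-Host "Configured TPM policy values under ${policyPath}:"
    Get-ItemProperty -Path $policyPath |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
} else {
    Write-Host "No TPM policy key at ${policyPath} (no TPM GPO values are applied)."
}

# Print a simple pass/fail summary of the preconditions.
foreach ($entry in $checks.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $entry.Key)
}
```

    If every line reports OK and no policy key exists, the 0xe02a0017 error is not coming from a Windows policy setting that this machine has applied, which is what the later clean-install test in this thread also indicates.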
  • Hi,

    You should contact HP support to resolve the problem; it is not Windows related, sir.

    You have a clean install of Windows, which gives you a completely clean system.



    Tuesday, June 19, 2018 9:35 AM
  • Well, I now have two of these HP EliteBooks which refuse to update TPM firmware.

    Those machines are absolutely identical, both hardware- and software-wise, except one is running on BIOS 1.15, and the other one on a brand new, just released BIOS 1.16.

    The TPM Update Log, as well as a nicely formatted Group Policy Settings document can be found here (apparently, there is nothing of interest in the GPRESULT log):

    TPM Update Log, GPRESULT Log

    I'd REALLY appreciate any help!


    ________________ drahnier


    • Edited by dd-drahnier Saturday, June 23, 2018 9:04 AM wording, spelling
    Friday, June 22, 2018 7:54 AM