Need Owner Password to Update TPM Firmware

    Question

  • I am trying to update the TPM firmware on an HP laptop due to a firmware vulnerability issue.  The computer is running Windows 10 Pro Version 1709.  The firmware update is asking for the owner password, either from a file, and hand typed in.  I don't have it, and I don't know where to get it.

    I reset the TPM, using TPM.MSC.  The firmware update is still asking for the password.

    I reset the TPM via the BIOS.  Still asking for the password.

    I set the TPM to NOT be managed by the OS in the BIOS.  The firmware update said there was no ownership of the TPM, and the firmware could not be updated.

    I have looked at countless documents on this, and have found nothing.  How do I get or set the TPM password to a known value with Windows 10 Version 1709 (apparently could be done in tpm.msc in older versions of Windows 10, which is not any help now)?

    Thanks.



    • Edited by Michael1000 Saturday, December 16, 2017 7:47 PM
    Saturday, December 16, 2017 7:45 PM

All replies

  • The firmware update utility typically requires your BIOS password to initiate the update process. In addition, according to official documentation, you need to fully decrypt your hard drive to perform the firmware flash. (Suspending BitLocker might work as well). Here is how I initiate firmware update using PowerShell: http://vacuumbreather.com/index.php/blog/item/44-tpm-upgrade-process-on-dell-hp-systems-using-mdt

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Saturday, December 16, 2017 9:14 PM
  • Saturday, December 16, 2017 9:22 PM
  • Hi Michael, 

    If you enabled BitLocker without manually initializing the TPM, the TPM owner password will be automatically created and saved in the same location as the BitLocker recovery password.

    Please make sure you have decrypted BitLocker before upgrading the TPM.

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 18, 2017 7:02 AM
    Moderator
  • Hi Anton,

    Thank you for the info.  Bitlocker is not on, fortunately, on this laptop.  I reviewed the document you sent, and it is for a later model of HP laptop than the one I am working on.  The update I have is not from TPM 1.2 to 2.0, but just a fixed version of 1.2 (unfortunately).

    Monday, December 18, 2017 4:19 PM
  • Hi Michael,

    Understand the TPM Owner Password


    Momominta

    Hi Momominta,

    Thank you for the document.  The problem with this approach is I would have to enable BitLocker, export the password, then decrypt the drive, install the firmware, and re-encrypt the drive.  The document is also for Windows 7, rather than Windows 10 Version 1709.  They've made a lot of changes since then, so it is pretty risky.

    Michael

    Monday, December 18, 2017 4:22 PM
  • Hi Michael, 

    If you enabled BitLocker without manually initializing the TPM, the TPM owner password will be automatically created and saved in the same location as the BitLocker recovery password.

    Please make sure you have decrypted BitLocker before upgrading the TPM.

    Bests,



    Does that work with Windows 10 Version 1709?  I just exported the keys from two other computers, and I didn't get an owner password.

    • Edited by Michael1000 Monday, December 18, 2017 4:26 PM
    Monday, December 18, 2017 4:24 PM
  • Hi Michael,

    How to find a solution of your issue 

    >>The problem with this approach is I would have to enable BitLocker, export the password, then decrypt the drive, install the firmware, and re-encrypt the drive.

    Do they say this below in the article?

    If you enable BitLocker without manually initializing the TPM, the TPM owner password will be automatically created and saved in the same location as the BitLocker recovery password

    That does mean there is no obligation to use BitLocker

    Have you read the title "Understand the TPM Owner Password"?

    You say in your first post >>The firmware update is asking for the owner password, either from a file, and hand typed in.  I don't have it, and I don't know where to get it.

    And on the site's first two lines, they say >>The Trusted Platform Module (TPM) owner password defines who the owner of the TPM is. You own the TPM if you are able to set the TPM owner password.

    You still don't understand the TPM Owner Password?

    From where did you get your TPM file?

    What you want to know is: how to take ownership of the TPM?  Type that into Google, then you find this link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/dn466538(v=ws.11)

    Windows 8.1 and 8 are close to Windows 10


    Momominta



    Monday, December 18, 2017 10:34 PM
  • Please keep in mind that starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.

    Which HP model are you trying to flash? Basically, as long as you are using TPMConfig utility, the approach I outlined in my blog post should still apply.


    Cheers,
    Anton

    Tuesday, December 19, 2017 10:20 AM
  • Hi Anton,

    Regarding your article, I don't understand why Michael is not able to go through. 


    Momominta

    Tuesday, December 19, 2017 2:06 PM
  • Hi Anton,

    It was an HP Zbook 17 laptop.  Unfortunately, I had to return the laptop back to the customer.  The issue seems to be that the firmware upgrade for 1.2 to a newer version of 1.2 is different than going from 1.2 to 2.0.  I was successful in upgrading two other laptops from 1.2 to 2.0 (not easy but possible).  However, for the ZBook there is no 2.0 firmware available.  As luck would have it, I didn't see your blog post prior to having to return the laptop to the customer.  I'm going to bookmark it for reference.

    I've got a new HP EliteDesk 800 that I will be upgrading.  I'll see how that goes.

    My suggestion for anyone reading this in the future is to do your TPM firmware upgrades PRIOR to running Windows 10 updates.  The later Feature versions of Windows 10 stop supporting manual setup of the owner password.

    Wednesday, January 3, 2018 11:52 PM
  • Hi Michael,

    Take a look at this link: https://support.hp.com/us-en/document/c05381064/


    Momominta

    Thursday, January 4, 2018 12:32 AM
  • Momominta,

    Thank you for the link.

    Here is another HP Advisory for anyone interested.  It did not help me, but may help someone else.

    https://support.hp.com/us-en/document/c05792935?jumpid=reg_r1002_usen_c-001_title_r0001

    Michael

    Friday, January 5, 2018 7:02 AM
  • Hi Michael,

    What is your computer name and model number?


    Momominta

    Friday, January 5, 2018 2:33 PM
  • Hi Momominta,

    It was an HP Zbook 17 G2 running Windows 10 with the latest Fall Creators Update.

    Michael

    Saturday, January 6, 2018 1:24 AM
  • Hi Michael,

    IMPORTANT! Before attempting to upgrade to TPM 2.0, make sure the system BIOS has been updated to the latest available version. Have you updated your BIOS? If not, do it now.

    SoftPaq 81900 has been released. This version is compatible with TPM 2.0 Firmware

    After downloading SoftPaq 81900, follow the steps below.

    HOW TO USE:
    1. Download the file by clicking the Download or Obtain Software button and
    saving the file to a folder on your hard drive (make a note of the folder where
    the downloaded file is saved).

    2. Double-click the downloaded file and follow the on-screen instructions.

    Instructions

    1. Run softpaq to extract files. By default it will extract the files in C:\SWSETUP\SP81900 folder.

    2. Copy the desired TPM FW BIN file and the appropriate HP TPM Configuration Utility (either 32-bit or 64-bit) to a temporary folder. Only one TPM FW BIN file is allowed in the temporary folder.

    3. Do not rename the TPM FW BIN file.

    4. Open CMD Prompt in Administrator mode and run TPM.MSC to determine the TPM Manufacturer Information.

      - Manufacturer Name: IFX

      - For TPM 1.2, check the Manufacturer Version 6.40 or 6.41:

      - For version 6.40, use file TPM12_6.40.190.0_to_TPM12_6.43.243.0.BIN

      - For version 6.41, include logic that tries one and, if it fails, uses the other of these:

      TPM12_6.41.197.0_to_TPM12_6.43.243.0.BIN

      or

      TPM12_6.41.198.0_to_TPM12_6.43.243.0.BIN

      NOTE: This is necessary because TPM.msc does not reveal the actual build; no way to tell if you currently have 6.41.197 or 6.41.198.


      - For TPM 2.0, Manufacturer Version: Either 7.40 or 7.41 or 7.60 or 7.61

      - Specification version: Either 1.2 or 2.0

    5. The utility supports

      - Graphical User Interface (GUI) for step-by-step execution

      - Command line mode (including silent execution)

    6. Run MSINFO32 to determine 32-bit or 64-bit OS. Examine System Type (will show either "x64-based PC" or "32-based PC").

    7. Run the appropriate utility (TPMConfig.exe for 32-bit OS or TPMConfig64.exe for 64-bit OS) as an Administrator from the folder where the utility and TPM FW BIN file are located.

    Additional Notes

    • On Windows 7, TPM 1.2 must be activated in BIOS (Check TPM state in BIOS).

    • On Windows 8.x or Windows 10, the OS will automatically take ownership of TPM.

    • Windows 8.x and Windows 10 require GPT partition style when using TPM 2.0. The BIOS setting for boot mode should be set to native UEFI (recommended) or UEFI with CSM.


    Momominta

    Saturday, January 6, 2018 6:21 AM
  • Hi Momominta,

    I tried this, but this Softpaq is not compatible with that computer.

    Thanks for the suggestion, though.

    Michael

    Saturday, January 6, 2018 10:44 PM
  • Hi Michael,

    I am sorry to hear that it does not work for you. Well, could you call HP Technical Support for help?


    Momominta

    Saturday, January 6, 2018 10:56 PM
  • In case BitLocker is OFF, you can clear the "TPM Owner" before updating the TPM firmware as follows:

    Run Command Prompt as Administrator and type the following command lines:

    1. reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /f /v OSManagedAuthLevel /t REG_DWORD /d 4
    2. WMIC /namespace:\\root\cimv2\Security\MicrosoftTpm Path Win32_Tpm Where __RELPATH="Win32_Tpm=@" Call SetPhysicalPresenceRequest 14
    3. shutdown -r -t 15

    Then you can update TPM firmware 1.2 from 4.32 to 4.34 without the owner password (no backup file and no hand typing).

    Good luck.

    • Proposed as answer by Sirrebral Sunday, May 20, 2018 3:17 AM
    Tuesday, May 1, 2018 1:18 PM
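
The three commands from the answer above as a PowerShell script with pre-flight checks, added here as an example and not part of the original post. It assumes an elevated session; the registry value, WMI class and request number are the ones posted above, while the BitLocker check and the error messages are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): guard rails around the posted commands.
# Clearing the TPM destroys every key it protects, so stop while BitLocker is in use.
$ErrorActionPreference = 'Stop'

# Pre-flight 1: refuse to continue if any volume is still protected or not fully decrypted.
# If the BitLocker cmdlets are not installed there is nothing to check.
$busy = @()
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $busy = @(Get-BitLockerVolume | Where-Object {
        $_.ProtectionStatus -eq 'On' -or $_.VolumeStatus -ne 'FullyDecrypted'
    })
}
if ($busy.Count -gt 0) {
    $busy | Format-Table MountPoint, VolumeStatus, ProtectionStatus | Out-String | Write-Host
    throw 'BitLocker is active on the volumes listed above; decrypt them before clearing the TPM.'
}

# Pre-flight 2: record the TPM state so it can be compared after the reboot.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
if (-not $tpm) { throw 'Windows does not see a TPM; check the BIOS settings.' }
Write-Host ('TPM spec {0}, firmware {1}, owned: {2}' -f `
    $tpm.SpecVersion, $tpm.ManufacturerVersion, $tpm.IsOwned_InitialValue)

# Step 1 of the post: policy value OSManagedAuthLevel = 4.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name OSManagedAuthLevel `
    -PropertyType DWord -Value 4 -Force | Out-Null

# Step 2 of the post: queue physical presence request 14 for the next boot.
$result = Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest `
    -Arguments @{ Request = [uint32]14 }
if ($result.ReturnValue -ne 0) {
    throw "SetPhysicalPresenceRequest returned $($result.ReturnValue); the request was not queued."
}

# Step 3 of the post: reboot. As the replies below report, the BIOS must allow
# the OS to make TPM requests, otherwise the updater still asks for the password.
Write-Host 'Request queued. Rebooting in 15 seconds; run the firmware updater afterwards.'
shutdown.exe -r -t 15
```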

  • This does not seem to work in an Enterprise environment. I was able to run the 2 commands successfully and restarted the HP ZBOOK Gen 1 laptop, but after the restart, when I try to update the TPM from 4.32 to 4.34, it still asks for either the password or the file.


    Thursday, May 3, 2018 1:25 PM
  • Never mind, now it worked. I had to check the option in the BIOS that allows Windows to change the TPM.

    Thank you for your help

    Thursday, May 3, 2018 1:44 PM
  • Same issue with the HP Catch22 question. Tried to explain to HP helpdesk but they just couldn't understand.

    Unlike you Michael, my machine is a bit older and I don't have the option in the BIOS to allow Win to change TPM. Sigh
    HP ProDesk 600 G1 SFF i7
    BIOS: v02.71 05/09/2017 (latest for this model)
    Windows 10 64 v1803 (Build 17134.48) *Not using BitLocker*

    Sunday, May 20, 2018 2:21 AM
  • ...my machine is a bit older and I don't have the option in the BIOS to allow Win to change TPM. Sigh

    HP ProDesk 600 G1 SFF i7
    BIOS: v02.71 05/09/2017 (latest for this model)
    Windows 10 64 v1803 (Build 17134.48) *Not using BitLocker*

    Hedgy, it looks like we're trying to figure the same thing out at the same time on the same device; I'm also setting up a ProDesk 600 G1 with BIOS version 02.71.

    Take a look at the instructions for the BIOS utility below; the TPM settings are covered on page 140, and the policy can be changed with the "Allow PPI policy to be changed by OS" setting.

    Maintenance and Service Guide - HP ProDesk 600 G1 Small Form Factor
    http://h10032.www1.hp.com/ctg/Manual/c04331099


    Sunday, May 20, 2018 2:58 AM
  • Hi Guys, I recently purchased a refurbished HP EliteDesk 800 G1 and did all of the windows updates first thing.  Then a bios update.  Now I'm trying to do the firmware update for the security processor as indicated necessary by windows defender security center.  I'm on Windows 10 Home if that matters.  I was able to download the correct update file from HP (SP82407), but when I run the program it asks me for the TPM password or file.  I don't have either, and I'm not sure how to find them.  I was able to get TPM running, but I can't change the password.  I've tried clearing the TPM twice now and it did nothing.  I checked the BIOS, and the option to allow the OS to change the security settings was already enabled.  Can anyone offer some guidance here?  I'm trying to build this PC for my son as his first PC.  I'm trying to bring it up to date here, thanks in advance!

    Jon

    Friday, May 25, 2018 4:53 AM
  • I have the same issue, except with an HP Elitebook.  I have not been able to find any solutions for finding the owner password or the backup file.  Windows 10 ver 1803 does not appear to handle TPM the same as other versions.  Maybe with time it will be fixed.

    SBT

    Sunday, May 27, 2018 2:07 AM
  • I found a solution to this problem.  This lowers security but allows you to retrieve the password.

    Follow this blog: https://blogs.technet.microsoft.com/dubaisec/2017/02/28/tpm-owner-password/

    1 - Set GPO Policy to store full data

    2 - Clear the TPM

    3 - Auto Init the TPM - the password will be stored this time because of GPO

    Thursday, May 31, 2018 12:19 AM
  • In case BitLocker is OFF, you can clear the "TPM Owner" before updating the TPM firmware as follows:

    Run Command Prompt as Administrator and type the following command lines:

    1. reg add HKLM\SOFTWARE\Policies\Microsoft\TPM /f /v OSManagedAuthLevel /t REG_DWORD /d 4
    2. WMIC /namespace:\\root\cimv2\Security\MicrosoftTpm Path Win32_Tpm Where __RELPATH="Win32_Tpm=@" Call SetPhysicalPresenceRequest 14
    3. shutdown -r -t 15

    Then you can update TPM firmware 1.2 from 4.32 to 4.34 without the owner password (no backup file and no hand typing).

    Good luck.

    It worked. Thanks.

    My system and OS build: Fujitsu E736

    Windows 10 Pro

    Version 1803

    Installed on 5 June 2018

    OS build 17134.81

    After the 3 steps above, the laptop just restarted, I ran IFXTPMUpdate_TPM12_v0443 (the update utility from the Fujitsu website), and voila, it did not ask for the owner password anymore.

    Saturday, June 9, 2018 4:00 PM
  • Hi Michael, Wuhoatu and Silviu19,  I'm in the same boat...trying to apply TPM firmware update to my 64bit HP EliteBook 840 G1.  My security processor specs are: 

    MFG: IFX  version 4.32, spec version 1.2, PPI spec version 1.2, TPM spec sub-version 2, 3. 

    I downloaded the TPM firmware from HP site, but when I run it, prompted for either the owner password or location of file containing same password.  I know of neither.  Have tried everything I'm technically capable of (which isn't close to the levels I'm seeing on this thread), but to no avail.  Would command prompt instructions above work for my HP also?  If so, 1) at the run line, is there something I need to include to run as administrator? 2) after the shutdown command, and subsequent restart, do I just navigate to the firmware update executable and run it, and it won't ask for the password? 

    By the way, in my registry, the OSManagedAuthLevel is found under HKEY_LOCAL_MACHINE directory, not HKLM.  Maybe that's exactly the same and doesn't matter that it's different?  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM

    Thank you in advance for your help.  Best, Frank


    • Edited by Frank Lac Tuesday, June 26, 2018 8:52 PM
    Tuesday, June 26, 2018 8:41 PM
  • This worked for my HP840 EliteBook. Thanks.

    Quick Specs: HD+ Touch, Core i7, 8GB, 500GB

    Friday, July 6, 2018 6:59 AM
  • From our Lenovo Field Engineer, 

    Our deployment team did put together an article on how to deploy the TPM Firmware through SCCM.  I will provide a link below that provides details.  Hope this is helpful. Thanks.

     

    Document on how to deploy TPM firmware through SCCM:

    http://thinkdeploy.blogspot.com/2017/11/patching-ifx-tpm-vulnerability-on-think.html



    Aquila non captat muscas

    Friday, July 20, 2018 4:06 PM