Need Owner Password to Update TPM Firmware

    Question

  • I am trying to update the TPM firmware on an HP laptop due to a firmware vulnerability issue.  The computer is running Windows 10 Pro Version 1709.  The firmware update is asking for the owner password, either from a file or hand typed in.  I don't have it, and I don't know where to get it.

    I reset the TPM, using TPM.MSC.  The firmware update is still asking for the password.

    I reset the TPM via the BIOS.  Still asking for the password.

    I set the TPM to NOT be managed by the OS in the BIOS.  The firmware update said there was no ownership of the TPM, and the firmware could not be updated.

    I have looked at countless documents on this, and have found nothing.  How do I get or set the TPM password to a known value with Windows 10 Version 1709 (apparently could be done in tpm.msc in older versions of Windows 10, which is not any help now)?

    Thanks.



    • Edited by Michael1000 Saturday, December 16, 2017 7:47 PM
    Saturday, December 16, 2017 7:45 PM

All replies

  • The firmware update utility typically requires your BIOS password to initiate the update process. In addition, according to official documentation, you need to fully decrypt your hard drive to perform the firmware flash. (Suspending BitLocker might work as well). Here is how I initiate firmware update using PowerShell: http://vacuumbreather.com/index.php/blog/item/44-tpm-upgrade-process-on-dell-hp-systems-using-mdt

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Saturday, December 16, 2017 9:14 PM
  • Saturday, December 16, 2017 9:22 PM
  • Hi Michael, 

    If you enabled BitLocker without manually initializing the TPM, the TPM owner password will be automatically created and saved in the same location as the BitLocker recovery password.

    Please make sure you have decrypted BitLocker before upgrading the TPM.

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 18, 2017 7:02 AM
    Moderator
  • Hi Anton,

    Thank you for the info.  BitLocker is not on, fortunately, on this laptop.  I reviewed the document you sent, and it is for a later model of HP laptop than the one I am working on.  The update I have is not from TPM 1.2 to 2.0, but just a fixed version of 1.2 (unfortunately).

    Monday, December 18, 2017 4:19 PM
  • Hi Michael,

    Understand the TPM Owner Password


    Momominta

    Hi Momominta,

    Thank you for the document.  The problem with this approach is I would have to enable BitLocker, export the password, then decrypt the drive, install the firmware, and re-encrypt the drive.  The document is also for Windows 7, rather than Windows 10 Version 1709.  They've made a lot of changes since then, so it is pretty risky.

    Michael

    Monday, December 18, 2017 4:22 PM
  • Does that work with Windows 10 Version 1709?  I just exported the keys from two other computers, and I didn't get an owner password.

    • Edited by Michael1000 Monday, December 18, 2017 4:26 PM
    Monday, December 18, 2017 4:24 PM
  • Hi Michael,

    How to find a solution to your issue

    >>The problem with this approach is I would have to enable BitLocker, export the password, then decrypt the drive, install the firmware, and re-encrypt the drive.

    Do they say this below in the article?

    If you enable BitLocker without manually initializing the TPM, the TPM owner password will be automatically created and saved in the same location as the BitLocker recovery password

    That does mean there is no obligation to use BitLocker.

    Have you read the title "Understand the TPM Owner Password"?

    You say in your first post >>The firmware update is asking for the owner password, either from a file or hand typed in.  I don't have it, and I don't know where to get it.

    And on the site first two lines, they say >>The Trusted Platform Module (TPM) owner password defines who the owner of the TPM is. You own the TPM if you are able to set the TPM owner password.

    You still don't understand the TPM Owner Password?

    From where did you get your TPM file?

    What you want to know is: how to take ownership of the TPM?  Type that in Google, then you find this link https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/dn466538(v=ws.11)

    Windows 8.1 and 8 are close to Windows 10


    Momominta



    • Edited by momominta Monday, December 18, 2017 10:41 PM
    Monday, December 18, 2017 10:34 PM
  • Please keep in mind that starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.

    Which HP model are you trying to flash? Basically, as long as you are using TPMConfig utility, the approach I outlined in my blog post should still apply.


    Cheers,
    Anton


    Tuesday, December 19, 2017 10:20 AM
  • Hi Anton,

    Regarding your article, I don't understand why Michael is not able to go through. 


    Momominta

    Tuesday, December 19, 2017 2:06 PM
  • Hi Anton,

    It was an HP Zbook 17 laptop.  Unfortunately, I had to return the laptop back to the customer.  The issue seems to be that the firmware upgrade for 1.2 to a newer version of 1.2 is different than going from 1.2 to 2.0.  I was successful in upgrading two other laptops from 1.2 to 2.0 (not easy but possible).  However, for the ZBook there is no 2.0 firmware available.  As luck would have it, I didn't see your blog post prior to having to return the laptop to the customer.  I'm going to bookmark it for reference.

    I've got a new HP EliteDesk 800 that I will be upgrading.  I'll see how that goes.

    My suggestion for anyone reading this in the future is to do your TPM firmware upgrades PRIOR to running Windows 10 updates.  The later Feature versions of Windows 10 stop supporting manual setup of the owner password.

    Wednesday, January 03, 2018 11:52 PM
  • Hi Michael,

    take a look at this link https://support.hp.com/us-en/document/c05381064/


    Momominta

    Thursday, January 04, 2018 12:32 AM
  • Momominta,

    Thank you for the link.

    Here is another HP Advisory for anyone interested.  It did not help me, but may help someone else.

    https://support.hp.com/us-en/document/c05792935?jumpid=reg_r1002_usen_c-001_title_r0001

    Michael

    Friday, January 05, 2018 7:02 AM
  • Hi Michael,

    What is your computer name and model number?


    Momominta

    Friday, January 05, 2018 2:33 PM
  • Hi Momominta,

    It was an HP Zbook 17 G2 running Windows 10 with the latest Fall Creators Update.

    Michael

    Saturday, January 06, 2018 1:24 AM
  • Hi Michael,

    IMPORTANT! Before attempting to upgrade to TPM 2.0, make sure the system BIOS has been updated to the latest available version. Have you updated your BIOS? If not, do it now.

    SoftPaq 81900 has been released. This version is compatible with TPM 2.0 Firmware

    After downloading SoftPaq 81900, follow the steps below:

    HOW TO USE:
    1. Download the file by clicking the Download or Obtain Software button and
    saving the file to a folder on your hard drive (make a note of the folder where
    the downloaded file is saved).

    2. Double-click the downloaded file and follow the on-screen instructions.

    Instructions

    1. Run softpaq to extract files. By default it will extract the files in C:\SWSETUP\SP81900 folder.

    2. Copy the desired TPM FW BIN file and the appropriate HP TPM Configuration Utility (either 32-bit or 64-bit) to a temporary folder. Only one TPM FW BIN file is allowed in the temporary folder.

    3. Do not rename the TPM FW BIN file.

    4. Open CMD Prompt in Administrator mode and run TPM.MSC to determine the TPM Manufacturer Information.

      - Manufacturer Name: IFX

      - For TPM 1.2, check the Manufacturer Version 6.40 or 6.41:

      - For version 6.40, use file TPM12_6.40.190.0_to_TPM12_6.43.243.0.BIN

      - For version 6.41, include logic that tries one and, if it fails, uses the other of these:

      TPM12_6.41.197.0_to_TPM12_6.43.243.0.BIN

      or

      TPM12_6.41.198.0_to_TPM12_6.43.243.0.BIN

      NOTE: This is necessary because TPM.msc does not reveal the actual build; no way to tell if you currently have 6.41.197 or 6.41.198.


      - For TPM 2.0, Manufacturer Version: Either 7.40 or 7.41 or 7.60 or 7.61

      - Specification version: Either 1.2 or 2.0

    5. The utility supports

      - Graphical User Interface (GUI) for step-by-step execution

      - Command line mode (including silent execution)

    6. Run MSINFO32 to determine 32-bit or 64-bit OS. Examine System Type (will show either "x64-based PC" or "32-based PC").

    7. Run the appropriate utility (TPMConfig.exe for 32-bit OS or TPMConfig64.exe for 64-bit OS) as an Administrator from the folder where the utility and TPM FW BIN file are located.

    Additional Notes
    • On Windows 7, TPM 1.2 must be activated in BIOS (Check TPM state in BIOS).

    • On Windows 8.x or Windows 10, the OS will automatically take ownership of TPM.

    • Windows 8.x and Windows 10 require GPT partition style when using TPM 2.0. The BIOS setting for boot mode should be set to native UEFI (recommended) or UEFI with CSM.


    Momominta

    Saturday, January 06, 2018 6:21 AM
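
The selection steps in the post above can be checked before anything is flashed. The following is an added example, not code from the thread, from HP, or from the linked blog: the function name `Get-TpmFirmwareCandidate` is hypothetical, the BIN file names are the ones quoted in the post, and it assumes an elevated PowerShell prompt on Windows 10. It only reports; it does not call the TPMConfig utility.

```powershell
# Added example: preflight report for the TPM 1.2 firmware update described above.
function Get-TpmFirmwareCandidate {
    param([uint32]$ManufacturerId, [string]$ManufacturerVersion, [string]$SpecVersion)

    # ManufacturerId packs the vendor name as ASCII bytes, e.g. 0x49465800 -> "IFX"
    $bytes = [BitConverter]::GetBytes($ManufacturerId)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    $vendor = [Text.Encoding]::ASCII.GetString($bytes).TrimEnd([char]0)

    # SpecVersion is a comma-separated string; the first field is the TPM family
    $spec = ($SpecVersion -split ',')[0].Trim()
    if ($vendor -ne 'IFX') { throw "Vendor '$vendor' is not IFX; the package does not apply." }
    if ($spec -ne '1.2')   { throw "Spec version '$spec' is not covered by this example." }

    switch -Regex ($ManufacturerVersion) {
        '^6\.40(\.|$)' { return 'TPM12_6.40.190.0_to_TPM12_6.43.243.0.BIN' }
        # The build (197 or 198) is not reported, so both images are candidates.
        # Only one BIN may be in the working folder, so try them one at a time.
        '^6\.41(\.|$)' { return 'TPM12_6.41.197.0_to_TPM12_6.43.243.0.BIN',
                                'TPM12_6.41.198.0_to_TPM12_6.43.243.0.BIN' }
        default { throw "No TPM 1.2 image is listed in the post for version '$ManufacturerVersion'." }
    }
}

$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
if (-not $tpm) { throw 'No TPM is exposed to Windows; check the TPM setting in the BIOS.' }

# Volumes that still have BitLocker protection on (see the replies about decrypting first)
$protected = @(Get-BitLockerVolume -ErrorAction SilentlyContinue |
               Where-Object { $_.ProtectionStatus -eq 'On' })

[pscustomobject]@{
    Utility            = if ([Environment]::Is64BitOperatingSystem) { 'TPMConfig64.exe' } else { 'TPMConfig.exe' }
    CandidateImages    = @(Get-TpmFirmwareCandidate -ManufacturerId $tpm.ManufacturerId `
                              -ManufacturerVersion $tpm.ManufacturerVersion -SpecVersion $tpm.SpecVersion)
    TpmOwned           = $tpm.IsOwned_InitialValue
    # Empty on systems where Windows discarded the owner password after provisioning
    OwnerAuthStored    = -not [string]::IsNullOrEmpty((Get-Tpm).OwnerAuth)
    BitLockerProtected = $protected.MountPoint
}
```
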
  • Hi Momominta,

    I tried this, but this Softpaq is not compatible with that computer.

    Thanks for the suggestion, though.

    Michael

    Saturday, January 06, 2018 10:44 PM
  • Hi Michael,

    I am sorry to hear that does not work for you. Well, could you call HP Technical support for help?


    Momominta

    Saturday, January 06, 2018 10:56 PM