How To Change TPM Modes 1.2<->2.0 - Enterprise Client - Wiki - Client and Mobile Solutions - Dell Community

Is my platform capable of switching modes?

Several Dell Latitude, Optiplex, and Precision platforms shipping in 2015 are capable of switching between 1.2 and 2.0 modes in the field.

Detecting mode switch capability:

In addition to referencing the table of supported platforms below, there are a few options for detecting in real time whether a platform supports Dell discrete TPM mode switching:

  1. Windows PowerShell can be used to query the TPM vendor ID (ManufacturerID) and TPM FW version (ManufacturerVersion).
    1. From an admin command prompt, run this command: powershell.exe get-tpm
    2. For Dell platforms that support TPM mode changes, the output from PowerShell should include:
      1. ManufacturerID: 1464156928 (1.2 mode) or 1314145024 (2.0 mode)
      2. ManufacturerVersion: 5.81 (1.2 mode), or 1.3 (2.0 mode)

  2. The Windows TPM.msc snap-in can be used to visually inspect the vendor and version as well.
    1. From a Windows command prompt, the Windows search bar, or the "Run" window (Windows key + R), launch the TPM snap-in by typing tpm.msc and pressing the Enter key.
    2. For Dell platforms that support TPM mode changes, near the bottom of the Trusted Platform Module (TPM) Management on Local Computer (tpm.msc snap-in) window, you should see the TPM manufacturer information:
      1. The Manufacturer Name field should say: WEC (1.2 mode) or NTC (2.0 mode)
      2. The Manufacturer Version field should say: 5.81 (1.2 mode) or 1.3 (2.0 mode)

List of platforms which support TPM 1.2-2.0 mode changes:

Below is the list of Dell platforms that include the capability to switch TPM modes in the field.

Line of Business    Model
Latitude            3470
Latitude            3570
Latitude            E5270
Latitude            E5470
Latitude            E5570
Latitude            E7270
Latitude            E7470
Optiplex            3040
Optiplex            3240
Optiplex            5040
Optiplex            7040
Optiplex            7240
Precision           3420
Precision           3620
Precision           3510
Precision           5510
Precision           7510
Precision           7710
XPS                 15 9550

Note regarding Dell Venue products:

If you have a Dell Venue platform that shipped with Microsoft Windows 8 or 8.1 and Connected Standby, it may have the ability to switch between an fTPM 2.0 and a discrete TPM 1.2. This fTPM 2.0 switching behavior is managed through the Dell BIOS setup menu, or using the Dell Client Command Suite, without the use of a FW update utility.

Instructions for switching modes using the TPM update utility:

End users will be able to switch modes using a Dell-provided TPM FW update utility. There are a few steps required to switch modes, which can be performed manually by a physically present user, or automated for remote deployment:

  1. Download the appropriate utility (select either the 1.2 or 2.0 utility, depending on which mode you want)
  2. Clear the TPM owner
  3. Run the utility to change the mode

1. Downloading the TPM update utility:

If your platform supports mode changes, the 1.2 and 2.0 mode change utilities are available for download here.

2. Clearing the TPM:

During the TPM mode change, the TPM FW update utility will warn you that data stored in the TPM will not be retained, and that the TPM owner should be cleared.

Data that may be erased during the TPM owner clear process:

    • BitLocker protection keys
      • During the TPM mode change process, BitLocker TPM key protection may be suspended temporarily using the manage-bde.exe -protectors -disable switch, without decrypting the contents of the encrypted drive.
      • The BitLocker TPM key protector can be re-enabled after the mode change manually, or by specifying a number of reboots after which the OS automatically re-enables the TPM protector.
    • Virtual SmartCard configuration (enterprise Windows 8.x+)
      • Virtual SmartCards used for login will need to be re-enrolled after a TPM mode change.
    • Measured Boot remote attestation measurement values (enterprise Windows 8.x+)
      • Measured Boot remote attestation services may need to be re-enabled or re-enrolled after a TPM mode change, depending on the remote attestation service provider.
    • Other secrets stored by TPM-capable software (such as Dell Data Protection)

2.1.  A note regarding automatic ownership of TPM:

Depending on which OS you are using, the OS may attempt to re-take ownership of the TPM automatically after a reboot once it has been cleared. This automatic ownership feature is normal, but it can interfere with changing TPM modes using the Dell TPM update utility. To avoid the TPM being automatically owned again after you clear TPM ownership, you may want to configure the OS to pause the auto-own behavior temporarily.

Here are a few options for temporarily pausing the automatic TPM ownership feature in Windows:

    • Registry key:
      • Set the HKLM\System\CurrentControlSet\Services\Tpm\WMI\NoAutoProvision registry setting to 1
    • PowerShell:
      • PS C:\> Disable-TpmAutoProvisioning (optionally, the -OnlyForNextRestart switch will allow auto-ownership to resume on the subsequent reboot)
      • Note that this flag will be ignored if ownership is cleared using the TPM management console snap-in (TPM.msc). If using this method, the TPM must be cleared with PowerShell or BIOS Setup, as described below.
    • Use an alternate OS to perform the TPM mode change:
      • OSes like Windows 7 and Windows PE do not automatically own the TPM, and can be used to clear the TPM and then launch the Dell TPM update utility.

2.2.  Clearing the TPM with PowerShell:

The TPM can be cleared from an administrator command prompt with the Clear-Tpm cmdlet, for example: powershell Clear-Tpm
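Putting the detection check from the top of this page and the preparation steps (suspend BitLocker, pause auto-ownership, clear the owner) together, as an added PowerShell script that is not Dell's utility or a Dell-provided script; it assumes the OS volume is C: and uses the vendor IDs and FW versions quoted on this page:

```powershell
# Added example, not Dell's utility or a Dell-provided script: pre-flight
# checks and TPM preparation before running the Dell TPM mode-change
# utility on Windows. Run from an elevated PowerShell session.
# Assumptions: the OS volume is C:, and the vendor IDs / FW versions are
# the values quoted on this page for the Dell discrete TPM.
$knownModes = @{
    '1464156928' = @{ Mode = '1.2'; Version = '5.81' }   # WEC, 1.2 mode
    '1314145024' = @{ Mode = '2.0'; Version = '1.3'  }   # NTC, 2.0 mode
}

$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw 'No TPM reported by the OS.' }
$current = $knownModes["$($tpm.ManufacturerId)"]
if (-not $current) {
    throw "ManufacturerId $($tpm.ManufacturerId) is not one of the mode-switchable Dell TPM IDs."
}
Write-Host "Dell discrete TPM is in $($current.Mode) mode (FW $($tpm.ManufacturerVersion))"
if ($tpm.ManufacturerVersion -ne $current.Version) {
    Write-Warning "FW $($tpm.ManufacturerVersion) differs from the expected $($current.Version)"
}

# Step 1: suspend BitLocker's TPM protector (the drive stays encrypted),
# the PowerShell equivalent of 'manage-bde -protectors -disable'. A reboot
# count of 0 keeps it suspended until Resume-BitLocker is run after the
# mode change. Skipped on editions without the BitLocker module.
if (Get-Command Suspend-BitLocker -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if ($vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint 'C:' -RebootCount 0 | Out-Null
        Write-Host 'BitLocker protection suspended on C:'
    }
}

# Step 2: stop Windows from re-owning the TPM on the next boot (section 2.1).
Disable-TpmAutoProvisioning | Out-Null

# Step 3: clear the TPM owner (section 2.2). Some platforms ask for
# physical-presence confirmation at the next boot.
Clear-Tpm | Out-Null
Write-Host 'TPM cleared and auto-provisioning disabled; run the Dell TPM update utility next.'
```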

2.3.  Clearing the TPM from BIOS Setup:

The TPM can be cleared manually from within the Dell BIOS setup menu (note: for complete details on how to access and use the setup menu, please refer to the Dell owner's manual):

    1. Reboot your Dell PC
    2. Press the F2 key when you see the Dell logo (this will launch the BIOS setup menu)
    3. Navigate to the Security > TPM Security sub-menu
    4. Select the checkbox marked Clear
    5. Use your mouse or keyboard (Tab key) to select the exit button, and save the settings if prompted.

3. Running the TPM update utility

If you're using Windows, the TPM update utility can be launched from a Windows administrator command prompt, or by simply double-clicking the executable application icon.

The TPM update utility will also run in WinPE (with TPM Base Services enabled) or in DOS.

For reference, here is an excerpt of the installation instructions provided by the Dell TPM update utility:

Installation instructions

Dell TPM Update Utility for Windows/DOS

Download

1. Click "Download File", to download the file.

2. When the File Download window appears, click Save to save the file to your hard drive.

Clear the TPM (See Note 2, 3, and 4)

1. Before running the TPM update utility, clear the TPM Owner. (From the OS, or from BIOS Setup).

Run the TPM update utility from Windows environment

1. Browse to the location where you downloaded the file and double-click the new file.

2. Windows System will auto restart and update the TPM during the system startup.

3. When the TPM update is finished, the system will auto reboot to take effect.

Run the TPM update utility from DOS environment, if Legacy Boot mode (Non-Windows users)

1. Copy the downloaded file to a bootable DOS USB key.

2. Power on the system, then Press F12 key and Select "USB Storage Device" and Boot to DOS prompt.

3. Run the file by typing copied file name where the executable is located.

4. DOS system will auto restart and update the TPM during the system startup.

5. When the TPM update is finished, the system will auto reboot to take effect.

Run the BIOS update utility from DOS environment if UEFI Boot Mode (Non-Windows users)

1. Copy the downloaded file to a bootable DOS USB key.

2. Power on the system, then go to BIOS Setup by pressing F2 and go to "General > Boot Sequence > Boot List Option".

3. Change "UEFI" to "Legacy" of Boot List Option.

4. Click "Apply", "Exit" to save changes and reboot system.

5. Press F12, then Select "USB Storage Device" and Boot to DOS prompt.

6. Run the file by typing copied file name where the executable is located.

7. When the TPM update is finished, the system will auto reboot to take effect.

8. Go to BIOS Setup by pressing F2 and go to "General > Boot Sequence > Boot List Option".

9. Change "Legacy" to "UEFI" Boot Option.

10. Click "Apply", "Exit" to save changes and reboot system.

--------------------------------------------------------------------------------

Note 1: You will need to provide a bootable DOS USB key. This executable file does not create the DOS system files.

Note 2: If BitLocker is enabled on your system, please make sure you suspend BitLocker encryption before updating TPM on a BitLocker enabled system.

Note 3: The TPM must be ON and Enabled in BIOS Setup, and the TPM must not be owned. If the TPM is owned, go to BIOS Setup and clear the TPM before proceeding.

Note 4: When the TPM is cleared, some operating systems will automatically take ownership of the TPM on the next boot. This feature will need to be disabled to proceed with the update.

Next steps:

After completing the mode change, the TPM can be used normally. Depending on which TPM mode you have selected, you may need to re-enable the TPM in the Dell BIOS before the OS can take advantage of TPM features.

This can be accomplished in a few different ways:

Dell BIOS Setup Menu

The TPM can be re-enabled using the Dell BIOS Setup Menu, which can be accessed by pressing the F2 key during a reboot, when the Dell logo is displayed on the screen.

To enable the TPM: Navigate to Security > TPM Security > Enable

The Dell BIOS TPM Enable setting can also be configured remotely, using the Dell Client Command Suite.

TPM.msc

Select the option on the right side of the TPM.msc window (see above for instructions) labeled Prepare the TPM for use.

PowerShell

From an administrator command prompt, use the Windows PowerShell Initialize-Tpm command.

Manage-bde.exe

Windows OSes that support BitLocker include a utility called manage-bde.exe, which can perform some limited configuration of the TPM for BitLocker deployment. Descriptions of the TPM commands available with the Microsoft Windows manage-bde.exe tool can be found here.

Examples:

manage-bde.exe -tpm -turnon

manage-bde.exe -tpm -takeownership <owner password of your choosing>
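An added post-change script (not Dell's code) for the next steps above: it verifies that the TPM now reports the target mode's vendor ID and FW version quoted on this page, re-takes ownership the way Prepare the TPM for use / Initialize-Tpm does, and resumes BitLocker; it assumes the BitLocker OS volume is C: and was suspended rather than decrypted before the change:

```powershell
# Added example, not Dell's code: verify and finish a TPM mode change on
# Windows from an elevated PowerShell session. Pass the mode you switched
# to; expected vendor IDs and FW versions are those quoted on this page.
# Assumes the BitLocker OS volume is C: and was suspended, not decrypted.
param([ValidateSet('1.2', '2.0')][string]$TargetMode = '2.0')

$expected = @{
    '1.2' = @{ Id = '1464156928'; Version = '5.81'; Name = 'WEC' }
    '2.0' = @{ Id = '1314145024'; Version = '1.3';  Name = 'NTC' }
}[$TargetMode]

$tpm = Get-Tpm
$gotId = "$($tpm.ManufacturerId)"
if ($gotId -ne $expected.Id -or $tpm.ManufacturerVersion -ne $expected.Version) {
    throw ("TPM reports vendor $gotId FW $($tpm.ManufacturerVersion); expected " +
           "$($expected.Id) FW $($expected.Version) for $TargetMode mode. Check that the " +
           "utility completed and that Security > TPM Security is enabled in BIOS Setup.")
}
Write-Host "TPM is in $TargetMode mode ($($expected.Name), FW $($expected.Version))"

# The utility leaves the TPM cleared: re-enable auto-provisioning and let
# Windows take ownership now (what 'Prepare the TPM for use' does in tpm.msc).
Enable-TpmAutoProvisioning | Out-Null
$tpm = Initialize-Tpm
if (-not $tpm.TpmReady) {
    Write-Warning "TPM not ready (RestartPending=$($tpm.RestartPending)); reboot, or enable the TPM in BIOS Setup, then rerun"
    return
}

# Resume BitLocker only once the TPM is ready; resuming re-seals the volume
# key to the current TPM state instead of leaving the protector suspended.
if (Get-Command Resume-BitLocker -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if ($vol.ProtectionStatus -eq 'Off' -and $vol.KeyProtector.Count -gt 0) {
        Resume-BitLocker -MountPoint 'C:' | Out-Null
        $status = (Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus
        Write-Host "BitLocker protection on C: is now $status"
    }
}
```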

Comments
  • Can you please provide information on how to use the TPM update utility within WinPE? We are using Windows 10 1607 for WinPE and enabling the WinPE-SecureStartup component which is used for Windows Secure Startup and TPM support. Unfortunately using that WinPE image does not allow the Dell TPM upgrade utility to launch.

  • I followed the instructions and continue to get the following message on my Dell Latitude E6530:

    Error: The System TPM Query Failed, Aborting

    Error: Unable to prepare the TPM update payload

  • Hello.  

    It states above "The TPM update utility will also run in WinPE (with TPM Base Services enabled) or in DOS.".  I cannot get this to run in WinPE (Windows 10 1607 release).  I have added the WinPE-SecureStartup to the image and I can run manage-bde commands and access the WMI root\cimv2\security\microsoftTpm namespace.  

    Has anyone gotten this to work in WinPE?

  • I was unable to get the exe to run under WinPE 10. I did all the tasks that dawnwertz listed. I am trying to go from TPM 2.0 to 1.2 on a Precision 5510.

  • This page says the Precision 5510 is supported:

    en.community.dell.com/.../11850.how-to-change-tpm-modes-1-2-2-0

    Yet this page says it's not:

    www.dell.com/.../DriversDetails

  • After talking with Dell support: this will only work on 32-bit Windows PE. It will not work with the 64-bit version of Windows PE.

  • Hi Everyone,

    Apologies for the delayed response.  The TPM FW support team has officially made 64 bit versions of the TPM update utilities available.  

    For TPM 1.2, the installer is DellTpm1.2_Fw5.81.2.1_V3_64.exe.

    For TPM 2.0, the installer is DellTpm2.0_Fw1.3.0.1_V2_64.exe.

    Thank you,

    -Nick

  • I don't deal with TPM in my daily work. I was wondering if the TPM setting could affect how bootable USB drives act? I have multiple E5470 laptops, one has TPM 1.2 and the other TPM 2.0. We use bootable Ubuntu USB drives for certain secure tests. The issue is on the laptop with TPM 1.2: setting the boot order for USB first, as long as we use the same exact USB drive, it will boot to USB all day long. If we use a different USB, the boot order is changed to the internal SSD. This is driving us crazy. I want students to be able to use any flash drive we give them.

  • @Srjctech,

    Nick brought me your question.

    I've sent you a friend request. Let's get an answer for you.