Upgrading TPM Firmware version silently

NilsTammann · ‎06-15-2017

Hello. I am trying to update my computers TPM firmware versions during SCCM task sequence. Everything is working fine, but after a restart i get a message: "TPM Firmware Update Request. A request to update TPM Firmware is pending. Please press the appropriate key to accept or reject the request. Press F1=ACCEPT, PRESS F2=Reject".

Is it somehow possible to silence this message and to accept it silently ? I tried using BIOS Configuration Utility but i couldnt find a setting that controls this.

NilsTammann · ‎06-26-2017

Any ideas ?

TryToDoMybest · ‎06-29-2017

Hello

this kind of configuration change requires physical presence, you can't avoid such step.

Imagine if someone start the utility and by mistake change the firmware version while the disk is encrypted by bitlocker.

he risks to lose all data. so if you run the TPMconfig utily and accept the firmware change , it's you decision.

Someone could be interested about how you partitioned the disk and if you were changing from .12 to 2.0 or viceversa , whics OS are you installing and if the HP_TOOLS parttion was created , if the BIOS is set to UEFI or legacy.

If you can provide more data somedoby else using SCCM can learn from your experience.

I prefer to change the fimware version using another boot.wim with WinPE 10 64bit leaving it out of OS instalallation Task Sequence.

so the OS installation could be done in two set

change firmare from 1.2 to 2.0 or viceversa depending on the OS used , using a boot.wim from USB or PXE server
use SCCM for OS instalallation , so you don't have to press F1 to change TPM firmware

Bye

This_Guy1 · ‎10-18-2017

Were you able to find a solution for this?

I am trying to find a way to update the TPM firmware on about 1500 laptops in our environment that are spread out all over the place.

We were going to run it as a PowerShell script through SCCM, but can't figure out how to get past the F1 key strike at reboot.

TryToDoMybest · ‎10-18-2017

Hello

no way to bypass F1 to accept TPM firmware upgrade at reboot.

it's a security feature hardcoded in the BIOS.

Even more if your disk data are encrypted , before to update the TPM firmware you must decrypt the data , then upgrade the TPM firmware.

bye

This_Guy1 · ‎10-18-2017

Yeah, we are disabling BitLocker before the update is kicked off in the script.

But if it's hardcoded this could be a difficult thing, to get past.

I am setting up a lab to see if just disabling would still require this if you have any other information let me know but I am at a complete standstill on this atm.

NilsTammann · ‎10-19-2017

We couldn't find a way past this so we just accepted the fact that F1 must me pressed and informed our technicians about it.

TryToDoMybest · ‎10-26-2017

Hello

HP just release BIOS version 1.18.

There is a new parameter that can be set to disable to let you update the TPM firmware without physical presence.

BY default it's enable ,that means someone have to press F1 to accept TPM firmware update.

With that parameter set to disable ,you can do it without press F1.

Bye

AlesRajh · ‎11-21-2017

I have upgraded BIOS to 1.18 and take data out. Which one setting should be to avoid F1?

BIOSConfig 1.0
;
; Originally created by BIOS Configuration Utility
; Version: 4.0.21.1
; Date="2017/11/21" Time="09:53:16" UTC="1"
;
; Found 169 settings
;
Product Name
HP EliteBook 840 G3
Processor 1 Type
Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
Processor 1 Speed
2700 MHz
Processor 1 Cache Size (L1/L2/L3)
128 KB / 512 KB / 3 MB
Processor 1 MicroCode Revision
BC
Processor 1 Stepping
3
Processor 1 Bottom-Slot 1(left)
4 GB Hynix/Hyundai
Processor 1 Bottom-Slot 2(right)
Empty
Serial Number
5CG7434CFR
SKU Number
Y8Q87EA#BED
Universally Unique Identifier (UUID)
633AFBC81BBCE711BB99860E7201C0DA
Memory Size
4096 MB
System Board CT Number
PFKZT00WBA13N2
Primary Battery Serial Number
28418 2017/10/13
Product Family
103C_5336AN HP EliteBook
MS Digital Marker
010000000000000001000000000000001D00000043373251382D544E4456362D56394D4D4D2D3658364A542D3646344332
System BIOS Version
N75 Ver. 01.18 10/17/2017
BIOS Build Version
0000
ME Firmware Version
11.0.22.3001
Integrated Video BIOS Version
Intel(R) GOP Driver [9.0.1039]
Embedded Controller Firmware Version
85.77
Born On Date
11/20/2017
System Board ID
8079
Integrated MAC Address 1
AC-E2-D3-94-02-63
WLAN FCC ID
PD98260NG
Bluetooth FCC ID
PD98260NG
Asset Tracking Number
5CG7434CFR
Ownership Tag

Feature Byte
3X476J6b757H7M7Q7W7m7s9AaBaEapaqauawbUbhcAdQdUdpdqgd.Eh
Build ID
15WWCSDT601#SBED#DBED
USB Type-C Controller Firmware Version
00.13
BIOS Rollback Policy
*Unrestricted Rollback to older BIOS
Restricted Rollback to older BIOS
Minimum BIOS Version
00.00
Manufacturing Programming Mode
Unlock
*Lock
Password Minimum Length
8
At least one symbol is required in Administrator and User passwords
*No
Yes
At least one number is required in Administrator and User passwords
*No
Yes
At least one upper case character is required in Administrator and User passwords
*No
Yes
At least one lower case character is required in Administrator and User passwords
*No
Yes
Are spaces allowed in Administrator and User passwords?
*No
Yes
Prompt for Admin password on F9 (Boot Menu)
*Disable
Enable
Prompt for Admin password on F11 (System Recovery)
*Disable
Enable
Prompt for Admin password on F12 (Network Boot)
*Disable
Enable
Wake on LAN Power-on Password Policy
Bypass Password
*Require Password
TPM Specification Version
2.0
TPM Device
Hidden
*Available
TPM State
Disable
*Enable
Clear TPM
*No
On next boot
TPM Activation Policy
F1 to Boot
Allow user to reject
*No prompts
Verify Boot Block on every boot
*Disable
Enable
BIOS Data Recovery Policy
*Automatic
Manual
Prompt on Network Controller Configuration Change
*Disable
Enable
Lock BIOS Version
*Disable
Enable
Dynamic Runtime Scanning of Boot Block
Disable
*Enable
Physical Presence Interface
Disable
*Enable
Drivelock Password on restart
Disable
*Enable
Save/Restore MBR of System Hard Drive
*Disabled
Enabled
Secure Erase Hard Disk Serial Number

Secure Erase Hard Disk Model Number

Secure Erase Completion Date

Secure Erase Completion Status

Permanent Disable Absolute Persistence Module Set Once
*No
Yes
Absolute Persistence Module Current State
*Inactive
Active
System Management Command
Disable
*Enable
SureStart Production Mode
Disable
*Enable
Select Language
*English
Deutsch
Espanol
Italiano
Francais
Japanese
Portugues
Dansk
Svenska
Nederlands
Norsk
Suomi
Simplified Chinese
Traditional Chinese
Select Keyboard Layout
*English
Deutsch
Espanol
Italiano
Francais
Japanese
Portugues
Dansk
Svenska
Nederlands
Norsk
Suomi
Simplified Chinese
Traditional Chinese
Sunday
*Disable
Enable
Monday
*Disable
Enable
Tuesday
*Disable
Enable
Wednesday
*Disable
Enable
Thursday
*Disable
Enable
Friday
*Disable
Enable
Saturday
*Disable
Enable
BIOS Power-On Hour
0
BIOS Power-On Minute
0
Power On When AC Detected
*Disabled
Enabled
Power On When Lid is Opened
*Disabled
Enabled
Startup Menu Delay (sec.)
*0
5
10
15
20
25
30
35
40
45
50
55
60
Fast Boot
Disable
*Enable
Audio Alerts During Boot
Disable
*Enable
NumLock on at boot
*Disable
Enable
CD-ROM Boot
Disable
*Enable
Prompt on Memory Size Change
Disabled
*Enabled
USB Storage Boot
Disable
*Enable
Network (PXE) Boot
Disable
*Enable
Prompt on Fixed Storage Change
*Disabled
Enabled
Prompt on Battery Errors
Disable
*Enable
Legacy Boot Options
Disable
*Enable
Legacy Boot Order
HDD:USB:1
HDD:SATA:1
NETWORK:EMBEDDED:1
UEFI Boot Options
Disable
*Enable
UEFI Boot Order
HDD:SATA:1
HDD:USB:1
NETWORK IPV4:EMBEDDED:1
NETWORK IPV6:EMBEDDED:1
Smart Card Reader Power Setting (if present)
Always powered on
*Powered on if card is present
Launch Hotkeys without Fn Keypress
*Disabled
Enabled
Power Control
*Disable
Enable
Swap Fn and Ctrl (Keys)
*Disabled
Enabled
Lock Wireless Button
*Disabled
Enabled
Fan Always on while on AC Power
*Disabled
Enabled
Wake on LAN on DC mode
*Disabled
Enabled
Boost Converter
Disabled
*Enabled
Backlit keyboard timeout
5 secs.
*15 secs.
30 secs.
1 min..
5 mins.
Never.
Fan Quiet Mode
*Disabled
Enabled
Bluetooth
Disabled
*Enabled
Wireless Network Device (WLAN)
Disabled
*Enabled
LAN / WLAN Auto Switching
Disabled
*Enabled
Configure Legacy Support and Secure Boot
Legacy Support Enable and Secure Boot Disable
*Legacy Support Disable and Secure Boot Enable
Legacy Support Disable and Secure Boot Disable
Import Custom Secure Boot keys
*Do Nothing
On next boot
Clear Secure Boot keys
*Disable
Enable
Reset Secure Boot keys to factory defaults
*Disable
Enable
Enable MS UEFI CA key
No
*Yes
Ready to disable MS UEFI CA Key
Not Ready
*Ready
Custom Keys Image Verification State
*No Custom Keys
Fail
Success
Enable Turbo Boost on DC
*Disable
Enable
Audio Device
Disable
*Enable
Embedded LAN controller
Disable
*Enable
Wake On LAN
Disabled
*Boot to Network
Boot to Hard Drive
Boot to Normal Boot Order
Integrated Microphone
Disable
*Enable
Internal Speakers
Disable
*Enable
Runtime Power Management
Disable
*Enable
Extended Idle Power States
Disable
*Enable
Headphone Output
Disable
*Enable
Wake unit from sleep when lid is opened
*Disabled
Enabled
Disable Battery On Next Boot
*Do not disable
Next shut down
Wake on USB
Disable
*Enable
PCI Express Power Management
Disable
*Enable
Integrated Camera
Disable
*Enable
Fingerprint Device
Disable
*Enable
Video Memory Size
*32 MB
64 MB
128 MB
256 MB
512 MB
M2 SSD1
Disable
*Enable
SATA1
Disable
*Enable
Media Card Reader
Disable
*Enable
Restrict USB Devices
*Allow all USB Devices
Allow only keyboard and mouse
Allow all but storage devices and hubs
USB Charging Port Function
Disable
*Enable
Disable Charging Port in sleep/off if battery below (%):
10
Left USB Ports
Disable
*Enable
Right USB Ports
Disable
*Enable
Right USB Port 1
Disable
*Enable
Right USB Port 2
Disable
*Enable
Docking USB Ports
Disable
*Enable
Smart Card
Disabled
*Enabled
Configure Option ROM Launch Policy
All Legacy
*All UEFI
All UEFI Except Video
Turbo-boost
Disable
*Enable
Hyperthreading
Disable
*Enable
Multi-processor
Disable
*Enable
Virtualization Technology (VTx)
Disable
*Enable
Virtualization Technology for Directed I/O (VTd)
Disable
*Enable
Trusted Execution Technology (TXT)
*Disable
Enable
Deep Sleep
Off
*On
Update Source
*HP
Custom
Automatically Check for Updates
Daily
Weekly
*Monthly
Automatic BIOS Update Setting
*Disable
Let user decide whether to install updates
Install all updates automatically
Install only important updates automatically
Update Address

Force Check on Reboot
*Disable
Enable
Update BIOS via Network
Disable
*Enable
Use Proxy
*Disable
Enable
Proxy Address

DNS Configuration
*Automatic
Manual
DNS Addresses

Data transfer timeout
30
IPv4 Address

IPv4 Configuration
*Automatic
Manual
IPv4 Gateway

IPv4 Subnet Mask

Connected BIOS
Disable
*Enable
Force HTTP no-cache
*Disable
Enable
Save Custom Defaults
*Do not Save
Save
Apply Custom Defaults and Exit
*No
Yes
Apply Factory Defaults and Exit
*No
Yes
Restore Security Settings to Factory Defaults
*Disable
Enable

TryToDoMybest · ‎11-21-2017

Hello

in the cuurent setting there is :

Physical Presence Interface
Disable
*Enable

you have to change it to:

Physical Presence Interface
*Disable
Enable

bye

Create an account on the HP Community to personalize your profile and ask a question