HP Recommended
HP Z2 G4
Microsoft Windows 10 (64-bit)

My question is how to enable TPM on my PC to use Windows BitLocker?

I tried to enable TPM on my HP Z2 G4 but cannot find the "TPM Embedded Security" option in my BIOS.

Our case has a barcode label that says TPM is disabled, but I checked that an Infineon SLB 9670 VQ20 chip is physically located on the motherboard.

[Image: TPM DISABLED label at bottom of case] [Image: TPM chip SLB9670 is on motherboard]

I have already set a BIOS admin password, as required on some HP models, and updated the BIOS to the newest version 1.07, but the TPM option is still hidden in the Security tab.

I tried to use the HP Client Management Script Library to get all BIOS info with the command "Get-HPBiosSettingsList"; the result doesn't have a TPM option either. You can check the result (quite long) at this link: Z2 G4 BIOS setting - Pastebin.com

 

Thank you

 

 

HP Recommended

Some countries do not allow a functioning TPM crypto chip; for these countries HP disables the TPM through a "Featurebyte" setting or through the BIOS.

 

There is no known way to change these settings; you must replace the motherboard with one that allows TPM, and doing so in regions that prohibit this is illegal and can get you in serious legal trouble.

 

https://www.gp-digital.org/world-map-of-encryption/

HP Recommended

All of my PCs have had TPM 1.2 or 2.0 since a decade ago, and a lot of PCs and retail motherboards have TPM 2.0, so I can use encryption legally in my country. There is an Infineon TPM chip on the motherboard, so I think changing a flag or something in Intel ME or reflashing the BIOS can solve the problem...

HP Recommended

Again... read carefully what I wrote: simply because a TPM chip is on the board does not mean it's functional/enabled.

HP Recommended

Thank you. Let me check with local HP support to replace the motherboard.

HP Recommended

I wonder if that "TPM Disabled" label you show is on a workstation that is from a country where having a TPM device available is illegal.  If so I'm sure the HP engineers could disable it permanently so that they could sell stock hardware in that country.  A simple locked firmware flash would do it.  In the US I doubt such a label would be present to notify the owner that TPM has been set to default hidden and to go hunt in the manual for how to switch it from hidden to "Device Available" in BIOS.

 

Many of us, however, are clueless about TPM, and also to the fact that earlier generations of the HP workstations came from the factory with the TPM device set to hidden in BIOS, and that it would be reset to hidden if you restore BIOS to factory defaults in a workstation you had changed the TPM device to "available" from default hidden.  That particular saga is how I became less clueless about this option years ago.

 

So, that is another reason you may not be able to see/probe/use/update your TPM device... if it is "hidden" in BIOS.  The idea behind why system security would want to have a device hidden is because that makes the device not visible to the OS or to BIOS.  Device manager cannot see it so DM will not tell you that a driver is missing, etc.

 

The common earlier BIOS versions in HP workstations such as the xw and ZX00/ZX20 generations let you unhide the TPM by F10 into BIOS, go over to the Security tab, down to Device security, HP factory settings were to have Embedded Security Device set to Device Hidden.  Change that to Device Available.  F10 to save that and also save properly on the way out of BIOS.  Now you can probe the TPM, update it, configure it, etc.

 

The newer HP workstation BIOS starting with the ZX40 has much more complex BIOS navigation... yours has that too.  I have our ZX40 BIOS set to be able to use the Esc key to easily get into BIOS... repeated presses a bit faster than 1/second.  Once there go over to your Security tab, down to TPM Embedded Security, make sure it is set to TPM Device Available instead of Hidden, and also you'd want TPM State Enabled.

 

We're all having to learn this stuff now with the W11Pro64 fiasco.  I'm not going overboard on this yet because it is too soon.  There are TPM 1.2 to 2.0 updaters from HP for some of the later workstations such as the Z440/Z640.  I'll get around to upgrading this Z440 from 1.2 to 2.0.... it is a firmware update process and the old chip becomes the newer chip.  Not going to do that yet.... no rush.

 

From my side.... I really believe that HP can come out with a TPM updater for the ZX20 v2 generation.  They have done that for a large number of business PCs and laptops already.  By unhiding the TPM in a Z400 v2 I was able to get to it with a Toshiba TPM 1.2 updater to a more recent 1.2 version than it has from HP, and could have hit the Update button but chose not to.... maybe HP could even release an updater to TPM 2.0 for that generation of workstations.  I'd be happy as a clam if they'd just do it for the ZX20 v2 generation.

 

A final note.... MS has certain requirements that they lay on PC/workstation producers for which processor(s) must be present for MS to allow W11 to come pre-installed on them from the factory.  Same was true with earlier MS OS releases in the past.  That does not necessarily mean a souped-up Z640 (or maybe Z620 v2 with a flashed TPM 2.0 chip) would not run under W11.  Too soon to worry.  Start asking HP for TPM 1.2 to TPM 2.0 flash updater for your valuable workstations now.  Once you have that I believe you'll be golden.
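The two checks discussed in this thread (whether Windows can see the TPM, and whether the BIOS exposes any TPM setting through Get-HPBiosSettingsList) can be combined into one report. This is an added example, not code from any of the posters or from HP; the function name and the setting-name pattern are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Get-TpmVisibilityReport is a hypothetical helper name, not an HP or Microsoft cmdlet.
function Get-TpmVisibilityReport {
    # OS view: Get-Tpm ships with Windows (TrustedPlatformModule module).
    $os = $null
    try { $os = Get-Tpm -ErrorAction Stop }
    catch { Write-Warning "Get-Tpm failed (not elevated?): $($_.Exception.Message)" }

    # Firmware view: requires the HP Client Management Script Library (CMSL).
    $cmsl = [bool](Get-Command Get-HPBiosSettingsList -ErrorAction SilentlyContinue)
    $biosRows = @()
    if ($cmsl) {
        # Assumed name pattern; setting names differ between platforms and BIOS versions.
        $biosRows = @(Get-HPBiosSettingsList |
            Where-Object { $_.Name -match 'TPM|Embedded Security' })
    }

    $present = [bool]($os -and $os.TpmPresent)
    $ready   = [bool]($os -and $os.TpmReady)

    $verdict = if ($null -eq $os) {
        'Could not query Windows for TPM state; rerun from an elevated prompt.'
    } elseif ($present -and $ready) {
        'Windows sees the TPM and it is ready for use.'
    } elseif ($present) {
        'Windows sees the TPM but it is not ready; check TPM State in BIOS.'
    } elseif (-not $cmsl) {
        'Windows sees no TPM; install HP CMSL to inspect the BIOS settings.'
    } elseif ($biosRows.Count -gt 0) {
        'Windows sees no TPM, but BIOS lists TPM settings; look for Hidden or Disabled values.'
    } else {
        'Windows sees no TPM and BIOS lists no TPM settings to change.'
    }

    [pscustomobject]@{
        OsTpmPresent    = $present
        OsTpmReady      = $ready
        CmslInstalled   = $cmsl
        BiosTpmSettings = $biosRows | Select-Object Name, Value
        Verdict         = $verdict
    }
}

Get-TpmVisibilityReport | Format-List
```

The last verdict corresponds to the situation in the first post, where the chip is on the board but the BIOS settings list contains no TPM entry.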

HP Recommended

To "SDH": I personally don't think that HP is going to try to update the Zx20 line's TPM, the reasons being:

 

1. systems are way out of warranty

 

2. The TPM chip used is an SLB 9635 TT (Z800 and possibly the other models), which was EOL'd in 2013 and, as far as I know, is not hardware compatible with the 2.0 spec

 

https://www.mmc-sl.com/pcn/files/1205_BCM_Multi-Product_Hardware_PCN_Due_to_Infineon_TPM_EOL.pdf

 

HP does not write the firmware for the TPM chip; Infineon does, and they never wrote TPM 2.0 code for OEMs like HP to use.

 

What might be possible is to use a later model TPM chip that is pin compatible with the 9635, such as the SLB 9665 TT 2.0

 

https://www.digikey.com/htmldatasheets/production/71176/0/0/1/slb9635-tt-1-2-product-brief.html

 

https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solut...

 

Doing a swap like this requires "SKILL" AND A HOT AIR REWORK STATION; in other words, this is not a do-it-yourself project for most users... find a local shop willing to do this if you want to try this method.

 

Personally, like "sdh" says, it's way too early to get up in arms over this at this point in time.
