
How To Change TPM Modes 1.22.0

Current Revision posted to Enterprise Client - Wiki by DELL-Amy N on 8/22/2017 8:38:47 PM

Is my platform capable of switching modes?

Several Dell Latitude, Optiplex, and Precision platforms shipping in 2015 are capable of switching between 1.2 and 2.0 modes in the field.

 

Detecting mode switch capability:

In addition to the list of supported platforms below, there are a few ways to detect in real time whether a platform supports Dell discrete TPM mode switching:

  1. Windows PowerShell can be used to query the TPM vendor ID (ManufacturerId) and TPM firmware version (ManufacturerVersion).
    1. From an elevated (administrator) command prompt, run: powershell.exe Get-Tpm
    2. For Dell platforms that support TPM mode changes, the Get-Tpm output should include:
      1. ManufacturerId: 1464156928 (1.2 mode) or 1314145024 (2.0 mode). The value is the vendor's four-character ASCII ID packed into a 32-bit integer: 1464156928 = 0x57454300 = "WEC" (Winbond) and 1314145024 = 0x4E544300 = "NTC" (Nuvoton), which is the same Manufacturer Name that tpm.msc displays.
      2. ManufacturerVersion: 5.81 (1.2 mode) or 1.3 (2.0 mode)

  2. The Windows TPM management snap-in (tpm.msc) can be used to inspect the vendor and version visually.
    1. From a command prompt, the Windows search bar, or the Run dialog (Windows key + R), type tpm.msc and press Enter.
    2. For Dell platforms that support TPM mode changes, the TPM Manufacturer Information area near the bottom of the Trusted Platform Module (TPM) Management on Local Computer window shows:
      1. Manufacturer Name: WEC (1.2 mode) or NTC (2.0 mode)
      2. Manufacturer Version: 5.81 (1.2 mode) or 1.3 (2.0 mode)
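The same detection, scripted. This is an added example and not part of the Dell article: it decodes the packed ManufacturerId back into the vendor string and classifies the mode using the vendor/version pairs listed above. The function names and the constructed sample objects are this example's own; when run with no input on a real Dell system from an elevated prompt, it queries Get-Tpm directly.

```powershell
# Added example (not Dell's code). Decode Get-Tpm's ManufacturerId and report
# whether the TPM is in 1.2 or 2.0 mode on a Dell mode-switchable platform.

function ConvertFrom-TpmManufacturerId {
    # The TPM vendor ID is four ASCII bytes packed big-endian into a uint32,
    # e.g. 0x57454300 = "WEC\0" (Winbond) and 0x4E544300 = "NTC\0" (Nuvoton).
    param([Parameter(Mandatory)][uint32]$Id)
    $bytes = [System.BitConverter]::GetBytes($Id)
    if ([System.BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return ([System.Text.Encoding]::ASCII.GetString($bytes)).TrimEnd([char]0)
}

function Get-DellTpmMode {
    # Accepts the object returned by Get-Tpm, or any object exposing
    # ManufacturerId and ManufacturerVersion (so it can be exercised offline).
    param([Parameter(ValueFromPipeline)][object]$Tpm)
    process {
        if (-not $Tpm) { $Tpm = Get-Tpm }   # live query when nothing is piped in
        $vendor  = ConvertFrom-TpmManufacturerId -Id ([uint32]$Tpm.ManufacturerId)
        $version = [string]$Tpm.ManufacturerVersion

        # Vendor/version pairs are the ones the article lists for switchable Dell TPMs.
        if     ($vendor -eq 'WEC' -and $version -eq '5.81') { $mode = 'TPM 1.2 (Dell mode-switchable)' }
        elseif ($vendor -eq 'NTC' -and $version -eq '1.3')  { $mode = 'TPM 2.0 (Dell mode-switchable)' }
        else                                                  { $mode = 'not a Dell mode-switchable TPM' }

        [pscustomobject]@{
            ManufacturerId      = $Tpm.ManufacturerId
            Vendor              = $vendor
            ManufacturerVersion = $version
            Mode                = $mode
        }
    }
}

# Constructed sample inputs (not captured from real hardware): the two values
# from the article plus an Infineon part (0x49465800 = "IFX") that does not qualify.
$samples = @(
    [pscustomobject]@{ ManufacturerId = 1464156928; ManufacturerVersion = '5.81' },
    [pscustomobject]@{ ManufacturerId = 1314145024; ManufacturerVersion = '1.3'  },
    [pscustomobject]@{ ManufacturerId = 1229346816; ManufacturerVersion = '7.2'  }
)
$samples | Get-DellTpmMode | Format-Table -AutoSize

# On a real Dell system, from an elevated PowerShell prompt:
#   Get-DellTpmMode
```

The version strings are compared exactly because those are the only two values the article documents; if Dell ships a later firmware for the same parts, the Vendor column still tells you which mode the TPM is in while the Mode column will flag it for review.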

 

Platforms which support TPM 1.2-2.0 mode changes:

Platforms listed on the Dell TPM Platform Support page with support indicated for both TPM 1.2 and TPM 2.0 support mode changes.

 

Instructions for switching modes using the TPM update utility:

End users can switch modes using a Dell-provided TPM firmware update utility. A few steps are required, and they can be performed manually by a physically present user or automated for remote deployment:

  1. Download the appropriate utility (select either the 1.2 or 2.0 utility, depending on which mode you want)
  2. Clear the TPM owner
  3. Run the utility to change the mode

 

1. Downloading the TPM update utility:

If your platform supports mode changes, the 1.2 and 2.0 mode change utilities are available for download here.

2. Clearing the TPM:

During the TPM mode change, the TPM firmware update utility warns that data stored in the TPM will not be retained and that the TPM owner must be cleared beforehand.

Data that may be erased when the TPM owner is cleared:

    • BitLocker protection keys
      • Before the TPM mode change, the BitLocker TPM key protector can be suspended temporarily with manage-bde.exe -protectors -disable <drive letter> (or the Suspend-BitLocker PowerShell cmdlet), without decrypting the contents of the encrypted drive. Note that while protectors are suspended the volume is readable without authentication, so keep the window between suspending and resuming as short as possible.
      • The BitLocker TPM key protector can be re-enabled after the mode change manually (manage-bde.exe -protectors -enable <drive letter>, or Resume-BitLocker), or automatically by specifying a number of reboots with the -RebootCount option when suspending, after which the OS re-enables the TPM protector on its own. Have the recovery password at hand in case the protector cannot be re-sealed to the new TPM.

 

    • Virtual smart card configuration (enterprise Windows 8.x and later)
      • Virtual smart cards used for logon will need to be re-enrolled after a TPM mode change, because the keys they hold live in the TPM.

 

    • Measured Boot remote attestation measurement values (enterprise Windows 8.x and later)
      • Measured Boot remote attestation services may need to be re-enabled or re-enrolled after a TPM mode change, depending on the remote attestation service provider, since the attestation identity keys and the baseline PCR values are tied to the old TPM state.

 

    • Other secrets stored by TPM-capable software (such as Dell Data Protection)

 

2.1.  A note regarding automatic ownership of TPM:

Depending on the OS, Windows may automatically re-take ownership of the TPM on the first reboot after it has been cleared. This auto-provisioning behavior is normal, but it interferes with changing TPM modes with the Dell TPM update utility, which requires an unowned TPM. To avoid the TPM being re-owned after you clear it, configure the OS to pause auto-provisioning temporarily.

Here are a few options for temporarily pausing the automatic TPM ownership feature in Windows:

    • Registry value:
      • Set HKLM\System\CurrentControlSet\Services\Tpm\WMI\NoAutoProvision (REG_DWORD) to 1

 

    • PowerShell:
      • PS C:\> Disable-TpmAutoProvisioning (optionally, the -OnlyForNextRestart switch lets auto-ownership resume on the subsequent reboot)
      • Note that this setting is ignored if the owner is cleared with the TPM management console snap-in (tpm.msc). If you disable auto-provisioning this way, clear the TPM with PowerShell or from BIOS Setup, as described below.

 

    • Use an alternate OS to perform the TPM mode change:
      • Operating systems such as Windows 7 and Windows PE do not automatically take ownership of the TPM, and can be used to clear the TPM and then launch the Dell TPM update utility.

 

2.2.  Clearing the TPM with PowerShell:

The TPM can be cleared from an elevated PowerShell prompt with Clear-Tpm. The cmdlet returns an object whose RestartRequired property indicates whether the clear is completed by the firmware on the next boot; in that case the firmware may ask a physically present user to confirm the clear.
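The preparation steps above (suspend BitLocker, pause auto-provisioning, clear the owner) collected into one script. This is an added example and not part of the Dell article or utility; it is meant to run from an elevated Windows PowerShell prompt on the target system. The parameter names, the -DryRun switch and the optional -UtilityPath (the article does not name the utility's executable, so the caller supplies it) are this example's own.

```powershell
# Added example (not Dell's code): pre-flight for a Dell TPM mode change.
#   1. suspend BitLocker TPM protectors for a bounded number of reboots,
#   2. stop Windows from re-taking ownership after the clear,
#   3. clear the TPM owner,
#   4. verify the state the Dell utility expects (TPM present, not owned).
param(
    [string[]]$MountPoint = @('C:'),
    [int]$RebootCount = 2,        # protectors resume automatically after this many boots
    [string]$UtilityPath,         # optional: path to the downloaded Dell TPM update utility (assumed)
    [switch]$DryRun               # report state only; change nothing
)

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) { throw 'Run this script from an elevated PowerShell prompt.' }
Import-Module BitLocker, TrustedPlatformModule -ErrorAction Stop

# 1. Suspend BitLocker on every requested volume that currently has protection on.
#    The volume stays encrypted; only the protectors are disabled until resumed.
foreach ($mp in $MountPoint) {
    $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
    if ($vol -and $vol.ProtectionStatus -eq 'On') {
        Write-Host "Suspending BitLocker on $mp for $RebootCount reboot(s)"
        if (-not $DryRun) { Suspend-BitLocker -MountPoint $mp -RebootCount $RebootCount | Out-Null }
    }
}

# 2. Pause auto-provisioning so Windows does not re-own the TPM on the next boot
#    (same effect as HKLM\System\CurrentControlSet\Services\Tpm\WMI\NoAutoProvision = 1).
#    Per the article this is ignored if you clear via tpm.msc, so we clear with Clear-Tpm.
if (-not $DryRun) { Disable-TpmAutoProvisioning -OnlyForNextRestart | Out-Null }

# 3. Clear the TPM owner. RestartRequired means the firmware finishes the clear
#    on reboot, possibly after a physical-presence confirmation prompt.
if (-not $DryRun) {
    $result = Clear-Tpm
    if ($result.RestartRequired) {
        Write-Warning 'TPM clear is pending a restart. Reboot, then re-run this script with -DryRun to verify.'
    }
}

# 4. Verify the preconditions the Dell utility checks for before launching it.
$tpm = Get-Tpm
$checks = [ordered]@{
    TpmPresent          = [bool]$tpm.TpmPresent
    OwnerCleared        = (-not [bool]$tpm.TpmReady)        # TpmReady is true only when owned
    AutoProvisioningOff = ($tpm.AutoProvisioning -ne 'Enabled')
}
[pscustomobject]$checks | Format-List

if ($checks.Values -contains $false) {
    Write-Warning 'Preconditions not met; do not launch the TPM update utility yet.'
} elseif ($UtilityPath -and -not $DryRun) {
    # The Dell utility schedules the firmware change and reboots the system itself.
    Start-Process -FilePath $UtilityPath -Wait
}
```

Run it once with -DryRun to see the current state, then without it; if Clear-Tpm reports a pending restart, reboot and run -DryRun again before starting the utility. Because -OnlyForNextRestart is used, auto-provisioning comes back by itself on the boot after the mode change.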

 

2.3.  Clearing the TPM from BIOS Setup:

The TPM can also be cleared manually from the Dell BIOS Setup menu (for complete details on accessing and using the Setup menu, refer to the Dell owner's manual):

    1. Reboot your Dell PC
    2. Press the F2 key when you see the Dell logo (this will launch the BIOS setup menu)
    3. Navigate to the Security > TPM Security sub-menu
    4. Select the checkbox marked Clear
    5. Use the mouse or the Tab key to select the Exit button, and save the settings if prompted.

 

3. Running the TPM update utility

 

On Windows, the TPM update utility can be launched from an administrator command prompt or by double-clicking the executable.

The TPM update utility will also run in WinPE (with TPM Base Services enabled) or in DOS.

 

For reference, here is an excerpt of the installation instructions provided with the Dell TPM update utility:

Installation instructions

Dell TPM Update Utility for Windows/DOS

Download

1. Click "Download File", to download the file.

2. When the File Download window appears, click Save to save the file to your hard drive.

Clear the TPM (See Note 2, 3, and 4)

1. Before running the TPM update utility, clear the TPM Owner. (From the OS, or from BIOS Setup).

 

Run the TPM update utility from Windows environment

1. Browse to the location where you downloaded the file and double-click the new file.

2. Windows System will auto restart and update the TPM during the system startup.

3. When the TPM update is finished, the system will auto reboot to take effect.

 

Run the TPM update utility from DOS environment, if Legacy Boot mode (Non-Windows users)

1. Copy the downloaded file to a bootable DOS USB key.

2. Power on the system, then Press F12 key and Select "USB Storage Device" and Boot to DOS prompt.

3. Run the file by typing the copied file name from the directory where the executable is located.

4. DOS system will auto restart and update the TPM during the system startup.

5. When the TPM update is finished, the system will auto reboot to take effect.

 

Run the BIOS update utility from DOS environment if UEFI Boot Mode (Non-Windows users)

1. Copy the downloaded file to a bootable DOS USB key.

2. Power on the system, then go to BIOS Setup by pressing F2 and go to "General > Boot Sequence > Boot List Option".

3. Change "UEFI" to "Legacy" of Boot List Option.

4. Click "Apply", "Exit" to save changes and reboot system.

5. Press F12, then Select "USB Storage Device" and Boot to DOS prompt.

6. Run the file by typing the copied file name from the directory where the executable is located.

7. When the TPM update is finished, the system will auto reboot to take effect.

8. Go to BIOS Setup by pressing F2 and go to "General > Boot Sequence > Boot List Option".

9. Change "Legacy" to "UEFI" Boot Option.

10. Click "Apply", "Exit" to save changes and reboot system.

 

--------------------------------------------------------------------------------

Note 1: You will need to provide a bootable DOS USB key. This executable file does not create the DOS system files.

Note 2: If BitLocker is enabled on your system, please make sure you suspend BitLocker encryption before updating the TPM on a BitLocker enabled system.

Note 3: The TPM must be ON and Enabled in BIOS Setup, and the TPM must not be owned. If the TPM is owned, go to BIOS Setup and clear the TPM before proceeding.

Note 4: When the TPM is cleared, some operating systems will automatically take ownership of the TPM on the next boot. This feature will need to be disabled to proceed with the update.

 

 

Next steps:

After completing the mode change, the TPM can be used normally. Depending on which TPM mode you selected, you may need to re-enable the TPM in the Dell BIOS before the OS can use TPM features; verify with Get-Tpm or tpm.msc (see above) that the vendor and version now match the mode you chose.

 

This can be accomplished in a few different ways:

 

Dell BIOS setup Menu

The TPM can be re-enabled using the Dell BIOS Setup Menu, which can be accessed by pressing the F2 key during a reboot, when the Dell logo is displayed on the screen.

 

To enable the TPM: Navigate to Security > TPM Security > Enable

 

The Dell BIOS TPM Enable setting can also be configured remotely, using the Dell Client Command Suite.

 

TPM.msc

Select the option on the right side of the tpm.msc window (see above for instructions on launching it) labeled Prepare the TPM for use.

 

Powershell

From an administrator PowerShell prompt, run Initialize-Tpm. The returned object's TpmReady property is true once the TPM is enabled, activated and owned; RestartRequired indicates that a reboot (possibly with a physical-presence prompt) is still needed.

Manage-bde.exe

Windows versions that support BitLocker include a utility called manage-bde.exe, which can perform some limited configuration of the TPM for BitLocker deployment. Descriptions of the TPM commands available with the Microsoft Windows manage-bde.exe tool can be found here.

Examples:

manage-bde.exe -tpm -turnon

manage-bde.exe -tpm -takeownership <owner password of your choosing>
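The post-change steps above (confirm the mode, re-initialise the TPM, resume BitLocker) as one script. This is an added example and not part of the Dell article; it is intended to run from an elevated Windows PowerShell prompt after the Dell utility has rebooted the system. The ManufacturerId constants are the values the article lists for the 1.2 (WEC) and 2.0 (NTC) modes; the parameter names are this example's own.

```powershell
# Added example (not Dell's code): verify and finish a Dell TPM mode change.
param(
    [Parameter(Mandatory)][ValidateSet('1.2', '2.0')][string]$ExpectedMode,
    [string[]]$MountPoint = @('C:')
)
Import-Module BitLocker, TrustedPlatformModule -ErrorAction Stop

# Vendor IDs from the article: 1464156928 = "WEC" (1.2 mode), 1314145024 = "NTC" (2.0 mode).
$expectedId = @{ '1.2' = [uint32]1464156928; '2.0' = [uint32]1314145024 }[$ExpectedMode]

$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw 'Windows does not see a TPM. Enable it in BIOS Setup (Security > TPM Security > Enable) and retry.'
}
if ([uint32]$tpm.ManufacturerId -ne $expectedId) {
    throw "TPM reports ManufacturerId $($tpm.ManufacturerId) (version $($tpm.ManufacturerVersion)); expected $expectedId for $ExpectedMode mode. The mode change did not take effect; check the BIOS TPM setting and re-run the utility."
}
Write-Host "TPM is in $ExpectedMode mode (ManufacturerVersion $($tpm.ManufacturerVersion))."

# Take ownership again. Initialize-Tpm returns a TpmObject: TpmReady=$true means the TPM
# is enabled, activated and owned; RestartRequired means a reboot (possibly with a
# physical-presence prompt) is still needed before it is usable.
$init = Initialize-Tpm
if ($init.RestartRequired) {
    Write-Warning 'Restart required to finish TPM initialisation; re-run this script after the reboot to resume BitLocker.'
} elseif (-not $init.TpmReady) {
    throw 'Initialize-Tpm did not bring the TPM to a ready state.'
}

# Undo the pre-change setting so Windows manages the TPM on future boots.
Enable-TpmAutoProvisioning | Out-Null

# Resume BitLocker. Resuming re-seals the volume master key to the current TPM,
# which is why the TPM must be ready first; the data itself was never decrypted.
if ($init.TpmReady) {
    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        if ($vol -and $vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
            Resume-BitLocker -MountPoint $mp | Out-Null
            Write-Host "BitLocker protection resumed on $mp"
        }
    }
}

# Not handled here: virtual smart cards and measured-boot attestation enrolments
# are bound to the old TPM and must be re-enrolled as the article describes.
```

Usage: `.\Finish-TpmModeChange.ps1 -ExpectedMode 2.0` (file name assumed). Checking ManufacturerId before touching BitLocker matters: if the utility did not take effect, re-sealing the protector to the wrong-mode TPM and then switching again would force another clear and another recovery cycle.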

 

 

Tags: TPM
