Using scripting or automation for TPM firmware updates from Dell

Summary: Guidelines for automating or using scripts to install or manage Dell TPM firmware updates.

Symptoms


If you need to script or otherwise automate the update and management of the TPM devices in your Dell systems, use the information and steps in this article.


FAQ on TPM Automation

Can Dell provide an automated script to update TPM firmware or activate a TPM?

No. Dell can provide the steps and utilities necessary for updating the TPM firmware, but we are unable to provide a script. Scripting is something customers need to do themselves as every environment is different.

Can a customer completely automate the TPM firmware update via script?

Latitude, Precision, and OptiPlex systems support automation via a combination of PowerShell and Dell Command Configure (DCC). This is possible because these models feature an additional BIOS function called "PPI Bypass Clear".

It is recommended that the person scripting the TPM firmware update be familiar with the Win32_Tpm WMI class by reviewing Microsoft's documentation for the Win32_Tpm class.

What can be automated?

NOTE: Some of these features may require a BIOS update, Dell Command Configure 4.0 or newer, and a BIOS administrator password to be set.
  • TPM enable: Automation available using Dell Command Configure "PPI Bypass Enable" option.
  • TPM disable: Automation available using Dell Command Configure "PPI Bypass Disable" option.
  • TPM Clear: Automation available using Dell Command Configure "PPI Bypass Clear" option and PowerShell to request clear.
    • Dell Command Configure lists a clear option, but this only reflects the option in BIOS and does not push a clear to the system.
  • Change Hash Algorithm: Automation available via Dell Command Configure.

Is there a silent installer option for TPM firmware?

Yes. The current version of the TPM firmware posted on Dell's Support website supports the /s switch, which performs a silent install.

How can I find the TPM firmware version?

The TPM firmware version is shown when running the installer: it reports the current version and the version you are about to install. You can also get the firmware version by running the Get-Tpm command from a PowerShell window run as administrator.

While Windows 7 and above can read the TPM firmware version using PowerShell, it does not display the FULL version number. Only in Windows 10 version 1703 (RS2) and higher can you see the full version and only with a TPM that is in 2.0 Mode (Figure 1).

Figure 1: Windows 10 1703 showing TPM full version number
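The following function is an added example, not code from the Dell article. It reads the same Win32_Tpm properties that Get-Tpm reports, returns the full version only when one is available, and explains why it is not (TPM in 1.2 mode, or a Windows build older than 1703, whose build number is 15063). The Test-TpmFirmwareAtLeast helper and the target version string are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not Dell's code): report the TPM firmware version in the most
# complete form this Windows build and TPM mode can give.
function Get-TpmVersionReport {
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
    if (-not $tpm) { throw 'No TPM visible to Windows (absent, disabled in BIOS, or session not elevated)' }

    # SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3"; the first field is the TPM mode
    $spec  = ($tpm.SpecVersion -split ',')[0].Trim()
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $full  = $tpm.ManufacturerVersionFull20

    $reason = if ($full)               { $null }
              elseif ($spec -ne '2.0') { "TPM is in $spec mode; the full version is only exposed in 2.0 mode" }
              elseif ($build -lt 15063){ "Windows build $build is older than Windows 10 1703 (build 15063)" }
              else                     { 'TPM or driver did not report ManufacturerVersionFull20' }

    [pscustomobject]@{
        SpecVersion   = $spec
        ShortVersion  = $tpm.ManufacturerVersion        # what every supported Windows version shows
        FullVersion   = $full                           # null when not available
        FullAvailable = [bool]$full
        WhyNoFull     = $reason
    }
}

# Hypothetical comparison against the version on the Dell download page. Uses the full
# version when present, the short one otherwise, and falls back to a string compare when
# the vendor string is not a dotted number.
function Test-TpmFirmwareAtLeast {
    param([Parameter(Mandatory)][string]$Target)
    $r = Get-TpmVersionReport
    $current = if ($r.FullAvailable) { $r.FullVersion } else { $r.ShortVersion }
    try   { return ([version]$current -ge [version]$Target) }
    catch { return ($current -eq $Target) }
}

Get-TpmVersionReport | Format-List
Test-TpmFirmwareAtLeast -Target '0.0.0.0'   # placeholder target; replace with the posted version
```

Because the short version can be a prefix of the full one, a deployment that parses Get-Tpm output should compare whichever form the system can actually report rather than assuming the full string is always present.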


Automating TPM Ownership

Dell enables the TPM by default on any system that ships with Windows 10. On Skylake and Kaby Lake systems where the TPM is not yet enabled, it can be enabled remotely by scripting Dell Command Configure with the BIOS option for PPI Bypass Enable.

NOTE: Dell recommends updating the TPM firmware on any Skylake or Kaby Lake system that shipped prior to November 13, 2017 before using the TPM.

If a TPM is owned but disabled, Dell Command Configure will not enable the TPM. This is working as designed and is in place as a security measure. There is no supported method for enabling a TPM in 2.0 mode in this configuration. PowerShell has to be used to send the command that enables and activates a TPM in 1.2 mode. Example:

(Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm).SetPhysicalPresenceRequest(22)
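The one-liner above submits the request unconditionally. The function below is an added example (not Dell's code) that wraps the same Win32_Tpm call: it checks the TPM state first, sends request 22 only in the owned-but-disabled case the article describes, verifies the WMI return value, and reports whether a reboot or shutdown is needed to complete the physical presence transition. The function name is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not Dell's code): guarded version of the article's
# SetPhysicalPresenceRequest(22) call for an owned-but-disabled TPM.
function Request-TpmEnableActivate {
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
    if (-not $tpm) { throw 'No TPM visible to Windows (absent, disabled in BIOS, or session not elevated)' }

    # Each Win32_Tpm query method returns an object whose property carries the boolean
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned

    if ($enabled -and $activated) {
        return 'TPM is already enabled and activated; no request sent'
    }
    if (-not $owned) {
        # Not the case the article covers: an unowned TPM is the Dell Command Configure PPI Bypass Enable path
        return 'TPM is not owned; use Dell Command Configure PPI Bypass Enable instead of a PPI request'
    }

    # Same request the article shows (operation 22) for the owned-but-disabled 1.2-mode TPM
    $rc = $tpm.SetPhysicalPresenceRequest(22).ReturnValue
    if ($rc -ne 0) {
        throw ('SetPhysicalPresenceRequest(22) failed with 0x{0:X8}' -f $rc)
    }

    # Transition: 0 = none, 1 = shutdown required, 2 = reboot required, 3 = OS vendor specific
    switch ($tpm.GetPhysicalPresenceTransition().Transition) {
        0 { 'Request accepted; no restart required' }
        1 { 'Request queued; a shutdown is required for the BIOS to apply it' }
        2 { 'Request queued; a reboot is required for the BIOS to apply it' }
        default { 'Request queued; vendor-specific transition, check BIOS' }
    }
}

Request-TpmEnableActivate
```

Checking the transition value lets a deployment tool decide whether to schedule a reboot, rather than assuming the request took effect immediately.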


Automating TPM Firmware Update

These steps can be scripted or done manually using combinations of Dell Command Configure and PowerShell:

  1. Check TPM firmware version to see if update is needed
    • PowerShell get-tpm command can be used to verify current version. This can be sent to file and parsed to verify if an update is necessary.
  2. Suspend any security that uses the TPM (for example, suspend or decrypt BitLocker)
    • Automation means varies by program
  3. Disable Windows Auto Provisioning if needed (Windows 8/10)
    • PowerShell command: Disable-TpmAutoProvisioning
  4. Update the BIOS to ensure the PPI bypass options are present
  5. Use Dell Command Configure to set a BIOS password
    • CCTK --SetupPwd=<BIOS Password>
  6. Enable the PPI bypass for clear using Dell Command Configure
    • CCTK --TpmPpiClearOverride=Enabled --ValSetupPwd=<BIOS Password>
  7. Clear TPM
    • Requires PowerShell commands and cannot be done via Dell Command Configure
  8. Run TPM firmware update
    • The Dell TPM Firmware can be run using the "/s" switch to run silently
  9. Disable the PPI bypass for clear using Dell Command Configure
    • CCTK --TpmPpiClearOverride=Disabled --ValSetupPwd=<BIOS Password>
  10. Enable Windows Auto Provisioning if needed, then reboot or take ownership of the TPM
    • PowerShell command: Enable-TpmAutoProvisioning
  11. Enable any TPM based security such as Bitlocker
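The script below is an added example that strings the eleven steps above together; it is not a Dell-provided script. It is split into three phases because the TPM clear (step 7) and the re-provisioning (step 10) each take effect on a reboot, so the same script is invoked once per boot. The cctk.exe path, the firmware installer path, the target version, the exit codes accepted from the installer, and the function names are assumptions to adapt to your environment; the BIOS password is passed as a parameter so it is not stored in the script. PPI operation 5 is the clear request defined by the TCG physical presence interface, and -RebootCount 0 keeps BitLocker suspended until it is explicitly resumed.

```powershell
#Requires -RunAsAdministrator
# Added example (not Dell's script): phases 'Prepare' (steps 1-7), 'Flash' (8-10)
# and 'Resume' (11), run once each, with a reboot between them.
param(
    [ValidateSet('Prepare', 'Flash', 'Resume')][string]$Phase = 'Prepare',
    [Parameter(Mandatory)][string]$BiosPassword,
    [string]$TargetVersion     = '0.0.0.0',                                   # placeholder: version on the Dell download page
    [string]$FirmwareInstaller = 'C:\Deploy\TPM_FIRMWARE_PLACEHOLDER.exe',     # placeholder: Dell TPM firmware package
    [string]$Cctk              = "${env:ProgramFiles(x86)}\Dell\Command Configure\X86_64\cctk.exe"  # assumed default install path
)

function Invoke-Cctk {
    param([string[]]$CctkArgs)
    & $Cctk @CctkArgs | Out-Null
    # Report only the first option so the password value never lands in a log
    if ($LASTEXITCODE -ne 0) { throw "cctk $($CctkArgs[0]) failed with exit code $LASTEXITCODE" }
}

function Get-TpmFirmwareVersion {
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
    if ($tpm.ManufacturerVersionFull20) { $tpm.ManufacturerVersionFull20 } else { $tpm.ManufacturerVersion }
}

switch ($Phase) {
    'Prepare' {
        # Step 1: stop early if the target firmware is already installed
        $current = Get-TpmFirmwareVersion
        if ($current -eq $TargetVersion) { Write-Output "TPM already at $current; nothing to do"; return }
        Write-Output "TPM firmware $current -> $TargetVersion"

        # Step 2: suspend BitLocker on every protected volume until we resume it in the last phase
        Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } |
            ForEach-Object { Suspend-BitLocker -MountPoint $_.MountPoint -RebootCount 0 | Out-Null }

        # Step 3: keep Windows from re-owning the TPM the moment it is cleared
        Disable-TpmAutoProvisioning | Out-Null

        # Step 4 (BIOS update) is assumed to have been done by your normal BIOS deployment.

        # Steps 5-6: set the BIOS password and open the PPI bypass for clear (article's cctk options)
        Invoke-Cctk "--SetupPwd=$BiosPassword"
        Invoke-Cctk "--TpmPpiClearOverride=Enabled", "--ValSetupPwd=$BiosPassword"

        # Step 7: queue the clear (PPI operation 5); with the bypass enabled the BIOS applies it on reboot without a prompt
        $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
        $rc = $tpm.SetPhysicalPresenceRequest(5).ReturnValue
        if ($rc -ne 0) { throw ('SetPhysicalPresenceRequest(5) failed with 0x{0:X8}' -f $rc) }
        Restart-Computer -Force
    }
    'Flash' {
        # Step 8: silent install with the article's /s switch; 0 = success, 2 = success, reboot required (assumed codes)
        $p = Start-Process -FilePath $FirmwareInstaller -ArgumentList '/s' -Wait -PassThru
        if ($p.ExitCode -notin 0, 2) { throw "firmware installer exited with $($p.ExitCode)" }

        # Step 9: close the bypass again so a future clear needs a physically present user
        Invoke-Cctk "--TpmPpiClearOverride=Disabled", "--ValSetupPwd=$BiosPassword"

        # Step 10: let Windows take ownership on the next boot
        Enable-TpmAutoProvisioning | Out-Null
        Restart-Computer -Force
    }
    'Resume' {
        # Step 11: only re-arm BitLocker once the TPM is owned and ready, or the protector cannot be sealed
        $state = Get-Tpm
        if (-not ($state.TpmReady -and $state.TpmOwned)) {
            throw "TPM not ready (owned=$($state.TpmOwned), ready=$($state.TpmReady)); resume BitLocker after provisioning completes"
        }
        Write-Output "TPM firmware now $(Get-TpmFirmwareVersion)"
        Get-BitLockerVolume |
            Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off' } |
            ForEach-Object { Resume-BitLocker -MountPoint $_.MountPoint | Out-Null }
    }
}
```

Run it as `.\Update-DellTpm.ps1 -Phase Prepare -BiosPassword <value>` on the first boot, `-Phase Flash` after the clear has been applied, and `-Phase Resume` after the re-provisioning reboot; a deployment tool's run-once or scheduled-task mechanism carries the phase across reboots. Disabling the PPI bypass in step 9 before re-enabling BitLocker matters because, while the bypass is on, a TPM clear no longer requires a physically present user.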

How do I know if a system can be flashed with a new TPM firmware?

Dell offers a variety of systems with different TPM solutions. You can verify if a system supports a TPM firmware update by visiting the Dell support site and looking under "Drivers & Downloads" for that model. TPM firmware updates will be listed under the "Security" category.

NOTE: Only a limited range of Skylake and Kaby Lake systems support both TPM 1.2 and 2.0 modes. To swap modes you must flash the firmware for the desired mode. Any system that does not list both modes in the "Drivers & Downloads" section does not support swapping modes.

Article Properties


Affected Product

Security, Software

Last Published Date

21 Feb 2021

Version

3

Article Type

Solution
