Is your system compatible with this?

Check the table below to see if your system is able to perform this switch. If it isn't, then I'm afraid this guide won't work for you.

Alternatively there are a couple of ways of checking this on your PC:

1. Windows Powershell can be used to query the TPM vendor ID (ManufacturerID) and TPM FW version (ManufacturerVersion).

   1. From a Windows search bar, type CMD to bring up the Command Prompt icon, right click on that icon and select run as an admin, then run this command :

      powershell.exe get-tpm

   2. For Dell platforms that support TPM mode changes, the output from powershell should include :

      1. Manufacturer ID : 1464156928 (1.2 mode) or 1314145024 (2.0 mode)

      2. Manufacturer Version : 5.81 (1.2 mode), or 1.3 (2.0 mode)

2. Windows TPM.msc snap-in can be used to visually inspect the vendor and version, as well.

   1. From a Windows command prompt, Windows search bar, or the Run window <Win+R> in the programs menu, you can launch the TPM snapin, by typing tpm.msc, and pressing the <Enter> key.

   2. For Dell platforms that support TPM mode changes, near the bottom of the Trusted Platform Module (TPM) Management on the Local Computer (tpm.msc snapin) window, you should be able to see some TPM manufacturer information :

      1. The Manufacturer Name field should say: WEC (1.2 mode) or NTC (2.0 mode)

      2. The Manufacturer Version field should say: 5.81 (1.2 mode) or 1.3 (2.0 mode)

Download the TPM Update Utility

You can download the utility on the link below:

• Dell TPM 2.0 Update Utility

Clear the TPM

Note: During the TPM mode change, the TPM firmware update utility will warn you that data stored in the TPM will not be retained, and that the TPM owner should be cleared.

Data that may be erased during this :

• Bitlocker Protection Keys
  • Bitlocker TPM key protection may be suspended temporarily using the mangebde.exe -disable switch, without decrypting the contents on the encrypted drive.
  • The Bitlocker TPM key protector can be re-enabled after the mode change manually or by specifying a number of reboots before the OS automatically re-enables the TPM protector.
• Virtual SmartCard configuration (enterprise Windows 8.x+)
  • Virtual SmartCard for login will need to be re-enrolled after a TPM mode change.
• Measured Boot remote attestation measurement values (enterprise Windows 8.x+)
  • Measured Boot remote attestation services may need to be re-enabled or re-enrolled after a TPM mode change, depending on the remote attestation service provider
• Other secrets stored by TPM-capable software (such as Dell Data Protection)

From within the BIOS

1. Reboot your PC

2. Tap rapidly on the <F2> key when you see the Dell Splash screen as it starts up.

3. Go to Security > TPM Security

4. Click on the checkbox marked Clear

5. Exit the BIOS, saving your settings.

From within Powershell

1. Run this Command from the command line:

   powershell clear-TPM

Note: The OS may try to automatically re-take ownership of the TPM after a reboot. You may want to take steps to pause this behaviour while you are still working on the TPM.

• Registry Key : set the HKLM\System\CurrentControlSet\Services\Tpm\WMI\NoAutoProvision to 1

Run the TPM update utility

Run the TPM update utility from Windows environment:

1. Browse to the location where you downloaded the update file and double-click it to run it.

2. Windows System will automatically reboot and update the TPM during the system startup.

3. When the TPM update is finished, the system will automatically reboot again to take effect.

Complete the update process

Go back into the BIOS and go back to Security > TPM Security and ensure the TPM is enabled.

Go back into the BIOS as Windows 10 needs the BIOS to be configured as a UEFI BIOS for Windows 10's installation.

Note: Dell Systems shipped before 2009 had a Legacy only BIOS. Dell Systems shipped between 2010 and 2011 could have been shipped as one type, but be capable of being changed to the other. All Dell systems shipped since 2012 will have been UEFI as standard. For this guide we expect your BIOS to be UEFI as we are dealing with the EXX70 series of systems.

There are some settings you need to ensure are set correctly:

1. Ensure the UEFI boot is chosen under the Boot tab.

2. Windows 10 should install with Secure Boot enabled. (Older operating systems may have a problem with this and secure boot would need to be disabled in order to run the installation media.)

3. Ensure the Load Legacy Option ROM is disabled.

4. Ensure the Boot List is set to UEFI.

5. Save and Exit.

Note: Reinstalling your Operating System will format and reinstall your Hard Drive. This means that you are starting from a blank disk and will lose anything you haven't backed up or kept a note of for reinstall. This includes things like product keys for any non-OEM software.

Reinstall Windows 10

The guide below takes your through installing Windows 10 using Dell media :

• How to install Windows 10 from the Dell ISO

Installing your Drivers

You can install your drivers from either the Resource DVD that came with your system or you can download the latest drivers for your PC from the Dell Support Site.

You can search on the support site using the terms "<Your Model type>", "Windows 10" & "Driver Install Order" to find an article that takes you through the install order for the majority of our Latitude PCs.

Configuring your system

At this point you can start to configure your PC the way you want it to run. This includes enabling BitLocker.

TPM 1.2 supports a single owner authorization. Using an RSA 2048b Endorsement Key (EK) for signing/attestation. While using a single RSA 2048b Storage Root Key (SRK) for encryption. This means the owner has control over both the signing/attestation and encryption functions of the TPM. In general, the SRK serves as the parent for any keys created in TPM 1.2. TPM 1.2 was specified as an opt-in device.

TPM 2.0 has the same functionality represented by the EK for signing/attestation and SRK for encryption as in 1.2, but the control is split into two different hierarchies in 2.0. The Endorsement Hierarchy (EH) and the Storage Hierarchy (SH). In addition to the EH and SH, TPM 2.0 also contains a Platform Hierarchy (PH) for maintenance functions, and a Null Hierarchy. Each hierarchy has its own unique "owner" for authorization. Because of this, TPM 2.0 supports 4 authorizations which would be analogous to the single TPM 1.2 owner.

In TPM 2.0, the new Platform Hierarchy is intended to be used by platform manufacturers. The Storage and Endorsement hierarchies, and the Null hierarchy will be used by OS's and OS-present applications. TPM 2.0 has been specified in a way that makes discovery and management less cumbersome than 1.2. TPM 2.0 has the capability to support RSA and ECC algorithms for Endorsement Keys and SRK's.

Firmware-based TPM

This is a TPM that operates using the resources and context of a multi-function/feature compute device (Such as an SoC, CPU, or other similar compute environment.).

Discrete TPM

This is implemented as an isolated, separate function/feature chip, with all necessary compute resources contained within the discrete physical chip package. A discrete TPM has full control of dedicated internal resources (Such as volatile memory, non-volatile memory, and cryptographic logic.), and it is the only function accessing and utilizing those resources.

TCG Certified discrete TPM

This is required to meet compliance and security requirements including hardening of the chip and its internal resources similar to smart cards. TCG compliance verifies the TPM correctly implements the TCG specifications. The hardening required by TCG certification allows a Certified discrete TPM to protect itself against more complicated physical attacks.

The table of encryption algorithms below provides a summary.