hi. i have tpm2.0 asus module http://a.co/4X8qGSb
its not possible to create admin ownership in windows 10 because firmware is not safe
tpm.msc and click on second option CLEAR TPM - reboot - and this same window CLEAR TPM..
no option to PREPARE!
but......... in uefi i turn off (disable) STORAGE HIERARCHY in SECURITY OPTION and work! PREPARE IS POSSIBLE! :cool:
but STORAGE HIERARCHY - what this. i study of 10 pages with try to explain and my head are overheat 😉
will anyone explain to me if turning off this option is crucial to secure a computer using a bitlocker?
and ASUS!!! please update firmware of this module!! :mad: im going to reddit #asustpm
In case it is helpful to someone, I found a way to update my Asus TPM-M R2.0 14-1 Pin TPM Module to the latest 5.62.3126.0 firmware (previously the TPM had the 5.61.2785.0 firmware with the vulnerability).
Supermicro (a great server company) sells Infineon-based TPMs - e.g., see http://supermicro.com/products/accessories/addon/AOM-TPM-9665V.cfm. Unlike Asus (:mad:) Supermicro has issued the latest firmware security updates for their Infineon TPM modules. Their update packages appear to be general Infineon updates, so I figured it'd be worth a try to update my Asus module using one.
Note that you should only attempt this sort of update if you know what you are doing!! If you aren't adept at the command line or if this is all new to you, then DO NOT ATTEMPT THIS. YOU CAN LOSE DATA IF YOU ARE USING BITLOCKER, etc.!!!
I'll explain what I did and if you want to try with your system/TPM module you will need to adapt as appropriate for your system.
1. You can find TPM update packages by browsing to ftp://ftp.supermicro.com/driver/TPM/. In my case I looked at the various firmwares included, and the "9665FW update package_1.1.zip" bundle contained firmware that matched my Asus TPM. So be sure to pick the right update bundle for your TPM (?).
2. I completely turned OFF and disable Bitlocker and Windows Hello. You must decrypt your drive so that the TPM is NOT in use!
3. I ran "tpm.msc" and executed the "Clear TPM..." option in Action. This rebooted the machine and the Asus BIOS had me press F12 to clear the TPM.
4. After rebooting again, I then booted into the BIOS and turned the TPM completely OFF in the BIOS settings. You must completely disable Windows' use of the TPM in order to update the firmware.
5. I booted back into Windows, and extracted the firmware update package bundle. For ease of operation I then copied the Windows update executable from the "...\Tools\WinPE\Bin\x64\" directory into the "...\Firmware\" directory.
6. I then ran an Administrator command prompt, and changed to the "...\Firmware\" directory. Then I ran "TPMFactoryUpd.exe -update config-file -config TPM20_latest.cfg". The updater detected my TPM, and flash updated to the latest firmware in the bundle. Again, if you try this your command line may need to be different (use "TPMFactoryUpd.exe -?" for command line help with the tool).
7. Then I rebooted back to the BIOS, turned the TPM back on, and re-enabled everything, and "tpm.msc" shows that my Asus TPM has been updated and no longer has the vulnerability.
Note that the update bundle also includes a UEFI updater that you can run from the BIOS, but I didn't bother doing that because I didn't have time to figure it out.
Anyway I hope this is helpful to others!
Thanks @RASMORTHIL this worked for me as well, now running 5.62.3126.0 and the warning is gone.
I'd previously tried finding straight-up Infineon firmware files but had no luck, the Supermicro FTP site was a great find. I didn't decrypt my drives, just suspended BitLocker, cleared the TPM, disabled it in the BIOS, next boot ran the update tool, another reboot and enabled the TPM in the BIOS, BitLocker then re-enabled itself after taking ownership on the next and final boot.
Clement Chong wrote:
I don't think it is a good idea to just suspend since the insecure key (if the key is generated by the TPM with the old firmware it is insecure) is still the same, it is recommended to decrypt the drive, get the TPM to regenerate a new key and re-encrypt the whole drive using the new key.