How to update the TPM Firmware
Welcome to the Infineon TPM Firmware Update.
With the TPM Firmware Update Wizard you can easily check whether your platform is ready for the firmware update. If all preconditions are met, you can update the TPM in just a few steps.
If you prefer to perform the TPM Firmware Update without any explicit user interactions, you can use the Command Line Mode.
Note that a system restart is needed for the update to take effect. Save all unsaved work in all user sessions before restarting to prevent data loss.
Before you start TPM Firmware Update, please consider the license terms in License.pdf, close all running applications and deactivate or suspend any drive encryption software that uses the TPM.
TPM Firmware Update supports Infineon Trusted Platform Module SLB 9660.
This version of TPM Firmware Update supports the update from version(s) 4.40.119.0 and 4.42.132.0 to version 4.43.257.0 of the TPM Firmware.
Supported operating systems: Microsoft Windows 10 ®, Microsoft Windows 7 ® SP1. Please install all important updates for your operating system before starting TPM Firmware Update.
To run the update, you need to have administrative privileges.
Also, if the Owner Password is not stored by the operating system, you need to know the Owner Password or have a valid Owner Password Backup File. If the Owner Password is not stored by the operating system and you neither have a valid Owner Password Backup File nor know the Owner Password, you may use the commands listed under the helpful commands below to clear the TPM. You will be able to take ownership again later on. WARNING: Clearing the TPM resets it to factory defaults. You will lose all created keys and data protected by those keys.
The following preconditions must be met in addition:
Precondition | Comment | Steps to do if precondition is not met |
---|---|---|
TPM Firmware Update is not prohibited by group policy settings. | TPM Firmware Update can be allowed or prohibited by group policy settings. | TPM Firmware Update has been explicitly prohibited for your system. To get permission, contact your group policy administrator. |
Power cord is plugged. | Only relevant for computers with batteries. | Plug in the power cord. Do not unplug it before TPM Firmware Update completes. |
BitLocker Drive Encryption is off or suspended, if you use BitLocker with any of the following key protectors (stand-alone or in combination with other key protectors): | Only relevant for operating systems with BitLocker Drive Encryption (e.g. Windows 10 Pro or Windows 7 Ultimate). You can use the "Display BitLocker Status" command line (see the helpful commands below) in an elevated command prompt to display the current BitLocker status and key protectors. "Off" corresponds to the "fully decrypted" BitLocker state. This is the case if BitLocker has never been turned on at all, or has explicitly been turned off. "Suspended" (or "disabled") corresponds to the "encrypted, but protection off" BitLocker state. | You can use the "BitLocker Drive Encryption" control panel applet provided by the operating system to turn off or suspend BitLocker. For details, please refer to Microsoft resources on BitLocker. Alternatively, you can use the "Suspend BitLocker" command line (see the helpful commands below) in an elevated command prompt to suspend BitLocker Drive Encryption, e.g. for drive C:. |
TPM is enabled and TPM Owner is set. | The TPM must be enabled, and the TPM Owner must be set, before the TPM firmware can be updated. | Make sure that your TPM is enabled in the system BIOS. Check the system BIOS documentation for details on how to enable the TPM. You can use the Microsoft Trusted Platform Module (TPM) Management application to enable the TPM ("Turn TPM on" action) and set the owner. Refer to Microsoft TechNet for details. |
Shut Down, Hibernate and Sleep can be blocked. | To avoid an unintentional interruption of the update process, a temporary power plan is created and selected. This power plan blocks Shut Down, Hibernate and Sleep. | The power plan could not be created and selected. A possible reason is that this is not allowed by policy settings. To get permission, contact your group policy administrator. |
To find out whether all preconditions are met on your platform, just start TPM Firmware Update Wizard. The wizard will show you a detailed overview.
To run TPM Firmware Update in Wizard Mode (i.e. with graphical user interface), start the executable IFXTPMUpdate_TPM12_v0443.exe without any parameters. In this case the wizard guides you through the following steps:
Note: Wizard Mode always creates a log file in %TEMP% directory.
To run TPM Firmware Update without any user interactions, use the command line tool IFXTPMUpdate_TPM12_v0443.com. By starting IFXTPMUpdate_TPM12_v0443.com you implicitly express that you accept the terms of the license agreement in License.pdf.
The usage is: IFXTPMUpdate_TPM12_v0443.com [action] {[option1] [option2] ...}
Action | Description |
---|---|
/? /h /help | Shows the command line help. |
/info | Logs platform information and preconditions which are not met. You can specify the following additional options: |
/update | Updates the firmware on the platform. You can specify the following additional options: |
/recovery-driver:[on\|off] | This action is provided for the rare scenarios when TPM Firmware Update was interrupted (for example if your computer lost power during an update). In these scenarios the Microsoft TPM Driver is not accessible and a TPM recovery driver is needed to resume the TPM Firmware Update. /recovery-driver:on enables recovery mode and temporarily installs a TPM recovery driver. Once this action has completed, you can run the /update action again. After a successful update, the TPM recovery driver is automatically uninstalled. This action is ignored if the Microsoft TPM Driver is working properly and there is no pending TPM Firmware Update. /recovery-driver:off disables recovery mode and uninstalls the TPM recovery driver. In case a system restart is required after the TPM recovery driver uninstallation, start TPM Firmware Update again after the restart. You can specify the following additional options: |
The following table shows examples of how to use the command line:
Initial Situation | Actions to be done | Command line |
---|---|---|
You are not sure whether your TPM is ready to be updated. | Check platform details and preconditions without performing the update. | IFXTPMUpdate_TPM12_v0443.com /info |
| Perform the update with TPM Owner Backup File. Prevent the system restart. Write a log file. | IFXTPMUpdate_TPM12_v0443.com /update /pwdfile:<file> /logfile:<file> |
The firmware update failed due to power loss and you want to resume the update process. You want to check the update result. | Temporarily install the TPM recovery driver. Resume the update. Write a log file. | IFXTPMUpdate_TPM12_v0443.com /recovery-driver:on /logfile:<file> |
The following table explains the steps of the firmware update process:
Step | Description |
---|---|
Set up update process | Preparations for the firmware update are made. In particular, precautions are taken to block the Shut Down, Hibernate and Sleep functions (if supported by the operating system and allowed by group policy settings). |
Initialize update | The firmware parameters are loaded onto the TPM. The Owner Password is verified. |
Perform update | The firmware of the TPM is overwritten. |
Verify update | The new firmware on the TPM is verified. |
Clean up | Temporary data and settings are deleted. In particular, the actions taken to block the Shut Down, Hibernate and Sleep functions are reverted. |
Uninstall TPM recovery driver | If the TPM recovery driver has been installed and the update was performed successfully, uninstall the driver. |
Here you can find helpful commands that may help you bring your system into a state in which all preconditions for the firmware update are fulfilled.
Usage | Description | Command(s) |
---|---|---|
Display BitLocker Status | To display BitLocker drive encryption status and used key protectors for drive C: | manage-bde.exe -status C: |
Suspend BitLocker | To suspend BitLocker drive encryption for drive C: | manage-bde.exe -protectors -disable C: |
(Re-)Activate BitLocker | To (re-)activate BitLocker drive encryption for drive C: after the firmware update was performed | manage-bde.exe -protectors -enable C: |
Clear the TPM owner | WARNING: Clearing the TPM resets it to factory defaults. You will lose all created keys and data protected by those keys. | |
The following table lists errors specific to TPM Firmware Update. In Wizard Mode, errors are displayed by the graphical user interface. In Command Line Mode, errors are logged to the console and in the log file if a log file was configured. The exit code of IFXTPMUpdate_TPM12_v0443.com is set accordingly.
Note that not all possible errors are listed here; for example, Windows system error codes are not included. Details on Windows system error codes are available on MSDN.
Error | Description | Steps to do |
---|---|---|
0xE028000A | TPM command with a bad ordinal was called. | An unknown or blocked TPM command was called. Make sure that the TPM_FieldUpdate command is not blocked on your platform. Make sure that the default settings in the Command Management of Microsoft Trusted Platform Module (TPM) Management have not been changed. |
0xE02A0001 | An internal error occurred. | Contact your system administrator. |
0xE02A0002 | A Trusted Platform Module (TPM) error occurred. | Contact your system administrator. |
0xE02A0003 | A Trusted Software Stack (TSS) error occurred. | Consider repairing, reinstalling or updating the software which accesses the TPM, e.g. the Infineon TPM Driver or the TPM Base Services provided by Windows 7 or higher. |
0xE02A0004 | You do not have permission to perform this operation. | Make sure that you have administrative rights. |
0xE02A0005 | Another instance of TPM Firmware Update is already running. | Do not start TPM Firmware Update while the same program is already running. |
0xE02A0007 | A wrong command line was specified. | Make sure to specify correct parameters (see Command Line Mode). |
0xE02A0008 | No Trusted Platform Module was found. | Check whether your system has a TPM (see Requirements). Make sure that the system BIOS settings do not hide the TPM. |
0xE02A0009 | No connection to the Trusted Platform Module can be established. | Consider repairing, reinstalling or updating the software which accesses the TPM, e.g. the Infineon TPM Driver or the TPM Base Services provided by Windows 7 or higher. |
0xE02A000A | TPM device driver or TPM Base Services are missing, not functional, or do not meet TPM Firmware Update requirements. | TPM Firmware Update requires either TPM Base Services with a suitable Microsoft TPM Driver or an Infineon TPM Driver. No suitable software could be found on your system. To install a compatible driver, specify the /recovery-driver:on parameter in Command Line Mode, or start the TPM Update Wizard. See Command Line Mode and Important Notes. |
0xE02A000B | TPM recovery driver could not be installed or installation requires a restart. | Install the TPM recovery driver manually if the error is still reported after a restart. |
0xE02A000C | TPM recovery driver could not be uninstalled. | Uninstall the TPM recovery driver manually (see Important Notes). |
0xE02A000D | Trusted Platform Module vendor is not supported. | Check whether your system has a Trusted Platform Module as specified in the Requirements. |
0xE02A000E | TPM Firmware Update does not include a matching firmware for your Trusted Platform Module. | Contact your vendor to find out whether there is a suitable TPM Firmware Update. Include the TPM and firmware detail info in your query, as shown on the "Check platform details" wizard page. |
0xE02A000F | A wrong Owner Password was specified. | Make sure to specify the correct Owner Password. In Wizard Mode, type the correct password on "Provide the Owner Password" page. In Command Line Mode, specify the correct password using the /pwd:<password> parameter. |
0xE02A0010 | The content of the specified Owner Password Backup File does not match the current Owner Password. | The specified file could be found and identified as a valid Owner Password Backup File, but the file content does not match the current Owner Password. Make sure to specify the correct Owner Password Backup File. In Wizard Mode, specify the correct file on the "Provide the Owner Password" page. In Command Line Mode, specify the correct file using the /pwdfile:<file> parameter. |
0xE02A0011 | The specified Owner Password Backup File does not exist, cannot be opened, or is not a valid Owner Password Backup File. | Make sure to specify the correct file path of an existing Owner Password Backup File. In Wizard Mode, specify the correct file on "Provide the Owner Password" page. In Command Line Mode, specify the correct file using the /pwdfile:<file> parameter. |
0xE02A0012 | An invalid log file path was specified. | The specified file path is either invalid, or the file cannot be created or accessed due to missing permissions. In Command Line Mode, use the /logfile:<file> parameter to specify a valid path of a file in a folder where you have permission to create or access a file. |
0xE02A0013 | Multiple TPM Firmware Update preconditions are not met. | Start TPM Firmware Update in Wizard Mode. The "Check platform details" wizard page will display all preconditions which are not met (see Preconditions). |
0xE02A0014 | TPM Owner is not set. | See Preconditions, "TPM is enabled and TPM Owner is set". |
0xE02A0015 | TPM is not enabled. | See Preconditions, "TPM is enabled and TPM Owner is set". |
0xE02A0016 | System is running on battery. | See Preconditions, "Power cord is plugged". |
0xE02A0017 | Update not allowed by policy settings. | See Preconditions, "TPM Firmware Update is not prohibited by group policy settings". |
0xE02A0018 | Shutdown, Hibernate and Sleep cannot be blocked, or blocking of Shutdown, Hibernate and Sleep cannot be reverted. | See Preconditions, "Shut Down, Hibernate and Sleep can be blocked". |
0xE02A0019 | BitLocker Drive Encryption blocks update. | See Preconditions, "BitLocker Drive Encryption is off or suspended". |
0xE02A001A | The Owner Password cannot be retrieved from the operating system. | The Owner Password is not stored by the operating system (Windows 10). In Command Line Mode, use either the /pwdfile:<file> or the /pwd:<password> parameter to specify the Owner Password. |
0xE02A001B | Your TPM already runs the firmware included with this version of TPM Firmware Update or newer. | Contact your vendor to find out whether there is a suitable TPM Firmware Update. Include the TPM and firmware detail info in your query, as shown on the "Check platform details" wizard page. |
0xE02A001C | The maximum allowed number of firmware updates has been reached. | No further TPM firmware update is possible because the maximum allowed number of firmware updates for your system has been reached. Contact your system administrator. |
0xE02A001E | Administrative rights weren't given during device driver installation. | Start the program as an administrator. |
0xE02A001F | Administrative rights weren't given during device driver uninstallation. | Start the program as an administrator. |
0xE02A0020 | A system restart is pending. | To finalize the firmware update or the TPM recovery driver uninstallation a system restart is required. |
0xE02A0021 | The TPM recovery driver status cannot be obtained. | Contact your system administrator. |
0xE02A0023 | The TPM does not have an owner. | Take ownership of the TPM before updating the TPM firmware. |
0xE02A0024 | The firmware update is not applicable to the SLB model of this TPM. | Contact your vendor to find out whether there is a suitable TPM Firmware Update. Include the TPM and firmware detail info in your query, as shown on the "Check platform details" wizard page. |
0xE02A0025 | TPM is in Dictionary Attack mode. | Due to multiple failed attempts to provide a valid Owner Password, the TPM is locked to prevent a dictionary attack. The TPM will be unlocked automatically after a certain amount of time. The exact time depends on how many failed attempts have been registered. Note: Depending on your TPM configuration, the TPM may not only be locked but also temporarily disabled. In that case a restart is required in addition to the elapsed lockout time. |
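The unattended run described in the command line examples, the helpful commands and the error table above, written out as an added example that is not part of the Infineon package: it checks the preconditions locally, suspends BitLocker with the documented command, runs /update with an Owner Password Backup File and a log file, and decodes the exit code against the listed error values. Assumptions: Windows 10 (Get-Tpm cmdlet), the tool in the current directory, placeholder file paths, drive C: as the BitLocker volume, and an exit code of 0 on success or the listed error value on failure.

```powershell
# Added example, not part of the Infineon package. Assumptions: Windows 10, the tool in the
# current directory, placeholder paths below, drive C: as the BitLocker volume, and an exit
# code of 0 on success or the listed 0xE02A.... error value on failure.
$Tool    = ".\IFXTPMUpdate_TPM12_v0443.com"
$PwdFile = "C:\secure\OwnerPasswordBackup.tpm"   # placeholder path
$LogFile = "$env:TEMP\IFXTPMUpdate.log"          # placeholder path

# Documented error codes that correspond to a precondition (keys are hex strings).
$PreconditionErrors = @{
    "E02A0014" = "TPM Owner is not set";         "E02A0015" = "TPM is not enabled"
    "E02A0016" = "System is running on battery"; "E02A0017" = "Update not allowed by policy settings"
    "E02A0018" = "Shut Down, Hibernate and Sleep cannot be blocked"
    "E02A0019" = "BitLocker Drive Encryption blocks update"
    "E02A001A" = "Owner Password cannot be retrieved from the operating system"
    "E02A0025" = "TPM is in Dictionary Attack mode"
}

# 1. Local precondition checks: TPM present, enabled and owned; not in lockout; on AC power.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmOwned)) {
    throw "TPM must be present, enabled and owned (see Preconditions)."
}
if ($tpm.LockedOut) { throw "TPM is in Dictionary Attack lockout; wait $($tpm.LockoutHealTime)." }
$battery = Get-CimInstance Win32_Battery      # BatteryStatus 2 = running on AC power
if ($battery -and $battery.BatteryStatus -ne 2) { throw "Plug in the power cord first." }

# 2. BitLocker: show status as documented; suspend protectors only if protection is on.
$status = manage-bde.exe -status C:
$wasProtected = [bool]($status -match 'Protection Status:\s+Protection On')
if ($wasProtected) { manage-bde.exe -protectors -disable C: | Out-Null }

# 3. The documented update command with Owner Password Backup File and log file.
& $Tool /update "/pwdfile:$PwdFile" "/logfile:$LogFile"
$code = $LASTEXITCODE

# 4. $LASTEXITCODE is a signed Int32; mask it to the unsigned form used in the error table.
$hex = '{0:X8}' -f ([uint32]($code -band 0xFFFFFFFF))
if ($code -eq 0) {
    Write-Host "Update performed; restart the system for it to take effect. Log: $LogFile"
} elseif ($PreconditionErrors.ContainsKey($hex)) {
    Write-Warning "Precondition not met (0x$hex): $($PreconditionErrors[$hex])"
} else {
    Write-Warning "Update failed with 0x$hex; see $LogFile and the error table."
}

# 5. Re-activate the BitLocker protectors if this script suspended them (documented command).
if ($wasProtected) { manage-bde.exe -protectors -enable C: | Out-Null }
```

Run it from an elevated PowerShell session, since both the tool and manage-bde require administrative rights.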
Copyright © 2017 Infineon Technologies AG. All rights reserved.
Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.