Posted by: kurtsh | July 3, 2018

INFO: Updating Surface Pro 3 TPM firmware

imageGot a Surface Pro 3?  Have you updated the TPM module’s firmware?  Get ready for some big fun, if not. 

There’s a vulnerability in TPM that was reported a while ago that requires an update to the TPM chip firmware from 5.0.1089.2 to 5.62.3162.2.  Doing so is really laborious.

Because TPM touches certificates & the drive encryption, it’s a fairly involved & carefully orchestrated process that can take 30 minutes or more.  It involves:

  1. Downloading & installing an Update tool to the local machine
  2. Running the tool to format & create a bootable USB drive then unplug the drive
  3. Suspend Bitlocker on your machine (Super critical step!)
  4. Go into the UEFI boot menu of the Surface (Volume UP+Power)
      1. Delete all Secure Boot Keys
      2. Disable Secure Boot Control
      3. Save the configuration
  5. Reboot the computer (It will display a RED boot screen) then shut it down.
  6. Plug in & boot up the bootable USB drive that was created (Volume DOWN+Power)
  7. Update the TPM firmware using the steps from the booted USB key
  8. Boot up Windows & verify that the TPM chip has been properly updates through TPM.MSC
  9. Shutdown the PC & boot into the UEFI menu (Volume UP+Power)
  10. Enable Secure Boot Control
  11. Install Factory Default Keys
  12. Resume Bitlocker
  13. Reset Windows Hello for Business PIN by deleting the certificate container for Hello (certutil –deleteHelloContainer)

Not gonna lie – this isn’t for the light hearted.  I was very surprised that this process was what was required.

For detailed instructions, go to the following page:

While I described the hair-raising process that is required for Surface Pro 3s, this is technically required for ALL devices that have a TPM chip from what I understand – including Surface Pro 4, Surface Book, etc. although there are different less involved processes for those.

There are instructions available for this update for various hardware vendors including HP, Lenovo, Toshiba, Acer, Fujitsu, Panasonic, and others, on the Microsoft Support site so head on over there to see what the process is for your machine:


%d bloggers like this: