PUBLIC DEFENDER By Brian Livingston Researchers have discovered flaws in TPM 2.0, a security microcontroller that Microsoft requires on a device (with
[See the full post at: TPM 2.0, required by Windows 11, is hackable. Upgrade now?]
TPM 2.0, required by Windows 11, is hackable. Upgrade now?
- This topic has 30 replies, 18 voices, and was last updated 2 months ago.
B. Livingston
AskWoody MVP
RetiredGeek
AskWoody MVP
Here’s a little PowerShell script to check your TPM. Run As Administrator!
$GCIArgs = @{
    NameSpace = "root\cimv2\security\microsofttpm"
    Class     = "Win32_tpm"
}
Get-CIMInstance @GCIArgs |
    Select SpecVersion, IsEnabled_InitialValue, IsActivated_InitialValue, ManufacturerVersionInfo |
    FL
Output:
SpecVersion              : 2.0, 0, 1.16
IsEnabled_InitialValue   : True
IsActivated_InitialValue : True
ManufacturerVersionInfo  : Intel
HTH
EricB
AskWoody Plus
As usual, security vulnerabilities are surrounded by clouds of uncertainty and confusion. Dell, the manufacturer of my system has not responded as of 2/28/2023.
My system’s TPM 2.0 chip is manufactured by Intel whose response asserts that its products are not impacted. But don’t rest easy yet. The chip’s specification subversion contradicts Intel’s assertion.
Hmmm. What to do? Well, since the vulnerability according to CERT requires a “local, authenticated attacker” my position at this point in time is to do nothing.
Is this business annoying? Yes, of course. Am I going to lose any sleep over it? Nope, not a minute.
4 users thanked author for this post.
-
John
AskWoody Plus -
RetiredGeek
AskWoody MVP
John,
According to the list linked in the referenced post Intel platforms are NOT affected. HTH
-
John
AskWoody Plus
-
-
-
EricB
AskWoody Plus
According to the post, “The Trusted Computing Group, which maintains the specifications for TPM, released a two-page alert (PDF) saying the newly discovered flaws affect only Revisions 1.16, 1.38, and 1.59 of TPM 2.0.”
So if your subversion is one of the above your system may be impacted. This guidance seems to contradict Intel’s assertion, and Dell’s silence doesn’t help.
IMHO, there’s good sense in the old maxim, “When in doubt, do nothing.”
3 users thanked author for this post.
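A check for the revision list quoted in this post, written as an added example (not code from the thread or from any vendor): it parses the SpecVersion string in the format shown in the script output earlier in the thread and reports whether the revision is one the quoted alert names. The function name Test-TpmSpecRevision, the status labels and the sample strings are assumptions made for illustration.

```powershell
# Added example. Revision list is the one quoted from the TCG alert in the post above.
$ListedRevisions = @('1.16', '1.38', '1.59')

function Test-TpmSpecRevision {
    # Hypothetical helper: classifies a Win32_Tpm SpecVersion string.
    param([string]$SpecVersion)

    # Format seen in the thread: "family, level, revision", e.g. "2.0, 0, 1.16"
    $parts = @($SpecVersion -split ',' | ForEach-Object { $_.Trim() })
    $family = $null; $revision = $null

    if ($parts.Count -ne 3 -or -not $parts[2]) {
        $status = 'Unparsed'              # empty or unexpected string: do not guess
    } else {
        $family, $revision = $parts[0], $parts[2]
        if ($family -ne '2.0') {
            $status = 'NotTpm20'          # the alert concerns TPM 2.0 only
        } elseif ($ListedRevisions -contains $revision) {
            $status = 'RevisionListed'    # spec revision is named in the alert
        } else {
            $status = 'RevisionNotListed'
        }
    }
    [pscustomobject]@{
        SpecVersion = $SpecVersion; Family = $family; Revision = $revision; Status = $status
    }
}

# Constructed sample strings (not taken from real machines)
'2.0, 0, 1.16', '2.0, 0, 1.38', '2.0, 0, 9.99', '1.2, 2, 3', '' |
    ForEach-Object { Test-TpmSpecRevision $_ }

# Live check from an elevated session, same namespace and class as the script in this thread
$tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    Test-TpmSpecRevision $tpm.SpecVersion
} else {
    Write-Warning 'No TPM reported by Win32_Tpm (absent, disabled in firmware, or session not elevated).'
}
```

A RevisionListed result only says the spec revision matches the alert. As the replies in this thread show, Intel and Infineon are listed as not affected, so the vendor's own advisory decides whether a firmware update applies.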
WSjcgc50
AskWoody Plus
My Dell is a little over a year old and my TPM chip has version 1.38 but is made by AMD. I couldn’t find AMD on the list at all although I assume it must be there. I checked for updates and found I had a critical BIOS update and took it. However, couldn’t find any details about what it fixed.
Chatted with a Dell CSR who was no help. He directed me to a link which consists of over 1130 pages of Dell Security Advisories. The one for the update I took was DSA-2023-048 and that is the one advisory I couldn’t find on the list. I could find the numbers on either side of that but not that.
I used to love tech but now find it to be a pain in the ass. Still love using it when it works.
-
alejr
AskWoody MVP
alejr
AskWoody MVP
My Asus Maximus XI Gene motherboard also has an Intel TPM and it’s also version 1.38.
And, as was pointed out by @EricB, the Trusted Computing Group’s document (note: it’s a PDF) indicates 1.38 is one of the main vulnerable versions!
Makes me wonder if Intel’s announcement only applies to their “currently supported” products and they didn’t even bother to test any of their “older” products for the vulnerability.
As has already been stated, there’s a HUGE cloud of uncertainty around this announcement (especially by the various vendors!)
-
G
AskWoody Plus
Mike Ray
Guest
brw2019
AskWoody Plus
I have an old Dell Optiplex 7040 with Windows 10 and everything up-to-date which works fine. The TPM is one that this article says is vulnerable: TPM 2.0 Rev 1.16. The links in the article and what I check online are very unclear re. whether I should attempt to update it. I’ve checked with Dell and gotten nowhere. I’d really like more detailed advice if possible. Or should I just not worry about it?
1 user thanked author for this post.
schlee12768
AskWoody Plus
Alex5723
AskWoody Plus
“whether I should attempt to update it”
You can’t update TPM on your own.
You should wait for Windows update or vendor notification.
-
rc primak
AskWoody_MVP
rc primak
AskWoody_MVP
OK, so I ID’ed my TPM chip and it’s TPM 2.0 Sub-Version 1.38 (vulnerable). It’s also an Intel NUC-11 (Panther Canyon). Intel says not vulnerable. Recently there was a BIOS update, but not for this vulnerability, AFAIK. No current BIOS update, but a Realtek Audio Driver update.
The BIOS Update was applied at the end of January, 2023, and was dated as from Dec. 28, 2022.
My PowerSpec 685B (12th Gen Intel processor) has the same identical TPM module, except its manufacturer version is slightly higher. (600.18.0.0, vs. the NUC-11 at 600.7.0.0). Same TPM sub-version date, Dec. 18, 2019. I don’t know where I would get a BIOS update for this PC as its motherboard is an ASUS model, but the Micro Center does not supply driver or BIOS updates for any of its PCs.
Intel’s rapid response to this security issue is astounding (end sarcasm).
So now what do I do?
-- rc primak
1 user thanked author for this post.
-
geekdom
AskWoody_MVP
“So now what do I do?”
Wait for or seek further information.
Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender
1 user thanked author for this post.
wavy
AskWoody Plus
For my TUF GAMING X570-PLUS
I see Version 4602
20.69 MB
2023/03/14
“1. Update AGESA version to ComboV2PI 1208
2. Mitigate the AMD potential security vulnerabilities for AMD Athlon™ processors and Ryzen™ processors”
🍻
Just because you don't know where you are going doesn't mean any road will get you there.
-
Carl
AskWoody Plus
Since you have an X570 chipset, I’m assuming you have either a 3000 or 5000 series Ryzen processor (I have both). AMD fixes vulnerabilities, but OEMs (ASUS, MSI, etc) must implement it for the mobos they produce and, as you’ve probably observed, OEMs aren’t particularly timely at doing so.
In response to CVE-2021-26346, on January 10 AMD published:
Security Advisory AMD SB-1301
In it, AMD states “The AGESA versions listed below have been released to the Original Equipment Manufacturers (OEM) to mitigate these issues.” If you look under the “Mitigation” heading, you’ll see that 3000/5000 CPUs have “N/A” under them. I haven’t a clue as to whether this means “Not Available” or “Not Applicable”.
When issues such as this arise, I’m sure OEMs prioritize enterprise, workstation and business SKUs over general consumer and gamer SKUs which are less likely to be targeted, especially when the attack vector is local (hence the lower security threat). Like you, I just updated firmware to 1.2.0.8 on an MSI ACE X570 (a premium board). The firmware is dated March 3 and came with a similar helpful readme /sarcasm:
“This BIOS fixes the following problem of the previous version: – Update to AGESA ComboAm4v2PI 1.2.0.8.”
I agree with you. OEM communication skills leave something to be desired when consumer products and security are involved. However, like EricB above, I’ll not lose any sleep over this for the same reasons, but I’d still feel better knowing that all the doors are locked.
rc primak
AskWoody_MVP
Well, one thing this topic prompted me to do was update the BIOS on my PowerSpec B685 tower PC. It has an ASUS motherboard, so I went for the ASUS BIOS update, per instructions received from the PowerSpec Support Chat people. (They are good at providing useful support options, including taking the PC in to the Micro Center and paying them to safely perform the BIOS flash.) What I got was an ASUS branded AMI BIOS, and some extra software from Intel and ASUS. Some of which is actually useful for system monitoring and updating drivers and the BIOS. So some good has come of all this discussion, even if we still are no closer to getting BIOS updates to deal with the two security issues covered in Brian’s excellent article.
The BIOS Update is from January, 2023, so it may cover the vulnerabilities discovered by the security people mentioned in the article. Or maybe not.
The driver updates do make the system perform much closer to expectations for a 12th-Gen Intel tower PC than the off the shelf PowerSpec drivers. And MUCH better than with the generic Microsoft Windows 11 drivers!
-- rc primak
1 user thanked author for this post.
-
wavy
AskWoody Plus -
Sueska
AskWoody Plus
@rc-primak I also purchased the PowerSpec 685B and downloaded all of the available drivers from the ASUS site but have not installed any of them as yet. Glad to hear your updates went well & you noticed improvements. Perhaps ASUS will issue a new BIOS update soon with a description indicating a TPM 2.0 security fix. Thanks again.
1 user thanked author for this post.
-
rc primak
AskWoody_MVP
-
JohnW
AskWoody Plus
I added a discrete TPM 2.0 module to my ASUS motherboard header when the Win 11 requirements were first released. Active and ready to go for whenever I decide to upgrade my Win 10 desktop.
But the TPM sub-version is 1.16 (9/21/2016). So possibly vulnerable.
The manufacturer is Infineon (IFX). They are on the “not affected” list.
So hmmmmm…
Windows 10 Pro 22H2
-
rc primak
AskWoody_MVP
c y c
Guest
The cl@sher hacker group posted about hacking TPM on the dark net over 11 years ago. This is why TPM is useless. There were posts here about TPM being used to hide viruses as well.
https://www.askwoody.com/forums/topic/what-would-you-have-done/#post-2383176
Now it is finally getting out the massive public since there are plans for a new TPM 3.0 which has already been found to have flaws as well.
TPM is just there to give hackers and governments an easier way to break in and steal info and spy on users.
-
b
Manager
“There were posts here about TPM being used to hide viruses as well.”
https://www.askwoody.com/forums/topic/what-would-you-have-done/#post-2383176
Twelve-year-old theory — never seen in practice.
Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge
1 user thanked author for this post.