• TPM 2.0, required by Windows 11, is hackable. Upgrade now?

    Home » Forums » Newsletter and Homepage topics » TPM 2.0, required by Windows 11, is hackable. Upgrade now?

    • This topic has 30 replies, 18 voices, and was last updated 2 months ago.

    PUBLIC DEFENDER By Brian Livingston Researchers have discovered flaws in TPM 2.0, a security microcontroller that Microsoft requires on a device (with
    [See the full post at: TPM 2.0, required by Windows 11, is hackable. Upgrade now?]

    6 users thanked author for this post.
    Viewing 13 reply threads
    • #2545033

      Lenovo laptop with Intel TMP 2.0 sub version 1.38
      4.5 years old laptop not supported by Lenovo anymore.

    • #2545030

      Following this article, I checked my PC Windows 10 and found that it runs TPM 1.38.
      Does it present a security risk?

      • #2545043


        Check the vendor list at the article’s Vulnerabilty Note links.

        Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

    • #2545087

      Here’s a little PowerShell script to check your TPM. Run As Administrator!

      $GCIArgs = @{NameSpace = "root\cimv2\security\microsofttpm" 
                   Class     = "Win32_tpm"
      Get-CIMInstance @GCIArgs | 
         Select SpecVersion, IsEnabled_InitialValue, 
                IsActivated_InitialValue, ManufacturerVersionInfo |


      SpecVersion              : 2.0, 0, 1.16
      IsEnabled_InitialValue   : True
      IsActivated_InitialValue : True
      ManufacturerVersionInfo  : Intel           


      May the Forces of good computing be with you!


      PowerShell & VBA Rule!
      Computer Specs

      3 users thanked author for this post.
    • #2545104

      As usual, security vulnerabilities are surrounded by clouds of uncertainty and confusion.  Dell, the manufacturer of my system has not responded as of 2/28/2023.

      My system’s TPM 2.0 chip is manufactured by Intel whose response asserts that its products are not impacted.  But don’t rest easy yet.  The chip’s specification subversion contradicts Intel’s assertion.

      Hmmm.  What to do?  Well, since the vulnerability according to CERT requires a “local, authenticated attacker’ my position at this point in time is to do nothing.

      Is this business annoying?  Yes, of course.  Am I going to lose any sleep over it?  Nope, not a minute.

      4 users thanked author for this post.
      • #2545125

        @EricB My Dell has an Intel chip and version 1.38!

        I don’t know if this means it is or isn’t susceptible to the problem

        Dell Inspiron 7580 i7 16GB Win 10 pro 22H2 (19045.2728), Microsoft 365 Version 2302 (16130.20332)

        • #2545130


          According to the list linked in the referenced post Intel platforms are NOT affected. HTH

          May the Forces of good computing be with you!


          PowerShell & VBA Rule!
          Computer Specs

          2 users thanked author for this post.
          • #2545253

            @RetiredGeek, I’m still concerned about the contradiction.

            Intel say no, 1.38 say yes. ??

            Dell Inspiron 7580 i7 16GB Win 10 pro 22H2 (19045.2728), Microsoft 365 Version 2302 (16130.20332)

        • #2545137

          According to the post, “The Trusted Computing Group, which maintains the specifications for TPM, released a two-page alert (PDF) saying the newly discovered flaws affect only Revisions 1.16, 1.38, and 1.59 of TPM 2.0.”

          So if your subversion is one of the above your system may be impacted.  This guidance seems to contradict Intel’s assertion, and Dell’s silence doesn’t help.

          IMHO, there’s good sense in the old maxim, “When in doubt, do nothing.”

          3 users thanked author for this post.
      • #2546056

        My Dell is a little over a year old and my TPM chip has version 1.38 but is made by AMD. I couldn’t find AMD on the list at all although I assume it must be there. I checked for updates and found I had a critical BIOS update and took it. However, couldn’t find any details about what it fixed.

        Chatted with a Dell CSR who was no help. He directed me to a link which consists of over 1130 pages of Dell Security Advisories. The one for the update I took was DSA-2023-048 and that is the one advisory I couldn’t find on the list. I could find the numbers on either side of that but not that.

        I used to love tech but now find it to be a pain in the ass. Still love using it when it works.

        • #2546138

          I couldn’t find AMD on the list at all

          It’s there, just not where you’d expect since the “default” sorting of the list is not alphabetical.

          It’s current status is unknown.


    • #2545135

      My Asus Maximus XI Gene motherboard also has an Intel TPM and it’s also version 1.38.


      And, as was pointed out by @EricB, the Trusted Computing Group’s document (note: it’s a PDF) indicates 1.38 is one of the main vulnerable versions!

      Makes me wonder if Intel’s announcement only applies to their “currently supported” products and they didn’t even bother to test any of their “older” products for the vulnerability.

      As has already been stated, there’s a HUGE cloud of uncertainty around this announcement (especially by the various vendors!)

      2 users thanked author for this post.
    • #2545170


      I’ll put off upgrading my circa 2014 Desktop until Win 10 fails.

      Current Laptop (Win 11) records (Thanks RetiredGeek) TPM as:-

      SpecVersion : 2.0, 0, 1.38
      IsEnabled_InitialValue : True
      IsActivated_InitialValue : True
      ManufacturerVersionInfo : AMD

      Is this bug free?

    • #2545178

      I have an old Dell Optiplex 7040 with Windows 10 and everything up-to-date which works fine. The TPM is one that this article says is vulnerable: TPM 2.0 Rev 1.16. The links in the article and what I check online is very unclear re. whether I should attempt to update it. I’ve checked with Dell and gotten nowhere. I’d really like more detailed advice if possible. Or should I just not worry about it?

      1 user thanked author for this post.
    • #2545222

      Hi Brian,

      Thanks for the heads up.

      I have an AMD chip so….

      That list is really long the Good, the Bad and the Ugly (ooops Unkown).

      My vote is, if mine isn’t broke for sure, don’t try to fix it by turning something off.


      Frank S

    • #2545257

      whether I should attempt to update it

      You can’t update TMP on your own.
      You should wait for Windows update or vendor notification.


      2 users thanked author for this post.
    • #2545276

      OK, so I ID’ed my TPM chip and it’s TPM 2.0 Sub-Version 1.38 (vulnerable). It’s also an Intel NUC-11 (Panther Canyon). Intel says not vulnerable. Recently there was a BIOS update, but not for this vulnerability, AFAIK. No current BIOS update, but a Realtek Audio Driv Gen Intel processor) er update.

      The BIOS Update was applied at the end of January, 2023, and was dated as from Dec. 28, 2022.

      My PowerSpec 685B (12th Gen Intel processor) has the same identical TPM module, except its manufacturer version is slightly higher. (600.18.0.0, vs. the NUC-11 at 600.7.0.0).  Same TPM sub-version date, Dec. 18, 2019. I don’t know where I would get a BIOS update for this PC as its motherboard is an ASUS model, but the Micro Center does not supply driver or BIOS updates for any of its PCs.

      Intel’s rapid response to this security issue is astounding (end sarcasm).

      So now what do I do?

      -- rc primak

      1 user thanked author for this post.
      • #2545286

        So now what do I do?

        Wait for or seek further information.

        Carpe Diem {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender
        1 user thanked author for this post.
    • #2545298

      For my TUF GAMING X570-PLUS

      I see Version 4602
      20.69 MB
      “1. Update AGESA version to ComboV2PI 1208
      2. Mitigate the AMD potential security vulnerabilities for AMD Athlon™ processors and Ryzen™ processors”


      Just because you don't know where you are going doesn't mean any road will get you there.
      • #2546442

        Since you have an X570 chipset, I’m assuming you have either a 3000 or 5000 series Ryzen processor (I have both). AMD fixes vulnerabilities, but OEMs (ASUS, MSI, etc) must implement it for the mobos they produce and, as you’ve probably observed, OEMs aren’t particularly timely at doing so.

        In response to CVE-2021-26346, on January 10 AMD published:

        Security Advisory AMD SB-1301

        In it, AMD states “The AGESA versions listed below have been released to the Original Equipment Manufacturers (OEM) to mitigate these issues.” If you look under the “Mitigation” heading, you’ll see that 3000/5000 CPUs have “N/A” under them. I haven’t a clue as to whether this means “Not Available” or “Not Applicable”.

        When issues such as this arise, I’m sure OEMs prioritize enterprise, workstation and business SKUs over general consumer and gamer SKUs which are less likely to be targeted, especially when the attack vector is local (hence the lower security threat). Like you, I just updated firmware to on an MSI ACE X570 (a premium board). The firmware is dated March 3 and came with a similar helpful readme /sarcasm:

        “This BIOS fixes the following problem of the previous version: – Update to AGESA ComboAm4v2PI”

        I agree with you. OEM communication skills leave something to be desired when consumer products and security are involved. However, like EricB above, I’ll not lose any sleep over this for the same reasons, but I’d still feel better knowing that all the doors are locked.

    • #2545385

      Well, one thing this topic prompted me to do was update the BIOS on my PowerSpec B685 tower PC. It has an ASUS motherboard, so I went for the ASUS BIOS update, per instructions received from the PowerSpec Support Chat people. (They are good at providing useful support options, including taking the PC in to the Micro Center and paying them to safely perform the BIOS flash.) What I got was an ASUS branded AMI BIOS, and some extra software from Intel and ASUS. Some of which is actually useful for system monitoring and updating drivers and the BIOS. So some good has come of all this discussion, even if we still are no closer to getting BIOS updates to deal with the two security issues covered in Brian’s excellent article.

      The BIOS Update is from January, 2023, so it may cover the vulnerabilities discovered by the security people mentioned in the article. Or maybe not.

      The driver updates do make the system perform much closer to expectations for a 12th-Gen Intel tower PC than the off the shelf PowerSpec drivers. And MUCH better than with the generic Microsoft Windows 11 drivers!

      -- rc primak

      1 user thanked author for this post.
      • #2545459

        It is annoying that all the manufacturer wants to say is: ‘Improves performance’ or ‘improves reliability’. No specifics as if its a big secret. 😡


        Just because you don't know where you are going doesn't mean any road will get you there.
        1 user thanked author for this post.
      • #2546166

        @rc-primak I also purchased the PowerSpec 685B and downloaded all of the available drivers from the ASUS site but have not installed any of as yet. Glad to hear your updates went well & you noticed improvements. Perhaps ASUS will issue a new BIOS update soon with a description indicating a TPM 2.0 security fix. Thanks again.

        1 user thanked author for this post.
        • #2547025

          One would think this is an option. Unless the issue was already known in November, 2022 and only recently got hyped by the tech press.

          -- rc primak

    • #2545494

      I added a discrete TPM 2.0 module to my ASUS motherboard header when the Win 11 requirements were first released. Active and ready to go for whenever I decide to upgrade my Win 10 desktop.

      But the TPM sub-version is 1.16 (9/21/2016). So possibly vulnerable.

      The manufacturer is Infineon (IFX). They are on the “not affected” list.

      So hmmmmm…

      Windows 10 Pro 22H2

      • #2547026

        You may get a “firmware update” from the manufacturer if you look at their site. Wait about a month before checking.

        -- rc primak

    • #2546243

      The cl@sher hacker group posted about hacking TPM on the dark net over 11 years ago. This is why TPM is useless. There were posts here about  TPM being used to hide viruses as well.


      Now it is finally getting out the massive public since there are plans for a new TPM 3.0 which has already been found to have flaws as well.

      TPM is just there to give hackers and governments a easier way to break in and steal info and spy on users.

    Viewing 13 reply threads
    Reply To: TPM 2.0, required by Windows 11, is hackable. Upgrade now?

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: