Install and use the Surface Pro 3 Trusted Platform Module (TPM) update tool

Applies to: Surface Pro 3

Summary


This article discusses the Microsoft Surface Pro 3 TPM Update tool. The tool creates a bootable USB drive that updates the TPM firmware on a Surface Pro 3.

More information


The Surface Pro 3 TPM Update tool updates the firmware for the TPM on a Surface Pro 3 to address the following issue:

ADV170012 Vulnerability in TPM could allow security feature bypass

For more information, see Security issue for Trusted Platform Module (TPM) on Surface devices.


Install the Surface Pro 3 TPM Update tool and create a bootable USB flash drive

  1. Download Microsoft_Surface_Pro_3_Tpm_Update_Tool_Setup.msi, and then follow the installation instructions.
  2. Attach a removable USB flash drive that has at least 500 MB of available space.

    Note You must use a USB flash drive, not a USB hard disk drive.
  3. Right-click the Surface Pro 3 TPM Update tool, select Run as administrator, and then follow the steps that are presented to create the bootable USB flash drive.


Update the Surface Pro 3 device

Note The following steps are specific to using BitLocker. If you are using a third-party encryption tool, contact that software manufacturer for the appropriate steps to disable encryption.

  1. Click Start.
  2. Open Windows PowerShell as an administrator.
  3. Run the following command:
    Suspend-Bitlocker -MountPoint C: -RebootCount 0
  4. Shut down Windows to turn off the Surface device.
  5. Press and hold the Power+Volume Up keys to start the Surface Pro 3 into the UEFI environment. (You can release the keys after the device starts.)
  6. After the device enters the UEFI environment, select Delete all secure boot keys under Secure Boot Control.
  7. Select Yes.
  8. To the right of Secure Boot Control, select Enabled.
  9. When you are prompted, select Disabled.
  10. Select Exit setup.
  11. Select Yes when you are prompted to save the configuration and reset the device. The device restarts.
  12. After Windows has fully restarted, shut down the system again to turn off the Surface Pro 3.
  13. Insert the bootable USB flash drive that you created by using the Surface Pro 3 TPM Update Tool in the previous procedure.
  14. Press and hold the Power+Volume Down keys to start the Surface Pro 3 from the USB flash drive into the UEFI environment. (You can release the keys after the device starts.)
  15. Follow the instructions that are displayed to update your Surface Pro 3 TPM firmware.
  16. After the update is finished, you receive an "fs1:>" command prompt. Remove the USB flash drive.
  17. Type exit, and then press Enter to restart the Surface Pro 3.


Configure the Surface Pro 3 device after the TPM firmware update

  1. Turn on the Surface Pro 3, start Windows, and then log on as necessary.

    Note If Windows Hello was enabled for logging on by using a PIN, this setting is no longer functional because of the TPM update process. Therefore, you must use the password that was configured for this account to log on. (See step 14 to re-enable the Windows Hello PIN options.)

  2. Click Start.

  3. Type tpm.msc, and then press Enter to open the TPM Management snap-in.

    Note If tpm.msc reports that a compatible TPM cannot be found or that the TPM is in reduced functionality mode, restart Windows. After the restart, run tpm.msc again to verify that the state of the TPM is "Ready for use."

  4. Shut down Windows to turn off the Surface Pro 3.

  5. Press and hold the Power+Volume Up keys to start the Surface Pro 3 into the UEFI environment. (You can release the keys after the device starts.)

  6. To the right of Secure Boot Control, select Disabled.

  7. Select Enabled.

  8. Select Install all factory default keys, and then select the Windows & 3rd-party UEFI CA (Default) option.

  9. Select Exit setup.

  10. Select Yes when you are prompted to save the configuration and reset. The Surface Pro 3 should restart into Windows.

  11. After Windows fully restarts, click Start.

  12. Type manage bitlocker, and then press Enter when the Manage BitLocker icon is selected in the Search menu.

  13. Select Resume protection.

  14. If your Windows Hello PIN is not working after the update (that is, the Windows logon screen reports that your PIN is no longer available because of a change in security settings), follow these steps to recover the PIN.

    • For Windows Hello for Business (PIN enforced by Group Policy):

      1. Open a Command Prompt window as an administrator.

      2. Run the following command:

        certutil -deleteHelloContainer
      3. Log off.

      4. Log on again by using your password. (The PIN option is not available because the Windows Hello container was removed by running the command in step 2.)

      5. You should be prompted to create a Windows Hello PIN (as enforced by Group Policy). Follow the instructions to create a new PIN for Windows Hello.

    • For Windows Hello

      1. Go to Settings > Accounts > Sign-in options.

      2. Remove your PIN (the removal will be confirmed by using the user's password).

      3. Click Add to create a new PIN as necessary, enter the user’s password again when you're prompted, and then follow the instructions to create a new PIN for Windows Hello.

  15. Restart any other services that rely on TPM functionality.


Verify the update

To verify that the tool has updated the TPM firmware, follow these steps:

  1. Click Start.
  2. Type tpm.msc, and then press Enter.
  3. Under TPM Manufacturer Information, check the Manufacturer Version number for either of the following:
    • Previous firmware: 5.0.1089.2
    • New firmware: 5.62.3126.2
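As an added example (not part of the Microsoft article or the TPM update tool), the following PowerShell script scripts the BitLocker suspend step of the update procedure and the version check described in this section. It assumes an elevated PowerShell session on the Surface Pro 3, a BitLocker-protected C: volume as in the article, and that the Win32_Tpm class reports the same version string that tpm.msc shows under TPM Manufacturer Information.

```powershell
# Added helper (not part of the Microsoft article or the TPM update tool). Run in an elevated
# PowerShell session on the Surface Pro 3: -Phase Before (in place of step 3 of the update
# procedure) and -Phase After (once Windows is back, in place of steps 11-13 and the version check).
param(
    [Parameter(Mandatory)][ValidateSet('Before', 'After')][string]$Phase,
    [string]$MountPoint = 'C:'
)
$OldFirmware = '5.0.1089.2'   # versions quoted in the article
$NewFirmware = '5.62.3126.2'

function Get-TpmFirmwareVersion {
    # Win32_Tpm reports the version that tpm.msc shows under TPM Manufacturer Information (assumption).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    if ($null -eq $tpm) { throw 'No TPM reported; check that the TPM is enabled in UEFI.' }
    # ManufacturerVersionFull20 is only present on newer Windows 10 builds; fall back to the short form.
    if ($tpm.ManufacturerVersionFull20) { return $tpm.ManufacturerVersionFull20 }
    return $tpm.ManufacturerVersion
}

$version = Get-TpmFirmwareVersion
Write-Host "TPM manufacturer version: $version"

if ($Phase -eq 'Before') {
    if ($version -eq $NewFirmware) { Write-Host 'Firmware already updated; nothing to do.'; return }
    if ($version -ne $OldFirmware) { Write-Warning "Unexpected version $version; confirm this is a Surface Pro 3." }
    # RebootCount 0 keeps BitLocker suspended across every reboot of the procedure, so the TPM
    # change and the Secure Boot key reset do not force the drive into recovery.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
        Write-Host "BitLocker on $MountPoint suspended; remember to resume it after the update."
    } else {
        Write-Host "BitLocker on $MountPoint is already off or suspended."
    }
} else {
    if ($version -ne $NewFirmware) { Write-Warning "Firmware is $version, not $NewFirmware; update did not complete."; return }
    if (-not (Get-Tpm).TpmReady) {
        Write-Warning 'TPM is not yet "Ready for use"; restart Windows and run this check again.'
        return
    }
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    Write-Host "TPM updated and ready; BitLocker protection on $MountPoint resumed."
}
```

The After phase refuses to resume BitLocker until the TPM reports ready, which matches the restart advice in the note under step 3 of the post-update configuration.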