Fun with TPM firmware version numbers

I’ve spent a lot of time looking at Autopilot log files, hardware hashes, and TPM-related “stuff.” And it’s always puzzled me why things have to be so difficult. In this case, it’s about something really simple: The TPM firmware version of a particular TPM chip/device. If you look in the TPM MMC, you see a version like:

But if you look at an Autopilot hash, you see this:

So why two different firmware versions? Well, they aren’t two different versions at all, they are the same thing represented in a different way. Let’s look at the values in hex to see what I mean, with each of the two big numbers in the TPMVersion string above converted to hex using HxD, my favorite hex editing tool:

So the first four bytes are the equivalent of 538247443, and the second four bytes are 1394722. But now let’s look at the values two bytes at a time:

So the first two bytes are 275, the “minor” part of the version in TPM.MSC. The next two bytes are 8213, the “major” part of the version:

The next two bytes are 18466, so that’s the “revision” part of the TPM.MSC version. And the last two bytes are 21, the “build” part of the TPM.MSC version. So put those together in the right order and you end up with “8213.275.21.18466”, exactly what we see in TPM.MSC.
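The same decoding as a PowerShell sketch, plus the reverse direction for matching a TPM.MSC version against a hash. This is an added example, not code from the original post; the function and parameter names are hypothetical, and it assumes the two decimal values have already been copied out of the TPMVersion string.

```powershell
# Added example: function and parameter names are hypothetical.
function ConvertFrom-TpmVersionValues {
    param(
        [Parameter(Mandatory)] [uint32] $First,    # first big number in TPMVersion
        [Parameter(Mandatory)] [uint32] $Second    # second big number in TPMVersion
    )
    # GetBytes returns host byte order. Windows is little-endian, which matches
    # the byte order the post reads two bytes at a time.
    [byte[]] $bytes = [BitConverter]::GetBytes($First) + [BitConverter]::GetBytes($Second)

    $minor    = [BitConverter]::ToUInt16($bytes, 0)   # first two bytes
    $major    = [BitConverter]::ToUInt16($bytes, 2)   # next two bytes
    $revision = [BitConverter]::ToUInt16($bytes, 4)
    $build    = [BitConverter]::ToUInt16($bytes, 6)   # last two bytes

    [pscustomobject]@{
        HexBytes = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
        # TPM.MSC order is major.minor.build.revision
        Version  = [version]::new($major, $minor, $build, $revision)
    }
}

function ConvertTo-TpmVersionValues {
    param([Parameter(Mandatory)] [version] $Version)

    # Each part has to fit in 16 bits; a missing part shows up as -1.
    foreach ($part in $Version.Major, $Version.Minor, $Version.Build, $Version.Revision) {
        if ($part -lt 0 -or $part -gt [uint16]::MaxValue) {
            throw "Version part '$part' does not fit in an unsigned 16-bit field"
        }
    }
    [pscustomobject]@{
        First  = [uint32]([long]$Version.Major * 65536 + $Version.Minor)
        Second = [uint32]([long]$Version.Build * 65536 + $Version.Revision)
    }
}

# Values from the post above
$decoded = ConvertFrom-TpmVersionValues -First 538247443 -Second 1394722
$decoded
ConvertTo-TpmVersionValues -Version $decoded.Version
```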

2 replies »

  1. Hi Michael, thank you for your UEFIv2 scripts! They indeed helped me understand UEFI variables, and secure boot in particular. The problem is, the script is totally borked in PowerShell 7, almost no functions work. Do you think you would be able to fix it? Generally, it’s the changes in .NET 6 API vs. Framework that did it. PowerShell 5 will certainly be around for years, but is officially deprecated. (Or was it only its ISE that was? I forgot, really.)

    Do you have it in a GitHub repo? I can’t promise to be able to get to it soon, but maybe some other sweet soul will come up with a fix.

    Sorry for a reply to an unrelated post, but the most recent one directly related to UEFI tweaking no longer takes comments.


    • I noticed that myself, just haven’t had a chance to fix that yet :-). PowerShell 5.1 is still supported and is the only version built-in, so that’s what ends up getting used the most, but making it work with later versions is on my list.