Jun 25, 2014 - 0 Comments - BitLocker, MBAM, Scripting -

The Curse of the Infineon TPM Driver and BitLocker

During a recent BitLocker and MBAM implementation, I came across a curious issue: a sizeable percentage of the client’s computers used an Infineon driver for the TPM.  This doesn’t outwardly seem to be a concern, but BitLocker requires the built-in Windows TPM driver.

In researching the issue, I found another blog that gave me the answer to Why this happened, and one way to resolve the issue.  While I didn’t use their solution to the problem, I appreciated the insight.  Basically some drivers live on when a computer is upgraded from Windows XP to 7.  These zombie drivers will ruin your BitLocking adventures.

I found that the Infineon drivers consistently existed in the same locations, only dependent on x32/x64 OS architecture:

  • X86 - C:\Windows\System32\DriverStore\FileRepository\ifxtpm.inf_x86_neutral_816932fd6cc123d1\IFXTPM.INF
  • X64 - C:\Windows\System32\DriverStore\FileRepository\tpm.inf_amd64_neutral_d5bb6575cf91cd73\tpm.inf

So, I used pnputil.exe to remove IFXTPM.INF from my life.  This isn’t as simple as it sounds, since removing the driver with pnputil requires you to define the name the driver has within the driver store, not the path to the INF.  To determine that, I ran pnputil.exe -e > c:\GimmeTheDamnName.txt and then reviewed the output in my txt file.  I found that on all of the machines, even regardless of OS architecture, the driver was listed as oem186.inf in the driver store.  This is convenient, as I can use the same command to remove the driver on all systems that suffer from it.  One command to rule them all: pnputil.exe -f -d oem186.inf

Now, this only removes the driver from the store, leaving our TPM feeling sad, alone, and driverless.  Unfortunately, there is no easy way to script or remotely start a “Scan for Hardware Changes” the way you can just by clicking through the Device Manager GUI.  While that is not hard to do on one system, I didn’t want to do it 1200+ times.  So, I decided to dust off the archaic DevCon.exe, which is still available as part of the Windows Driver Kit.  Now I’ll need separate commands to update the driver for each OS architecture:

  • X86 - devcon.exe update C:\Windows\System32\DriverStore\FileRepository\tpm.inf_x86_neutral_8d77c50b5c066979\tpm.inf *PNP0C31
  • X64 - devcon.exe update C:\Windows\System32\DriverStore\FileRepository\tpm.inf_amd64_neutral_d5bb6575cf91cd73\tpm.inf *PNP0C31

With those commands the TPM finds its driver soulmate, BitLocker can go about its encryption business, and everyone can live happily ever after.

Leave a Reply

Your email address will not be published. Required fields are marked *