winget upgrade
winget upgrade --all
Install-Module -Name PSWindowsUpdate -Force
Get-WindowsUpdate -AcceptAll -Install -AutoReboot
HP G2
Download the TPM 2.0 installer find link, just run it
Might need to disable secure boot first
When running the BIOS update, go directly to the folder and run the 64-bit installer.
Find link or zip installers
All-in-One Units: HP EliteOne 800 G2 AIO
Desktop Units: HP EliteDesk / ProDesk 600 & 800 G2 (Mini, SFF, Tower)
HP G2 machines manufactured around 2016 ship hardcoded with TPM 1.2 and a stale 2011 cryptographic certificate matrix in their NVRAM database.
Updating the system BIOS to the latest versions (such as N11 Ver. 02.60 or similar) prepares the motherboard architecture for modern security standards, but it does not automatically upgrade the hardware chip or inject the mandatory WINDOWS_UEFI_CA_2023 certificate keys. If left unconfigured, these systems remain exposed to legacy exploits and will fail modern deployment compliance audits.
To upgrade the security chip, the BIOS must first expose the device interfaces to the underlying operating system.
Restart the computer and tap F10 repeatedly to enter the HP Computer Setup Utility.
Navigate to Security → Device Security.
Locate Embedded Security Device and change its status from Hidden to Available.
Go to the Main tab, select Save Changes and Exit, and let the machine reboot completely.
Re-enter the BIOS (Tap F10) as the computer restarts.
Navigate to Security → Embedded Security.
Ensure Embedded Security Device is configured to Device Enabled.
Ensure TPM State is configured to Enable and Activate.
Verify that TPM Activation Policy is set to Allow user to reject (or No Prompts if available). Do not alter the "Clear TPM" setting yet.
Go to the Main tab, select Save Changes and Exit, and log completely back into your Windows desktop environment.
Crucial Warning: Windows aggressively attempts to claim and initialize any unmanaged security devices it finds upon desktop load. If Windows re-provisions the TPM chip before the flash tool is executed, the chip firmware will lock, causing the update utility to fail with an access-denied error.
Right-click the Windows Start Button and open PowerShell (Admin) or Terminal (Admin).
Freeze the Windows automated background configuration module by executing the following command:
Disable-TpmAutoProvisioning
Purge the active cryptographic keys and ownership locks directly from the system architecture by executing:
Clear-Tpm
Windows will present a dialog box requesting a system restart. Confirm the prompt and let the machine reboot.
Watch the monitor closely during startup. Before loading Windows, a dark HP hardware screen will display a security warning stating that a request has been made to clear the TPM chip.
Press the required physical key immediately (typically F1 or F2) to authorize the deletion. The computer will automatically finish booting back to your desktop.
With the chip cleared and Windows auto-provisioning temporarily frozen, the physical silicon layer is unprotected and ready to receive the modern 2.0 configuration image.
Download the official HP TPM transformation firmware tool directly from the verified HP storage repository:
Direct Link: HP SoftPaq SP87753 Utility
Run the downloaded executable file. This will automatically extract the update payloads to the default local directory: C:\SWSetup\SP87753
Open an elevated PowerShell (Admin) window.
Change your execution directory path straight to the extracted folder location by running:
cd C:\SWSetup\SP87753
Initiate the hardware upgrade process using the targeted silent argument flags to convert the engine directly to version 2.0:
.\TPMConfig64.exe -s -a2.0
The computer will instantly force a hard system reset. Do not disturb the device during this cycle. The display panel will remain black, and the internal cooling fans may spin at maximum velocity for 20 to 30 seconds while the flash chip writes the new microcode to the motherboard surface.
Once the machine boots back into Windows, follow these final validation steps to complete the upgrade and apply the modern certificate hierarchy:
Press Windows Key + R, type tpm.msc, and hit Enter.
The TPM Management console will open. Verify that the Specification Version now reads 2.0.
Restart the computer and tap F10 to enter the BIOS configuration utility for the final time.
Navigate to Advanced → Secure Boot Configuration.
Select the option that states Reset Secure Boot keys to factory defaults or change ownership parameters to HP Factory Keys.
Save your changes and exit to the desktop.
The updated G2 motherboard will now cleanly flush its obsolete 2011 certificate tracking tables and sign its NVRAM validation databases with the fresh, secure WINDOWS_UEFI_CA_2023 certification matrix, ensuring full system compliance.
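The validation steps above can be confirmed from an elevated PowerShell session instead of relying on tpm.msc and the BIOS screens alone. This is an added example, not part of the original notes or of any HP tooling; the function name Get-TpmUpgradeStatus is hypothetical, and the check looks for the 2023 certificate by its common name in the Secure Boot db variable.

```powershell
# Added example: post-upgrade verification (run in PowerShell as Administrator).
# Get-TpmUpgradeStatus is a hypothetical helper name, not an HP or Microsoft cmdlet.
function Get-TpmUpgradeStatus {
    # Win32_Tpm exposes the same "Specification Version" that tpm.msc displays.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm = Get-Tpm

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.16";
    # the first field is the TPM family (1.2 or 2.0).
    $family = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Confirm-SecureBootUEFI throws on legacy-BIOS boots; treat that as "off".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Read the Secure Boot allowed-signature database (db) and look for the
    # 2023 CA by the common name embedded in its certificate.
    $has2023 = $false
    try {
        $db = Get-SecureBootUEFI -Name db
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $has2023 = $text -match 'Windows UEFI CA 2023'
    } catch {
        # Variable unreadable (not elevated, or not a UEFI boot): leave as $false.
    }

    [pscustomobject]@{
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        SpecFamily      = $family
        IsTpm20         = ($family -eq '2.0')
        FirmwareVersion = $tpm.ManufacturerVersion
        SecureBootOn    = $secureBoot
        DbHasUefiCa2023 = $has2023
    }
}

$status = Get-TpmUpgradeStatus
$status | Format-List

# Flag the machine if any of the three outcomes the procedure aims for is missing.
if (-not ($status.IsTpm20 -and $status.SecureBootOn -and $status.DbHasUefiCa2023)) {
    Write-Warning 'One or more checks failed; review the fields above before signing the machine off.'
}
```

If DbHasUefiCa2023 is False after the key reset, the firmware's factory-default key set does not contain the 2023 certificate and the db has to be updated separately.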
If the cursor is still just blinking on a blank new line without giving any error or returning control to the prompt, the application has officially locked up.
On an EliteOne 800 G2 AIO, this exact freezing behavior happens because Windows Device Guard or Virtualization-Based Security (VBS) is silently isolating the kernel. The 2016-era HP flashing driver (CpqOemIf.sys or similar) is trying to touch the motherboard's physical security layers, but Windows is trapping the driver in a virtual sandbox, causing it to freeze infinitely.
We need to temporarily drop the virtualization shield so the HP utility can actually see the hardware.
First, let's stop the frozen background tool so we can reset.
In your PowerShell window, press Ctrl + C to force-break the execution.
If the prompt doesn't return, close that PowerShell window entirely, open a fresh PowerShell (Admin) window, and run this command to kill any stuck instances:
Stop-Process -Name TPMConfig64, HpFirmwareUpdRec64 -ErrorAction SilentlyContinue
We must temporarily disable the security architectures blocking legacy hardware drivers.
Open your Start Menu, type Core Isolation, and open the system settings panel.
Toggle Memory Integrity to OFF (if it isn't already).
Open your Start Menu again, type Turn Windows features on or off, and open it.
Scroll all the way to the bottom and locate these two items:
Virtual Machine Platform
Windows Hypervisor Platform
Uncheck both boxes if they are checked.
Click OK and restart your computer.
Sometimes PowerShell's internal security wrappers add an extra layer of interference. We will bypass PowerShell entirely and use the standard Windows Command Prompt.
Right-click the Start Button and select Command Prompt (Admin) or Terminal (Admin). (Ensure the window title says "Command Prompt", not PowerShell).
Change into the HP update directory:
cd C:\SWSetup\SP87753
Instead of using the automatic utility, let's look at the actual .bin update payload files stored inside your folder. Run this command to see them:
dir *.bin
You will see a file listed named something like TPM12_to_TPM20_v5.62.3126.0.bin. Execute the raw firmware utility manually by explicitly naming that bin file:
HpFirmwareUpdRec64.exe -b -p -f TPM12_to_TPM20_v5.62.3126.0.bin
(Note: Adjust the numbers at the end of the filename if yours says a slightly different version number like 5.62.x.x).
Because the virtualization shield is down and we are running through the raw command console, the HP flashing wrapper will immediately step out of the way, read the chip, and initiate the automatic 20-second hardware reboot cycle!
Because older builds of Windows 10 and 11 run Virtualization-Based Security (VBS) in the background, the system kernel blocks legacy HP flashing drivers from accessing motherboard registers. This causes the update tools to freeze infinitely without throwing errors. The hypervisor shield must be dropped from the boot configuration database before flashing.
Right-click the Windows Start Button and open Command Prompt (Admin). Do not use PowerShell for this phase.
Execute the following command to completely disable the hypervisor engine for the next boot cycle: bcdedit /set hypervisorlaunchtype off
Confirm the console displays the response: The operation completed successfully.
Restart the computer immediately to apply the configuration bypass.
If previous flash attempts have been executed, the dead tasks may still reside in system memory blocks, preventing the utility from establishing a clean connection to the security hardware interface.
Log back onto the desktop and open a fresh instance of Command Prompt (Admin).
Run the following command to terminate any hung instances of the flash utilities: taskkill /F /IM TPMConfig64.exe /IM HpFirmwareUpdRec64.exe 2>nul
With the virtualization layers disengaged and memory loops cleared, the raw update binary payload can be pushed directly down to the physical chip layer.
In your Command Prompt window, point the directory navigation directly to the extracted HP software folder path: cd C:\SWSetup\SP87753
Verify the exact name of your local firmware payload by listing the folder contents: dir *.bin
Run the low-level flashing tool by calling the file name explicitly, incorporating the batch and policy-bypass parameters. Adjust the file name if your version extension numbers differ slightly: HpFirmwareUpdRec64.exe -b -p -f TPM12_to_TPM20_v5.62.3126.0.bin
The system will process the block and immediately force a hard restart. Leave the computer undisturbed while the monitor is blank and the internal cooling fans run at high speed. The motherboard will complete the hardware transition within 20 to 30 seconds.
Once the computer successfully boots back to the desktop, the firmware conversion is complete. The system hypervisor should be restored to keep standard Windows virtualization and security defenses fully functional.
Open Command Prompt (Admin) one last time.
Execute the following string to return the boot configuration to its normal automation rules: bcdedit /set hypervisorlaunchtype auto
Restart the computer to complete the operational cycle. You are now running a certified, compliant native TPM 2.0 system.
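The procedure switches off several defenses along the way (hypervisor launch, Memory Integrity, two optional features, TPM auto-provisioning), so it is worth auditing what is actually back on after the final reboot. This is an added example, not part of the original notes; Get-PostFlashDefenseState is a hypothetical name, and the script only reports current state, which you compare against how the machine was configured before the flash.

```powershell
# Added example: report the state of everything the flash procedure turned off.
# Run in PowerShell as Administrator. Get-PostFlashDefenseState is a hypothetical name.
function Get-PostFlashDefenseState {
    # 1. Boot setting changed with "bcdedit /set hypervisorlaunchtype off".
    $line = bcdedit /enum '{current}' |
            Select-String -Pattern 'hypervisorlaunchtype' |
            Select-Object -First 1
    $launchType = if ($line) { ($line.Line.Trim() -split '\s+')[-1] } else { 'not set' }

    # 2. Virtualization-Based Security and Memory Integrity (HVCI) runtime state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbs = if (-not $dg) { 'unknown' } else {
        switch ([int]$dg.VirtualizationBasedSecurityStatus) {
            0 { 'Off' }
            1 { 'Enabled, not running' }
            2 { 'Running' }
            default { 'unknown' }
        }
    }
    # Service ID 2 in SecurityServicesRunning is hypervisor-enforced code integrity.
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # 3. Optional features unchecked in "Turn Windows features on or off".
    $features = @{}
    foreach ($name in 'VirtualMachinePlatform', 'HypervisorPlatform') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        $features[$name] = if ($f) { [string]$f.State } else { 'not available' }
    }

    # 4. TPM auto-provisioning, switched off earlier with Disable-TpmAutoProvisioning.
    $autoProv = (Get-Tpm).AutoProvisioning

    [pscustomobject]@{
        HypervisorLaunchType   = $launchType
        VbsStatus              = $vbs
        MemoryIntegrityRunning = $hvci
        VirtualMachinePlatform = $features['VirtualMachinePlatform']
        HypervisorPlatform     = $features['HypervisorPlatform']
        TpmAutoProvisioning    = $autoProv
    }
}

$state = Get-PostFlashDefenseState
$state | Format-List

if ($state.HypervisorLaunchType -eq 'Off') {
    Write-Warning 'hypervisorlaunchtype is still Off; VBS cannot start until it is set back to auto.'
}
if ("$($state.TpmAutoProvisioning)" -ne 'Enabled') {
    Write-Warning 'TPM auto-provisioning is not enabled; Windows will not take ownership of the new TPM 2.0.'
}
```

Enable-TpmAutoProvisioning is the counterpart to the Disable-TpmAutoProvisioning command used earlier, and Memory Integrity is switched back on from the same Core Isolation panel.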
If the console returns an error stating that HpFirmwareUpdRec64.exe is not recognized as an internal or external command, the Command Prompt instance has defaulted back to the root system directory and is looking in the wrong folder. You must manually point the path back to the unpacked HP tools.
Redirect the active command directory path to the SoftPaq deployment folder: cd C:\SWSetup\SP87753
Re-execute the hardware information probe once the directory path reads C:\SWSetup\SP87753>: HpFirmwareUpdRec64.exe -i
If graphical extraction utilities fail to change the folder contents or reveal the hidden flashing tools, the HP installer package can be forced to unpack its core payload layout using native execution switches via the Windows command line.
Open a standard Command Prompt terminal window.
Change the directory path to target your default user profile Downloads folder: cd %userprofile%\Downloads
Run the downloaded SoftPaq executable using the silent allocation and targeted path override switches. This bypasses the installation wizard and dumps the raw files into a clean directory: sp87753.exe /s /f "C:\SWSetup\SP87753"
If you prefer to extract the files directly onto your desktop for easy viewing, utilize this alternative path format instead: sp87753.exe /s /f "%userprofile%\Desktop\HPFiles"
Open the targeted output folder. The directory contents will now successfully display the low-level flashing engine (HpFirmwareUpdRec64.exe) alongside the complete array of security chip upgrade microcode files (*.bin).
If running the SoftPaq installer or command-line extraction tools results in a total system freeze with zero output, the file package may be corrupted or blocked by OS-level execution guards. You can use the built-in Windows cURL engine to stream the raw utility components directly into a fresh root directory, bypassing the broken installer framework entirely.
Open Command Prompt (Admin).
Generate an isolated folder directory directly on the root of the local disk: mkdir C:\HPFlash
Execute the native Windows download tool to fetch the file binary cleanly from the official HP asset repository: curl -o C:\HPFlash\HpFirmwareUpdRec64.exe https://ftp.hp.com/pub/softpaq/sp87501-88000/sp87753.exe
Wait for the transfer percentage block in the terminal window to reach 100%.
Pivot the active terminal window path into the newly created folder: cd C:\HPFlash
List the directory contents to verify the deployment engine is present: dir
The low-level firmware engine will now be fully visible and ready for execution, completely unencumbered by installer blocks.
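Because this file arrived through a bare curl download and will be run elevated to rewrite firmware, check its Authenticode signature and record its hash before executing it. This is an added example, not part of the original notes or of HP's tooling; Test-FirmwarePackage is a hypothetical name, the 'HP Inc' signer pattern is an assumption to adjust to what the certificate actually shows, and the expected SHA-256 is optional and must come from a source you trust.

```powershell
# Added example: verify a downloaded firmware package before running it.
# Test-FirmwarePackage is a hypothetical helper, not an HP or Microsoft cmdlet.
function Test-FirmwarePackage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: substring expected in the signing certificate's subject.
        [string] $ExpectedSignerPattern = 'HP Inc',
        # Optional: known-good SHA-256 obtained out of band.
        [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $hash    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Status is 'Valid' only if the file is signed, the chain is trusted and the
    # content matches the signed digest. A truncated or altered download shows
    # up as HashMismatch or NotSigned.
    $signatureOk = ($sig.Status -eq 'Valid')
    $signerOk    = $signatureOk -and ($subject -match [regex]::Escape($ExpectedSignerPattern))
    $hashOk      = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.Trim() } else { $null }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = [string]$sig.Status
        SignerSubject   = $subject
        SignerMatches   = $signerOk
        Sha256          = $hash
        HashMatches     = $hashOk      # $null when no expected hash was supplied
        SafeToRun       = $signerOk -and ($hashOk -ne $false)
    }
}

# The curl step above saved the SoftPaq under this name.
$result = Test-FirmwarePackage -Path 'C:\HPFlash\HpFirmwareUpdRec64.exe'
$result | Format-List

if (-not $result.SafeToRun) {
    Write-Warning 'Do not run this file: signature or hash check failed. Delete it and download again.'
}
```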
Now that you have the file natively downloaded into C:\HPFlash, we are in the home stretch.
Because curl pulled the raw binary package down for us, we just need to use the tool itself to unpack the rest of the missing .bin files right into that same folder. Then, we can finally run the flash command.
Once the raw executable payload is securely located inside the localized C:\HPFlash directory, the utility can be used to unpack its own internal component arrays natively, bypassing the broken Windows installer subroutines completely.
Open Command Prompt (Admin) and ensure the path reads C:\HPFlash>. If needed, navigate back to the folder using:
cd C:\HPFlash
Run the tool using the internal extraction switches to dump the underlying microcode files directly into the active folder block:
HpFirmwareUpdRec64.exe -s -p"C:\HPFlash"
Verify the binary extraction loop completed successfully by listing all available firmware files:
dir *.bin
Execute the system interrogation flag to force the motherboard to report the exact microcode version currently running on the physical security silicon:
HpFirmwareUpdRec64.exe -i
Locate the line reading Current TPM Firmware Version on your screen and note the version string family (such as 5.51 or 5.61).
Review your file list from Step 1 and identify the specific file that contains the prefix TPM12_to_TPM20 and matches your current version number.
Run the low-level flashing utility, appending the explicit file name parameters to complete the hardware transition. Change the filename at the end of this command to match your target file exactly:
HpFirmwareUpdRec64.exe -b -p -f TPM12_to_TPM20_v5.62.3126.0.bin
The system will process the instruction set and immediately execute a hard hardware reset. The monitor screen will remain completely dark and the internal machine cooling fans will spin at maximum capacity for 20 to 30 seconds while the new microcode layer is physically written to the chip surface. Do not disrupt power to the system during this operational phase. When the machine boots back to the desktop, the unit will be natively running a fully compliant TPM 2.0 architecture.
If executing the downloaded SoftPaq file displays a usage helper menu explaining the definitions of the /s, /e, and /f switches rather than processing the files, the utility is requiring an explicit target path structure to dump its archive contents.
Open Command Prompt (Admin) inside the C:\HPFlash directory path.
Execute the extraction payload command utilizing the exact switch combinations requested by the utility menu: HpFirmwareUpdRec64.exe /s /e /f C:\HPFlash
(Note: If your downloaded file retains its original naming convention from the download block, substitute the file name in the string to match: sp87753.exe /s /e /f C:\HPFlash).
Query the folder contents to verify that the raw binary files have been successfully unpacked into the workspace directory: dir *.bin
The directory will now cleanly display the true low-level firmware flashing engine alongside the update configuration files.
Query the physical motherboard security registers to read the active chip revision version: HpFirmwareUpdRec64.exe -i
Deploy the final upgrade sequence by calling the explicit binary payload name that matches your active chip version family: HpFirmwareUpdRec64.exe -b -p -f TPM12_to_TPM20_v5.62.3126.0.bin
If the extraction routine unpacks the raw firmware payloads directly into the workspace directory without automatically creating the standard Hewlett-Packard folder hierarchy, the directory path must be constructed manually on the USB media. HP motherboards expect a specific folder architecture to read files at the boot layer.
Insert a standard USB flash drive into the system, right-click the drive in File Explorer, and format it explicitly to FAT32. Note the assigned drive letter (e.g., E:).
Open Command Prompt (Admin) and switch the active drive partition to target your USB drive letter (replace E: with your drive letter): E:
Execute the directory generation command to build the exact layout required by the native UEFI firmware manager: mkdir "E:\Hewlett-Packard\BIOS\New"
Execute a copy command to push all extracted assets from the local repository directly into the newly generated USB destination path (replace E: with your drive letter): copy C:\HPFlash\*.* "E:\Hewlett-Packard\BIOS\New"
Keep the USB drive connected to the hardware interface and restart the machine.
Tap the Escape key continuously during the initial power cycle to load the HP Startup Menu.
Press F10 to enter the BIOS Setup utility configuration interface.
Navigate to the Main or Security menu tab and select Update System BIOS or Firmware Management.
Choose the option to check for updates via attached storage media. The motherboard will automatically crawl the Hewlett-Packard\BIOS\New directory structure on the USB drive, detect the valid firmware payloads, and execute the hardware flash. The system fans will ramp up to maximum speed for roughly 20 seconds while the chip completes its physical transition to native TPM 2.0.
If the installation files have already been successfully unpacked and reside exclusively on an external USB device designated as Drive G, the firmware modification utility can be triggered natively via the Windows command line targeting the storage media partition.
Insert the USB drive containing the extracted payloads into the target machine.
Launch an administrative instance of the Command Prompt console.
Switch the terminal directory focus directly to your target storage letter: G:
Navigate into the specific repository folder where your update payloads reside: cd Hewlett-Packard\BIOS\New
Query the folder matrix to list the exact firmware binary payload name matching your hardware group: dir *.bin
Highlight or copy the full filename designated with the prefix TPM12_to_TPM20.
To prevent background application freezing during hardware handshake routines, deploy the flash processing strings using silent allocation parameters. This forces the processing engine to run directly as a background kernel task:
HpFirmwareUpdRec64.exe -s -f TPM12_to_TPM20_v5.62.3126.0.bin
Note: Verify that the .bin filename parameters match the explicit string listed on your storage media.
The command prompt will pause for roughly 15 to 30 seconds while the tool stages the installation to the system pre-boot cache. The computer will then automatically trigger a hard restart. The display panel will turn completely black and the internal cooling fans will ramp to maximum speed for 20 seconds while the chip completes its microcode rewrite. Re-enable default Secure Boot protections in the F10 configuration menu upon final boot to finish the deployment.