Verify Trusted Platform Module (TPM) Chip on Windows PC

    How to Check if Windows PC has a Trusted Platform Module (TPM) Chip
    Published by Brink (Administrator)
    Category: Hardware & Drivers
    07 Nov 2017
    Designer Media Ltd

    Information
    Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
    • Generate, store, and limit the use of cryptographic keys.
    • Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into the chip.
    • Help ensure platform integrity by taking and storing security measurements.

    The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.

    TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.

    Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG).

    Windows can automatically provision and manage the TPM. Group Policy settings can be configured to control whether the TPM owner authorization value is backed up in Active Directory. Because the TPM state persists across operating system installations, TPM information is stored in a location in Active Directory that is separate from computer objects. Depending on an enterprise’s security goals, Group Policy can be configured to allow or prevent local administrators from resetting the TPM’s dictionary attack logic. Standard users can use the TPM, but Group Policy controls limit how many authorization failures standard users can attempt so that one user is unable to prevent other users or the administrator from using the TPM. TPM technology can also be used as a virtual smart card and for secure certificate storage. With BitLocker Network Unlock, domain-joined computers are not prompted for a BitLocker PIN.

    For more details about TPM, see:


    This tutorial will show you how to check if your Windows PC has a Trusted Platform Module (TPM) security hardware chip, and what version if available.


    CONTENTS:
    • Option One: To See if PC has a TPM in Device Manager
    • Option Two: To See if PC has a TPM in TPM Management snap-in console
    • Option Three: To See if PC has a TPM in BIOS or UEFI Firmware Settings





    OPTION ONE
    To See if PC has a TPM in Device Manager

    1. Press the Win+R keys to open Run, type devmgmt.msc, and click/tap on OK to open Device Manager.

    2. Look to see if you have Security devices listed. If you do, expand it to see if a Trusted Platform Module device is listed with a version number (ex: 1.2).







    OPTION TWO
    To See if PC has a TPM in TPM Management snap-in console

    1. Press the Win+R keys to open Run, type tpm.msc, and click/tap on OK to open the TPM Management snap-in.

    2. Look to see if the TPM Management console shows your PC having a TPM available or not.







    OPTION THREE
    To See if PC has a TPM in BIOS or UEFI Firmware Settings

    1. Boot the computer to BIOS or UEFI firmware settings.

    2. Look to see if there is a Trusted Platform Module (TPM) setting to enable or disable.




    That's it,
    Shawn
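
The Device Manager and tpm.msc checks above can also be scripted. The PowerShell below is an added example, not part of the original tutorial; the function names are made up here, and it assumes an elevated session on a Windows version that provides the Win32_Tpm WMI class and the Get-PnpDevice cmdlet.

```powershell
# Added example (not from the tutorial). Function names are illustrative.
function ConvertFrom-TpmSpecVersion {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3":
    # spec version, level, revision. The first field is the TPM version.
    param([string]$SpecVersion)
    if ([string]::IsNullOrWhiteSpace($SpecVersion)) { return $null }
    ($SpecVersion -split ',')[0].Trim()
}

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TpmSummary {
    if (-not (Test-IsElevated)) {
        # Without elevation the WMI query is denied, which would otherwise
        # be indistinguishable from "no TPM".
        throw 'Run this from an elevated PowerShell session.'
    }

    # Option One equivalent: Device Manager > Security devices.
    $pnp = Get-PnpDevice -Class SecurityDevices -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like 'Trusted Platform Module*' } |
        Select-Object -First 1

    # Option Two equivalent: the TPM presence and version that tpm.msc reports.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    if (-not $tpm) {
        return [pscustomobject]@{
            TpmVisible = $false
            Note       = 'No TPM exposed to Windows. Check the firmware setting (Option Three).'
        }
    }

    [pscustomobject]@{
        TpmVisible     = $true
        TpmVersion     = ConvertFrom-TpmSpecVersion $tpm.SpecVersion
        SpecVersionRaw = $tpm.SpecVersion
        Manufacturer   = $tpm.ManufacturerIdTxt
        Enabled        = $tpm.IsEnabled_InitialValue
        Activated      = $tpm.IsActivated_InitialValue
        Owned          = $tpm.IsOwned_InitialValue
        DeviceManager  = if ($pnp) { "$($pnp.FriendlyName) [$($pnp.Status)]" } else { 'not listed' }
    }
}

Get-TpmSummary | Format-List
```

A result of `TpmVisible = False` only means Windows cannot see a TPM; the chip or firmware TPM may still exist but be disabled in BIOS/UEFI, which is what Option Three checks.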
  1.    03 Oct 2016 #1
    Join Date : Feb 2014
    Posts : 487

    Something I came across not long ago is Firmware-based Trusted Platform Modules (fTPM). Whereas before in order to take advantage of a TPM you needed to have a physical TPM chip soldered to the motherboard, that seems to have changed at some point. You can now have either a Discrete TPM (Physical chip) or Firmware-based TPM.

    As per THIS article, fTPM is acknowledged by the Trusted Computing Group (TCG) as a perfectly valid form of TPM and seems to perform much the same functions as a physical TPM. For Intel, their fTPM is called Intel Platform Trust Technology (PTT). I don't know what chips/motherboards/BIOS support PTT, however due to it being Firmware based (as the name suggests) and not requiring a separate physical chip, it means for some devices it's possible to retrospectively add a TPM to devices that didn't have one before.

    Looking through the Intel NUC list, it's not just 6th gen Skylake NUCs that it's supported on, but also 5th gen Broadwell NUCs and 4th gen Haswell NUCs too. So if you have a NUC and you have the latest BIOS, then the chances are you have a TPM 2.0 module even if you didn't think you did. You just need to enable 'Intel Platform Trust Technology' in BIOS. As previously mentioned, I don't know what other manufacturers support/will support fTPM too.


    The Intel Platform Trust Technology (PTT) setting in Intel VisualBIOS:


    With Intel PTT on in BIOS, Device Manager and tpm.msc show a TPM 2.0 module installed.
  2.    06 Oct 2016 #2
    Join Date : Aug 2016
    Posts : 30
    Windows 10 Pro for Workstations

    @ARC1020, v2.0 is new and is firmware based. They want people to have the ability to purchase firmware that has fTPM 2.0 so one doesn't have to go out and buy a motherboard with a TPM header, swap all the internals of their PC, install drivers, etc. Having fTPM is superior in every way to TPM 1.2 using a daughter card.

    I will simply not use daughter card TPM (1.2). I will only use fTPM 2.0. That said, Black Hat was able to crack TPM years ago, and people with a good know-how about semiconductors can "unlock" them, so it's never wise to just rely on even the fTPM.

    For my office desktop, I use 2 SED (self-encrypting drives) that encrypts any and all data on-the-fly with FIPS 140-2 certification utilizing a Secure Erase feature that destroys the drive if tampered with when it's physically put in a locked state.

    For those who do not have a TPM mobo, it's very easy to self-assign a certificate with a Yubikey so Windows recognizes it as a PIV (smart card), trust the certificate and have your own portable TPM. I issue myself a certificate from my server's CA and use my Yubikey in unison with my SED with TPM 2.0 chipset integration (more on this below in the "**EDIT**"). For my work laptop, I also use a SED + TPM + Yubikey. Per most of what I'm contracted out to do, I'm always given smart cards for encryption/access, but I can't stand the size of smart cards and the reader you use with them, so I have them load the certificates on my Yubikey 4, which I then transfer to my backup Yubikey.

    **EDIT**

    Also, daughter card TPMs are, in my opinion, wastes of money if you are truly trying to keep things safe on your PC. Sure, cryptography sticks even if someone removes the daughter card from the TPM header on the mobo, but they run on Low Bus Count (LBC), making them EXTREMELY easy to manipulate. If you are going for TPM, you want chipset integration. Intel does this with their vPro technology, which utilizes the TPM to run as an application within the Management Engine on the new architecture's Platform Control Hub.
    Last edited by DrEmpiricism; 06 Oct 2016 at 12:31.
  3.    06 Oct 2016 #3
    Join Date : Jul 2015
    Posts : 3,820
    10 Pro

    Quote Originally Posted by DrEmpiricism View Post
    v2.0 is new and can be firmware based <snip>Black Hat was able to crack TPM years ago, and people with a good know-how about semiconductors can "unlock" them.<snip> Ultimately no software beats hardware encryption or cryptography.
    TPM 2.0 isn't really new (2014) and you are aware I suppose that you can use bitlocker with hardware based encryption.

    Are you suggesting you could pull out the TPM daughter card replace it and then somehow unlock the drive? Or are you saying TPM isn't secure at all?

    Surely if it was an issue someone would have mentioned it. Should I give up on encryption then as it is all so easily bypassed?

    Or is using bitlocker with hardware encryption still the way forward?
  4.    06 Oct 2016 #4
    Join Date : Aug 2016
    Posts : 30
    Windows 10 Pro for Workstations

    Quote Originally Posted by lx07 View Post
    TPM 2.0 isn't really new (2014) and you are aware I suppose that you can use bitlocker with hardware based encryption.

    Are you suggesting you could pull out the TPM daughter card replace it and then somehow unlock the drive? Or are you saying TPM isn't secure at all?

    Surely if it was an issue someone would have mentioned it. Should I give up on encryption then as it is all so easily bypassed?

    Or is using bitlocker with hardware encryption still the way forward?
    2.0 is new in respect to how it works, which is eons ahead of what 1.2 did/does. Even now, the majority of motherboards simply use a TPM header and require you to purchase a daughter board, which, yes, can come in either 1.2 or 2.0 versions; however, the versions are irrelevant when it comes to the fact they all run in LBC, greatly increasing the ability of semiconductor and pin manipulation and duplication. fTPM 2.0 relies on a backup method of the cryptography of its already significantly better firmware engaged TPM by having it act within the Management Engine on the Platform Control Hub. That in itself is substantial since there are constant and erratic fluctuations in the resistivity of the conductor material. This can be due to factors built in, owner/user changes, etc. Even in itself, with a daughter card TPM 1.2, or soldered TPM module, semiconductor manipulation is extremely difficult, and why machine code/electronic code algorithms are the most difficult types to interpret and code. It's also not something you can just take up in a few classes, either. This kind of manipulation needs to be oriented towards and takes years to learn, and even then, you have firmware updates to accommodate.

    I never suggested you could pull out the TPM daughter card in any way and thus access the drive as if TPM never existed. The cryptography has already been processed and the encryption has already been done. Just like if you use Bitlocker on a USB drive, simply unplugging it from the host system and plugging it in elsewhere does not remove the encryption. Encryption like that would be worse than open-source software encryption.

    You should never give up on encryption, but always remember that encryption is only as good as the methods used to encrypt. To simply have encryption on something is all well and good for moderate sensitive material; however, for critical information, processes, databases, etc. encryption is simply a layer of solid data security. It is not solid data security in itself.

    Bitlocker is mediocre. It works, yes, but it's just your basic encryption, even if you adjust the cipher settings in User/Group Policies. As an example, formatting a Bitlocked drive can be done without any backup verification. Formatting a Bitlocked drive most ways is like not using Bitlocker period because that data/partition will be easily rendered readable by many, many types of software (and a lot of freeware). An average person with the right software from the internet could format a Bitlocked drive to clear the encryption, then use a recovery tool to re-initialize that partition in an unlocked state or simply batch extract all files on the drive. Bitlocker is simply encryption designed to make you feel warm and cozy at night. A much better encryption type, that's free, is VeraCrypt. Its algorithms are robust, it uses containers (including hidden containers). Using something like VeraCrypt to create an encrypted container on a drive that has been encrypted with Bitlocker increases the safety of your material astronomically.

    As stated before, though, hardware encryption will ALWAYS supersede software encryption. Always. Using Bitlocker in conjunction with hardware-based authentication greatly increases Bitlocker's viability and security. Hardware encryption can be pricey, but you have to gauge the cost with how confident you feel about the security of your data.

    Conclusively, for the average user, Bitlocker does what it's supposed to, is fully integrated into the OS, and works (all things considered). For any user out of that aforementioned range of "average," I would investigate additional methods of encryption (like I said with using a high-cipher encrypted container with something like VeraCrypt in combination with Bitlocker). If you're dealing with such things as HIPAA, medical dictations, lists of passphrases you use to access an outside secure environment, etc., you need to start looking at pure hardware encryption and not Bitlocker with TPM or Smart Card, or Heaven forbid, just Bitlocker alone.
  5.    06 Oct 2016 #5
    Join Date : Aug 2016
    Posts : 30
    Windows 10 Pro for Workstations

    Let me be clear here: I do not want people to think Bitlocker is worthless. Bitlocker works well for what it's designed to do: Safekeep what sound-minded people would keep on a personal computer. Its creation was never intended to be a concrete safety "vault."

    Using hardware + Bitlocker is the route one should go when using Bitlocker outside the range of just storing their porn folder or "warez." Hardware cryptography + encryption is a great combination. For those who have a motherboard lacking a TPM header, a Yubikey 4 can be purchased for $40 and work better because it's removable and not just a peripheral added to the motherboard.

    Even using Bitlocker in conjunction with 7zip's AES-512 to protect a collection of files works well, and again, it's free.

    I personally use a VeraCrypt container on a Bitlocked drive that is Yubikey unlocked for safe keeping moderate personal records and documents. It's an excellent combination. VeraCrypt alone surpasses 99% of paid encryption software. Features like TRULY hidden containers work exceptionally well: You will never find them, a format removes the encrypted container holding encrypted information, so the data is unrecoverable (by the great majority of software the public has access to). Even when I have done a low-level format of a Bitlocked partition with an encrypted VeraCrypt container, then used the means I have to restore the encrypted files, 99% of them were corrupt upon restoration. Using Bitlocker alone, though? I can restore a partition you format over 200+ times, write zeros to, 2-3 pass "wipers," etc. with very little data corruption.

    If you want something hardware exclusive that's cheaper, take a look at hardware encrypted flash drives. You can find AES-256+ units, or FIPS 140-2 validated USB 3.0 flash drives that are not that expensive. From there you get all the way up into what I use for my home office (due to the work I do).

    Sidenote: Always use a nice, long PIN to secure anything software locked. They're always more secure, no matter how obnoxious your password was going to be.