Windows 10: Verify Trusted Platform Module (TPM) Chip on Windows PC

Discussion in 'Windows 10 Tutorials' started by ARC1020, Oct 3, 2016.

  1. ARC1020 Win User

    Verify Trusted Platform Module (TPM) Chip on Windows PC


    Something I came across not long ago, is Firmware-based Trusted Platform Modules (fTPM). Whereas before in order to take advantage of a TPM you needed to have a physical TPM chip soldered to the motherboard, that seems to have changed at some point. You can now have either a Discrete TPM (Physical chip) or Firmware-based TPM.

    As per THIS article, fTPM is acknowledged by the Trusted Computing Group (TCG) as a perfectly valid form of TPM and seems to perform much the same functions as a physical TPM. For Intel, their fTPM is called Intel Platform Trust Technology (PTT). I don't know what chips/motherboards/BIOS support PTT, however due to it being Firmware based (as the name suggests) and not requiring a separate physical chip, it means for some devices it's possible to retrospectively add a TPM to devices that didn't have one before.

    Looking through the Intel NUC list, it's not just 6th gen Skylake NUCs that it's supported on, but also 5th gen Broadwell NUCs and 4th gen Haswell NUCs too. So if you have a NUC and you have the latest BIOS, then the chances are you have a TPM 2.0 module even if you didn't think you did. You just need to enable 'Intel Platform Trust Technology' in BIOS. As previously mentioned, I don't know what other manufacturers support/will support fTPM too.


    The Intel Platform Trust Technology (PTT) setting in Intel VisualBIOS:

    [Image]



    With Intel PTT on in BIOS, Device Manager and tpm.msc show a TPM 2.0 module installed.

    [Image]

    [Image]


    :)
     
    ARC1020, Oct 3, 2016
    #1
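
Added example, not part of ARC1020's post: the check that Device Manager and tpm.msc give, done from an elevated PowerShell prompt through the `Win32_Tpm` WMI class. The function name `Get-TpmSummary` and the names of the output properties are made up for this example.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt:
# the MicrosoftTpm WMI namespace is not readable by standard users.
function Get-TpmSummary {            # hypothetical helper name
    [CmdletBinding()]
    param()

    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName 'Win32_Tpm' -ErrorAction Stop |
               Select-Object -First 1
    }
    catch {
        # Access denied (not elevated) or namespace missing: report, don't guess.
        return [pscustomobject]@{ Present = $null; Error = $_.Exception.Message }
    }

    if (-not $tpm) {
        # Query worked but returned nothing: no TPM is exposed to Windows,
        # e.g. a firmware TPM such as Intel PTT that is still disabled in BIOS.
        return [pscustomobject]@{ Present = $false; Error = $null }
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.16";
    # the first field is the TPM specification version (1.2 or 2.0).
    $family  = ($tpm.SpecVersion -split ',')[0].Trim()
    $parsed  = $null
    $isTpm20 = [version]::TryParse($family, [ref]$parsed) -and
               ($parsed -ge [version]'2.0')

    [pscustomobject]@{
        Present             = $true
        Enabled             = $tpm.IsEnabled_InitialValue
        Activated           = $tpm.IsActivated_InitialValue
        Owned               = $tpm.IsOwned_InitialValue
        SpecVersion         = $family
        IsTpm20             = $isTpm20
        ManufacturerId      = $tpm.ManufacturerIdTxt    # TCG vendor ID string
        ManufacturerVersion = $tpm.ManufacturerVersion  # TPM firmware version
        Error               = $null
    }
}

Get-TpmSummary | Format-List
```

`Present = $false` after enabling PTT in BIOS usually means the setting was not saved or the machine has not been fully restarted since.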
  2. RichardEiler, Oct 3, 2016
    #2
  3. Allan Mej Win User
    TPM enabled but not found?

    Hi Roberto,

    This issue occurs because the TPM is using the OEM driver and not the Windows built-in Trusted Platform Module driver. To address your issue, we suggest reinstalling the Trusted Platform Module driver by uninstalling the TPM driver and restarting your PC.

    Let us know how things go.

    Regards.
     
    Allan Mej, Oct 3, 2016
    #3
  4. Verify Trusted Platform Module (TPM) Chip on Windows PC

    @ARC1020, v2.0 is new and is firmware based. They want people to have the ability to purchase firmware that has fTPM 2.0 so one doesn't have to go out and buy a motherboard with a TPM header, swap all the internals of their PC, install drivers, etc. Having fTPM is superior in every way to TPM 1.2 using a daughter card.

    I will simply not use daughter card TPM (1.2). I will only use fTPM 2.0. That said, Black Hat was able to crack TPM years ago, and people with a good know-how about semiconductors can "unlock" them, so it's never wise to just rely on even the fTPM.

    For my office desktop, I use 2 SED (self-encrypting drives) that encrypts any and all data on-the-fly with FIPS 140-2 certification utilizing a Secure Erase feature that destroys the drive if tampered with when it's physically put in a locked state.

    For those who do not have a TPM mobo, it's very easy to self-assign a certificate with a Yubikey so Windows recognizes it as a PIV (smart card), trust the certificate and have your own portable TPM. I issue myself a certificate from my server's CA and use my Yubikey in unison with my SED with TPM 2.0 chipset integration (more on this below in the "**EDIT**"). For my work laptop, I also use a SED + TPM + Yubikey. Per most of what I'm contracted out to do, I'm always given smart cards for encryption/access, but I can't stand the size of smart cards and the reader you use with them, so I have them load the certificates on my Yubikey 4, which I then transfer to my backup Yubikey.

    **EDIT**

    Also, daughter card TPMs are, in my opinion, wastes of money if you are truly trying to keep things safe on your PC. Sure, cryptography sticks even if someone removes the daughter card from the TPM header on the mobo, but they run on Low Bus Count (LBC), making them EXTREMELY easy to manipulate. If you are going for TPM, you want chipset integration. Intel does this with their vPro technology, which utilizes the TPM to run as an application within the Management Engine on the new architecture's Platform Control Hub.
     
    DrEmpiricism, Oct 5, 2016
    #4
  5. lx07 Win User
    TPM 2.0 isn't really new (2014) and you are aware I suppose that you can use bitlocker with hardware based encryption.

    Are you suggesting you could pull out the TPM daughter card replace it and then somehow unlock the drive? Or are you saying TPM isn't secure at all?

    Surely if it was an issue someone would have mentioned it. Should I give up on encryption then as it is all so easily bypassed?

    Or is using bitlocker with hardware encryption still the way forward?
     
    lx07, Oct 5, 2016
    #5
  6. 2.0 is new in respect to how it works, which is eons ahead of what 1.2 did/does. Even now, the majority of motherboards simply use a TPM header and require you to purchase a daughter board, which, yes, can come in either 1.2 or 2.0 versions; however, the versions are irrelevant when it comes to the fact they all run in LBC, greatly increasing the ability of semiconductor and pin manipulation and duplication. fTPM 2.0 relies on a backup method of the cryptography of its already significantly better firmware engaged TPM by having it act within the Management Engine on the Platform Control Hub. That in itself is substantial since there are constant and erratic fluctuations in the resistivity of the conductor material. This can be due to factors built in, owner/user changes, etc. Even in itself, with a daughter card TPM 1.2, or soldered TPM module, semiconductor manipulation is extremely difficult, and why machine code/electronic code algorithms are the most difficult types to interpret and code. It's also not something you can just take up in a few classes, either. This kind of manipulation needs to be oriented towards and takes years to learn, and even then, you have firmware updates to accommodate.

    I never suggested you could pull out the TPM daughter card in any way and thus access the drive as if TPM never existed. The cryptography has already been processed and the encryption has already been done. Just like if you use Bitlocker on a USB drive, simply unplugging it from the host system and plugging it in elsewhere does not remove the encryption. Encryption like that would be worse than open-source software encryption.

    You should never give up on encryption, but always remember that encryption is only as good as the methods used to encrypt. To simply have encryption on something is all well and good for moderately sensitive material; however, for critical information, processes, databases, etc. encryption is simply a layer of solid data security. It is not solid data security in itself.

    Bitlocker is mediocre. It works, yes, but it's just your basic encryption, even if you adjust the cipher settings in User/Group Policies. As an example, formatting a Bitlocked drive can be done without any backup verification. Formatting a Bitlocked drive most ways is like not using Bitlocker period because that data/partition will be easily rendered readable by many, many types of software (and a lot of freeware). An average person with the right software from the internet could format a Bitlocked drive to clear the encryption, then use a recovery tool to re-initialize that partition in an unlocked state or simply batch extract all files on the drive. Bitlocker is simply encryption designed to make you feel warm and cozy at night. A much better encryption type, that's free, is VeraCrypt. Its algorithms are robust, it uses containers (including hidden containers). Using something like VeraCrypt to create an encrypted container on a drive that has been encrypted with Bitlocker increases the safety of your material astronomically.

    As stated before, though, hardware encryption will ALWAYS supersede software encryption. Always. Using Bitlocker in conjunction with hardware-based authentication greatly increases Bitlocker's viability and security. Hardware encryption can be pricey, but you have to gauge the cost with how confident you feel about the security of your data.

    Conclusively, for the average user, Bitlocker does what it's supposed to, is fully integrated into the OS, and works (all things considered). For any user out of that aforementioned range of "average," I would investigate additional methods of encryption (like I said with using a high-cipher encrypted container with something like VeraCrypt in combination with Bitlocker). If you're dealing with such things as HIPAA, medical dictations, lists of passphrases you use to access an outside secure environment, etc., you need to start looking at pure hardware encryption and not Bitlocker with TPM or Smart Card, or Heaven forbid, just Bitlocker alone.
     
    DrEmpiricism, Oct 5, 2016
    #6
  7. Let me be clear here: I do not want people to think Bitlocker is worthless. Bitlocker works well for what it's designed to do: Safekeep what sound-minded people would keep on a personal computer. Its creation was never intended to be a concrete safety "vault."

    Using hardware + Bitlocker is the route one should go when using Bitlocker outside the range of just storing their porn folder or "warez." Hardware cryptography + encryption is a great combination. For those who have a motherboard lacking a TPM header, a Yubikey 4 can be purchased for $40 and work better because it's removable and not just a peripheral added to the motherboard.

    Even using Bitlocker in conjunction with 7zip's AES-512 to protect a collection of files works well, and again, it's free.

    I personally use a VeraCrypt container on a Bitlocked drive that is Yubikey unlocked for safekeeping moderate personal records and documents. It's an excellent combination. VeraCrypt alone surpasses 99% of paid encryption software. Features like TRULY hidden containers work exceptionally well: You will never find them, a format removes the encrypted container holding encrypted information, so the data is unrecoverable (by the great majority of software the public has access to). Even when I have done a low-level format of a Bitlocked partition with an encrypted VeraCrypt container, then used the means I have to restore the encrypted files, 99% of them were corrupt upon restoration. Using Bitlocker alone, though? I can restore a partition you format over 200+ times, write zeros to, 2-3 pass "wipers," etc. with very little data corruption.

    If you want something hardware exclusive that's cheaper, take a look at hardware encrypted flash drives. You can find AES-256+ units, or FIPS 140-2 validated USB 3.0 flash drives that are not that expensive. From there you get all the way up into what I use for my home office (due to the work I do).

    Sidenote: Always use a nice, long PIN to secure anything software locked. They're always more secure, no matter how obnoxious your password was going to be.
     
    DrEmpiricism, Oct 5, 2016
    #7
  8. Brink New Member

    Yeah, it's only available starting with Windows 10 build 17093.
     
    Brink, Apr 4, 2018
    #8
  9. Cliff S New Member
    Maybe an addition, unless you have it somewhere else for the Windows Defender Security Center


    [5 images]
     
    Cliff S, Apr 12, 2018
    #9
  10. Brink New Member
    Thank you Cliff. Added as Option Four. :)
     
    Brink, Apr 12, 2018
    #10
  11. lx07 Win User
    Only available from 1803? I don't see Device Security on 1709.
     