News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • TPM Ignorance

    • This topic has 24 replies, 7 voices, and was last updated 1 month ago.
    Author
    Topic
    #2396822

    Greetings All –

    The recent articles on Windows 11 and TPM 2.0 reminded me that I know virtually nothing about trusted platform modules.  I have a MSI Z390-A motherboard, and I’m running WIN 10 21H1 with September updates.  Entering tpm.msc in a run window told me that no TPM could be found.  I dug out my board manual and located the TPM activation entry in setup under “Security.”  TPM was disabled by default.  I’ve been running my machine that way since I built it in January of 2020.  So I enabled it, choosing the software vs hardware option.  This was purely a guess.  I chose software for no particular reason with a sub entry that auto-filled, which I left alone.  The 1st reboot took a little longer than usual.  Subsequent reboots are normal.  Running the tpm.msc run command again showed TPM is “ready to use.”  It also showed it to be version 2.0.  My questions are what have I done, and what am I supposed to do now.  I’ve been kind of busy, so I haven’t visited the forum in a while.  I could use some education..  Thanks.

    Casey H.

    Viewing 17 reply threads
    Author
    Replies
    • #2396871

      This article says that hardware TPM is more protected against malware.  https://www.digitaltrends.com/computing/what-is-tpm/  TPM is related to the keys used for secure boot and bitlocker, making it harder for rootkit viruses to install or function.

      Secure boot and Bitlocker have pros and cons.  Secure boot makes it harder to boot alternate operating systems (Linux) or bootable recovery or backup software.  Bitlocker can reduce performance and cause you to lose access to your data in some cases like reinstalling windows or non-bootable windows, if you do not have the backup of the recovery key.

      Do you want secure boot, bitlocker, or to install Windows 11 soon?  For now, I would verify your chosen antivirus software is working properly.  Add Malwarebytes as a second layer of protection.  Research Windows 11, but for now I suggest you block it and stay on Windows 10.  Block it by setting TRV to your preferred feature edition, or like this https://www.askwoody.com/forums/topic/settings-to-stay-on-windows-10-but-allow-all-future-updates-for-windows-10/

      1 user thanked author for this post.
    • #2396922

      Thanks anonymous.  I’ll check out the article.  I do not use secure boot, and I only use bitlocker on certain partitions that contain sensitive data, non of which are located on the drive that holds the operating system.  I also have WIN 11 blocked via the strategy described for group policy editor.  I ‘m just wondering if there’s anything else I need to do, and how enabling TPM has affected my system.  I’m also wondering about the two choices in BIOS, if I should change what I’ve done (hardware vs software), and how the associated subsets affect things.  Like I said, I accepted the value that auto-filled when I selected “software.”  Perhaps the article will clear things up.

      Casey H.

    • #2396927

      I finally installed the TPM 2.0 module that has been sitting around for 4 months.

      I ordered it for $15 the day the initial MS announcement went out about the new requirement. I just wanted to be prepared, although had no plans to upgrade from Windows 10 Pro any time soon.

      Because I use BitLocker with either a startup PIN, or a startup key, I was uncertain if adding the TPM 2.0 would rock the boat, causing a do over with BitLocker.

      Well good news! I plugged it into my ASUS Prime Z390-A board today, and Windows reports that TPM 2.0 is now available! I just made sure that discrete TPM was selected in the BIOS and rebooted. That was all that was needed. The alternative is to enable the firmware TPM (Intel PTT).

      I also tested my Macrium boot USB, and it worked fine. I have the startup key embedded, and it automatically unlocked BitLocker, as usual.

      This attachment shows the Group Policy settings that I have setup. I initially had this policy enabled so that I could use BitLocker without a compatible TPM (mandatory if you do not have one). Didn’t have to change anything here.

      • This reply was modified 1 month, 1 week ago by JohnW. Reason: Corrected typo
    • #2396926

      Make sure to backup your Bitlocker recovery key so you do not lose that data.  Since you use Bitlocker, I would probably set TPM enabled and to hardware mode.  That will store the Bitlocker keys partially in the TPM, making them harder for malware to intercept.

      I mentioned the cons of Secure Boot above – difficulty with Linux and recovery software, but I did not go into the pros – higher confidence that the operating system is booting without a rootkit.  If you have a good backup strategy and do not boot other things, since you are already using Bitlocker I would probably turn it on.

      I agree with waiting on Windows 11.  Unless it provides something you see as a real benefit I would delay it until either software you use requires it or we get close to the EOL for Windows 10 patches.

    • #2396942

      I would probably set TPM enabled and to hardware mode.

      I mentioned that I did so above. Asus refers to TPM hardware mode as “Discrete”, vs.”firmware”.

    • #2396944

      I mentioned the cons of Secure Boot above – difficulty with Linux and recovery software

      My Macrium USB recovery disk boots just fine with secure boot enabled, (and has the BitLocker unlock key embedded). I also have several more copies of the key stashed away securely.

      Macrium Reflect is scheduled to run a full disk image every night, so have a very good recovery strategy in place. 🙂

      The point of my post was that I enabled hardware TPM successfully without messing up BitLocker, which I have been using without issue for 5 years.

    • #2396957

      Thank you for those reports, Macrium working and being able to store the key, and enabling hardware = discrete TPM not messing up Bitlocker are great things to know.

      1 user thanked author for this post.
    • #2396972

      Macrium working and being able to store the key

      That’s fairly simple to achieve. There is an option in the Macrium Rescue Media wizard that handles that automatically if you enable it. So you can then do a full disk restore into the existing encrypted disk, without having to re-encrypt afterwards… the alternative to first unlocking BitLocker is to blow away the encrypted drive during the restore. That works too. The image itself  is “in the clear” by default.

      Automatically unlocking BitLocker encrypted drives

      Macrium Reflect can include the components and decryption keys necessary to automatically unlock Microsoft BitLocker encrypted drives in Windows PE.

      In the Rescue Media Builder select ‘Add BitLocker Support’ and ‘Automatically unlock BitLocker Volumes’.

      • #2397599

        does that mean different boot disks for different computers??

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
    • #2397192

      It seems the consensus is that hardware is better than software.  I went back into setup to try to change things.  The software/hardware option was no longer available.  Only the subset was viewable below the enabled/disabled selection.  The info dialogue said PTT was for software (this is what auto-filled when I first chose software on initial setup), and dTPM was for hardware.  I changed PTT to dTPM and rebooted.  Running tpm.msc now showed no tpm detected.  I went back into setup and set the function to disabled in hopes that returning to the menu again, the hardware/software option would again show up.  No luck.  So I changed dTPM back to PTT, and once again version 2.0 shows up and the message says TPM is ready to use.  Ready to use for what? The only thing that seems to be available for manipulation at this point is to clear the TPM to remove ownership and reset it to factory defaults.  I still have no idea how enabling TPM has affected my system and if it is even relevant for my use, other than I need to have it in the distant future for installing Windows 11.

      Casey H.

      • #2397214

        Have a look at Settings > Updates & Security > Windows Security > Device security > Security processor details to see if all is well. See also Trusted Platform Module. In particular TPM and Windows Features shows a table defines which Windows features require TPM support.

        HP Compaq 6000 Pro SFF PC / Windows 10 Pro / 21H1
        Intel®Core™2 “Wolfdale” E8400 3.0 GHz / 8.00 GB
      • #2397301

        Hi Casey,

        The Intel PTT (Platform Trust Technology) is a firmware version of TPM 2.0 available in case a discrete (hardware) TPM module is not installed. https://www.intel.com/content/www/us/en/support/articles/000007452/intel-nuc.html

        You can only select the hardware version in the BIOS if the module is present.

        I have a similar motherboard, the ASUS Z390-A, with the Intel Z390 chipset. It only shipped with an empty 7-pin header (socket) for the TPM module, so I had to order the part and install it. Your manual should show the location on your board where this is located, so you can inspect and confirm if there is actually one on-board. But I would suspect it’s probably not.

        But the BIOS and the hardware should be ready for either configuration that you choose.

        • This reply was modified 1 month ago by JohnW. Reason: Corrected typo
        1 user thanked author for this post.
    • #2397207

      Is there a TPM installed in your TPM header on the motherboard?  Maybe not.  See here https://www.msi.com/blog/How-to-Enable-TPM-on-MSI-Motherboards-Featuring-TPM-2-0 If the header is empty you can only use PTT.  Windows 11 will still install (if the other requirements are met or bypassed).

      Enabling TPM changes where bitlocker and secure boot keys are stored, making them more secure.  This reduces the chance that a rootkit will work.  To get this benefit from it you should have Secure Boot on, which is also a Windows 11 requirement.

      1 user thanked author for this post.
    • #2397402

      There does not appear to be a hardware TPM module installed.  There is a 14 pin connector labeled TPM Module connector that has nothing plugged into it.  (As a side issue, I am wondering that if I had a device plugged into this connector, where would the device itself be located?)  The motherboard manual references a TPM Security Platform Manual for additional information.  That manual did not come in the box, nor is it listed on the MSI website.

      As far as my TPM setup goes, it’s listed as being manufactured by Intel: version 403.1.0.0; Spec 2.0; PPI Spec 1.3; TPM sub-version spec 1.38 (1/18/2018); PC Client Spec 1.03.

      Additionally, I made a mistake when I said I was not using Secure Boot.  I had confused the term with Fast Boot.  In the setup boot menu, I had Legacy+UEFI enabled.  I changed that to UEFI only.  Now I need to check and make sure that my Macrium Reflect flash drive and Windows recovery flash drive both work with this new setup.

      And I still don’t understand what I have either gained or lost by making these changes.  Thanks.

      Casey H.

    • #2397412

      I see from various photos that the module just plugs into the connector: ancillary questioned answered.  The question now is whether to buy one or just go with what’s already there.

      Casey H.

    • #2397406

      Enabling TPM allows all the feature linked by Eyesonwindows that say yes in the TPM  required column https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features

      A few of them are “Windows Defender System Guard” and “Measured Boot”   Both of these are meant to block or allow easier detection by antimalware software of if you have been taken over by a rootkit.  Measured boot is a log of events during boot.

      If you don’t use Linux you are not likely to see any bad effect from TPM on or Secure Boot.

    • #2397422

      As far as my TPM setup goes, it’s listed as being manufactured by Intel: version 403.1.0.0; Spec 2.0; PPI Spec 1.3; TPM sub-version spec 1.38 (1/18/2018); PC Client Spec 1.03.

      There is a hardware TMP (module) and Firmware TMP embedded in Intel (PTT) and AMD (fTPM) CPUs.

      1 user thanked author for this post.
      • #2397588

        That sounds like I should be able to go back and choose the hardware version.  Initially both hardware and software options were visible in setup.  After initially selecting “software,” the hardware option is no longer visible for selection.  I tried temporarily disabling TPM to see if the hardware option became visible again.  No such luck.  There is a clear TPM option in the TPM.msc window that says it returns things to the default condition.  Do you suppose that clicking on it would make the hardware choice become visible in setup again?

        Casey H.

        • #2397716

          A little more research, and it looks like the “hardware” TPM built into Intel CPUs is the firmware option.  So it would seem that the choice is whether to buy a standalone TPM module that plugs into the board or keep what I already have activated in Setup.  Unless anyone can come up with a compelling reason to change, I think I’ll stick with what I have.  Just how “more secure” is the stand alone module?

          Casey H.

    • #2397439

      There is a 14 pin connector labeled TPM Module connector that has nothing plugged into it.

      That’s what I had. I erroneously typed 7-pin in my post, but it’s too late to edit it.

      It’s actually two rows of 7, with one pin missing on one row. So technically there’s only 13 pins.

      Attached is a pic of my module, which plugged directly into the header, no cable required.

      If I had known that PTT firmware was also available, I might not have bothered to order the physical TPM module.

      • This reply was modified 1 month ago by JohnW. Reason: Edit typo
      1 user thanked author for this post.
    • #2397462

      In the AskWoody article, Brian says to run tpm.msc & check that TPM 1.2 is enabled. When I run on my PC, it says the it is “ready for use”. Is this the same as enabled?

      • #2397538

        Yes.

        Windows 10 Pro version 21H2 build 19044.1387 + Microsoft 365 (group ASAP)

    • #2397721

      A little more research, and it looks like the “hardware” TPM built into Intel CPUs is the firmware option.  So it would seem that the choice is whether to buy a standalone TPM module that plugs into the board or keep what I already have activated in Setup.  Unless anyone can come up with a compelling reason to change, I think I’ll stick with what I have.  Just how “more secure” is the stand alone module?

      Casey H.

      You are correct. The option built into the CPU is the firmware option for Intel products referred to as PTT, but represents a itself as TPM 2.0 to the system.

      The hardware option requires a “discrete” physical TPM 2.0 module plugged into the motherboard. Either option should meet the Microsoft TPM requirements for Win 11.

      As far as which TPM option is more secure, refer back to the link posted by forum member “anonymous” in the first reply to this thread.

    • #2398293

      Not sure if I should start a new thread or not, but a continuation of post TPM activation brought me to the core isolation selection/memory integrity selection in settings.  It was unable to activate because of two driver conflicts.  I deleted them both: one deletion was fine, but the other was one of the two CD ROM drivers.  One driver is CDROM.sys, and the other is PxHlpa64.sys.  The latter is from Corel Corp, which no doubt got installed when I installed WINDVD Pro 11 awhile back.  I was hoping to get by with just the first driver, but Device Mgr squawked along with a Code 39 message.  I temporarily put a dot old at the end of the file name, activated Core Isolation, then removed the old designation.  Windows squawked and turned off the Memory Integrity feature.  I’ve worked considerably with the folks at Corel on this software, so everything in it is as current as will likely to be.  I look to be up the proverbial creek.

      Casey H.

    Viewing 17 reply threads
    Reply To: TPM Ignorance

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.