
Get TPM information: How to determine if TPM is present and how to enable TPM in the BIOS


The trusted platform module (TPM) is a hardware component installed in many newer computers by computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. The TPM chip is a hardware security module on your motherboard, specified by the Trusted Computing Group consortium. Kindly refer to the following TPM-related guides: How to upgrade Windows 10 with an unsupported CPU and TPM 1.0 to Windows 11, How to Install Windows 11 in Oracle VirtualBox with no TPM Support, How to delegate permissions for backing up TPM password, How to clear the TPM via the management console or Windows Defender Center App.

The tpmtool utility can be used to get information about the Trusted Platform Module (TPM). See also these related guides: boot process, Windows 11 Feature-specific, Hardware and Software Requirements, and How to upgrade to Windows 11 from Windows 10 as a Windows Insider.

Note: TPM 2.0 is designed to be fully functional in UEFI mode. Systems must be in UEFI mode with the TPM enabled and Secure Boot configured and enabled in order to attain the expected security status.

Before discussing the command in detail later in the guide, you can quickly use these commands to check the TPM status from the command line and see whether it is enabled, activated, or owned.

wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsActivated_InitialValue
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsOwned_InitialValue

Alternatively, you can run the following command from the command line to determine whether TPM ownership has been taken. (Press CTRL + R and type cmd, then right-click cmd.exe and click Run as administrator.)

Wmic /namespace:\\root\CIMV2\Security\MicrosoftTpm path Win32_Tpm get /value

The TPM is a chip that is either integrated into the device's motherboard (not all PCs have one) or integrated into the CPU. Its purpose is to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can't access or tamper with that data. Below are the TPM states:

Disabled

  • The TPM chip is disabled, you need to enable it in the BIOS.

Enabled, Not Ready

  • No owner password is set; you need to initialize the TPM.

Enabled, Ready

  • A password is set and the TPM is ready for use.
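As an added example (not code from the original post), the following PowerShell function reads the same three Win32_Tpm properties that the wmic commands above query (IsEnabled_InitialValue, IsActivated_InitialValue, IsOwned_InitialValue) and maps them onto the three states just listed. The state names and the recommended actions are the post's; the function name, the output shape and the optional Get-Tpm cross-check are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example: classify the TPM into the states described in the post
# (Disabled / Enabled, Not Ready / Enabled, Ready) from the same Win32_Tpm
# properties the wmic commands read. Run from an elevated prompt.
function Get-TpmStateSummary {
    [CmdletBinding()]
    param()

    # Win32_Tpm lives in root\cimv2\security\microsofttpm. When the TPM is
    # absent or switched off in firmware the query returns nothing (or fails),
    # so treat both cases as "not present" rather than as a script error.
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                               -ClassName 'Win32_Tpm' -ErrorAction Stop
    } catch {
        $tpm = $null
    }

    if (-not $tpm) {
        return [pscustomobject]@{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false
            State   = 'Not present'
            Action  = 'No Win32_Tpm instance: enable the TPM in BIOS/UEFI setup, then re-run this check'
        }
    }

    # The *_InitialValue properties reflect the TPM state as seen at boot.
    $enabled   = [bool]$tpm.IsEnabled_InitialValue
    $activated = [bool]$tpm.IsActivated_InitialValue
    $owned     = [bool]$tpm.IsOwned_InitialValue

    # Map the three flags onto the states listed in the post.
    if (-not ($enabled -and $activated)) {
        $state  = 'Disabled'
        $action = 'Enable and activate the TPM in BIOS/UEFI (or queue a physical presence request)'
    } elseif (-not $owned) {
        $state  = 'Enabled, Not Ready'
        $action = 'Initialize the TPM (take ownership), e.g. via tpm.msc or Initialize-Tpm'
    } else {
        $state  = 'Enabled, Ready'
        $action = 'None required; BitLocker can use the TPM'
    }

    $summary = [pscustomobject]@{
        Present     = $true; Enabled = $enabled; Activated = $activated; Owned = $owned
        State       = $state
        Action      = $action
        SpecVersion = $tpm.SpecVersion   # e.g. a string starting with '2.0' on a TPM 2.0 device
    }

    # Optional cross-check with Get-Tpm (TrustedPlatformModule module, mentioned
    # later in the post); the WMI view and the cmdlet view should agree.
    if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
        $gt = Get-Tpm
        $agrees = $gt.TpmPresent -and ($gt.TpmEnabled -eq $enabled) -and
                  ($gt.TpmActivated -eq $activated) -and ($gt.TpmOwned -eq $owned)
        $summary | Add-Member -NotePropertyName 'GetTpmAgrees' -NotePropertyValue $agrees
    }
    return $summary
}

Get-TpmStateSummary | Format-List
```

On a TPM 2.0 system Windows provisions the TPM automatically, so a healthy machine normally lands in the "Enabled, Ready" branch; a "Not present" result with a TPM physically installed usually means the TPM is switched off in firmware, which is the case the BIOS steps later in the guide address.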

You can use the following command to quickly view the TPM information of the device.

tpmtool getdeviceinformation

You can check whether your device has a TPM via the Command Prompt: open an elevated Command Prompt and run the command below. You can also use the PowerShell cmdlet "Get-Tpm" to get the same information.

wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:tpmlist.xsl

If a TPM isn't present on the device, the command returns an error message instead of the TPM details. This command can be run from both PowerShell and the Command Prompt.

Determine if TPM is present via the TPM.MSC snapin

Ensure you have the "TPM chipset 2.0" enabled and activated on your device. There are numerous ways to determine this. You can check this via the following basic steps:
– Device Manager,
– TPM Management snap-in (tpm.msc), or
– the Windows Settings app.
I highly recommend taking a look at this guide for other steps to determine if TPM is present on your device: How to check if you have Secure Boot and TPM enabled.


Enable TPM via PowerShell

If the TPM is disabled through the BIOS settings, you have to re-enable it in BIOS or run the following Windows PowerShell command as an administrator:

$tpm = gwmi -n root\cimv2\security\microsofttpm win32_tpm
$tpm.SetPhysicalPresenceRequest(6)

After you run the command, you must restart the operating system and accept any BIOS prompts.
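The two-line snippet above issues a physical presence request and assumes it succeeded. As an added example (my code, not the post's), the function below does the same thing through the CIM cmdlets: it checks the current state first, sends the same operation number 6 (enable + activate), inspects the WMI ReturnValue, and reads the pending request back so you can see it was recorded before rebooting. The method and parameter names (SetPhysicalPresenceRequest with a Request argument, GetPhysicalPresenceRequest returning Request) are those of the Win32_Tpm class as I know it; the function name and output shape are my own.

```powershell
# Added example: queue the physical presence request the post issues
# ($tpm.SetPhysicalPresenceRequest(6)), but verify state and return value.
function Request-TpmEnableActivate {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $ns  = 'root\cimv2\security\microsofttpm'
    $tpm = Get-CimInstance -Namespace $ns -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    if (-not $tpm) {
        throw 'Win32_Tpm not found: the TPM is absent or switched off in firmware; enable it in BIOS/UEFI setup.'
    }

    # Nothing to do if the TPM is already enabled and activated.
    if ($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue) {
        return [pscustomobject]@{
            Requested = $false; Operation = 0; ReturnValue = 0; PendingRequest = 0
            RebootRequired = $false; Message = 'TPM is already enabled and activated'
        }
    }

    # Operation 6 is the "Enable + Activate" physical presence operation used in the post.
    $op = 6
    if (-not $PSCmdlet.ShouldProcess('TPM', "Queue physical presence operation $op (enable + activate)")) {
        return
    }

    # Invoke-CimMethod is the CIM equivalent of calling the method on a gwmi object.
    # ReturnValue 0 means the request was accepted; anything else is an error code.
    $result = Invoke-CimMethod -InputObject $tpm -MethodName 'SetPhysicalPresenceRequest' `
                               -Arguments @{ Request = $op }
    if ($result.ReturnValue -ne 0) {
        throw ('SetPhysicalPresenceRequest({0}) failed with return value 0x{1:X8}' -f $op, $result.ReturnValue)
    }

    # Read the pending request back. The firmware acts on it at the next boot,
    # after the user confirms the prompt, which is why a restart is required.
    $pending = Invoke-CimMethod -InputObject $tpm -MethodName 'GetPhysicalPresenceRequest'

    [pscustomobject]@{
        Requested      = $true
        Operation      = $op
        ReturnValue    = $result.ReturnValue
        PendingRequest = $pending.Request
        RebootRequired = $true
        Message        = 'Restart and accept the firmware prompt to apply the change'
    }
}

Request-TpmEnableActivate | Format-List
```

Because the function supports -WhatIf, you can run Request-TpmEnableActivate -WhatIf on a fleet first to see which machines would actually queue a request; the change itself is only applied after the reboot and the user's confirmation at the firmware prompt, exactly as the post describes.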

Enable TPM Manually

To enable the TPM (Trusted Platform Module), follow the steps discussed below. Kindly refer to this guide for more information: "How to clear, enable or disable TPM in Windows via the BIOS or UEFI".

  1. Boot the computer and press F2 to enter the BIOS setup mode.
  2. Locate the "Security" option on the left and expand it.
  3. Locate the "TPM" option nested under the "Security" setting.
  4. To enable the TPM settings, check the box labelled "TPM Security" to enable TPM hard drive security encryption.
  5. Ensure the "Activate" radio button is turned on so that the TPM option works.
  6. If the TPM is "Deactivated", or TPM Security is not enabled, the drive will not encrypt until those settings are made.
  7. TPM changes sometimes need to be verified by restarting after they are applied.

Manage-bde tpm

This section applies to Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012 only, and NOT to Windows workstation editions. To turn on the TPM, type:

manage-bde  tpm -turnon
At the time of writing this guide, this did not work on Windows 10.

Below is the command to configure the computer's Trusted Platform Module (TPM), followed by a description of all the parameters that can be used with it.

manage-bde -tpm [-turnon] [-takeownership <ownerpassword>] [-computername <name>] [{-?|/?}] [{-help|-h}]

Parameter                       Description
-turnon                         Enables and activates the TPM, allowing the TPM owner password to be set. You can also use -t as an abbreviated version of this parameter.
-takeownership                  Takes ownership of the TPM by setting an owner password. You can also use -o as an abbreviated version of this parameter.
<ownerpassword>                 Represents the owner password that you specify for the TPM.
-computername                   Specifies that manage-bde.exe will be used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this parameter.
<name>                          Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
-? or /?                        Displays brief Help at the command prompt.
-help or -h                     Displays complete Help at the command prompt.
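As an added example (not part of the original post), the PowerShell function below wraps the command documented above. It refuses to run on workstation SKUs, where the post observed manage-bde -tpm -turnon failing, by checking Win32_OperatingSystem.ProductType, forwards the optional -takeownership and -computername parameters from the table, and returns the native exit code and output as an object instead of letting them scroll past. The function and parameter names are my own.

```powershell
# Added example: run "manage-bde -tpm -turnon" only on the Windows Server SKUs
# the post says support it, and capture the result as an object.
function Invoke-ManageBdeTpmTurnOn {
    [CmdletBinding()]
    param(
        # Optional: forwarded as -computername <name> (NetBIOS name or IP address).
        [string]$ComputerName,
        # Optional: forwarded as -takeownership <ownerpassword>.
        [string]$OwnerPassword
    )

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -eq 1) {
        return [pscustomobject]@{
            Ran      = $false
            ExitCode = $null
            Output   = "manage-bde -tpm is not supported on workstation SKUs ($($os.Caption)); " +
                       'use a physical presence request or BIOS/UEFI setup instead'
        }
    }

    # Build the argument list from the parameters documented in the table above.
    $mbArgs = @('-tpm', '-turnon')
    if ($OwnerPassword) { $mbArgs += @('-takeownership', $OwnerPassword) }
    if ($ComputerName)  { $mbArgs += @('-computername', $ComputerName) }

    # 2>&1 merges manage-bde's error text into the captured output;
    # $LASTEXITCODE holds the native exit code (0 = success).
    $output = & manage-bde.exe @mbArgs 2>&1 | Out-String
    [pscustomobject]@{
        Ran      = $true
        ExitCode = $LASTEXITCODE
        Output   = $output.Trim()
    }
}

Invoke-ManageBdeTpmTurnOn | Format-List
```

A non-zero ExitCode with the output captured in the object is what you would log from a provisioning script; on a workstation the function returns Ran = $false without invoking manage-bde at all, which is the behaviour the "applies to Windows Server only" note above calls for.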

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
