Need a laptop with a TPM?

For the third time in a week someone asked the question "If I want to use BitLocker with a Trusted Platform Module (TPM), which computer should I get?"

Wonderful question. For some reason, the hardware vendors seem to treat the TPM chip as the ugly stepchild that they do their best to ensure nobody knows they have. Some even ship with the chip disabled in the BIOS by default. And, if you want to find out whether a particular computer has one, be prepared to read long and geeky tech specs, looking for keywords like "TPM 1.1", or, if the manufacturer decides to make things a bit snazzier, keywords like "HP ProtectTools Embedded Security", which is HP marketing speak for "it has a TPM chip."

I finally found a decent resource. Wave, makers of software that utilizes the TPM, provides a matrix of platforms that ship with a TPM and, if they know, which version. To run BitLocker with a TPM, you must have a version 1.2 TPM chip. The page is not entirely up to date. For example, the HP nx9420, 8510p, and HP6715b all have a TPM chip, but are not listed. For Lenovo, they list only "ThinkPad Notebooks", when, in fact, the T-series and X-series both have version 1.2 compliant TPM chips. The Dell Latitude Dx20 and Dx30 also have a version 1.2 chip, but only the Dx20s are listed.

If you have a computer that should have one but BitLocker says you do not have one, check to see if it is enabled. Windows Vista Enterprise and Ultimate will detect it automatically. Open Computer Management, click the Device Manager node, and see if there is a "Security Devices" node there. If there is, expand it. You should see a Trusted Platform Module there, complete with version. If you do not, check the BIOS. Dell, for example, ships with the TPM turned off. Go into the BIOS and look under the Security entry or tab. There may be a TPM or "TPM Security" entry there. See if the chip is disabled. Enable it and Windows Vista will pick it up the next time you boot.
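The same check can be scripted instead of clicking through Device Manager. This is an added example, not code from the original post; it assumes Windows Vista or later with PowerShell and administrator rights, and uses the Win32_Tpm WMI class that Windows exposes once the chip is enabled.

```powershell
# Added example (not from the original post): query the TPM through WMI rather than
# Device Manager. Assumes Vista or later, PowerShell, and an elevated prompt; the
# Win32_Tpm class lives in the MicrosoftTpm namespace.
$ns  = 'root\CIMV2\Security\MicrosoftTpm'
$tpm = Get-WmiObject -Namespace $ns -Class Win32_Tpm -ErrorAction SilentlyContinue

if (-not $tpm) {
    # No instance at all: either the board has no TPM, or the chip is switched off in
    # the BIOS so Windows never enumerated it under "Security Devices".
    Write-Output 'No TPM visible to Windows. Check the BIOS Security tab for a TPM entry.'
    return
}

# SpecVersion is a comma-separated string whose first field is the TCG spec level,
# e.g. "1.2, 2, 0". BitLocker on Vista requires 1.2.
$spec = ($tpm.SpecVersion -split ',')[0].Trim()

# The IsEnabled/IsActivated/IsOwned methods report the current state; the matching
# *_InitialValue properties hold the state at boot, which is what BitLocker saw.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned

Write-Output ("TPM spec version : {0}" -f $spec)
Write-Output ("Manufacturer ID  : {0}" -f $tpm.ManufacturerId)
Write-Output ("Enabled          : {0} (at boot: {1})" -f $enabled, $tpm.IsEnabled_InitialValue)
Write-Output ("Activated        : {0} (at boot: {1})" -f $activated, $tpm.IsActivated_InitialValue)
Write-Output ("Owned            : {0}" -f $owned)

if ($spec -ne '1.2') {
    Write-Output 'BitLocker with a TPM needs a version 1.2 chip.'
} elseif (-not ($enabled -and $activated)) {
    Write-Output 'TPM present but not enabled/activated; turn it on in the BIOS and reboot.'
} else {
    Write-Output 'TPM is ready for BitLocker.'
}
```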

Published 31 October 2007 09:50 PM by jesper

Comments

# Chris said on 01 November, 2007 10:52 AM

I was extremely frustrated the other day when trying to find a motherboard with the TPM chipset.  I was building an office workstation and wanted to be able to leverage BitLocker to protect the drive contents.  As mentioned in this article I was unable to locate an appropriate motherboard and ended up using a USB drive as my key.  It's hard to understand why the TPM chipset hasn't taken off.

# Harry Johnston said on 01 November, 2007 03:47 PM

I suspect the problem is that TPM was originally promoted as the magic bullet that would solve all computer security problems.  Nonsense, of course, as was pointed out numerous times.  Unfortunately the upshot is that it makes people uneasy if they don't know any of the useful things it actually /can/ do - which I suspect not many people do.

Personally, the only example I've seen of it being useful is BitLocker.  Do you have any others?

... just to provide an example of the reasons TPM is treated with suspicion, I remember hearing that it would allow applications to know whether an input keystroke was really from the keyboard or not.  That's not a good thing if you're using a computer remotely, or using scripting to perform a silent installation, so I was left with the impression that TPM had the potential to break essential functionality.

Then there's all the FUD, such as the story that only software authorized by Microsoft would run on TPM computers.  I knew that one was wrong, but how do you explain that to the paranoid?

So I guess the summary is that customers needing TPM will probably know enough to go looking for it; customers who don't will probably be worried by it.  Doesn't add up to a good advertising point. :-)

# matt said on 02 November, 2007 10:04 AM

Once enabled in BIOS, tpm.msc is a reliable mechanism for determining the specs of your TPM.

# Robert Millan said on 08 November, 2007 05:37 AM

You don't have to be paranoid, or lack understanding to be worried about Treacherous Computing.  When you think about the implications of the evil features it *does* include, it's normal you want to avoid it like the plague.

I'm talking, of course, about remote attestation.
