TPM Chips


When you need to BitLocker hundreds of machines but can't have them restart, it is better to look for the TPM chip another way than the standard hardware check method. The best way to do this is a PowerShell CIM instance query.

Get-CimInstance -ClassName win32_tpm -ComputerName $Computer -Namespace "root\cimv2\Security\MicrosoftTPM"

We grab the Win32_Tpm class from the computer, from the namespace that lists Microsoft-compatible TPM chips. The output gives useful information that can be used later.

IsActivated_InitialValue    : True
IsEnabled_InitialValue      : True
IsOwned_InitialValue        : True
ManufacturerId              : 1398033696
ManufacturerIdTxt           : STM
ManufacturerVersion         : 73.64.17568.6659
ManufacturerVersionFull20   : 73.64.17568.6659
ManufacturerVersionInfo     :
PhysicalPresenceVersionInfo : 1.3
SpecVersion                 : 2.0, 0, 1.38
PSComputerName              : Computer1

The Trusted Computing Group has a good list of vendor IDs that can be located here.

From here we can see who built the unit and the spec version, which tells us which type of BitLocker it can handle. From there we can build logic to BitLocker the machine accordingly.
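The readiness logic described above, as an added example that is not part of the original post: it runs the same Win32_Tpm query against a list of hosts, splits SpecVersion into the spec family (1.2 or 2.0), checks the three provisioning flags, and decodes the numeric ManufacturerId into text when ManufacturerIdTxt is blank. The host names, the CSV path and the rule "all three flags must be True" are assumptions for the example; the class, namespace and property names are the ones shown in the output above.

```powershell
# Added example (not from the original post): inventory TPM state on many machines
# without rebooting any of them, then split the list into ready / not ready.
# Assumes CIM (WinRM) access to each host; the host names below are placeholders.

$Computers = @('Computer1', 'Computer2')   # placeholder host names

function ConvertFrom-TpmManufacturerId([uint32]$Id) {
    # ManufacturerId is four ASCII bytes packed big-endian:
    # 1398033696 = 0x53544D20 = "STM " (matches the ManufacturerIdTxt in the output above)
    $bytes = [BitConverter]::GetBytes($Id)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    ([Text.Encoding]::ASCII.GetString($bytes)).Trim()
}

$results = foreach ($Computer in $Computers) {
    try {
        $tpm = Get-CimInstance -ClassName Win32_Tpm `
            -Namespace 'root\cimv2\Security\MicrosoftTPM' `
            -ComputerName $Computer -ErrorAction Stop

        if ($null -eq $tpm) {
            # Namespace answered but returned no instance: the machine reports no TPM
            [pscustomobject]@{
                Computer = $Computer; HasTpm = $false; SpecFamily = $null
                Manufacturer = $null; Ready = $false; Note = 'No TPM instance returned'
            }
        }
        else {
            # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec family
            $specFamily = ($tpm.SpecVersion -split ',')[0].Trim()

            # Prefer the text field, fall back to decoding the numeric vendor ID
            $vendor = if ($tpm.ManufacturerIdTxt) { $tpm.ManufacturerIdTxt }
                      else { ConvertFrom-TpmManufacturerId $tpm.ManufacturerId }

            # Assumed readiness rule: enabled, activated and owned must all be True
            $ready = [bool]$tpm.IsEnabled_InitialValue -and
                     [bool]$tpm.IsActivated_InitialValue -and
                     [bool]$tpm.IsOwned_InitialValue

            [pscustomobject]@{
                Computer     = $Computer
                HasTpm       = $true
                SpecFamily   = $specFamily
                Manufacturer = $vendor
                Ready        = $ready
                Note         = if ($ready) { 'OK' } else { 'TPM present but not enabled/activated/owned' }
            }
        }
    }
    catch {
        # Unreachable host, WinRM blocked, or the TPM namespace missing on that OS
        [pscustomobject]@{
            Computer = $Computer; HasTpm = $null; SpecFamily = $null
            Manufacturer = $null; Ready = $false; Note = $_.Exception.Message
        }
    }
}

# Ready machines go on to the BitLocker step; the rest are exported for follow-up
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Ready } |
    Export-Csv -Path '.\tpm-not-ready.csv' -NoTypeInformation   # placeholder path
```

The SpecFamily column is what drives the branching: a 2.0 result and a 1.2 result want different BitLocker settings, and a host with HasTpm of $false or $null should never reach the encryption step until someone has looked at its Note.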