TPM 2.0 for Windows Autopilot Securing Device and White Glove Experience
The TPM hardware gives a computer the ability to store encryption keys in a way that resists tampering. A TPM is usually required for Windows 10, 8 and 7 to enable and use encryption features such as BitLocker and, on Windows 10, Autopilot White Glove deployment. Here is how you can check whether your PC has a TPM chip, activate your TPM, or add a TPM chip to a PC that does not have one.
In a Windows 10 Autopilot White Glove deployment, TPM 2.0 is essential: Endpoint Manager relies on it to trust the system for automatic enrollment, and it protects the IT systems from enrollment by unauthentic devices. During Autopilot registration we upload the system serial number along with the hardware hash, which is attested by TPM 2.0 for system validation.
How can a user check whether the system has a TPM in Windows 10?
The built-in Windows TPM management tool tells you whether your computer has a TPM. In Windows 10 it is now part of the Security processor page in Windows Security.
Simply press the Windows key and type tpm:
The TPM is now presented as the Security processor; however, tpm.msc still exists, and you can also find TPM information by running tpm.msc.
If a machine is TPM ready, you will find Attestation Status: Ready:
Is the TPM disabled in the BIOS?
In some PCs, the TPM chip may be disabled in the device's UEFI firmware or BIOS. If the TPM chip is deactivated at this level, it does not appear in Windows at all, even though your PC does have the hardware.
To check this, restart your computer into its UEFI or BIOS setup screen. The exact procedure differs from one computer to another. Some modern PCs require the advanced startup menu of Windows 10 or 8, while others let you press a certain key, such as Delete, F1/F9/F12 or Escape, during startup. Check your machine's documentation for details, or your motherboard's documentation if you built your own PC.
Look for the TPM setting on the firmware settings screen. If it is off, enable it here, save your settings and reboot. The TPM should then be available to Windows and give you more platform-level security:
TPMs also appear in Device Manager, so it is important to make sure the TPM is not disabled there either. You can find the TPM under Computer Management > Device Manager > Security devices > Trusted Platform Module:
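The checks walked through above (TPM visible to Windows, ready, spec version 2.0, not disabled in Device Manager) can be run in one go from an elevated PowerShell session. This is an added example, not code from the original post; it assumes Windows 10 with the in-box Get-Tpm, Get-CimInstance and Get-PnpDevice cmdlets, and the function name Test-AutopilotTpmReadiness is my own.

```powershell
# Added example (not from the original post). Reports the TPM facts an admin
# wants to confirm before a White Glove deployment. Run from an elevated prompt.
function Test-AutopilotTpmReadiness {
    [CmdletBinding()]
    param()

    # Get-Tpm mirrors what tpm.msc shows: presence and readiness state.
    $tpm = Get-Tpm -ErrorAction Stop

    # Win32_Tpm exposes the spec version as a string such as "2.0, 0, 1.16";
    # a 1.2 part does not meet the TPM 2.0 requirement described above.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    # Device Manager > Security devices: a disabled or faulted TPM node reports
    # a Status other than 'OK' together with a problem code.
    $pnp = Get-PnpDevice -Class SecurityDevices -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like '*Trusted Platform Module*' } |
        Select-Object -First 1

    $result = [pscustomobject]@{
        TpmPresent      = [bool]$tpm.TpmPresent
        TpmReady        = [bool]$tpm.TpmReady
        SpecVersion     = $specVersion
        DeviceManagerOk = [bool]($pnp -and $pnp.Status -eq 'OK')
        DeviceProblem   = if ($pnp) { $pnp.Problem } else { $null }
        Issues          = @()
    }

    if (-not $result.TpmPresent)      { $result.Issues += 'No TPM visible to Windows; check UEFI/BIOS settings' }
    if (-not $result.TpmReady)        { $result.Issues += 'TPM present but not reported ready' }
    if ($specVersion -notlike '2.0*') { $result.Issues += "TPM spec version is '$specVersion'; Autopilot White Glove needs 2.0" }
    if (-not $result.DeviceManagerOk) { $result.Issues += 'TPM node missing or disabled in Device Manager' }

    return $result
}

Test-AutopilotTpmReadiness | Format-List
```

An empty Issues list means every item the post checks by hand came back as expected; anything listed points at the section above that covers it.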