15.6" IONICO® TPM module?

SpyderTracks

We love you Ukraine
I should clarify that.

A physical hardware TPM chip isn't present on any device. PC motherboards always have a TPM header, but that's a modular upgrade you have to purchase separately.

But with regard to Windows 11, you don't need a physical TPM chip; you can run what's known as fTPM, which stands for firmware TPM and is a BIOS-controlled version of TPM. All motherboards have that.
 

MarkMailer39

New member
OK, makes sense - so for an Intune-enrolled device, we can implement full disk encryption without any need for a password?

But Windows 11 only, so FDE on Windows 10 would need a boot password?
 

SpyderTracks

We love you Ukraine
AFAIK, the only requirement for BitLocker is TPM v1.2 or above:

Device Prerequisites

A device must meet the following conditions to be eligible for silently enabling BitLocker:

  • If end users sign in to the devices as Administrators, the device must run Windows 10 version 1803 or later, or Windows 11.
  • If end users sign in to the devices as Standard Users, the device must run Windows 10 version 1809 or later, or Windows 11.
  • The device must be Azure AD Joined or Hybrid Azure AD Joined.
  • Device must contain at least TPM (Trusted Platform Module) 1.2.
  • The BIOS mode must be set to Native UEFI only.

fTPM is AMD's version, which apparently is compatible with BitLocker.

Intel's version is called PTT, which stands for Platform Trust Technology, and is fully compatible with BitLocker.


So it's probably worth getting an Intel platform if it's enterprise applications just because fTPM can still be a little buggy from what I'm reading with it suddenly becoming incompatible and losing keys.

Ah, and I just came across concrete evidence that firmware TPM is perfectly compatible with enterprise BitLocker:

"A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware.

The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment."

But yes, enabling BitLocker without a boot password is possible with any form of TPM.
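
The prerequisites quoted in the post above can be checked on a candidate device before relying on silent BitLocker enablement. The script below is an added example, not part of the thread or of Microsoft's documentation; the `-EndUsersAreAdmins` switch is a hypothetical parameter name, and it assumes an elevated Windows PowerShell 5.1+ session.

```powershell
# Added example: checks the silent-BitLocker prerequisites listed in this thread.
# Run elevated; the Win32_Tpm WMI class is not readable by standard users.
param(
    # Hypothetical switch: set it if end users sign in as Administrators.
    [switch]$EndUsersAreAdmins
)

# Windows 10 1803 is build 17134, 1809 is build 17763; Windows 11 builds are higher.
$minBuild = if ($EndUsersAreAdmins) { 17134 } else { 17763 }
$build    = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

# Firmware TPMs (AMD fTPM, Intel PTT) and discrete chips appear in the same class.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpmVersion = $null
if ($tpm -and $tpm.SpecVersion) {
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec version.
    $tpmVersion = ($tpm.SpecVersion -split ',')[0].Trim() -as [version]
}

# dsregcmd prints "AzureAdJoined : YES"; a hybrid join also has "DomainJoined : YES".
$dsreg     = (dsregcmd /status) -join "`n"
$aadJoined = $dsreg -match 'AzureAdJoined\s*:\s*YES'
$domJoined = $dsreg -match 'DomainJoined\s*:\s*YES'

# Reports the mode the OS booted in; confirm CSM/legacy is disabled in firmware setup.
$firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

$checks = [ordered]@{
    "OS build $build >= $minBuild"          = [bool]($build -ge $minBuild)
    'Azure AD joined or hybrid joined'      = [bool]$aadJoined
    "TPM spec version >= 1.2 ($tpmVersion)" = [bool]($tpmVersion -and $tpmVersion -ge [version]'1.2')
    "Firmware mode is UEFI ($firmware)"     = [bool]("$firmware" -eq 'Uefi')
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($aadJoined -and $domJoined) { 'Join type: Hybrid Azure AD joined' }

# Non-zero exit code lets a deployment script or Intune remediation flag the device.
if ($checks.Values -contains $false) { exit 1 }
```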

 

MarkMailer39

New member
Awesome! Thanks for the research, seems like this could be the way, I was going to go down the Intel route just for work stuff, but that makes it a solid choice.

Thanks again, really appreciate the reply
 

SpyderTracks

We love you Ukraine
Just additionally, if you do decide to order from PCS, it would be worth phoning them and verifying any enterprise related questions just to be certain, but also as they do business offers for bulk orders, not sure what the details are, but it's worth phoning to discuss.
 