diff --git a/feature/tpm/tpm.go b/feature/tpm/tpm.go
index e4c2b29e9..b700637e6 100644
--- a/feature/tpm/tpm.go
+++ b/feature/tpm/tpm.go
@@ -23,6 +23,7 @@ import (
 "github.com/google/go-tpm/tpm2/transport"
 "golang.org/x/crypto/nacl/secretbox"
 "tailscale.com/atomicfile"
+ "tailscale.com/envknob"
 "tailscale.com/feature"
 "tailscale.com/hostinfo"
 "tailscale.com/ipn"
@@ -31,6 +32,7 @@ import (
 "tailscale.com/tailcfg"
 "tailscale.com/types/key"
 "tailscale.com/types/logger"
+ "tailscale.com/util/testenv"
 )
 
 var infoOnce = sync.OnceValue(info)
@@ -49,13 +51,20 @@ func init() {
 }
 }
 
+var verboseTPM = envknob.RegisterBool("TS_DEBUG_TPM")
+
 func info() *tailcfg.TPMInfo {
+ logf := logger.Discard
+ if !testenv.InTest() || verboseTPM() {
+ logf = log.New(log.Default().Writer(), "TPM: ", 0).Printf
+ }
+
 tpm, err := open()
 if err != nil {
- log.Printf("TPM: error opening: %v", err)
+ logf("error opening: %v", err)
 return nil
 }
- log.Printf("TPM: successfully opened")
+ logf("successfully opened")
 defer tpm.Close()
 
 info := new(tailcfg.TPMInfo)
@@ -84,12 +93,12 @@ func info() *tailcfg.TPMInfo {
 PropertyCount: 1,
 }.Execute(tpm)
 if err != nil {
- log.Printf("TPM: GetCapability %v: %v", cap.prop, err)
+ logf("GetCapability %v: %v", cap.prop, err)
 continue
 }
 props, err := resp.CapabilityData.Data.TPMProperties()
 if err != nil {
- log.Printf("TPM: GetCapability %v: %v", cap.prop, err)
+ logf("GetCapability %v: %v", cap.prop, err)
 continue
 }
 if len(props.TPMProperty) == 0 {
@@ -97,6 +106,7 @@ func info() *tailcfg.TPMInfo {
 }
 cap.apply(info, props.TPMProperty[0].Value)
 }
+ logf("successfully read all properties")
 return info
 }
 
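Review bot: The logger assigned in the added `if` block of `info` is `log.New(log.Default().Writer(), "TPM: ", 0).Printf`, which snapshots the default logger's writer and sets flags to 0, so TPM lines drop whatever flags or prefix the process logger is configured with and would not follow a later `log.SetOutput`. Since `tailscale.com/types/logger` is already imported, `logf = logger.WithPrefix(log.Printf, "TPM: ")` keeps the prefix while still routing through the default logger. `verboseTPM` also needs a comment such as `// verboseTPM re-enables TPM logging under tests, where it is discarded by default; outside tests TPM logs are always written.`, because the knob name alone suggests it controls production verbosity. The body of `info` continues past the end of this hunk.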
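Review bot: The added `logf("successfully read all properties")` before `return info` is reached even when reads failed, because both GetCapability error paths in the loop shown in the previous hunk only log and `continue`. A line claiming every property was read while `info` is partly empty misleads anyone triaging why a node reports incomplete TPM details. Either word it neutrally, `logf("finished reading properties")`, or count the skipped properties in the loop and include that count in this message. The loop begins outside this hunk, so this assumes there is no other exit path that reports failures.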