diff --git a/attest/pcp_windows.go b/attest/pcp_windows.go
index 99bcb6b..bb85ab1 100644
--- a/attest/pcp_windows.go
+++ b/attest/pcp_windows.go
@@ -58,8 +58,8 @@ var (
 	crypt32CertEnumCertificatesInStore = crypt32.MustFindProc("CertEnumCertificatesInStore")
 	crypt32CertCloseStore              = crypt32.MustFindProc("CertCloseStore")
 
-	tbs              = windows.MustLoadDLL("Tbs.dll")
-	tbsGetDeviceInfo = tbs.MustFindProc("Tbsi_GetDeviceInfo")
+	tbs              *windows.DLL
+	tbsGetDeviceInfo *windows.Proc
 )
 
 // Error codes.
diff --git a/attest/tpm_windows.go b/attest/tpm_windows.go
index 31cbab2..d6f28c6 100644
--- a/attest/tpm_windows.go
+++ b/attest/tpm_windows.go
@@ -42,6 +42,12 @@ type windowsTPM struct {
 func (*windowsTPM) isTPMBase() {}
 
 func probeSystemTPMs() ([]probedTPM, error) {
+	// Initialize Tbs.dll here so that it's linked only when TPM support is required.
+	if tbs == nil {
+		tbs = windows.MustLoadDLL("Tbs.dll")
+		tbsGetDeviceInfo = tbs.MustFindProc("Tbsi_GetDeviceInfo")
+	}
+	
 	// Windows systems appear to only support a single abstracted TPM.
 	// If we fail to initialize the Platform Crypto Provider, we assume
 	// a TPM is not present.