What Is A TPM (Trusted Platform Module) – Windows 11 Update

Amongst the frantic anticipation that seems to surround Microsoft’s new operating system, a more concerning topic of discussion has arisen regarding the system requirements needed to actually run Windows 11.

According to early sources, your PC will need to have a Trusted Platform Module enabled (2.0 or later) to actually install and run Windows 11 – sparking plenty of frustration amongst Windows users.

One of the big questions we’ve received since the announcement of Windows 11 is, what is a TPM and do I need one for Windows 11? And for that reason, we’ve decided to create this article, answering the most pressing questions surrounding the topic of TPMs

So, with plenty to get through, let’s dive straight into it!

What Is A TPM?

A TPM, for all intents and purposes, is a small chip found within your computer’s motherboard that acts as a level of security when booting up your PC. Like online banking authentication, the TPM chip offers a level of security that could potentially stop the PC from booting if hacked or broken. Turning your PC on whilst using a TPM chip is like trying to enter a bank vault without the combination – albeit not quite that basic.

When you physically press the power button on your PC – whilst using a newer PC with full-desk encryption and a TPM – the chip will send a unique code called a cryptographic key. If that key arrives as normal, the drive’s encryption is unlocked and your PC will boot up. However, if there is an issue receiving the key, the PC will refuse to boot – annoying, but effective.

Again, this is the most basic understanding of what a TPM is and does – there are many more benefits to utilizing a TPM than this. Plenty of today’s modern applications actually utilize the motherboard’s TPM long after the computer has booted. For example, Outlook and Thunderbird email clients both utilize TPM features to handle the encryption of messages. Furthermore, Firefox and Chrome also both make use of TPM for some of the advanced security features – handling SSL certifications from websites.

Are Trusted Platform Modules Chips?

For the most part, trusted platform modules come in chip form – either found on your motherboard or can be purchased standalone and installed separately. However, there are a number of different forms of TPM that make them much more versatile.

The Trusted Computing Group (TCG), the responsible body for ensuring TPM standards, states that there are a number of additional types of TPM. Firstly, TPMs can be integrated into the main processor of your PC, either in physical or code format – with the latter better known as firmware. Whilst this may not seem as secure as a standalone TPM chip, TCG states otherwise – ensuring that the chip is in a trusted environment that is separate from the rest of the programs using the CPU.

That isn’t all though, TPMs can also come in a virtual capacity – made up from software only. Whilst this seems like a viable route, it is not recommended for real-world situations – warns TCG. This form can become vulnerable to both tampering and security bugs that may of found their way into your operating system.

How Does Windows 11 Use A TPM?

So, what’s all the fuss around Windows 11 and TPMs? Well, both Windows 7 and 10 have plenty of support for TPMs – with laptops making use of TPM functionality for some time – as have desktop PCs used in organizations with strict IT security requirements. In many ways, the TPM chip has physically replaced the smart cards of yesteryear – ofter given to employees by the IT department. The smart card was used to verify that the system hadn’t suffered tampering and would require inserting into a slot to function with the PC. Thank god that isn’t a thing anymore.

Back to Windows, TPMs have been utilized for security features at the operating system level for some time now – most commonly seen in the Windows Hello face-recognition login feature. In fact, TPM 2.0 support has been a requirement of Windows 10 for desktop (including Home, Pro, Enterprise, or Eduction). The same will apply to Windows 11, only running on PCs that have the TPM 2.0 capabilities.

From what we know so far, Microsoft has been pretty strict on the requirements for Windows 11 since they were released, stating that TPM 2.0 was indeed a requirement. If you’re unsure on whether or not your PC is compatible with Windows 11, feel free to check our supported CPU list here or check out the Windows PC Health Checker on the website. Both should indicate whether or not your PC is compatible with Windows 11, however, the tool – at present – is not perfect.

Microsoft also sneakily changed the system requirements for Windows 11 seemingly overnight, with the TPM requirement going from 1.2 to 2.0. That being said, I’d be very surprised if Microsoft issued a new version of Windows that would require the tampering of BIOS options for compatibility. But we’ll see.

Does My PC Have A TPM 2.0 Module?

Naturally, the next question most people ask is, does my PC have a TPM 2.0 module? Chances are. if your PC was built in the last 4-5 years, you will indeed have a TPM chip – or the available slot to install one. However, that isn’t always the case – as you’ll likely read on my Reddit forum posts.

Having said that, plenty of newer hardware doesn’t have a TPM 2.0 module-  so how do you check? Well, the easiest way is to enter the BIOS and see if the option to enable it is there. We have a full guide on how to enable TPM here. However, there are alternative options available.

One option is to look through the motherboard manual and see if it has a TPM 2.0 module installed. Nine times out of ten, this will let you know straight away whether or not your system is compatible or not. If you’ve lost the manual, fear not – most hardware manufacturers will have the latest manual available to download on their website.

Alternatively, you can always see if TPM is enabled on your PC with a simple run command. Below are the steps:

1. Press WIN + R to open up the run command
2. Type tpm.msc and press enter
3. This will load Trusted Platform Module Management and will let you know if it’s enabled in your BIOS
   

This is what your TPM Management should say if you have TPM enabled on your PC. If not, it will look more like this:

However, just because TPM isn’t enabled on your PC, doesn’t mean it won’t have a TPM chip. I know, confusing. The only real way to find out is to enter the BIOS or check the motherboard manufacturer manual.

Can I Add A TPM To My Motherboard?

Ultimately, if you haven’t got a TPM module connected to your motherboard, you can indeed install one – and a relatively cheap price. TPM modules retail for around $30 but, as with all things at the moment, actually buying one from a retailer is easier said than done.

Many modern motherboards will come with a cluster of header pins that are dedicated to the TPM module – clearly labeled TPM on the motherboard itself. However, the installation of the TPM module is the least of your worries – the hard part is ensuring that the TPM is properly set up within the BIOS.

As you can imagine, this process varies wildly from manufacturer to manufacturer, so understanding how to set one up properly does require a decent level of BIOS know-how.

Worst of all, if you’re one of the individuals that built a high-performance gaming PC years ago, chances are, it probably won’t have the capacity to even support TPM 2.0 – meaning new hardware will be on the horizon.

Source: https://www.wepc.com/tips/what-is-a-tpm/

Department of Information Technologies: https://www.ibu.edu.ba/department-of-information-technologies/