April 24, 2024

What is a TPM and why do I need one for Windows 11?

Microsoft’s Windows 11 operating system requires a previously little-known PC security feature called the Trusted Platform Module (TPM), and specifically version 2.0 of it. That requirement matters if you want to build your own Windows 11 PC or upgrade an older machine from an earlier version of Windows.

“Do I have a TPM that works with Windows 11?” is a question you probably never thought you’d have to ask. But the good news for people who have bought a PC in recent years is that the answer is almost certainly yes. For everyone else looking to upgrade to Windows 11, especially people who have built or upgraded their own Windows desktop, the answer may be more complicated.

Let’s take a look at what TPMs do and how they work in the latest version of Windows.

What is a TPM?

Essentially, the TPM is a small security chip, most often a separate component on your computer’s motherboard, though it can also be built into the CPU or chipset. Its job is roughly that of the keypad you use to disarm your home security alarm when you walk through the door, or the authenticator app you use on your phone to log into your bank: turning on the computer is the equivalent of opening the front door or typing your username and password, and if the second check does not pass, the alarm sounds or you do not get to your money.

Similarly, after you press the power button on a PC that uses full-disk encryption (BitLocker on Windows) together with a TPM, each piece of firmware and boot code is measured, that is, hashed and recorded into the TPM, as it loads. If those measurements match the state recorded when the drive was encrypted, the TPM releases the cryptographic key that unlocks the disk and Windows boots normally. If they do not (say a thief pulled the drive out of your stolen laptop, or someone tampered with the boot loader), the TPM withholds the key, and instead of booting into Windows BitLocker stops at a recovery screen asking for the 48-digit recovery key.
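To make that boot-time check concrete, here is an added example (not code from the original article, and not Microsoft’s BitLocker implementation) that models it in PowerShell. A real TPM keeps its Platform Configuration Registers (PCRs) inside the chip, where software can only extend them; here the PCR is an ordinary variable, and the boot components and the volume key are constructed sample data. It still shows the property that matters: the same components loaded in the same order reproduce the same PCR value, while one changed component yields a different value and the key is not released.

```powershell
# Added example: a toy model of TPM-gated disk unlocking. The "PCR" is a
# plain string standing in for a TPM register; component names and the
# volume key are constructed sample data, not values from a real machine.

function ConvertFrom-Hex {
    param([string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [System.Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return ([System.BitConverter]::ToString($sha.ComputeHash($Bytes))).Replace('-', '').ToLower() }
    finally { $sha.Dispose() }
}

# PCR extend: new = SHA256(old || measurement). Nothing can be "un-extended"
# and order matters, so the final value fingerprints the whole boot chain.
function Invoke-PcrExtend {
    param([string]$PcrHex, [string]$MeasurementHex)
    [byte[]]$combined = (ConvertFrom-Hex $PcrHex) + (ConvertFrom-Hex $MeasurementHex)
    return Get-Sha256Hex $combined
}

# Hash each boot component and extend it into the PCR in load order.
function Measure-BootChain {
    param([string[]]$Components)
    $pcr = '0' * 64   # PCRs start at all zeros on reset
    foreach ($c in $Components) {
        $digest = Get-Sha256Hex ([System.Text.Encoding]::UTF8.GetBytes($c))
        $pcr = Invoke-PcrExtend -PcrHex $pcr -MeasurementHex $digest
    }
    return $pcr
}

# "Sealing": record the PCR value that must hold when the key is requested.
function Protect-VolumeKey {
    param([string]$VolumeKey, [string[]]$TrustedBootChain)
    return @{ Key = $VolumeKey; RequiredPcr = (Measure-BootChain $TrustedBootChain) }
}

# "Unsealing": release the key only if today's measurements reproduce the
# recorded PCR; otherwise return nothing (BitLocker would ask for recovery).
function Unprotect-VolumeKey {
    param($Sealed, [string[]]$ActualBootChain)
    $pcr = Measure-BootChain $ActualBootChain
    if ($pcr -eq $Sealed.RequiredPcr) { return $Sealed.Key }
    return $null
}

# Constructed sample boot chain: firmware, boot manager, OS loader.
$trusted = @('UEFI firmware v1.2', 'bootmgfw.efi (signed)', 'winload.efi (signed)')
$sealed  = Protect-VolumeKey -VolumeKey 'VMK-example-0123' -TrustedBootChain $trusted

# Normal boot: identical chain, key is released.
"Clean boot   -> key: $(Unprotect-VolumeKey -Sealed $sealed -ActualBootChain $trusted)"

# Patched boot manager: different PCR, no key.
$tampered = @('UEFI firmware v1.2', 'bootmgfw.efi (patched)', 'winload.efi (signed)')
"Tampered boot -> key: $(Unprotect-VolumeKey -Sealed $sealed -ActualBootChain $tampered)"
```

Run it in any PowerShell 5.1 or 7 session; the first line prints the sample key and the second prints an empty value. The real mechanism differs in the details (BitLocker seals to several PCRs, and the TPM enforces the comparison itself rather than trusting the caller), but the reason a stolen or tampered drive will not unlock is exactly this hash-chain comparison.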

Asus Trusted Platform Module (TPM)

A Trusted Platform Module (TPM) add-on for Asus motherboards. (Credit: Asus)

While this is how modern TPM implementations function at the most basic level, it is far from all they can do. Many applications and PC functions use the TPM long after the system has booted. Email clients such as Outlook and Thunderbird, and browsers such as Chrome and Firefox, can use private keys that the operating system’s certificate store keeps protected by the TPM, for example the key behind an S/MIME signing certificate or a client certificate used to log into a website. In addition to PCs, plenty of other consumer technology contains TPMs, from printers to accessories for the connected home.

Just as TPMs can perform many functions beyond their basic purpose of protecting the boot process, they can also take several forms besides a standalone chip. The Trusted Computing Group (TCG), which publishes and maintains the TPM specifications, describes two other common types. An integrated TPM is a dedicated hardware block built into another chip, such as the chipset. A firmware TPM is code that runs inside a trusted execution environment on the main processor, isolated from the operating system and applications; Intel calls its version Platform Trust Technology (PTT) and AMD calls its version fTPM. Both come close to the security of a discrete chip because they run in an environment separated from the rest of the software on the CPU.

The third type is a purely software TPM, which runs entirely as an ordinary program. The TCG warns that this is not suitable for protecting a real system, because it is exposed to tampering and to any security bugs in the operating system hosting it; its place is in development and testing.

What’s the deal with Windows and TPMs?

Like Windows 11, earlier versions of Windows already provide extensive support for TPMs. Laptops and desktops intended for large organizations with strict IT security requirements have been the main adopters. In many cases, TPMs have replaced the cumbersome smart cards that IT departments once issued to employees: a smart card must be inserted into a slot or held against a built-in wireless reader to prove who the user is, and Windows can instead keep an equivalent credential inside the TPM (Microsoft’s virtual smart card feature did exactly this).

Operating system-level security features also already use TPMs. Have you ever used Windows Hello’s facial recognition sign-in on a laptop? The cryptographic keys behind that sign-in are stored in the TPM when one is present, which is why Microsoft recommends a TPM for Windows Hello for Business.

Screenshot of Windows Compatibility Checker

(Credit: Microsoft)

TPMs are efficient alternatives to older methods of securing Windows PCs. Since July 2016, Microsoft has effectively required TPM 2.0 support on all new PCs shipped with any edition of Windows 10 for desktop (Home, Pro, Enterprise, or Education). Windows 11 goes one step further and requires TPM 2.0 outright.

Does my PC already have TPM 2.0?

If you have a computer that meets the remaining Windows 11 minimum system requirements, there’s a good chance it also supports TPM 2.0. The standard itself dates from 2014, and PCs bought after 2016 almost certainly came with TPM 2.0. If your computer is older than that, it may have the earlier TPM 1.2 version, which Windows 11 does not accept, or no TPM at all.

Recent versions of Windows 10 show a security processor information page in the Settings app (Windows Security > Device security > Security processor details) that lists the TPM version and status. The older TPM Management console, reached by running tpm.msc, shows the same information on any Windows edition.

Screenshot of Windows security processor status

(Credit: Microsoft)

Most major vendors have published simple support articles on their websites explaining which products have TPM 2.0 support. For example, Dell publishes a handy diagram showing which type of TPM is installed in which system.

If you have a TPM 2.0 but it is not currently enabled, Microsoft provides a guide to setting it up.
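The same checks can be done in one pass from an elevated PowerShell prompt. The script below is an added example, not from the original article or from Microsoft, and uses only cmdlets and classes that ship with Windows 10 and 11: Get-Tpm (which requires administrator rights), the Win32_Tpm WMI class, and Confirm-SecureBootUEFI, since Secure Boot is a separate Windows 11 requirement that usually fails alongside the TPM one on older builds. The function name and the warning text are my own.

```powershell
# Added example: report whether this PC meets Windows 11's TPM 2.0 requirement.
# Run from an elevated PowerShell prompt on Windows 10/11. Test-Windows11Tpm is
# a name chosen for this example; the cmdlets it calls are standard Windows ones.

function Test-Windows11Tpm {
    $result = [ordered]@{
        TpmPresent   = $false
        TpmReady     = $false
        SpecVersion  = 'none'
        Tpm20        = $false
        SecureBootOn = $false
    }

    # Get-Tpm reports TpmPresent = $false when Windows sees no TPM at all,
    # which covers both "absent" and "disabled in firmware setup".
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    }

    # The WMI class carries the spec version string, e.g. "2.0, 0, 1.38";
    # Windows 11 needs the first field to be 2.0.
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi -and $wmi.SpecVersion) {
        $result.SpecVersion = $wmi.SpecVersion
        $result.Tpm20       = $wmi.SpecVersion.StartsWith('2.0')
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
    try   { $result.SecureBootOn = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBootOn = $false }

    return [pscustomobject]$result
}

$status = Test-Windows11Tpm
$status | Format-List

if (-not $status.TpmPresent) {
    Write-Warning 'No TPM visible to Windows. Look in firmware setup for a setting named TPM, PTT (Intel) or fTPM (AMD), or for a discrete module on the TPM header.'
} elseif (-not $status.Tpm20) {
    Write-Warning "TPM found but it reports spec version '$($status.SpecVersion)'; Windows 11 requires 2.0."
} elseif (-not $status.TpmReady) {
    Write-Warning 'TPM 2.0 present but not ready. Initialize-Tpm usually fixes this; clearing the TPM from tpm.msc also works but erases every key it holds, so suspend BitLocker first.'
} elseif (-not $status.SecureBootOn) {
    Write-Warning 'TPM 2.0 is fine, but Secure Boot is off or unavailable, which Windows 11 also requires.'
} else {
    Write-Output 'TPM 2.0 present, ready, and Secure Boot on.'
}
```

The one caveat worth repeating: clearing a TPM destroys the keys sealed in it. On a machine already using BitLocker, suspend protection before clearing or the next boot will stop at the recovery-key screen.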


Can I add a TPM to my PC?

If you’ve built your own desktop PC in recent years and feel comfortable tinkering with the hardware and with the security settings in the system’s BIOS, you can probably add a discrete TPM 2.0 module to your motherboard. Many motherboards come with a cluster of header pins clearly marked ‘TPM’, and, as ExtremeTech notes, a module for some boards costs less than $50. Be aware that the modules are not interchangeable: pin count, pitch and bus type (LPC or SPI) vary between vendors and even between board generations, so buy the one your motherboard maker lists for your exact model.

But it’s not as simple as buying a TPM 2.0 add-on module and plugging it into the header. Even with a hardware TPM installed, you must enable it in the BIOS so that Windows can see it. The exact setting and its name vary greatly with the motherboard and CPU; see the Microsoft guide mentioned above for links to instructions from the major PC manufacturers.

Motherboard with TPM slot

This Aorus Z490 motherboard has a TPM header on the edge. (Credit: John Burek)

And if you’re one of the many people who spent a lot of money years ago to build a top-of-the-line gaming PC, with a motherboard or CPU that has no TPM and no way to add one, then your system probably still has years of life left, but may not be able to run Windows 11. Before giving up, check for a firmware TPM: most Intel platforms of the last several years include Platform Trust Technology (PTT) and AMD Ryzen systems include fTPM, and on many boards the feature exists but is simply switched off by default. Finding and enabling the setting in your firmware setup may take some trial and error, but it involves no new hardware.

Will a TPM stop me from using Linux?

Many PC enthusiasts have computers that support TPMs but have deliberately disabled them for one reason or another. If this is you, Windows 11 brings good news and bad news.

The good news is that almost anything you want to do with a PC these days can be done with the TPM enabled. Yes, there are exceptions, but they affect a small percentage of users. Linux in particular is not one of them: the Linux kernel has supported TPMs for years, and the tpm2-tools and tpm2-tss user-space stack exposes TPM 2.0 to applications, so people who switch their PCs between Windows 11 and a Linux distribution should be able to keep the TPM on. How much each distribution actually uses the chip, and how your dual-boot installation is configured, varies.

Windows 11 logo

(Credit: Microsoft)

Will a TPM limit which Windows features I can use?

One of the many tricky parts of the TPM 2.0 requirement in Windows 11 is that Microsoft could tie further features to the TPM in future Windows updates. Apple offers a preview of how that plays out: Macs use Apple’s Secure Enclave rather than a TPM, and it lives in the separate T2 chip on Intel Macs but is built into the processor on Apple silicon Macs, and Apple has been adding features that work only with the newer design. This situation already exists to some extent in the Windows world, with the aforementioned Windows Hello being a good example.

With Windows 11 and future versions, Microsoft could further segment the user experience. This could include adding new features that require the TPM, but it could also involve introducing additional locked versions of Windows, similar to the old Windows 10 S mode. This won’t be a problem for most consumers, but it’s something to keep in mind if you plan to upgrade to Windows 11.

