Microsoft Windows 11 requires a PC with Trusted Platform Module (TPM), a cause for uncertainty among upgraders and PC builders. What exactly is a TPM? Do you already have one? We explain.
Microsoft’s Windows 11 operating system requires a heretofore little-known PC security feature, the Trusted Platform Module (TPM). It could be cause for concern if you’re looking to build your own Windows 11 PC, or upgrade one running an earlier version of Windows.
“Do I have a TPM that works with Windows 11?” is a question you probably never thought you’d need to ask. But the good news for people who have a PC bought in the last few years is that the answer is almost certainly “Yes.” For everyone else looking to upgrade to Windows 11, especially people who built or upgraded their own Windows desktop, the answer could be more complicated.
Let’s take a look at what TPMs do and how they work in the latest version of Windows.
What Is a TPM?
(Credit: John Burek)
At its most basic, the TPM is a tiny chip on your computer’s motherboard, sometimes separate from the main CPU and memory. The chip is akin to the keypad you use to disable your home security alarm every time you walk in the door, or the authenticator app you use on your phone to log in to your bank account. In this scenario, turning on your computer is analogous to opening the front door of your home or entering your username and password into the login page. If you don’t key in a code within a short period of time, alarms will sound or you won’t be able to access your money.
Likewise, after you press the power button on a newer PC that uses full-disk encryption and a TPM, the tiny chip will supply a unique code called a cryptographic key. If everything is normal, the drive encryption is unlocked and your computer starts up. If there’s a problem with the key—perhaps a hacker stole your laptop and tried to tamper with the encrypted drive inside—your PC won’t boot up.
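The boot-time unlock described above is what BitLocker does on Windows: the TPM holds the volume key and releases it only when the boot environment it measures matches what it saw when encryption was turned on. The following PowerShell script is an added example, not code from the article or from Microsoft; it reports which BitLocker key protectors the Windows volume has, so you can see whether the drive is actually gated by the TPM at boot and whether a recovery password exists for the case where the TPM refuses to release the key. It assumes an elevated prompt on a Windows edition that ships the BitLocker module (Pro, Enterprise or Education); the function name and the recommendation strings are this example's own.

```powershell
# Added example (not from the article): inspect how BitLocker on the Windows volume
# is tied to the TPM. Uses only the built-in Get-BitLockerVolume cmdlet.
# Run from an elevated PowerShell prompt; on an unencrypted volume the protector list is empty.

function Get-BitLockerTpmBinding {
    param([string]$MountPoint = $env:SystemDrive)  # e.g. "C:"

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Each protector is one way to unlock the volume key; collect their type names.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Any TPM-based protector (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey) means the
    # TPM gates the key at boot; plain "Tpm" means no PIN is asked of the user.
    $tpmBound    = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
    $pinRequired = @($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' }).Count -gt 0
    $hasRecovery = 'RecoveryPassword' -in $types

    # A sane setup is TPM-bound AND has a recovery password backed up somewhere safe:
    # a firmware update or motherboard swap changes the measurements, the TPM then
    # withholds the key, and the recovery password is the only way back in.
    if (-not $tpmBound) {
        $advice = 'Volume is not TPM-protected'
    } elseif (-not $hasRecovery) {
        $advice = 'Add and back up a recovery password: Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector'
    } else {
        $advice = 'OK'
    }

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus     # On / Off
        VolumeStatus        = $vol.VolumeStatus         # FullyEncrypted, EncryptionInProgress, ...
        EncryptionMethod    = $vol.EncryptionMethod     # e.g. XtsAes128
        Protectors          = ($types -join ', ')
        TpmBound            = $tpmBound
        PinRequired         = $pinRequired
        HasRecoveryPassword = $hasRecovery
        Recommendation      = $advice
    }
}

Get-BitLockerTpmBinding | Format-List
```

If the output shows ProtectionStatus "On" with a TPM protector but no recovery password, fix that before any firmware update; the same measurement check that keeps a thief out of a stolen laptop will keep you out too once the boot chain changes.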
A Trusted Platform Module (TPM) add-on for Asus mainboards. (Credit: Asus)
While that’s how modern TPM implementations function on a most basic level, it’s far from all they can do. In fact, many apps and other PC features make use of the TPM after the system has already booted up. The Thunderbird and Outlook email clients use the TPM to handle encrypted or key-signed messages. The Firefox and Chrome web browsers also employ the TPM for certain advanced functions, such as maintaining SSL certificates for websites. Plenty of consumer tech besides PCs uses TPMs as well, from printers to connected-home accessories.
Just as TPMs can perform many other functions besides their basic purpose of providing boot-up protection for PCs, so too can they take many different forms besides a standalone chip. The Trusted Computing Group (TCG), responsible for maintaining TPM standards, notes that there are two additional types of TPMs. A TPM can be integrated into the main CPU or chipset as dedicated silicon, or it can be implemented as firmware that runs in a trusted execution environment on the CPU. Either method is nearly as secure as a standalone TPM chip, since the TPM code runs in an environment that’s isolated from the rest of the programs using the CPU.
The third type of TPM is virtual. It runs completely in software. This is not recommended for real-world use, the TCG warns, because it’s vulnerable to both tampering and any security bugs that might be present in the operating system.
What’s the Deal With Windows and TPMs?
Like Windows 11, previous versions of Windows also have extensive support for TPMs. Laptops and desktops meant for use in large organizations with strict IT security requirements have been the main adopters. In many cases, TPMs have replaced the cumbersome smart cards that IT departments once issued to employees. Smart cards must be inserted into a slot or tapped against a built-in wireless reader, to verify that the system hasn’t suffered from tampering.
Security features at the operating system level also already make use of TPMs. Ever used the Windows Hello face-recognition login feature on a laptop? That requires a TPM.
(Credit: Microsoft)
TPMs are efficient alternatives to older methods of securing Windows PCs. In fact, since July 2016 Microsoft has required TPM 2.0 support on all new PCs that run any version of Windows 10 for desktop (Home, Pro, Enterprise, or Education). Likewise, Windows 11 will only run on PCs that have TPM capabilities.
Does My PC Already Have TPM 2.0?
If you’ve got a computer that meets the other Windows 11 minimum system requirements, there’s a chance that it supports TPM 2.0. The standard is relatively recent, however. If you bought your PC after 2016, it almost certainly comes with TPM 2.0. If your computer is older than a few years, it likely either has the older TPM 1.2 version (which Microsoft says is not recommended for Windows 11) or has no TPM at all.
Some versions of Windows 10 offer a Security Processor information page in the settings app, which can show the TPM version and other information.
(Credit: Microsoft)
Most of the larger vendors have straightforward support articles published on their websites that explain which products have TPM 2.0 support. For example, Dell publishes a handy chart that indicates which type of TPM is installed in which system.
If you have a TPM 2.0 but it’s not currently enabled, Microsoft offers a guide on how to set it up.
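The Security Processor settings page mentioned above is one way to read the TPM version; the script below is an added PowerShell example (not from the article, and not a Microsoft tool) that does the same check from the command line and also gives a rough answer to the discrete-versus-firmware question raised in the "What Is a TPM?" section. It assumes an elevated prompt on Windows 10 or 11 and relies on two built-in interfaces: the Win32_Tpm CIM class and the Get-Tpm cmdlet. The manufacturer-to-type mapping is a heuristic of this example, not an authoritative list, and the function name is made up here.

```powershell
# Added example (not from the article): report whether this PC has a TPM, which spec
# version it implements, and whether Windows sees it as enabled and ready.
# Requires an elevated PowerShell prompt (both Win32_Tpm and Get-Tpm need admin rights).

function Get-TpmReport {
    # Win32_Tpm lives in a dedicated WMI namespace. If the class returns nothing, the OS
    # sees no TPM at all: either none is fitted, or it is disabled in the BIOS/UEFI setup.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present        = $false
            SpecVersion    = $null
            Enabled        = $false
            Activated      = $false
            Ready          = $false
            Manufacturer   = $null
            LikelyType     = 'None visible (not fitted, or disabled in BIOS/UEFI)'
            MeetsWindows11 = $false
        }
    }

    # SpecVersion is a string such as "2.0, 0, 1.38" (spec, revision, errata level);
    # the first field is the one that matters for the Windows 11 requirement.
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()
    $vendor = $tpm.ManufacturerIdTxt.Trim()

    # Heuristic (assumption, not an official list): Intel PTT and AMD fTPM are firmware
    # TPMs and report the CPU vendor; discrete chips report the chip vendor (Infineon,
    # STMicro, Nuvoton, ...); "MSFT" is the virtual TPM presented to a Hyper-V VM.
    $likelyType = switch ($vendor) {
        'INTC'  { 'Firmware TPM (Intel PTT)' }
        'AMD'   { 'Firmware TPM (AMD fTPM)' }
        'MSFT'  { 'Virtual TPM (Hyper-V)' }
        default { "Discrete TPM chip (vendor id $vendor)" }
    }

    # Get-Tpm adds the OS view; TpmReady means Windows can use it without further provisioning.
    $os = Get-Tpm
    $enabled   = [bool]$tpm.IsEnabled_InitialValue
    $activated = [bool]$tpm.IsActivated_InitialValue

    [pscustomobject]@{
        Present        = $true
        SpecVersion    = $spec
        Enabled        = $enabled
        Activated      = $activated
        Ready          = [bool]$os.TpmReady
        Manufacturer   = $vendor
        LikelyType     = $likelyType
        # Windows 11 wants a 2.0 TPM that is enabled and activated in firmware.
        MeetsWindows11 = ($spec -eq '2.0') -and $enabled -and $activated
    }
}

Get-TpmReport | Format-List
```

A result of Present = False on a recent desktop usually means the firmware TPM (Intel PTT or AMD fTPM) is switched off in the BIOS/UEFI setup rather than absent; turning it on and re-running the script is the first thing to try before buying an add-on module.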
Can I Add a TPM to My PC?
If you built your own desktop PC in the last few years and you’re comfortable tinkering with hardware and software security settings in the system’s BIOS, you can probably add a discrete TPM 2.0 chip to your motherboard. Many motherboards come with a cluster of header pins clearly labeled “TPM.” And, as ExtremeTech notes, you can pick up a TPM module for some motherboard models for less than $50.
But it’s not as simple as buying a TPM 2.0 add-on module and plugging it into the header. Even if you’ve got a hardware TPM installed in your home-built computer, you’ll need to ensure that it’s properly set up in the BIOS for the Windows operating system to recognize it. This process varies widely based on which motherboard and CPU you’re using; see the guide mentioned above for more information and links to instructions from some major PC manufacturers.
This Aorus Z490 motherboard has a TPM header located on the edge. (Credit: John Burek)
And if you’re one of the many people who spent significant money to build a top-of-the-line gaming PC years back, with a motherboard or CPU that may lack TPM capabilities or the ability to add them, your system still likely has years of life left. It may not, however, be able to run Windows 11. A firmware-based TPM 2.0 solution might be an option for some PCs without TPM capability on the motherboard, though implementing one yourself will almost certainly require some trial and error.
Will a TPM Prevent Me From Running Linux?
Conversely, plenty of PC enthusiasts have computers that do support TPMs but have chosen to disable them for a variety of reasons. If this is you, Windows 11 brings good news and bad news.
The good news is that pretty much anything you want to do with a PC these days can be done with TPMs enabled. Yes, there are exceptions, but they’ll only affect a tiny percentage of users. For example, the TCG has long specified TPM requirements for the open-source Linux operating system, which means that people who want to switch their PCs between running Windows 11 and various Linux distributions should be able to do so. Support will vary depending on which Linux distribution you’re using, and how you configure your dual-boot setup.
(Credit: Microsoft)
Will a TPM Limit Which Windows Features I Can Use?
One of the many tricky parts of the TPM 2.0 requirement in Windows 11 is that Microsoft could introduce additional limitations related to TPM security in future Windows updates. By way of comparison, older Intel Macs don’t support some TPM-related features that the newest Macs support, since Apple now focuses on adding features to the TPMs built into Apple Silicon, rather than the older, deprecated Apple T2 chip that Intel Macs use as a TPM. This situation already exists to some extent in the Windows world, with the Windows Hello face-recognition login mentioned earlier being a prime example.
With Windows 11 and future versions, Microsoft could further segment the user experience. This could include adding new features that require the TPM, but it could also include bringing additional locked-down versions of Windows akin to the old Windows 10 S Mode. For most consumers, this won’t be an issue, but it’s something to keep in mind if you’re planning to upgrade to Windows 11.
Source: Tom Brant – pcmag.com