What Is A TPM, and Why Does Windows 11 Require One - ZDNET

What is a TPM, and why does Windows 11 require one?

Officially, Windows 11 requires a Trusted Platform Module. Here's what it does and
how you can work around that requirement if your old PC doesn't have one.

Written by Ed Bott, Senior Contributing Editor

Sept. 9, 2024 at 12:00 a.m. PT



When Microsoft introduced Windows 11 in 2021, its new, stringent hardware
compatibility test included checking for the presence of a Trusted Platform Module
(TPM) -- specifically, one that meets the TPM 2.0 standard.


So, what is a TPM, and why does Windows insist that you need one? The simple
answer is that a TPM is a secure cryptoprocessor, a dedicated microcontroller
designed to handle security-related tasks and manage encryption keys in a way
that minimizes the ability of attackers to break into a system. Windows uses that
hardware for a variety of security-related features, including Secure Boot, BitLocker,
and Windows Hello.

But the full answer is, as with anything related to computer security, slightly more
complicated.

The TPM architecture is defined by an international standard (formally known
as ISO/IEC 11889), which was created by the Trusted Computing Group more than
20 years ago. The standard deals with how different cryptographic operations are
implemented, with an emphasis on "integrity protection, isolation and
confidentiality."

A TPM can be implemented as a discrete chip soldered onto a computer
motherboard, or it can be implemented within the firmware of a PC chipset or the
CPU itself, as Intel, AMD, and Qualcomm have done over the past decade. If you
use a virtual machine, you can even build a virtual TPM chip into it.


So, does your PC have a TPM? If it was designed in 2016 and sold with Windows
preinstalled, the answer is almost certainly yes. That's the year Microsoft began
requiring manufacturers to ship PCs with TPM 2.0 available and enabled by default.
Intel CPUs from that era include a TPM 2.0 that's embedded in firmware (Intel calls
this feature Platform Trust Technology, or PTT). Also in 2016, AMD began
incorporating a firmware-based TPM 2.0 called fTPM.

If your PC is older than that, it still might contain a TPM. Intel started including the
feature in its 4th Generation Core processors (Haswell) in 2014, but in general that
technology was only available and enabled in PCs built for the business market.
Computers built in 2013 or earlier might include discrete TPMs that are separate
from the CPU; for the most part, pre-2014 TPMs followed the TPM 1.2 standard,
which is not officially supported by Windows 11.

To make things even more complicated, your PC might have a TPM that's disabled
in the BIOS or firmware settings. That's certain to be the case on a PC that's been
configured to use a Legacy BIOS instead of UEFI. You can check the configuration
of your Windows PC by using the System Information tool (Msinfo32.exe).
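
A scripted version of that check, as an added example that is not part of the original article: it sorts a PC into the cases described above (no TPM visible, TPM 1.2, TPM 2.0 not enabled, Legacy BIOS). The function name `Get-TpmReadiness` and the wording of the findings are assumptions made for this example; it must be run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Get-TpmReadiness is a hypothetical name.
function Get-TpmReadiness {
    # Firmware mode as Windows reports it: 'Uefi' or 'Bios' (Legacy)
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Win32_Tpm returns no instance when no TPM is exposed to Windows,
    # which covers both "no TPM" and "TPM turned off in firmware settings"
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # SpecVersion is a string such as "2.0, 0, 1.59"; the first field is the TPM family
    $family = $null
    if ($tpm) { $family = ($tpm.SpecVersion -split ',')[0].Trim() }

    # Confirm-SecureBootUEFI throws on a Legacy BIOS system, so default to $false
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    if (-not $tpm) {
        $finding = 'No TPM visible to Windows: absent, or disabled in firmware settings'
    } elseif ($family -ne '2.0') {
        $finding = "TPM $family present: not officially supported by Windows 11"
    } elseif (-not $tpm.IsEnabled_InitialValue) {
        $finding = 'TPM 2.0 present but not enabled'
    } elseif ("$firmware" -ne 'Uefi') {
        $finding = 'TPM 2.0 present, but the PC boots in Legacy BIOS mode'
    } else {
        $finding = 'TPM 2.0 present and enabled under UEFI'
    }

    [pscustomobject]@{
        FirmwareType = $firmware
        TpmFamily    = $family
        TpmEnabled   = [bool]($tpm -and $tpm.IsEnabled_InitialValue)
        SecureBoot   = $secureBoot
        Finding      = $finding
    }
}

Get-TpmReadiness | Format-List
```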

A TPM is meant to be a super-secure location for processing cryptographic
operations and storing the private keys that make strong encryption possible. The
TPM works with the Windows Secure Boot feature, for example, which verifies that
only signed, trusted code runs when the computer starts up. If someone tries to
tamper with the operating system -- to add a rootkit, for example -- Secure Boot
prevents the changed code from executing. (Chromebooks have a similar feature
called Verified Boot, which also uses the TPM to ensure that a system hasn't been
tampered with.)

The TPM also enables biometric authentication with Windows Hello, and it holds
the BitLocker keys that encrypt the contents of a Windows system disk, making it
nearly impossible for an attacker to break that encryption and access your data
without authorization. For a detailed technical explanation, you can read this primer.

Windows 10 and Windows 11 initialize and take ownership of the TPM as part of the
installation process. You don't need to do anything special to set up or use a TPM
beyond making sure it's enabled for use by the PC. And it's not just a Windows
feature. Linux PCs and IoT devices can initialize and use a TPM as well.

Apple devices use a different hardware design called the Secure Enclave, which
performs some of the same cryptographic operations as a TPM, and also provides
secure storage of sensitive user data.

The extra level of security that a TPM enforces in tamper-resistant hardware is a
very good thing. To see details about the TPM in your Windows PC, open Device
Manager and look under the Security Devices heading.

On a PC running Windows 10 that includes any version of TPM, you can upgrade to
Windows 11 by making a simple change to the registry. If your PC doesn't include a
TPM, you'll need to use an unofficial hack to bypass the hardware compatibility
checks and install Windows 11. The easiest way to do this is with the help of a free,
open-source utility called Rufus. For details, see "How to upgrade your
'incompatible' Windows 10 PC to Windows 11."
