What Is A TPM (Trusted Platform Module) – Windows 11 Update

Explaining what a Trust Platform Module is and why you might need one for Windows 11

BIOS Prep 2021 06 25 11 54 16 min

Amongst the frantic anticipation that seems to surround Microsoft’s new operating system, a more concerning topic of discussion has arisen regarding the system requirements needed to actually run Windows 11.

According to early sources, your PC will need to have a Trusted Platform Module enabled (2.0 or later) to actually install and run Windows 11 – sparking plenty of frustration amongst Windows users.

One of the big questions we’ve received since the announcement of Windows 11 is, what is a TPM and do I need one for Windows 11? And for that reason, we’ve decided to create this article, answering the most pressing questions surrounding the topic of TPMs

So, with plenty to get through, let’s dive straight into it!

What Is A TPM?

A TPM, for all intents and purposes, is a small chip found within your computer’s motherboard that acts as a level of security when booting up your PC. Like online banking authentication, the TPM chip offers a level of security that could potentially stop the PC from booting if hacked or broken. Turning your PC on whilst using a TPM chip is like trying to enter a bank vault without the combination – albeit not quite that basic.

When you physically press the power button on your PC – whilst using a newer PC with full-desk encryption and a TPM – the chip will send a unique code called a cryptographic key. If that key arrives as normal, the drive’s encryption is unlocked and your PC will boot up. However, if there is an issue receiving the key, the PC will refuse to boot – annoying, but effective.

Again, this is the most basic understanding of what a TPM is and does – there are many more benefits to utilizing a TPM than this. Plenty of today’s modern applications actually utilize the motherboard’s TPM long after the computer has booted. For example, Outlook and Thunderbird email clients both utilize TPM features to handle the encryption of messages. Furthermore, Firefox and Chrome also both make use of TPM for some of the advanced security features – handling SSL certifications from websites.

Are Trusted Platform Modules Chips?

For the most part, trusted platform modules come in chip form – either found on your motherboard or can be purchased standalone and installed separately. However, there are a number of different forms of TPM that make them much more versatile.

The Trusted Computing Group (TCG), the responsible body for ensuring TPM standards, states that there are a number of additional types of TPM. Firstly, TPMs can be integrated into the main processor of your PC, either in physical or code format – with the latter better known as firmware. Whilst this may not seem as secure as a standalone TPM chip, TCG states otherwise – ensuring that the chip is in a trusted environment that is separate from the rest of the programs using the CPU.

That isn’t all though, TPMs can also come in a virtual capacity – made up from software only. Whilst this seems like a viable route, it is not recommended for real-world situations – warns TCG. This form can become vulnerable to both tampering and security bugs that may of found their way into your operating system.

How Does Windows 11 Use A TPM?

So, what’s all the fuss around Windows 11 and TPMs? Well, both Windows 7 and 10 have plenty of support for TPMs – with laptops making use of TPM functionality for some time – as have desktop PCs used in organizations with strict IT security requirements. In many ways, the TPM chip has physically replaced the smart cards of yesteryear – ofter given to employees by the IT department. The smart card was used to verify that the system hadn’t suffered tampering and would require inserting into a slot to function with the PC. Thank god that isn’t a thing anymore.

Back to Windows, TPMs have been utilized for security features at the operating system level for some time now – most commonly seen in the Windows Hello face-recognition login feature. In fact, TPM 2.0 support has been a requirement of Windows 10 for desktop (including Home, Pro, Enterprise, or Eduction). The same will apply to Windows 11, only running on PCs that have the TPM 2.0 capabilities.

Windows 11

From what we know so far, Microsoft has been pretty strict on the requirements for Windows 11 since they were released, stating that TPM 2.0 was indeed a requirement. If you’re unsure on whether or not your PC is compatible with Windows 11, feel free to check our supported CPU list here or check out the Windows PC Health Checker on the website. Both should indicate whether or not your PC is compatible with Windows 11, however, the tool – at present – is not perfect.

Microsoft also sneakily changed the system requirements for Windows 11 seemingly overnight, with the TPM requirement going from 1.2 to 2.0. That being said, I’d be very surprised if Microsoft issued a new version of Windows that would require the tampering of BIOS options for compatibility. But we’ll see.

Does My PC Have A TPM 2.0 Module?

Naturally, the next question most people ask is, does my PC have a TPM 2.0 module? Chances are. if your PC was built in the last 4-5 years, you will indeed have a TPM chip – or the available slot to install one. However, that isn’t always the case – as you’ll likely read on my Reddit forum posts.

Having said that, plenty of newer hardware doesn’t have a TPM 2.0 module-  so how do you check? Well, the easiest way is to enter the BIOS and see if the option to enable it is there. We have a full guide on how to enable TPM here. However, there are alternative options available.

One option is to look through the motherboard manual and see if it has a TPM 2.0 module installed. Nine times out of ten, this will let you know straight away whether or not your system is compatible or not. If you’ve lost the manual, fear not – most hardware manufacturers will have the latest manual available to download on their website.

Alternatively, you can always see if TPM is enabled on your PC with a simple run command. Below are the steps:

  1. Press WIN + R to open up the run command
  2. Type tpm.msc and press enter
  3. This will load Trusted Platform Module Management and will let you know if it’s enabled in your BIOS

TPM Mnagement enabled

This is what your TPM Management should say if you have TPM enabled on your PC. If not, it will look more like this:

TPM Management module

However, just because TPM isn’t enabled on your PC, doesn’t mean it won’t have a TPM chip. I know, confusing. The only real way to find out is to enter the BIOS or check the motherboard manufacturer manual.

Can I Add A TPM To My Motherboard?

Ultimately, if you haven’t got a TPM module connected to your motherboard, you can indeed install one – and a relatively cheap price. TPM modules retail for around $30 but, as with all things at the moment, actually buying one from a retailer is easier said than done.

Many modern motherboards will come with a cluster of header pins that are dedicated to the TPM module – clearly labeled TPM on the motherboard itself. However, the installation of the TPM module is the least of your worries – the hard part is ensuring that the TPM is properly set up within the BIOS.

As you can imagine, this process varies wildly from manufacturer to manufacturer, so understanding how to set one up properly does require a decent level of BIOS know-how.

Worst of all, if you’re one of the individuals that built a high-performance gaming PC years ago, chances are, it probably won’t have the capacity to even support TPM 2.0 – meaning new hardware will be on the horizon.

Do I Have A TPM

You can easily check whether you’re PC has a TPM chip by checking the motherboard manual – or speaking directly to the motherboard manufacturer via the help center.

That being said, you can also try the following commands. Press WIN + R to bring up the run command. Type tpm.msc and press enter. This should tell you whether or not you have a TPM chip and what module its running.

Does Windows 11 Require TPM?

As far as we can tell, Windows 11 will only run on PCs that have a Trusted Platform Module (TPM) of 2.0. This is a chip that is built into the PC itself and acts as a level of security when loading your PC.

Whilst Microsoft has been strict with the requirements of Windows 11, we’re not sure if you’ll need it come 2022 (official upgrade date).

What Is TPM Management?

TPM management is a tool within your desktop PC that allows you to see whether or not your PC has a TPM, whether it’s enabled, and what module it’s running – 1.2 or 2.0.

Where Is TPM In BIOS

The TPM can be located within the BIOS when going to advanced view, then selecting the boot options. Whilst all motherboard BIOS are different, most will have the same generic headings – one of which should be BOOT.

You will be able to find TPM in this section and will be able to enable/disable it based on your preference.

Which TPM Version Do I Have?

Again, the easiest way to check what version of TPM you have is to consult the motherboard manufacturer. Do this by simply checking the motherboard manual or heading over to the motherboard manufacturer website and typing in the name of the motherboard you own.

Download the manual and seeing what TPM chip it has.

Is TPM Secure

TPMs are nothing new, utilized in PCs and laptops for many years now. In terms of security, they are a great level of security to have, handling the encryption of many applications within the desktop. Furthermore, they act as a level of security when loading your PC. If breached, the TPM chip will refuse to load the computer.

Is It Safe To Clear The TPM?

Clearing the TPM will erase all information stored on it. You will lose all the created keys and access to data encrypted by these keys.

If you’re confident you don’t need the keys, feel free to clear the TPM.