What is a TPM, and why does Windows 11 require one?

September 9, 2024 TH Author

When Microsoft introduced Windows 11 in 2021, its new, stringent hardware compatibility test included checking for the presence of a Trusted Platform Module (TPM) — specifically, one that meets the TPM 2.0 standard.

Also: Still have a Windows 10 PC? You have 5 options before support ends next year

So, what is a TPM, and why does Windows insist that you need one? The simple answer is that a TPM is a secure cryptoprocessor, a dedicated microcontroller designed to handle security-related tasks and manage encryption keys in a way that minimizes the ability of attackers to break into a system. Windows uses that hardware for a variety of security related features, including Secure Boot, BitLocker, and Windows Hello.

But the full answer is, as with anything related to computer security, slightly more complicated.

The TPM architecture is defined by an international standard (formally known as ISO/IEC 11889), which was created by the Trusted Computing Group more than 20 years ago. The standard deals with how different cryptographic operations are implemented, with an emphasis on “integrity protection, isolation and confidentially.”

A TPM can be implemented as a discrete chip soldered onto a computer motherboard, or it can be implemented within the firmware of a PC chipset or the CPU itself, as Intel, AMD, and Qualcomm have done over the past decade. If you use a virtual machine, you can even build a virtual TPM chip into it.

Also: 7 password rules to live by in 2024, according to security experts

So, does your PC have a TPM? If it was designed in 2016 and sold with Windows preinstalled, the answer is almost certainly yes. That’s the year Microsoft began requiring manufacturers to ship PCs with TPM 2.0 available and enabled by default. Intel CPUs from that era include a TPM 2.0 that’s embedded in firmware (Intel calls this feature Platform Trust Technology, or PTT). Also in 2016, AMD began incorporating a firmware-based TPM 2.0 called fTPM.

If your PC is older than that, it still might contain a TPM. Intel started including the feature in its 4th Generation Core processors (Haswell) in 2014, but in general that technology was only available and enabled in PCs built for the business market. Computers built in 2013 or earlier might include discrete TPMs that are separate from the CPU; for the most part, pre-2014 TPMs followed the TPM 1.2 standard, which is not officially supported by Windows 11.

Also: 11 hidden Windows touchpad tricks power users need to know

To make things even more complicated, your PC might have a TPM that’s disabled in the BIOS or firmware settings. That’s certain to be the case on a PC that’s been configured to use a Legacy BIOS instead of UEFI. You can check the configuration of your Windows PC by using the System Information tool (Msinfo32.exe).

A TPM is meant to be a super-secure location for processing cryptographic operations and storing the private keys that make strong encryption possible. The TPM works with the Windows Secure Boot feature, for example, which verifies that only signed, trusted code runs when the computer starts up. If someone tries to tamper with the operating system — to add a rootkit, for example — Secure Boot prevents the changed code from executing. (Chromebooks have a similar feature called Verified Boot, which also uses the TPM to ensure that a system hasn’t been tampered with.)

The TPM also enables biometric authentication with Windows Hello, and it holds the BitLocker keys that encrypt the contents of a Windows system disk, making it nearly impossible for an attacker to break that encryption and access your data without authorization. For a detailed technical explanation, you can read this primer.

Windows 10 and Windows 11 initialize and take ownership of the TPM as part of the installation process. You don’t need to do anything special to set up or use a TPM beyond making sure it’s enabled for use by the PC. And it’s not just a Windows feature. Linux PCs and IoT devices can initialize and use a TPM as well.

Also: Why ‘debloating’ Windows is a bad idea (and what to do instead)

Apple devices use a different hardware design called the Secure Enclave, which performs some of the same cryptographic operations as a TPM, and also provides secure storage of sensitive user data.

The extra level of security that a TPM enforces in tamper-resistant hardware is a very good thing. To see details about the TPM in your Windows PC, open Device Manager and look under the Security Devices heading.

On a PC running Windows 10 that includes any version of TPM, you can upgrade to Windows 11 by making a simple change to the registry. If your PC doesn’t include a TPM, you’ll need to use an unofficial hack to bypass the hardware compatibility checks and install Windows 11. The easiest way to do this is with the help of a free, open-source utility called Rufus. For details, see “How to upgrade your ‘incompatible’ Windows 10 PC to Windows 11.”