What is TPM for Windows 11?

Windows 11 TPM

Microsoft has announced that Windows 11 will require TPM (Trusted Platform Module) chips on existing and new devices. It’s a significant hardware change that has been years in the making, but the rollout of this requirement has left many confused about whether their hardware is compatible or not.

What is a TPM, and why do you need one for Windows 11? Let’s talk about it.

What is a TPM for Windows 11?

“The Trusted Platform Modules (TPM) is a chip that is either integrated into your PC’s motherboard or added separately into the CPU,” explains David Weston, director of enterprise and OS security at Microsoft. “Its purpose is to protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.”

The likes of AMD and Intel have made sure all their modern processors pack this technology, but it could be absent if you’re using a chip from a few years ago.

When you log into your computer, the TPM will supply a unique code called a cryptographic key and if there’s no detected issue, your computer will start up as normal. If your PC’s security is compromised, however, the computer will lock down to prevent hackers gaining access.

This is all about security.

TPMs can be used to encrypt disks using Windows features like BitLocker or to prevent dictionary attacks against passwords. This technology is actually not new.

TPM 1.2 chips have existed since 2011, but they’ve typically only been used widely in IT-managed business laptops and desktops. Microsoft wants to bring that same level of protection to everyone using Windows.

Basically, Microsoft is trying to put this in place for users because it seems like a lot of businesses are experiencing attacks on their devices that could be avoided simply by using TPM.

When you consider the various phishing, ransomware, supply chain, and IoT vulnerabilities that exist, the broad range of attacks becomes a lot clearer. TPMs will certainly help with certain attacks, but Microsoft is banking on a combination of modern CPUs, Secure Boot, and its set of virtualization protections to really make a dent in ransomware.

There are more than 1.3 billion Windows 10 machines in use today and hands down the majority of devices that will be breached by hackers will either have some version of Windows 10 or Windows 11 on them. The software giant is trying to put safeguards in place to avoid more embarrassing spyware and ransomware headlines in the news.

Microsoft’s Windows 11 website lists the minimum system requirements, with a link to compatible CPUs and a clear mention that a TPM 2.0 is required at a minimum. You can now use the Windows 11 PC Health Check app that Microsoft asks people to download to check to see if your version of Windows 11 will be running without Secure Boot or TPM support enabled.

How to check for TPM compatibility on your Windows PC

In some cases, PCs that are capable of running TPM 2.0 are not set up to do so. If you are considering upgrading to Windows 11, check to ensure TPM 2.0 is enabled on your device. Most retail PC motherboards used by people building their own PC, for example, ship with TPM turned off by default even though it is almost always available to be enabled.

Option 1: Use the Windows Security app

Run Settings > Update & Security > Windows Security > Device Security

If you do not see a Security processor section on this screen your PC may have a TPM that is disabled. see How to enable TPM for more information or check your PC manufacturer’s support information for instructions. to enable the TPM. If you are able to enable a TPM, complete the next step to verify that it is a TPM 2.0.

If you see an option for Security processor details under Security processor, select that and verify that your Specification version is 2.0. If it is less than 2.0, your device does not meet the Windows 11 requirements.

Option 2: Use the Microsoft Management Console

Press [Windows Key] + R or select Start > Run.

Type “tpm.msc” (do not use quotation marks) and choose OK.

If you see a message saying a “Compatible TPM cannot be found,” your PC may have a TPM that is disabled. See How to enable TPM for more information or check your PC manufacturer’s support information for instructions to enable the TPM. If you are able to enable the TPM, complete the next step to verify that it is a TPM 2.0.

If you see a message confirming TPM is ready to use, check Specification Version under TPM Manufacturer Information to verify it is 2.0. If it is less than 2.0 your device does not meet the Windows 11 requirement.

How to enable TPM

If you need to enable TPM, these settings are managed via the UEFI BIOS (PC firmware) and vary based on your device. You can access these settings by choosing: Settings > Update & Security > Recovery > Restart now.

From the next screen, choose Troubleshoot > Advanced options > UEFI Firmware Settings > Restart to make the changes. These settings are sometimes contained in a sub-menu in the UEFI BIOS labeled Advanced, Security, or Trusted Computing.

The option to enable the TPM may be labeled Security Device, Security Device Support, TPM State, AMD fTPM switch, AMD PSP fTPM, Intel PTT, or Intel Platform Trust Technology.

Basically, TPM is a security mechanism to keep your PC safe. The software company is simply trying to provide a security enhancement that will benefit the Windows ecosystem in years to come