Prior to Microsoft announcing that Windows 11 would require a TPM chip it is safe to say that most people had never heard of such a thing. TPM chips, or trusted platform module chips, are not in fact new and have been included on motherboards for the better part of the last decade. However, TPM chips are getting more scrutiny now that they are a hardware requirement to upgrade from Windows 10 to Windows 11.
This article will explain what a TPM chip does, why Windows 11 requires one, how to check your computer’s TPM version, and your upgrade options if you don’t currently have one!
What is TPM?
The TPM (Trusted Platform Module) chip, sometimes referred to as a cryptoprocessor, is best thought of as a small, isolated chip dedicated to cryptographic work: it generates and stores keys, signs and hashes data, supplies random numbers, and records what software ran at boot, all without ever letting its private keys leave the chip. This ability is put to use for a variety of security features including full disk encryption. In the past a similar role was often played by peripheral security hardware such as smart cards – the card holds the key and only uses it once it has been presented with the correct PIN or credential.
TPMs come in a few different varieties, including standalone (discrete) chip modules, firmware based TPMs (fTPMs) which run in a protected environment of the CPU or chipset firmware, and purely software based (virtual) TPMs used for virtual machines and testing. For all practical purposes only the first two are considered secure enough to be useful; a software level TPM runs with the same privileges as the software it is supposed to protect, so malware that compromises the system can tamper with it.
Windows devices aren’t alone in using this idea – Apple has been using comparable technology in their computers for several years as well. Apple isn’t using the term TPM, and its T2 Security Chip is not built to the TPM specification, but it performs the same job as a TPM does on a Windows machine: holding the keys for disk encryption and Touch ID and verifying the boot chain.
If you’re using Windows Hello then you’ve already seen your TPM at work, although not quite in the way people often assume. Your face or fingerprint template is stored, encrypted, on the PC itself and the matching is done by Windows; what the TPM holds is the private key for your Windows Hello credential, and a successful match is what lets Windows use that key to sign you in. Decrypting the hard drive is a separate job that happens earlier: with BitLocker, the TPM releases the disk key during boot, before anyone signs in, provided the firmware and boot loader it measured match the values the key was sealed to. If something in the boot chain has changed, the key stays locked and Windows asks for the BitLocker recovery key instead.
In addition to user authentication, TPM chips can play a role in protecting network credentials, e-commerce security, password management, attestation (reporting the firmware and software the machine booted, signed by a key that never leaves the TPM, so that a remote party can verify the machine’s state), and file encryption services such as Microsoft’s BitLocker.
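To make the boot measurement and sealing idea concrete, here is a small PowerShell simulation written for this article (it is not code from the original page, from Microsoft, or from the TPM specification). A real TPM does this in hardware with the TPM2_PCR_Extend and TPM2_Unseal commands; the boot components, the secret, and the function names below are constructed stand-ins that only model the behaviour.

```powershell
# Added illustration for this article, not code from the original page or from
# Microsoft. Simulates how a TPM "measures" each boot component into a Platform
# Configuration Register (PCR) and how a secret sealed to that PCR (think of a
# BitLocker volume key) is only released when the same code was measured again.

$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Get-Digest {
    param([byte[]]$Bytes)
    return [byte[]]$sha256.ComputeHash($Bytes)
}

function Invoke-PcrExtend {
    # PCR_new = SHA-256(PCR_old || SHA-256(component)). A PCR can only be
    # extended, never written, so a later stage cannot undo an earlier measurement.
    param([byte[]]$Pcr, [byte[]]$Component)
    return Get-Digest ([byte[]]($Pcr + (Get-Digest $Component)))
}

function Measure-BootChain {
    # Runs the whole chain (firmware, boot manager, OS loader) through one PCR
    # and returns the final register value as hex. PCRs are all zeros after reset.
    param($Components)
    $pcr = New-Object byte[] 32
    foreach ($c in $Components) { $pcr = Invoke-PcrExtend $pcr $c }
    return -join ($pcr | ForEach-Object { $_.ToString('x2') })
}

function Protect-Secret {
    # Models sealing: the blob records the PCR value (the "policy") that the
    # TPM must observe again before it will hand the secret back.
    param([string]$Secret, [string]$ExpectedPcr)
    return @{ Policy = $ExpectedPcr; Secret = $Secret }
}

function Unprotect-Secret {
    # Models TPM2_Unseal under a PCR policy: the secret comes back only when the
    # current PCR matches the sealed policy; otherwise the TPM refuses ($null here).
    param($Blob, [string]$CurrentPcr)
    if ($Blob.Policy -ne $CurrentPcr) { return $null }
    return $Blob.Secret
}

# Constructed boot chains. In a real system the measured data would be the
# actual firmware, boot manager and OS loader images.
$utf8 = [System.Text.Encoding]::UTF8
$cleanChain = @(
    $utf8.GetBytes('UEFI firmware 1.0'),
    $utf8.GetBytes('bootmgfw.efi'),
    $utf8.GetBytes('winload.efi')
)
$tamperedChain = @(
    $utf8.GetBytes('UEFI firmware 1.0'),
    $utf8.GetBytes('bootmgfw.efi (patched)'),   # any change to any stage is enough
    $utf8.GetBytes('winload.efi')
)

# Seal a stand-in volume key to the PCR value of a clean boot.
$sealed = Protect-Secret -Secret 'CONSTRUCTED-VOLUME-KEY' -ExpectedPcr (Measure-BootChain $cleanChain)

$clean    = Unprotect-Secret $sealed (Measure-BootChain $cleanChain)      # returns the key
$tampered = Unprotect-Secret $sealed (Measure-BootChain $tamperedChain)   # returns $null

"Clean boot unseals   : $clean"
"Tampered boot unseals: $(if ($null -eq $tampered) { '(refused, PCR mismatch)' } else { $tampered })"
```

Two details carry over to the real thing. First, because each extend hashes the previous register value together with the new measurement, a change anywhere in the chain changes the final value, so a patched boot manager is caught even if the firmware and OS loader are untouched. Second, the TPM never compares anything with the disk; it compares the PCRs it accumulated with the policy the key was sealed to, which is why BitLocker falls back to the recovery key after a firmware update or a boot configuration change.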
What’s up with Windows 11 requiring a TPM chip?
It is slightly misleading to say that Windows 11’s TPM requirement marks a departure from previous system requirements. Windows has made use of TPMs since at least Windows 7, which could tie BitLocker to a TPM 1.2, and devices sold with Windows 10 installed have been required to ship with TPM 2.0 since July 2016.
However, if you built your own device or upgraded an older computer then your computer may not have TPM 2.0. This isn’t to say that your computer doesn’t have a TPM at all – but it is more likely that you have an older version such as TPM 1.2.
The newer version of the trusted platform module supports newer and more robust cryptographic algorithms, and has more uniform requirements than the former versions. TPM 1.2 is tied to a fixed set of algorithms – SHA-1 for hashing and RSA for public-key operations – and SHA-1 in particular is no longer considered collision resistant, so the Trusted Computing Group only allows it for legacy purposes. TPM 2.0 was designed to be algorithm-agile: it supports SHA-256, elliptic curve keys and symmetric ciphers such as AES, and can be extended with new algorithms as old ones wear out.
The early generation of TPMs did not have standardized lockout policies, so how (or whether) a chip slowed down repeated wrong PIN or password attempts was up to the vendor. This means that some chips could be vulnerable to brute force attacks against the PIN that protects a key. The TCG’s TPM 2.0 specification defines a standard dictionary attack lockout – after a set number of failed attempts the TPM refuses further attempts for a healing period – providing Windows 11 devices with greater protection against malware and hackers.
How do I know if I already have a TPM 2.0 chip installed in my computer?
As alluded to earlier, if you have a newer Windows laptop you almost certainly have a TPM 2.0 chip installed on your computer’s motherboard. Since July 28th, 2016 all devices that came with Windows 10 installed from the factory have had this technology.
However, if your computer is older than this or if it was a custom build there is a chance that you either don’t have TPM 2.0 or that you do but it is currently disabled.
To check if your computer meets the upgrade requirements, including TPM status, download and run Microsoft’s PC Health Check App. This app will be able to quickly tell you if your computer is eligible for the upgrade, and if it isn’t the app will present you with a list of the components holding you back.
If you are already confident that your hardware meets the upgrade requirements and are just checking on the status of your TPM, there is another option that doesn’t require downloading anything. Using the Windows+R hotkey, open the Run dialog box, type in “tpm.msc” and click OK. If your TPM chip is enabled, a window will pop up telling you its current status and version number; the “Specification Version” field is the one that needs to read 2.0. If instead you see “Compatible TPM cannot be found,” the chip is either absent or disabled in firmware.
If your computer is relatively new but the app fails to detect a TPM chip don’t despair. In some cases the physical TPM chip is installed but is simply not activated. To re-enable it you’ll want to access your computer’s UEFI or BIOS and see if you can find an option that reads ‘enable TPM.’
The exact wording for the option to enable your TPM module will vary by manufacturer. Intel refers to the technology as Platform Trust Technology or PTT, while AMD labels the option fTPM. The option for TPM management is usually under your BIOS security settings tab or advanced settings tab.
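If you would rather script the check than click through tpm.msc (for example across several machines), the following PowerShell function does it with tools that ship with Windows 10 and 11. It is an added example written for this article, not Microsoft’s own code; the function name and the wording of its verdicts are my own, while the Win32_Tpm class, Get-Tpm and Confirm-SecureBootUEFI are standard Windows components. Run it from an elevated (Administrator) PowerShell prompt, since the TPM class and cmdlets require it.

```powershell
# Added example for this article (not Microsoft's code). Reports the TPM facts
# the Windows 11 upgrade depends on and suggests the next step. Run elevated.

function Get-TpmUpgradeStatus {
    $result = [ordered]@{
        TpmPresent   = $false
        SpecVersion  = $null
        TpmReady     = $false
        LockedOut    = $null
        SecureBootOn = $null
        Verdict      = ''
    }

    # Win32_Tpm reports SpecVersion as "2.0, 0, 1.38": the spec family first,
    # then revision numbers. The instance is missing entirely when Windows
    # cannot see a TPM, which is what a disabled fTPM/PTT looks like.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $result.Verdict = 'No TPM visible to Windows: look in UEFI/BIOS for Intel PTT, AMD fTPM, or a TPM header'
        return [pscustomobject]$result
    }
    $result.TpmPresent  = $true
    $result.SpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()

    # Get-Tpm (TrustedPlatformModule module) shows whether Windows has
    # provisioned the chip and whether its dictionary-attack lockout is active.
    $state = Get-Tpm
    $result.TpmReady  = $state.TpmReady
    $result.LockedOut = $state.LockedOut

    # Secure Boot is a separate Windows 11 requirement. The cmdlet throws on
    # legacy-BIOS systems, which for our purposes means "not on".
    try { $result.SecureBootOn = Confirm-SecureBootUEFI } catch { $result.SecureBootOn = $false }

    $result.Verdict = if ($result.SpecVersion -eq '2.0' -and $result.TpmReady) {
        'TPM 2.0 present and ready'
    } elseif ($result.SpecVersion -eq '2.0') {
        'TPM 2.0 present but not provisioned: run Initialize-Tpm or prepare it from tpm.msc'
    } else {
        "TPM $($result.SpecVersion) found: ask the vendor about a 2.0 firmware update or fit a TPM 2.0 module"
    }
    return [pscustomobject]$result
}

Get-TpmUpgradeStatus | Format-List
```

A SpecVersion of 2.0 with TpmReady reporting False usually just means Windows has not taken ownership of the chip yet; that is fixed from tpm.msc or with Initialize-Tpm and does not need a firmware change. LockedOut reporting True is the TPM 2.0 dictionary-attack protection described earlier doing its job, and it clears on its own after the healing period.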
Can I add a Trusted Platform Module to my current PC?
In some cases you will be able to add a Trusted Platform Module to your current PC, bringing it in line with Windows 11’s system requirements. Many custom-built desktops that don’t have TPM 2.0 have a bundle of header pins on the motherboard labeled TPM standing by for the addition of one of these modules.
You can check whether or not your motherboard has a TPM header by visually inspecting it, or if you know the brand and model number of your board you can look up its specifications. On the spec sheet you’ll want to read through the list of included Internal I/O Ports. If it says “TPM Header” your board is able to be upgraded and you can move to the next step.
Once you’ve verified that your board has the space to add a TPM module the next step is to find a compatible module. Unfortunately, TPM modules come with varying pin counts and pinouts, and may connect over either the LPC or the SPI bus, meaning that you can’t count on just any module working for you. In general going with a TPM module from the same company as your motherboard maker is a safe choice, but for a guarantee you’ll need to verify with your motherboard manufacturer that the module you’ve selected is compatible.
Keep in mind that between the recent chip shortage and the upgrade requirement imposed by Windows 11 the price of TPM chips has soared in recent months and availability has plummeted.
Once you’ve added a TPM there is one final step – you’ll need to access your computer’s BIOS and enable the new device. This process is generally painless if you’ve installed a compatible TPM module. One caveat: if the computer already uses BitLocker or Windows Hello with an existing firmware TPM, suspend BitLocker and have your recovery key to hand before switching, because keys sealed to the old TPM cannot be unlocked by the new one.
If your computer does not have a space to install a TPM module you have one final option: enabling or updating a firmware based TPM. The exact steps for this will vary by manufacturer. Some companies, like HP, ship TPMs whose firmware can be updated from the 1.2 to the 2.0 specification with a vendor utility. Like any TPM replacement, the update clears the keys stored in the chip, so back up your BitLocker recovery key before running it.
Will a TPM limit which features are available to me in Windows 11?
When Microsoft announced the TPM 2.0 requirement for Windows 11 a lot of people were alarmed, thinking that their current computer would be completely ineligible for upgrade. Microsoft has since clarified their position, saying that computers with TPM 1.2 can be upgraded, although they do not recommend doing so.
Microsoft warns that “Your device might malfunction due to these compatibility or other issues. Devices that do not meet these system requirements will no longer be guaranteed to receive updates, including but not limited to security updates.”
Despite these dire warnings, many users with TPM 1.2 have successfully upgraded to Windows 11 already. It is unclear at what point these devices will be unable to receive updates. It may be the case that these warnings are simply Microsoft’s way of limiting liability, but we will have to wait until the release version is out to know for sure.
If you choose to go ahead with the upgrade you’ll find that in addition to a lack of guaranteed updates, a few Windows 11 features are not available to you. Specifically, computers without TPM 2.0 will be unable to use automatic Device Encryption (BitLocker itself still works with TPM 1.2, but has to be turned on manually), Secure BIO, and Windows Defender System Guard (although Windows Defender Application Control will still work). Windows Hello will work with TPM 1.2, but Microsoft recommends only using it with TPM 2.0 for enhanced performance and security.
Upgrading to Windows 11
Transitioning to a new operating system is supposed to be easy, but inevitably the introduction of these major changes can result in headaches. Windows 11’s requirement of a newer TPM module will result in fewer devices being eligible for the update, but ultimately means that the keys protecting your disk and your sign-in are held in hardware, where malware running on the computer cannot simply read them out.
If you’re upgrading an older computer and would like help with the process, Bristeeri Tech offers fast, reliable, and affordable computer repair services across the South Carolina Midlands. With their help your system update headaches will be a thing of the past.