When Microsoft introduced Windows 11 in 2021, its new, stringent hardware compatibility test included checking for the presence of a Trusted Platform Module (TPM) — specifically, one that meets the TPM 2.0 standard.
So, what is a TPM, and why does Windows insist that you need one?
Also: How to upgrade your ‘incompatible’ Windows 10 PC to Windows 11
The simple answer is that a TPM is a secure cryptoprocessor, a dedicated microcontroller designed to handle security-related tasks and manage encryption keys in a way that minimizes the ability of attackers to break into a system. Windows uses that hardware for a variety of security-related features, including Secure Boot, BitLocker, and Windows Hello. The TPM performs the essential mathematical chores that make it possible to encrypt and decrypt data, generate random numbers, and validate digital signatures. It’s also a secure place to store digital certificates, encryption keys, and authentication data in a way that can’t be tampered with.
But the full answer is, as with anything related to computer security, slightly more complicated.
The TPM architecture is defined by an international standard (formally known as ISO/IEC 11889), which was created by the Trusted Computing Group more than 20 years ago. The standard deals with how different cryptographic operations are implemented, with an emphasis on “integrity protection, isolation and confidentially [sic].”
A TPM can be implemented as a discrete chip soldered onto a computer motherboard, or it can be implemented within the firmware of a PC chipset or the CPU itself, as Intel, AMD, and Qualcomm have done over the past decade. Even Microsoft has gotten into the act, with its Microsoft Pluton security processor, which is integrated directly into SoCs from AMD and Qualcomm; it can be used as a TPM or as a security processor alongside a discrete TPM. If you use a virtual machine, you can even build a virtual TPM chip into it.
Also: If your Windows 10 PC can’t be upgraded, you have 5 options before time runs out
A December 2024 post on Microsoft’s Windows IT Pro Blog made the case that TPM 2.0 is “a non-negotiable standard for the future of Windows.” In the corporate world, at least, that transition has already happened, and the worldwide installed base of PCs that don’t support this standard should be a very small number by the time Windows 10 support ends in October 2025.
In Windows, the TPM works with the Windows Secure Boot feature, which verifies that only signed, trusted code runs when the computer starts up. If someone tries to tamper with the operating system — to add a rootkit, for example — Secure Boot prevents the changed code from executing. (Chromebooks have a similar feature called Verified Boot, which also uses the TPM to ensure that a system hasn’t been tampered with.)
The TPM also enables biometric authentication with Windows Hello, and it holds the BitLocker keys that encrypt the contents of a Windows system disk, making it nearly impossible for an attacker to break that encryption and access your data without authorization. For a detailed technical explanation, you can read this primer. Today’s high-end business PCs start with a TPM 2.0 and other hardware to enable firmware protection and advanced identity verification, blocking many common security threats.
Also: The 4 easiest ways to test Linux on your old PC before Windows 10 support runs out
So, does your PC have a TPM? If it was designed in 2016 and sold with Windows preinstalled, the answer is almost certainly yes. That’s the year Microsoft began requiring manufacturers to ship PCs with TPM 2.0 available and enabled by default. Intel CPUs from that era include a TPM 2.0 that’s embedded in firmware (Intel calls this feature Platform Trust Technology, or PTT). Also in 2016, AMD began incorporating a firmware-based TPM 2.0 called fTPM.
<!–>
If your PC is older than that, it still might contain a TPM. Intel started including the feature in its 4th Generation Core processors (Haswell) in 2014, but in general that technology was only available and enabled in PCs built for the business market. Computers built in 2013 or earlier might include discrete TPMs that are separate from the CPU; for the most part, pre-2014 TPMs followed the TPM 1.2 standard, which is not officially supported by Windows 11.
To complicate things even more, your PC might have a TPM that’s disabled in the BIOS or firmware settings. That’s certain to be the case on a PC that’s been configured to use a Legacy BIOS instead of UEFI. You can check the configuration of your Windows PC by using the System Information tool (Msinfo32.exe).
Also: 7 password rules to live by in 2024, according to security experts
Windows 10 and Windows 11 initialize and take ownership of the TPM as part of the installation process. You don’t need to do anything special to set up or use a TPM beyond making sure it’s enabled for use by the PC. And it’s not just a Windows feature. Linux PCs and IoT devices can initialize and use a TPM as well.
Apple devices use a different hardware design called the Secure Enclave, which performs some of the same cryptographic operations as a TPM and also provides secure storage of sensitive user data.
The extra level of security that a TPM enforces in tamper-resistant hardware is a very good thing. To see details about the TPM in your Windows PC, open Device Manager and look under the Security Devices heading.
Also: Why ‘debloating’ Windows is a bad idea (and what to do instead)
On a PC running Windows 10 that includes any version of TPM, you can upgrade to Windows 11 by making a simple change to the registry, even if the CPU isn’t officially supported. If your PC doesn’t include a TPM, you’ll need to use an unofficial hack to bypass the hardware compatibility checks and install Windows 11. The easiest way to do this is with the help of a free, open-source utility called Rufus. For details, see “How to upgrade your ‘incompatible’ Windows 10 PC to Windows 11.”
This article was originally published on January 18, 2024, and last updated on December 19, 2024.
–>