You may already have one.
Microsoft created a fair amount of chaos and generated a fair amount of flak for requiring a version 2.0 TPM in order to run the soon-to-be-released Windows 11. It didn’t help that they changed their minds, changed their minds, and changed their minds yet again.
Especially over a feature that most people know nothing about.
Let’s dive in to the what and why.
Become a Patron of Ask Leo! and go ad-free!
What's a TPM?
The Trusted Platform Module is a hardware device that implements several security and cryptographic functions in ways that are more secure and resilient than performing those functions on the PC itself. Most computers manufactured in the last five or so years will have support for TPM 2.0, though it may need to be enabled in the UEFI/BIOS. Running “tpm.msc” is a quick way to determine the status of your machine’s support for TPM.
TPM: Trusted Platform Module
A TPM is a hardware component of your computer. Per Wikipedia, it’s “a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.”
The key words in that description are secure and cryptographic. The overarching goal of a TPM is to enable greater security for the computer, as well as for any security-related applications that choose to use TPM.
The TPM can be used for a myriad of security-related functions. Without going into terribly geeky depth, the kind of things the TPM is used for include:
- Securely storing a BitLocker whole-disk encryption key.
- Ensuring that the boot process or system software hasn’t been tampered with.
- Generating random numbers (critical in encryption).
- Generating and storing encryption keys.
That’s just the tip of the iceberg.
One of the important aspects of the TPM is that it’s a separate device — meaning that whatever it does internally is not visible to software running on the PC itself — and no third-party software runs on the TPM itself. This isolates its activity and internal data (which may include stored cryptographic keys) from any malware on the PC.
Determining if your computer has a TPM
Start by running “tpm.msc”. (Use Windows Key + R to open the run dialog, type in tpm.msc, and click OK.)
If the report is similar to the one above, then your machine has a TPM, and Windows is aware of it. In the above image, the TPM reports as version 2.0, meaning it meets the Windows 11 requirements.
If tpm.msc reports that no TPM is found, you might still have one. It may just take an additional step or two.
Enabling your TPM
On some machines (my own, for example), Windows reports no TPM is present, even though the computer is equipped with one. If your computer’s motherboard was manufactured within the last five years or so, then it almost certainly includes a 2.0 TPM, whether or not Windows reports it as available. You may simply need to enable it.
In my case, that involved two UEFI/BIOS settings:
- Settings, Miscellaneous, AMD CPU fTPM: enable.
- Trusted Computing submenu, Security Device Support: enable.
I have to stress that this was on my machine. Your machine will almost certainly be different. Specifically, different UEFI/BIOS venders place the options in different places, and the exact type of option exposed may also vary based on whether your CPU is AMD or Intel.
Check with your computer manufacturer for instructions. Given all the confusion and frustration surrounding the Windows 11 announcements, I would hope most will have instructions readily available.
On my two Dell laptops — the oldest purchased in 2016 — TPM 2.0 was present and enabled without my needing to do a thing.
There are several answers to why Windows 11 will require a version 2.0 TPM:
- Because Microsoft said so.
- Because several large PC customers, such as government or enterprise purchasers, require it.
- Because it enables better security.
It’s the last one that matters the most (and is likely the reason for the preceding two).1 The TPM adds an additional layer of security and enables better security in applications that choose to make use of it. Windows 11 happens to be one of those applications.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Footnotes & References
1: Selling more hardware or forcing upgrades is not one of the reasons. If your machine can’t support TPM 2.0, then no one is forcing you to replace it and upgrade to Windows 11. You can stick with Windows 10 until at least 2025, if not longer, or you can migrate to a Linux distribution without the requirement. You’d only need to purchase a new machine if a) your existing motherboard doesn’t support TPM 2.0, and b) you are for some reason required to move to Windows 11.
- Trusted Platform Module – Wikipedia
- Trusted Platform Module – Microsoft
- Windows 11 and the Great TPM Dilemma – Puget Systems (my computer’s manufacturer)
- What Is a TPM, and Why Do I Need One for Windows 11? – PC Mag