
What Is a TPM? And Why Do I Need One?

You may already have one.

[Image: a TPM chip] (Image: FxJ, Public domain, via Wikimedia Commons)
Windows 11 hardware requirements brought the TPM, or Trusted Platform Module, into the spotlight. I'll touch on what it is, why your machine might not appear to have one, and what to do if it doesn't.
Applies to Windows: 11
OK, Windows 11 says I need a TPM 2.0. What is that, how do I get it, and what’s it all about, anyway?

Microsoft created a fair amount of chaos and generated a fair amount of flak for requiring a version 2.0 TPM in order to run the soon-to-be-released Windows 11. It didn’t help that they changed their minds, changed their minds, and changed their minds yet again.

Especially over a feature that most people know nothing about.

Let’s dive into the what and why.

TL;DR:

What's a TPM?

The Trusted Platform Module is a hardware device that implements several security and cryptographic functions in ways that are more secure and resilient than performing those functions on the PC itself. Most computers manufactured in the last five or so years will have support for TPM 2.0, though it may need to be enabled in the UEFI/BIOS. Running “tpm.msc” is a quick way to determine the status of your machine’s support for TPM.

TPM: Trusted Platform Module

A TPM is a hardware component of your computer. Per Wikipedia, it’s “a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.”

The key words in that description are secure and cryptographic. The overarching goal of a TPM is to enable greater security for the computer, as well as for any security-related applications that choose to use TPM.

The TPM can be used for a myriad of security-related functions. Without going into terribly geeky depth, the kind of things the TPM is used for include:

  • Securely storing a BitLocker whole-disk encryption key.
  • Ensuring that the boot process or system software hasn’t been tampered with.
  • Generating random numbers (critical in encryption).
  • Generating and storing encryption keys.

That’s just the tip of the iceberg.

One of the important aspects of the TPM is that it’s a separate device — meaning that whatever it does internally is not visible to software running on the PC itself — and no third-party software runs on the TPM itself. This isolates its activity and internal data (which may include stored cryptographic keys) from any malware on the PC.

Determining if your computer has a TPM

Start by running “tpm.msc”. (Use Windows Key + R to open the run dialog, type in tpm.msc, and click OK.)

[Screenshot: running tpm.msc] (Screenshot: askleo.com)

If the report is similar to the one above, then your machine has a TPM, and Windows is aware of it. In the above image, the TPM reports as version 2.0, meaning it meets the Windows 11 requirements.

If tpm.msc reports that no TPM is found, you might still have one. It may just take an additional step or two.
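The same status that tpm.msc shows can be pulled from an elevated PowerShell prompt. This is an added example, not code from the article: it uses the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class (real Windows 10/11 interfaces) and adds a small helper that parses the SpecVersion string into the 1.2/2.0 family the Windows 11 requirement cares about.

```powershell
# Added example: summarise TPM status from PowerShell (run as administrator).
# Get-Tpm comes from the built-in TrustedPlatformModule module on Windows 10/11;
# Win32_Tpm lives in the root/cimv2/Security/MicrosoftTpm namespace.

function Get-TpmSpecMajor {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59" (spec family, level, revision).
    # Return just the family ("2.0" or "1.2"), or $null if the string is empty.
    param([string]$SpecVersion)
    if ([string]::IsNullOrWhiteSpace($SpecVersion)) { return $null }
    return ($SpecVersion -split ',')[0].Trim()
}

function Get-TpmReport {
    # Collect the fields tpm.msc displays plus a Windows 11 readiness verdict.
    $tpm = Get-Tpm                                  # fails without elevation
    $wmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    $spec = if ($wmi) { Get-TpmSpecMajor $wmi.SpecVersion } else { $null }

    [PSCustomObject]@{
        Present        = $tpm.TpmPresent
        Ready          = $tpm.TpmReady       # provisioned and usable by Windows
        Enabled        = $tpm.TpmEnabled
        Activated      = $tpm.TpmActivated
        Manufacturer   = $tpm.ManufacturerIdTxt
        SpecVersion    = $spec
        # Windows 11 wants a present, enabled TPM of the 2.0 family. A TPM that
        # exists but is switched off in UEFI reports as not present at all,
        # which is exactly the "no TPM found" case the article describes.
        MeetsWindows11 = ($tpm.TpmPresent -and $tpm.TpmEnabled -and $spec -eq '2.0')
    }
}

# Real run:
Get-TpmReport | Format-List

# Parser check on a constructed SpecVersion string (no TPM needed):
Get-TpmSpecMajor '2.0, 0, 1.59'
```

If Present is False here but the motherboard is recent, the next section (enabling the TPM in UEFI/BIOS) is the place to look before concluding there is no TPM.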

Enabling your TPM

On some machines (my own, for example), Windows reports no TPM is present, even though the computer is equipped with one. If your computer’s motherboard was manufactured within the last five years or so, then it almost certainly includes a 2.0 TPM, whether or not Windows reports it as available. You may simply need to enable it.

In my case, that involved two UEFI/BIOS settings:

  • Settings, Miscellaneous, AMD CPU fTPM: enable.
  • Trusted Computing submenu, Security Device Support: enable.

I have to stress that this was on my machine. Your machine will almost certainly be different. Specifically, different UEFI/BIOS vendors place the options in different places, and the exact type of option exposed may also vary based on whether your CPU is AMD or Intel.

Check with your computer manufacturer for instructions. Given all the confusion and frustration surrounding the Windows 11 announcements, I would hope most will have instructions readily available.

On my two Dell laptops — the oldest purchased in 2016 — TPM 2.0 was present and enabled without my needing to do a thing.

Why TPM?

There are several answers to why Windows 11 will require a version 2.0 TPM:

  • Because Microsoft said so.
  • Because several large PC customers, such as government or enterprise purchasers, require it.
  • Because it enables better security.

It’s the last one that matters the most (and is likely the reason for the preceding two).[1] The TPM adds an additional layer of security and enables better security in applications that choose to make use of it. Windows 11 happens to be one of those applications.


Footnotes & References

[1]: Selling more hardware or forcing upgrades is not one of the reasons. If your machine can’t support TPM 2.0, then no one is forcing you to replace it and upgrade to Windows 11. You can stick with Windows 10 until at least 2025, if not longer, or you can migrate to a Linux distribution without the requirement. You’d only need to purchase a new machine if a) your existing motherboard doesn’t support TPM 2.0, and b) you are for some reason required to move to Windows 11.

27 comments on “What Is a TPM? And Why Do I Need One?”

  1. I ran the tpm.msc and the results are that my Specification Version: 2.0 but yet I still receive the message that my PC doesn’t meet the requirements for Windows 11. Is there more than just this requirement? I purchased the computer in 2017 with Windows 10 Pro.

    • There are other requirements. One of the most common requirements I see many computers failing in is a compatible CPU. I’ve heard a few people say they were able to install Windows 11 even though the compatibility test program said it wasn’t compatible. I suspect many computers that don’t pass that test will be able to run Windows 11.
      I’d like to see comments from anybody who has installed Windows 11 on a machine that Windows said isn’t compatible with Windows 11.

      • Not meeting the requirements may mean nothing more than sub-optimal or lacking performance.
        There are bare minimal requirements. Slow machine. May seem to hang or freeze at times. Common, often long, lags.
        Minimal requirements. Low but acceptable performance.
        And optimal or recommended requirements.

    • I see TPM in my msc console, but Specification version is 1.2. There is no discussion about updating version to 2.0. Any recommendations there?

    • Apple controls the hardware and software on their computers, so the situation is a little different, but as new advances in hardware capabilities are rolled out, even Apple computers come to a point where the hardware can no longer support the software.

      This won’t drive many people to Apple. The entry level MacBook is about $900 whereas a Windows laptop can start as low as $400. Desktops are similar.

  2. I still run on Windows 7 Professional.

    Do I need a TPM or will ‘Defender’ keep me safe?

    I refuse to go to WIN 10 and I doubt that WIN 11 is going to be any better.

    Am I just an English luddite or maybe just a happy person?

  3. Hi, Leo,
    Thank you for a thought-provoking article.
    You said that first Microsoft required the version 2.0 TPM to run Windows 11 and then changed their minds three times. Does that mean they don’t require it now? If they do, are there versions out that don’t? Also, I would be concerned that with the additional level of encryption if something went wrong with the computer I’d never get my files back. Is that a reasonable concern, and can the TPM be disabled after the system is installed? While I do see the value of security, accessing the files is a higher priority for me.

    • Yes and no. The way I understand the current situation is that you won’t be offered Windows 11 if you don’t have a TPM. But if you download and install it it may work. I expect it all to change.

      IMPORTANT: If you’re concerned about losing files because something on your computer goes haywire — be it encryption or anything else like sudden hard disk failure — then you’re not backing up! You must begin backing up, and this has nothing to do with the TPM. Stuff happens. If your data is in only one place, it’s not backed up.

  4. Here’s my paranoid take on this with 40 years IT experience… what Microsoft “says” and what Microsoft “does” (like Bill Gates) isn’t necessarily the same. Although touted as a security device, and I’m not saying it doesn’t do that function, it’s also possible TPM is a “hardware/firmware” back door/snitch device that was created years ago, but is just now being implemented via Windows 11. Why do I say this?? Because I DON’T TRUST MICROSOFT to do what is right. We live in a day of INCREASING SURVEILLANCE by every entity under the sun. What better way to snoop on users than with a hardware/firmware device such as this?? For my own reasons I won’t be upgrading to Bill’s latest monitoring system. Something about this whole thing just seems very fishy to me… my internal red flag is waving high on this one. P.S. Also, in these days of quantum computing, an organization with deep enough pockets can EASILY break any standard encryption key, so this device is already outdated for its stated purpose.

    • The TPM kerfuffle (as Leo puts it) is not about MS surveillance or MS doing the wrong thing. It is about a superfluous requirement that is practically useless for most users. Consider that the 180-degree turn by MS to create Windows 11 is about generating new sales. Add TPM to that mix and it’ll increase the sales. TPM is not like an anti-malware. It doesn’t do much by itself. It needs to be turned on, set up and used. And to do that you need to create a password for the TPM. So guess what, we’re back to where we started with this “security” thing. You need a password to protect the TPM which is supposed to protect other stuff. Yet another eyebrow-raising feature of TPM is that its data can be cleared or reset via the OS menus! TPM might be useful for enterprise systems, but again it needs to be used and used properly. It’s hard not to be cynical and predict that it’s only a matter of time before we hear about a huge company, with TPM-equipped Windows 11, being hacked.

  5. I have identified that my PC does not have TPM but that I can update my motherboard BIOS to a current version that does support TPM. I have downloaded the BIOS upgrade files, but have not yet installed them, partly because I want to wait for WIN11 to “mature” a little at least, no pioneering here!

    My main concern is whether it is SAFE for me to update the BIOS software. My research suggests it could end in disaster.

    Your thoughts on BIOS updates please.

    Many thanks.

    • Leo’s article is talking about TPM, where the M stands for “module”. Strictly speaking TPM only refers to the hardware module that plugs into your motherboard. A “BIOS TPM” functionality is implemented in software (aka firmware) on the CPU and accessed via the BIOS. On Intel systems the firmware is referred to as PTT (or fTPM on AMD computers). Supposedly the firmware security functionality is the same as TPM, but since the PTT is accessed via the BIOS it is subject to the same vulnerabilities as the BIOS. Before updating your BIOS first ask yourself (or find out) if you’re doing this because that’s the only way to get Windows 11 on your computer or do you really want to enable and use the TPM functionality? If you can get Windows 11 on your computer without updating the BIOS, then that’s the safer route. Otherwise you’re taking a risk.

      It would not be surprising if a BIOS update breaks something or even bricks your computer. It’s also possible that once you update your BIOS to a newer version you may not be able to go back to the older version – at least not without professional help. But just in case, find and download the files for your current BIOS version so you can try to revert, if possible.

      If you intend to use your TPM functionality, then consider that you’ll need to password protect your BIOS in order to protect the TPM, which has its own password to protect the other data it stores. If you currently don’t have a password on your BIOS then I suspect you’re not likely to use the TPM functionality at all.

    • As the article and aa1234aa mention, the TPM is a hardware chip. If you don’t have that chip, there’s nothing you can do in the UEFI/BIOS to enable TPM. The setting may be in your UEFI, but that would only work if you actually have the chip.

      On the other hand the article does say that even if tpm.msc says your computer doesn’t have a TPM chip, it might still be there, but disabled, so it’s not always easy to determine. I’m a bit leery of a UEFI update in this case. If your computer did have a TPM chip, the UEFI should already have the setting to enable it. The only case I can think of where that might not happen is if the UEFI had a bug omitting the setting.

      Windows 11 is still in a state of flux, and what is true now may change in the future. Now, it requires a TPM chip and a 7th or 8th generation processor. Some people are reporting that they are running Windows 11 on 6th generation CPU machines. The best thing you can do, in my opinion, is wait at least 6 months for Windows 11 to stabilize before installing it. Or even wait until close to the Windows 10 end-of-life as Windows 10 will continue to work perfectly fine until then and even after if you’re careful.

    • Note what I said above about PTT and fTPM. Recent CPUs or CPU chipsets from both Intel and AMD have TPM *functionality* built into them as additional firmware (i.e. TPM chip emulation). That’s not a dedicated hardware module that plugs into your motherboard, but firmware in the CPU or its chipset. These just need to be activated via the BIOS/UEFI. If you have a recent computer, but the BIOS doesn’t have an entry for TPM, then a BIOS update may give you the menus so that you can activate the TPM emulation in the CPU. If you Google “Windows 11 supported Intel processors” or “Windows 11 supported AMD processors” you’ll find Microsoft pages with a list of CPUs which presumably have PTT or fTPM. I say presumably because you can’t trust that any such list is complete or correct.

      To throw another wrench in the works, you should be aware that some TPM emulations are implemented as a regular software application, which is to say, not very secure. Another caveat is that in 2018 AMD said it has a vulnerability in its fTPM implementation. That means if you have one of those you’ll need to update that! Bottom line is that you can never be sure about what you have, if it’s secure, or if it’ll work. If you really, really want Windows 11 then try it and see what happens. As Leo keeps saying, just have an image backup available – of course that’s only good if you haven’t already messed up your BIOS or UEFI.

      But do what Leo and Mark said. Wait. There is no hurry to be victimized by Windows 11 or anything associated with it. Heck, wait one year or more and let the dust settle. The rule of thumb for any new Windows OS should be wait until after the first update is released.

  6. Thanks very much for your help – my PC is only a year old and I was not happy that it did not appear to have a TPM. Found some instructions for accessing my UEFI BIOS – you were right in that it was different for my PC than yours, I found the relevant options under the Security section of the BIOS menu. I accessed my BIOS using Windows 10 Settings, Security, Recovery, Advanced start-up, Troubleshoot – if that is of any use to anyone. My PC boots from a solid state drive so thought it was unlikely I could use a hotkey in time to access the BIOS that way. Have re-run the PC Health Checkup tool provided by Microsoft and all is well and ready for Windows 11.

  7. My computer isn’t that old but it still has BIOS rather than UEFI. If UEFI were available, I have the impression that it doesn’t have to be used. That the “legacy” BIOS is still an option.

    As far as TPM goes, someone gave me a link showing that my computer is not compatible with Windows 11. I am unable to run “tpm.msc” since I am not an administrator and they don’t give me the option to provide the administrator credentials. (Sometimes they ask me to provide the administrator’s credentials when needed, for which I have access.) If it becomes necessary, I’ll have to ask the “geek squad” if the motherboard can handle TPM 2 before going to something different.

    I surf with a standard account, because someone once told me it was safer than doing so on an administrator’s account.

  8. So a lot of this does not make any sense (at least to me). It sounds like the TPM chip has been around for what, 12 years (2009?) Odd that we’ve never heard of it before now and/or no one advocated its use to enhance security (until Win11 that is). My Dell desktop, ~3 years old, does have it. Of course I have no clue as to whether any programs I use, want or need TPM. How would you know? Anyway, I’m staying with Win10 for the foreseeable future, but my pc is ready when I do make the switch.

    • Until now, TPM was used mainly for BitLocker, and only computers with Windows Professional or higher had BitLocker. If it was used by any other processes, it operated quietly in the background. The reason we’re hearing about it now is because of the controversy it’s caused in being a requirement for Windows 11. I believe it’s a waste of time talking so much about Windows 11. Windows 10 will be supported for 4 more years and does everything useful Windows 11 does and more. In some ways Windows 11 is a deprecated Windows 10, so I won’t even think about upgrading for at least another 6 months and more likely a year. By then, we’ll know exactly what the requirements are after Microsoft makes the final adjustments.

  9. I think I will wait until “10” does not boot. It’s all about $$$$ and MicroScare. Of course I do think an “image” is gospel! Thanks Leo. I know you do your best to keep everyone “inspired” with personal computing.
    p.s. I am growing more and more concerned with Googleanything.
