Microsoft’s upcoming Windows 11 OS would require a heretofore little-known PC security feature, the Trusted Platform Module (TPM), which is cause for concern among early adopters who can’t wait to urge their hands on the new OS.
“Do I even have a TPM that works with Windows?” may be a question you almost certainly never thought you’d got to ask. But the great news for people that have a PC bought within the previous couple of years is that the solution is nearly certainly “Yes.” for everybody else looking to upgrade to Windows 11, especially people that built or upgraded their own Windows desktop, the solution might be more complicated.
Let’s take a glance at what TPMs do and the way Microsoft is incorporating them into subsequent version of Windows, supported what we all know thus far.
At its most elementary , the TPM may be a tiny chip on your computer’s motherboard, sometimes break away the most CPU and memory. The chip is like the keypad you employ to disable your home security alarm whenever you enter the door, or the authenticator app you employ on your phone to log in to your checking account . during this scenario, turning on your computer is analogous to opening the front entrance of your home or entering your username and password into the login page. If you do not key during a code within a brief period of your time , alarms will sound otherwise you won’t be ready to access your money.
Likewise, after you press the facility button on a more moderen PC that uses full-disk encryption and a TPM, the small chip will supply a singular code called a cryptographic key. If everything is normal, the drive encryption is unlocked and your computer starts up. If there is a problem with the key-perhaps a hacker stole your laptop and tried to tamper with the encrypted drive inside-your PC won’t boot up.
A Trusted Platform Module (TPM) add-on for Asus mainboards. (Photo: Asus)
While that’s how modern TPM implementations function on a most elementary level, it is from all they will do. In fact, many apps and other PC features make use of the TPM after the system has already booted up. The Thunderbird and Outlook email clients use TPM to handle encrypted or key-signed messages. The Firefox and Chrome web browsers also employ the TPM surely advanced functions, like maintaining SSL certificates for websites. many consumer tech besides PCs uses TPMs, as well, from printers to connected-home accessories.
Just as TPMs can perform many other functions besides their basic purpose of providing boot-up protection for PCs, so can also they take many various forms besides a standalone chip. The Trusted Computing Group (TCG), liable for maintaining TPM standards, notes that there are two additional sorts of TPMs. TPMs are often integrated into the most CPU, either as a physical addition or as code that runs during a dedicated environment, referred to as firmware. This method is almost as secure as a standalone TPM chip, since it uses a trusted environment that’s discrete from the remainder of the programs that use the CPU.
The third sort of TPM is virtual. It runs completely in software. this is often not recommended for real-world use, the TCG warns, because it’s susceptible to both tampering and any security bugs which may be present within the OS .
For a more in-depth (but still accessible) check out how TPMs work, the short book A Practical Guide to TPM 2.0 is worth a read. For an example of all the ways TPMs are utilized in consumer PCs, also inspect Apple’s guide to the T2 security chips for Macs. (Although Apple doesn’t use the term, the T2 is actually a TPM.)
Windows 7 and Windows 10 both have extensive support for TPMs. Laptops and desktops meant to be used in large organizations with strict IT security requirements are the most adopters. In many cases, TPMs have replaced the cumbersome smart cards that IT departments once issued to employees. Smart cards must be inserted into a slot or tapped against a built-in wireless reader, to verify that the system hasn’t suffered from tampering.
Security features at the OS level also already make use of TPMs. Ever used the Windows Hello face-recognition login feature on a more moderen laptop? that needs a TPM.
TPMs are efficient alternatives to older methods of securing Windows PCs. In fact, since July 2016 Microsoft has actually required TPM 2.0 support on all new PCs that run any version of Windows 10 for desktop (Home, Pro, Enterprise, or Education). Likewise, Windows 11 will only run on PCs that have TPM capabilities. Microsoft has been strict on this requirement before the Windows 11 general availability, which is scheduled to arrive as a free upgrade this season for Windows 10 PCs. If you download the Windows 11 compatibility tool now, it’ll only indicate that your system is prepared if TPM 2.0 is up and running. (Microsoft notes that it’ll be tweaking the tool within the coming days and weeks to be more helpful in explaining compatibility specifics.)
However, Microsoft has quietly noted that Windows 11 will run on PCs that have TPMs older than version 2.0 in certain situations. The company’s support documents indicate that TPM 2.0 is more of a “soft floor” requirement, which PCs with TPM 1.2 also will be ready to run Windows 11. But “devices that meet the soft floor will receive a notification that upgrade isn’t advised,” Microsoft warns.
If you built your own desktop PC within the previous couple of years and you’re comfortable tinkering with hardware and software security settings within the system’s BIOS, you’ll probably add a discrete TPM 2.0 chip to your motherboard. Many motherboards accompany a cluster of header pins clearly labeled “TPM.” And, as ExtremeTech notes, you’ll devour a TPM module for a few motherboard models for fewer than $50.
But it isn’t as simple as buying a TPM 2.0 add-on module and plugging it into the header. albeit you’ve a hardware TPM installed in your home-built computer, you will need to make sure that it’s properly found out within the BIOS for the Windows OS to acknowledge it. This process varies widely supported which motherboard and CPU you’re using. Even Microsoft acknowledges that turning on TPM isn’t necessarily an easy process. Microsoft VP of Product Management Steve Dispense suggests that it’s going to be necessary to enable a setting like Platform Trust Technology (PTT) within the BIOS of Intel-based computers, or fTPM for AMD-based ones.
This Aorus Z490 motherboard features a TPM header located on the sting . (Photo: John Burek)
And if you’re one among the various people that spent significant money to create a top-of-the-line gaming PC years back, with a motherboard or CPU which will lack TPM capabilities or the power to feature them, your system still likely has years of life left, but it’s going to not be ready to run Windows 11.A firmware-based TPM 2.0 solution could be an option for a few PCs without TPM capability on the motherboard, though implementing one yourself will almost certainly require some trial and error.
One of the various tricky parts of the TPM 2.0 requirement in Windows 11 is that Microsoft may take a page out of Apple’s playbook and introduce additional limitations associated with TPM security in future Windows updates. as an example , Macs with the T2 chip have many capabilities that Apple computers without it don’t , including fingerprint recognition and enhanced image signal processing. this example also exists within the Windows 10 world, with the Windows Hello face-recognition mentioned earlier being a major example.
With Windows 11 and future TPM versions, Microsoft could further segment the Windows experience. this might include adding new features that need the TPM, but it could also include bringing additional locked-down versions of Windows like the present Windows 10 S Mode. for many consumers, this would possibly not be a problem , but it’s something to stay in mind if you’re getting to upgrade to Windows 11 as soon because it becomes available.
Does My PC have already got TPM 2.0?
If you’ve a computer that meets the opposite Windows 11 minimum system requirements, there is a chance that it supports TPM 2.0. the quality is comparatively recent, however. If you purchased your PC after 2016, it almost certainly comes with TPM 2.0. If your computer is older than a couple of years, it likely either has the older TPM 1.2 version (which Microsoft says isn’t recommended for Windows 11) or has no TPM in the least .
Microsoft attempts to simplify things by pertaining to its 2016 deadline for implementing TPM 2.0. the corporate notes in its Windows 11 FAQs that “many PCs that are but four years old are going to be ready to upgrade to Windows 11.”
Because TPMs take numerous forms, as mentioned earlier, there’s not how to verify at one glance whether your PC has an enabled TPM 2.0-compatible chip or firmware. Windows offers a generic “security processor” status indicator, but to make certain , you will have to see with the corporate that made your desktop or laptop.
Most of the larger vendors have straightforward support articles published on their website that specify which products have TPM 2.0 support. for instance , Dell publishes a handy chart that indicates which sort of TPM is installed during which system. the corporate uses three differing types of TPM 2.0 in modern Latitude, Precision, OptiPlex, and consumer laptops and desktops.
Conversely, many PC enthusiasts have computers that do support TPMs but who have chosen to disable them for a spread of reasons. If this is often you, Windows 11 brings excellent news and bad news.
The good news is that just about anything you would like to try to to with a PC lately are often through with TPMs enabled. Yes, there are exceptions, but they’ll only affect a small percentage of users. for instance , the TCG has long specified TPM requirements for the open-source Linux OS , which suggests that folks who want to modify their PCs between running Windows 11 and various Linux distributions should be ready to do so. Support will vary counting on which Linux distribution you’re using, and the way the TPM requirement may interact with dual-boot environments isn’t yet 100% clear.