If you’ve been following tech news at all lately, you’ve likely heard about the ruckus Microsoft is stirring up over minimum hardware requirements for its new Windows 11 operating system. One of those requirements is a TPM 2.0 chip. But what exactly is that, and why is Microsoft requiring it?
TPM stands for “Trusted Platform Module” and it’s a type of chip located on your computer’s motherboard for security. While that’s a good jumping-off point, we dove in and explored the little-known component even more to answer all of your burning questions, like what it’s used for, how to see if your computer already has one, and where to buy one if it doesn’t.
Table of Contents
A Trusted Platform Module is a tiny chip on your computer’s motherboard providing security-related functions at a hardware level. It’s essentially a secure crypto-processor capable of carrying out operations like generating encryption keys and providing a mix of software- and hardware-based authentication in a tamper-resistant fashion.
Modern off-the-shelf computers typically already have a standalone TPM chip soldered to the motherboard. If you are building your own PC, you can also purchase one separately as an add-on module for any motherboard that supports it. However, not all motherboards support TPM chips or have the corresponding connector, as we’ll discuss later.
There are other forms TPMs can take, besides physical standalone chips, though the average user won’t need to worry about this. Some can be integrated into the main CPU as firmware or as a physical add-on. There are also purely virtual TPMs, running completely within software. Though neither are as secure as a standalone chip, the former is still the more viable option of the two as it uses a discrete and trusted environment compared to one that can be easily hacked and altered.
In short, TPM chips are all about security. They are most commonly used to protect and encrypt data, and can store sensitive information like passwords, encryption keys, and security certificates with a hardware barrier.
A TPM chip can quarantine itself (and thus, any data stored on there) if it detects malware or a virus on your device. In some cases, the chip can scan your computer’s BIOS upon restart and run a series of conditional tests to check for unwanted programs or access before running it. The chips are also capable of detecting whether someone has tampered with your computer’s drive (say, if it was stolen) and preventing your computer from booting up and locking the system if it does detect something. The chips can also store biometric login information, like that used for Windows Hello.
Most commonly, however, the chips are used to generate unique cryptographic keys. In doing so, the chip keeps a part of the key to itself (literally—it’s only stored in the TPM, never on your hard drive). The keys help encrypt your hard drive, and anyone trying to access that key can’t just abscond with the hard drive and get the information later when they connect it to their computer’s motherboard at home.
Furthermore, experienced users often use the chips to handle encrypted, key-signed messages in email clients. The chips are also frequently used by browsers—like Chrome—in advanced functions like maintaining SSL certificates.
Previously, the component was typically only used by big companies needing to secure their information. You’d mostly see the chips in corporate laptops, as they were used there to ensure neither the hardware or software had been messed with by employees or anyone else.
Media companies using set-top boxes often employed them to ensure their content could be properly distributed without theft. Modern smartphones, like Pixels and iPhones, have also recently adopted similar security chips.
Now, though it has yet to state why, Microsoft is also choosing to make the chip a significant part of its hardware requirements for its upcoming Windows 11 update. It is thrusting a relatively niche component into the spotlight, as anyone wanting to run the new operating system will need to know about it.
When Microsoft announced Windows 11 at its June 24 event, it also listed out specific hardware requirements that computers would need to meet if they were to run the operating system. In its documentation, Microsoft initially listed TPM 1.2 as a “hard floor” requirement and TPM 2.0 as a “soft floor,” and said, “Devices that do not meet the hard floor cannot be upgraded to Windows 11, and devices that meet the soft floor will receive a notification that upgrade is not advised.” Yes, that’s very confusing.
Naught but a few days later did Microsoft remove that information from its website. It also stated in an updated blog post that it had temporarily removed the PC Health Check app that let users see whether or not their computer was compatible with the new hardware requirements, citing backlash. Currently, Microsoft lists TPM 2.0 as the only hard minimum.
To date, Microsoft has never presented such stringent hardware requirements for any previous versions of Windows. Between not providing any reasoning for the requirements, removing the PC Health Check app, and flip-flopping on other statements, no one is surprised that the company is dealing with backlash.
Given the nature of TPM chips and what they can do, it’s possible Microsoft is simply just being extra mindful of security. In fact, the chips will offer a baseline of hardware security for Windows 11 to run on. Microsoft has also been sharing warnings about firmware attacks for months, and with all the ransomware attacks we’ve seen, (not to mention IoT and supply vulnerabilities or phishing attacks) it certainly won’t hurt to make an extra effort to ensure things are more secure for the future.
But while TPM chips will go a long way to mitigate these attacks, which are predominantly launched against devices running Windows, Microsoft needs to consider its users as well.
Some might argue that the heavier hardware requirements are fiscally motivated. The idea is to help propel planned obsolescence and force more people into buying a new computer that has all of the required hardware. That might prevent people from holding onto their old desktop that’s still running Windows 8 for another decade as folks have done in the past with previous updates. Given that Microsoft is a business and not a philanthropic endeavor, that’s a fair argument.
However, Microsoft’s history proves it’s less than stellar when it comes to pushing its software and hardware into the future. The company has actually required TPMs to be enabled on any new PCs since Windows 10, OEMs have been required to ship devices with TPM support but the company has never forced its device partners to enable them for Windows to run. It’s worth keeping in mind that even Windows 10 laptops and desktops just five years old or less might be cut off from Windows 11.
Between being strong-armed into an upgrade and Microsoft staying mum on the subject, it’s no wonder users are confused, frustrated, and even upset. On the one hand, it’s fair and even expected for a company to take steps to keep its product (and, in turn, its users) safe; on the other, suddenly making that product harder to access, potentially limiting the user base, and definitely confusing it isn’t exactly the wisest business move.
The issue is made worse by the scalpers that have (of course) already hoarded the available components only to sell them for ridiculously marked-up prices on eBay.
Though Microsoft is still unclear whether it’ll be cool with the TPM 1.2 standard or ultimately opt for TPM 2.0, it’s still worth knowing the difference between the two.
Microsoft states, “The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.” Likewise, it follows that up by saying, “TPM 2.0 enables greater crypto agility by being more flexible with respect to cryptographic algorithms. TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance.”
Simply put, TPM 2.0 tech is newer than that of TPM 1.2, the latter of which has been around since 2011. Its encryption is stronger and more secure, and is better able to support newer algorithms. And as with most things in tech, the newer thing is usually better.
First of all, if you purchased your PC any time after July 28, 2016, it most likely already has a TPM 2.0 chip that is already enabled. If your device is older than that, however, or if you built your own, that may not be the case.
Regardless, our sister site How-to-Geek has shared a few ways to check for yourself, like by checking the TPM Management tool or the UEFI firmware settings screen. It’s also possible that you might need to contact your computer’s manufacturer to find out, or see if they have a FAQ section on their site that lists the devices that do.
If you built your own PC, there’s a slight chance that it might say it doesn’t have TPM 2.0, or that it does but it isn’t enabled. So if that’s the case, you’ll need to hop into the UEFI or BIOS settings screen and enable it there. Also, sometimes a computer may say it doesn’t have TPM 2.0 outright, but it’s really just disabled when you look it up in the settings; you can still enable it if needed.
You’ll be looking for any option named “TPM Support,” “Trusted Platform Module,” “Intel PTT,” “PSP fTPM,” or something similar. From there, simply enable it, save your settings, and reboot your computer. Be aware that there’s a chance that your PC’s TPM chip is also listed and disabled in your Device Manager (however unlikely), so be sure to check there as well if it can’t be enabled elsewhere.
For those that do need to buy a TPM chip for their rig, make sure to search for one that’s sold as an add-on module. Double-check that the chip supports your computer’s exact motherboard before clicking buy, and that you also snag any other hardware components, as well.
As we mentioned earlier, scalpers wasted no time hoarding TPM chips (or marking them up for resell on eBay) upon hearing Microsoft’s initial Windows 11 requirements. Your best bet would be to try and buy one directly from PC-building stores or part picker websites. Typically they retail for around $20-$30, so avoid paying much more than that if you can. And, of course, avoid eBay wherever possible.
If you are able to find one, be sure to enable its encryption in your laptop or desktop’s BIOS. Most computer manufacturers offer software that can help you access TPM features, too.
This is, understandably, a lot of information to process, especially because TPM chips are a niche component that Microsoft has never made a big deal about before. But don’t fret, it’s entirely possible that the tech giant will lower its hardware requirements for Windows 11 or decide to drop the TPM requirement altogether. Here’s hoping, at least.