What Is a TPM?
TPM stands for “Trusted Platform Module.” It’s a technology that provides security-related functions at the hardware level. It generates and stores encryption keys and performs functions in a tamper-resistant manner. It provides additional protection against malware and other types of attacks.
In a blog post, Microsoft explains that Windows 11 systems will all have “a hardware root-of-trust.” The TPM is a tamper-resistant element at the core of the computer that can be used for security features like disk encryption and secure biometric sign-ins with Windows Hello.
TPM “attestation” can be used to remotely authenticate hardware and software. The TPM has a unique endorsement key (EK) burned into the hardware. Organizations can remotely check and verify that a device is what it says it is and that the hardware and software haven’t been tampered with. For example, this might be particularly useful for a company managing a fleet of work laptops.
The TPM includes a hardware random number generator that the system can depend on, too. Modern smartphones have security chips that perform specialized functions, so why shouldn’t computers?
Why Does Windows 11 Need It?
Here’s one example: BitLocker encryption can store encryption keys in the TPM to protect your files. When your computer boots, the key stored in the TPM is used to unlock your drive. If an attacker yanks your system drive and inserts it into another computer, the attacker can’t decrypt it and access your files without the keys stored in the TPM. The TPM is tamper-resistant, so an attacker can’t just plug it into another computer or easily extract the decryption key from it.
Even on Windows 10, BitLocker normally won’t work without a TPM. If all Windows 11 PCs have a TPM, then all Windows 11 PCs can natively support Device Encryption. That’s a lot better than the situation with some Windows 10 PCs coming with disk encryption while others don’t include encryption.
A TPM will give each Windows 11 system a baseline of hardware security for Microsoft to build on top of. Windows 11 can always assume that it has this baseline of hardware security. Microsoft won’t have to build software-based hacks on top of Windows 11 or leave important functionality like disk encryption disabled on many PCs.
RELATED: Windows 11: What’s New In Microsoft’s New OS
Why Isn’t TPM 1.2 Good Enough?
Microsoft’s messaging was all over the place in the days after Windows 11’s announcement. Initially, Microsoft’s Windows 11 compatibility page said that some systems with TPM 1.2 would be able to upgrade. Later, Microsoft edited that page and said that TPM 2.0 would be required.
A Microsoft web page dating to 2018 points out a variety of security advantages that TPM 2.0 has over TPM 1.2, including support for more modern cryptographic algorithms. Since TPM 2.0 has these advantages and has been common for several years now, Microsoft clearly feels that it makes sense to require TPM 2.0.
Microsoft Has Required a TPM on Some New PCs Since 2016
Microsoft has required TPM 2.0 on Windows 10 PCs for several years—kind of.
Since July 28, 2016, all new Windows PCs being manufactured have required TPM 2.0 to be enabled by default. If you’re buying a laptop, desktop, 2-in-1, or any other device that comes with Windows 10 preinstalled, Microsoft requires that the manufacturer include TPM 2.0 and have it enabled.
However, this is a requirement for the computer manufacturer to license and ship Windows on a PC. If you were building your own computer, you could have purchased a motherboard without TPM hardware and installed Windows 10 on it. Or, your motherboard manufacturer might have shipped the hardware with the TPM disabled.
Windows 10 would have functioned happily without a TPM, whereas Windows 11 will refuse to install on such a system.
Does Your PC Have a TPM? Is It Disabled?
If you’ve purchased a PC that came with Windows 10 in 2016 or later, there’s a good chance that it has TPM 2.0 already enabled—unless that model was originally made before the cutoff date.
If your PC is older than that, it might or might not have the TPM that Windows 11 requires. Many PCs have updated from Windows 7 to Windows 10, and those PCs will likely be left behind by this requirement.
However, people who built their own PCs—a crowd that includes a lot of PC gamers—might be in a strange situation. If you built your own PC (or purchased it from a company that built it for you), your PC might or might not have TPM 2.0. Even if Windows says that TPM 2.0 isn’t present, it could just be disabled by default, and you might need to enable it in your computer’s BIOS.
To find out, you might need to visit your computer’s BIOS (technically, now a UEFI firmware settings screen on modern computers, but often still called the BIOS) and look for an option named “TPM,” or something similar that enables this feature.
Some computers have a firmware-based TPM. Intel calls this feature iPPT (Intel Platform Protection Technology), while AMD calls it fTPM (Firmware Trusted Platform Module). You might need to find an option called something like this in your BIOS/UEFI settings screen. It could be called something else, too—consult your motherboard’s manual for more information.
There’s a good chance that many people with newer PCs will be able to enable TPM 2.0 in the BIOS without purchasing a separate TPM hardware module—a component that scalpers are already buying up. However, some gaming motherboards haven’t included this feature and it might not be available. Prior to Microsoft’s announcement, this would be required for Windows 11, but this wasn’t necessarily considered a must-have feature for people building their own PCs.
RELATED: What Does a PC’s BIOS Do, and When Should I Use It?
Microsoft Made the Situation a Confusing Mess
The requirement to have TPM 2.0 as a hardware security baseline that Microsoft can design around makes sense. Remember that Microsoft will continue supporting Windows 10 until October 14, 2025, so you can keep using your current computer and operating system for years to come.
The real problem, once again, is Microsoft’s poor communication. For example, if Microsoft had warned people that a TPM 2.0 would one day be required, motherboard manufacturers likely wouldn’t have skimped on adding it to gaming boards. PC enthusiasts would have ensured that their builds had a TPM. Hardware manufacturers could have enabled it by default rather than disabling it by default. Microsoft might say that it sent this signal to its hardware partners, but many motherboard manufacturers clearly didn’t get the message.
Windows 11’s announcement was also a mess: Microsoft initially said that TPM 1.2 would be partially supported and then changed its mind. Microsoft didn’t even bother trying to explain why TPM was required at first. After Microsoft tried to build hype for the upgrade, the official PC Health Check tool mysteriously failed without telling people why their PC wasn’t supported.
Microsoft could also have explained the situation and provided information on enabling TPM 2.0 in your computer’s BIOS—but the company didn’t do any of that.