Windows 11 brings the Trusted Platform Module (TPM) security function into focus. We explain what TPM is, how to find out if your system has a TPM chip, and how to enable it when it is powered off.
A Trusted Platform Module (TPM) is a security chip that can be integrated into a laptop or PC. It’s basically a locker for keys, as well as an encryption device that a PC can use to increase its security: for example, when you start your PC, the TPM chip wakes up and starts warming up other components to start the day. Once all the hardware is ready, it goes to the hard drive or SSD to load the operating system into memory.
Windows 11 for download here:
Now for all users
In a safe environment, the PC first determines whether the operating system is safe. In fact, it may not even trust the surrounding hardware that woke it up earlier, so it will check them as well. But with no clue, the pc has no idea whether any part of the system has been tampered with. With a TPM, the PC can compare the charging data with the information stored in the TPM. If everything matches, the boot process will continue normally. If something is wrong, red flags are raised and the boot process is stopped.
TPMs are included in most newer CPUs
TPMs originally came as standalone chips and were only used in corporate computers where security was a major concern. More recently, AMD and Intel have incorporated firmware-based TPM into their CPUs. This means that TPM support is probably already available in your computer: Pretty much every Intel CPU from 2013 (Haswell) should already have a firmware-based TPM. AMD has also supported firmware TPM for some time.
Windows 11 in the mega test:
Unnecessary Windows 10 successor?
Even if there is firmware TPM in the CPU, it does not mean that every PC can access it immediately. A BIOS or UEFI update may be required to support the feature. While most PCs you buy from major PC manufacturers will usually have them installed, many retail motherboards often don’t have BIOS support or don’t have BIOS support turned on by default.
Buy Windows 10 Pro with a discount of over 80 percent
If your particular motherboard has never implemented firmware TPM support and this is an obstacle that prevents you from installing Windows 11, it may be worth upgrading your motherboard with a compatible one
upgrade. We recommend that you buy a module from the same motherboard manufacturer and stay within the same motherboard year. Although the TPM chips in the modules may be standard, the actual physical connections and the way the BIOS / UEFI communicates with them are unique.
How to check the status of your TPM
The easiest way to check the status of your TPM on a Windows 10 computer is to switch to device security. You can do this by right-clicking the Windows button, selecting “Search” and then searching for “Device Security”. It says “Standard hardware security is not supported.” TPM is not available or not activated. As I said, that means that you either have to buy the appropriate TPM module and plug it into the header – or you just turn on the firmware TPM, which is already built into numerous CPUs:
Check your TPM status in the “Device Security” menu
This setting can vary depending on the motherboard or laptop manufacturer. Often the function in the BIOS / UEFI is simply called TPM. On some motherboards, it’s called Intel Platform Trusted Technology (PTT). On some AMD motherboards, it is called fTPM. To search for the TPM function, you need to switch to the BIOS / UEFI of your PC or notebook. To do this, restart the computer and immediately press the F2 or DEL key.
We do not recommend doing this on a working PC at this point without taking a backup. While some have reported success, others have said that there were sporadic blue screen errors that did not go away even after turning off the firmware TPM in the UEFI. Incidentally, it is currently also the case that the TPM 2.0 restriction in Windows 11 can also be circumvented using a registry trick.
Of course, the TPM is just one of the many things you need to do before you can install Windows 11. You also need to enable Safe Boot and UEFI mode. Most computers made in the past three or four years should handle the process without a hitch. With older hardware, the first thing to do is to wait and see!
This article is a translation of our sister publication PC-World, which you can read here in the original.