What is a TPM and how to enable it for Windows 11

When Microsoft unveiled its newest Windows 11 desktop working system in 2021, it drew a new stunning line within the sand. Windows 11 would solely run on computer systems containing a Trusted Platform Module (TPM) chip. This restriction would apply to present and new programs, that means hundreds of thousands of older computer systems could be eternally ineligible to improve to the most recent desktop working system. Fast ahead a few years later and that restriction hasn’t confirmed as disruptive to the typical PC consumer, however it’s nonetheless price asking: what is a TPM and why does it matter?

A Trusted Platform Module (TPM) is an unbiased safety chip that’s sometimes built-in into the motherboard of a pc. That mentioned, some motherboards additionally enable you to slot in a discrete or unbiased TPM through an inner port or header.

As for its operate, Microsoft states that a TPM’s objective is to (*11*)

Several Windows options depend on the presence of a TPM to operate securely. The most blatant instance is Windows Hello, which permits you to login into your machine utilizing a fingerprint or facial recognition. The module helps preserve this knowledge remoted from the remainder of your pc in order that no person can copy your biometric knowledge. Likewise, PCs with BitLocker encryption use a TPM to guarantee your knowledge stays encrypted always. Even if an attacker unplugs your pc’s storage and plugs it into one other system, they gained’t have the option to decrypt the info with out the unique TPM.

Until Windows 11, computer systems didn’t want a TPM so many didn’t ship with one from the manufacturing facility. However, older variations of the module (notably TPM 1.2) have been a mainstay of company laptops and computer systems for the reason that early 2010s. We’ve additionally seen smartphones embrace the idea of a trusted safety chip, with corporations like Google constructing the Titan M2 chip for Pixel units.

How does a TPM work?

As talked about earlier, a TPM is an unbiased chip that lives alongside your pc’s most important processor or CPU. This introduces a layer of isolation, serving to it keep safe always. Moreover, widespread apps can not management a TPM instantly, solely the working system and sure trusted apps can. This makes TPMs fairly resistant to malware and many different widespread software program assaults.

Let’s perceive how TPM works with an instance. Say you enable BitLocker encryption inside Windows. In this case, BitLocker will ask the TPM to generate a new cryptographic key. Simultaneously, the TPM will even document the system’s present configuration. The subsequent time you boot up the pc, its built-in TPM will verify if the system’s configuration has modified. And it will solely reveal the BitLocker decryption key if the system stays unchanged. The TPM won’t launch the important thing if it detects surprising modifications like a totally different arduous drive partition format or an attacker attempting to boot into a totally different working system.

In abstract, a TPM kicks into motion even earlier than you even attain the Windows login display and it acts as a watchdog to stop unauthorized entry or tampering.

If you bought a PC someday throughout the final 5 years or so, chances are high that it consists of a Trusted Platform Module. That would additionally make it suitable with Windows 11, which requires TPM 2.0. That mentioned, there are methods to overcome this restriction in the event you’re nonetheless wanting for a manner to improve your older pc to the most recent model of Windows. More on bypassing Windows 11’s TPM requirement in a later part.

In order to verify whether or not your Windows pc has a working TPM, merely press the Windows + R keys in your keyboard. Then sort in “tpm.msc” and hit the Enter key. A window containing the small print of your pc’s TPM chip (if current) ought to now present up. The above screenshot exhibits the window that appeared on my Surface Laptop 4. At the underside proper, you possibly can affirm that the laptop computer consists of a TPM 2.0 chip.

You can even verify your pc’s TPM standing through the Windows Security app. Simply observe these steps:

1. Press the Start button and sort Security. Open the Windows Security app — it’s the one with a blue protect icon.
2. In the left sidebar, click on on the “Device security” tab.
3. Finally, click on on the “Security processor details” hyperlink. You ought to see the identical set of TPM-related info as earlier.

Most current computer systems ship with the TPM enabled by default, however older ones did ship with it disabled. So if Windows doesn’t report a TPM, you’ll have to flip it on manually. In order to try this, you’ll have to dive into your motherboard’s BIOS menu. Follow these steps:

1. Restart your pc and look for the splash display immediate that reads “Press [key] to enter setup”. For my motherboard, I had to mash the F2 or Del key on startup to enter the BIOS menu.
2. Once contained in the BIOS, you’ll want to navigate to the Advanced, Security, or Trusted Computing tab. Once once more, the label might differ barely from one motherboard to the subsequent.
3. Finally, look for a setting labeled both “AMD fTPM switch”, “Intel PTT” or “Intel Platform Trust Technology”. Some ASUS motherboards additionally label this function “PTT” with no point out of TPM.
4. Enable the TPM performance. Finally, choose “Save and exit changes” within the Exit tab. You may additionally discover this selection accessible through a hotkey like F10 or F12, look for a key information alongside the underside line of your display.

Yes, you possibly can set up Windows 11 with out a {hardware} TPM chip however you’ll have to accomplish that unofficially. Microsoft’s official stance is that you just want a motherboard with TPM 2.0 assist to set up and even improve to Windows 11. However, with some tweaking, you possibly can override the Windows 11 installer’s checks to overlook the dearth of a TPM chip.

Keep in thoughts that Windows 11 additionally has a few different {hardware} necessities apart from TPM assist. For instance, Microsoft has solely whitelisted newer AMD and Intel CPUs, so that you gained’t have the option to set up the OS in the event you’re operating {hardware} from a decade in the past.

Luckily, bypassing Windows 11’s set up restrictions doesn’t take a lot effort. Here’s a straightforward manner to do it by creating a bootable drive through Rufus. You’ll briefly want an present Windows pc and a 16GB flash drive (or bigger).

1. Plug in your flash drive and obtain the Rufus device.
2. Open Rufus and choose your USB drive from the dropdown menu. In the “Boot selection” part, click on on the little arrow to the precise of “Select” and click on on Download as a substitute.
3. After a few seconds, you need to see a window asking you to choose which working system you would like to obtain. We’ll proceed with the defaults: Windows 11 and all different dropdown menus untouched.
4. Once downloaded, now you can hit the Start button. At this level, you need to see one other window asking if you want to customise your Windows set up. Simply guarantee you choose the choice that reads “Remove requirement for Secure boot and TPM 2.0” (pictured above). Finally, hit OK and watch Rufus begin copying over the recordsdata to your flash drive.
5. In the top, you’ll have a Windows 11 set up USB that bypasses Microsoft’s CPU and TPM necessities.

There are different workarounds to set up Windows 11 on unsupported {hardware} however lots of these contain complicated registry tweaks. If you’re not comfy modifying the registry or utilizing a third-party device like Rufus, your solely different choice is to proceed utilizing Windows 10. While it’s now not the most recent and shiniest, it’s nonetheless going to obtain updates for the subsequent few years.