Windows 11 TPM Explained
What is TPM?
A Trusted Platform Module is a security device, either a discrete chip on the motherboard or firmware running in the CPU/chipset, that stores and protects cryptographic keys, most commonly the keys used for full-disk encryption of an operating system (BitLocker on Windows). This is a requirement for many businesses and consumers alike in order to protect against data theft. The idea is that if someone stole a laptop and removed the hard drive/SSD, they would not be able to read the data, because the key that unlocks the disk is sealed to the TPM and the TPM only releases it to a machine whose boot measurements match those recorded when the disk was encrypted. Without that "key", you can't "unlock" the data held on the hard drive/SSD. This makes the TPM a very useful utility in the security world for data protection.
Why is everyone talking about TPM all of a sudden?
A TPM (specifically TPM 2.0) is now a requirement to run Windows 11; the soon-to-be released operating system from Microsoft came with a series of new requirements, including dropping support for older CPUs (no surprises there), but the biggest change is the requirement for a TPM. This signals Microsoft's direction towards a more security conscious platform, and by making it a requirement, it means people will have to either upgrade to a device which comes with a TPM, enable the one their existing hardware already has, or go out and buy a chip to install.
Does my device have a TPM chip?
This, I am sure, is the question on everybody's mind. The best way to check is to open the TPM Management console by running tpm.msc:
This console indicates the presence of a TPM and shows its specification version (Windows 11 needs 2.0), meaning my device is ready for disk encryption and therefore "Ready for Windows 11".
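The same check can be scripted. The following is an added example and not part of the original post; it runs from an elevated PowerShell prompt on Windows 10/11 and uses the built-in Get-Tpm cmdlet plus the Win32_Tpm WMI class. It answers both questions raised above: is a TPM present at all (if not, check the BIOS before buying anything), and is it TPM 2.0 as Windows 11 requires. The function name Test-Win11Tpm is an assumption of this example.

```powershell
# Added example (not from the original post): check TPM presence, spec version and vendor.
# Run as Administrator. Get-Tpm comes from the TrustedPlatformModule module that ships with Windows.

function Test-Win11Tpm {
    $tpm = Get-Tpm

    if (-not $tpm.TpmPresent) {
        Write-Output "No TPM detected by Windows."
        Write-Output "Check the BIOS/UEFI setup for a disabled firmware TPM (Security Device Support / Intel PTT / AMD fTPM) before buying a discrete module."
        return $false
    }

    # Win32_Tpm reports the TCG specification version as a string such as "2.0, 0, 1.38"
    # (spec family, spec level, errata). Only the family matters for the Windows 11 check.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $specFamily = ($wmi.SpecVersion -split ',')[0].Trim()

    # ManufacturerId is the TCG vendor ID: four ASCII bytes packed into a 32-bit integer,
    # e.g. 0x494E5443 = "INTC" (Intel PTT firmware TPM), 0x414D4400 = "AMD" (AMD fTPM).
    $bytes = [BitConverter]::GetBytes([uint32]$tpm.ManufacturerId)
    [Array]::Reverse($bytes)   # GetBytes is little-endian; the ID is read big-endian
    $vendor = [System.Text.Encoding]::ASCII.GetString($bytes).Trim([char]0, ' ')

    Write-Output ("TPM present: {0}  Ready: {1}  Spec: {2}  Vendor: {3}  Firmware: {4}" -f
        $tpm.TpmPresent, $tpm.TpmReady, $wmi.SpecVersion, $vendor, $tpm.ManufacturerVersion)

    if ($specFamily -ne '2.0') {
        Write-Output "TPM is version $specFamily; Windows 11 requires TPM 2.0."
        return $false
    }

    if (-not $tpm.TpmReady) {
        # Present and 2.0 but not enabled/activated/owned yet; Windows can usually fix this
        # itself (Initialize-Tpm) once the firmware has exposed the device.
        Write-Output "TPM 2.0 is present but not ready; run Initialize-Tpm or check BIOS settings."
        return $false
    }

    return $true
}

Test-Win11Tpm
```

A result of "TpmPresent: False" is the case discussed later in this post: it almost always means the firmware TPM is switched off in the BIOS rather than that the hardware is missing. Rerun the function after enabling it to confirm Windows now sees a ready TPM 2.0.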
Also, notice something interesting here; the manufacturer is Intel. What does this mean exactly? My CPU is an i7 9700, and it comes with Intel Platform Trust Technology (PTT), which is Intel's firmware Trusted Platform Module. Instead of a separate chip, the TPM is implemented in firmware running inside the chipset's Management Engine, so essentially it is built right into the platform. (This is distinct from Intel Trusted Execution Technology (TXT), which is a separate feature for measured launch and is not what provides the TPM.)
Supported Devices
The full list of supported CPUs for Windows 11 is listed here:
What you might want to do is head over to https://ark.intel.com and search for your particular CPU to check whether it is on Microsoft's supported list and whether it lists Intel Platform Trust Technology (PTT), which is the firmware TPM.
My Computer tells me I have no TPM Chip!
There is some confusion surrounding whether you need to go out and buy a TPM chip. You may have checked the compatibility list, found your device supports Windows 11 and that your CPU supports a firmware TPM (Intel PTT or AMD fTPM), only to open the TPM console and find no TPM being detected! Some people have already rushed out and bought every one of these devices, thinking they need one, but do they?
Panic Buying - A 2021 Problem
As with "The Great Chip Shortage" affecting the ability to buy games consoles, graphics cards and CPUs alike, we now have a new shortage of TPM Chips. That's right, people have gone out and purchased every TPM chip in sight, either thinking that they need it, or that they can profit from selling at inflated prices.
Check your BIOS first!
Like many, I don't have a TPM chip on my motherboard, but I have a TPM header. Most motherboard manufacturers give customers a variety of options on their motherboards, so it makes sense that the header exists; however, given the limited uptake of disk encryption on desktop PCs, it also makes sense that no TPM chip comes installed. (This may change, as motherboard manufacturers may choose to pre-install a TPM chip if Microsoft requires it in order to qualify for a Windows 11 support badge on the motherboard box.)
So this begs the question: my motherboard supports a TPM and my CPU has a firmware TPM, so why doesn't my current Windows 10 show a TPM installed? The answer is that it is disabled in the BIOS, and you need to enable it to support Windows 11.
You have to enable TPM support in the BIOS for Windows 11
I am hopeful motherboard vendors will release a "TPM update / Windows 11 readiness patch" which would essentially send an instruction to the BIOS to enable this setting, all from the convenience of the Windows 10 desktop, which would be of significant help to those who are unfamiliar with how a BIOS works. But for those who are keen to upgrade on the day of release, you will have to do as I did and configure this yourself.
Enable TPM - A quick guide
Every motherboard is different, but the options will be named something similar; this is the BIOS on my MSI motherboard. The setting I had to enable was found under the Settings / Security menu, where there is an option to enable the TPM, although in my case it is called Security Device Support, and by default it was set to Disabled. Once I changed it to Enabled and rebooted, all the remaining TPM options became available and I had a working firmware-based TPM. Vendors name this differently: on Intel boards look for PTT, and on AMD boards for fTPM.
Summary
This is no doubt going to cause confusion and panic for less tech savvy consumers, who have probably never seen a BIOS, so let's hope that the motherboard manufacturers do the right thing and give people the option to change this BIOS setting by way of an update file from the safety of the Windows desktop, rather than using it as a way to push people into buying new motherboards when a 2 minute fix would do!