What is a TPM?

Put simply, aTrusted Platform Module (aka TPM) is physical chip on your computers’ motherboard that contains a number which can be used to encrypt (scramble) data to keep your information private.  A modern TPM can also contain some passwords and certificates used on everything from your BIOS/UEFI to network communications.

For instance, if you use BitLocker to encrypt your hard drive, then someone steals that drive and puts into into a their computer, they will not be able to read any of the files because their computers TPM contains a different encryption code.

With a TPM everything from VPN’s to corporate networks can be certain that your computer is the computer they authorized.

A TPM is like hardware based serial number that is very hard to fake.

TPM chips have evolved so TPM 1.2 has mostly been replaced by the TPM 2.0 standard which started to be shipped on new hardware in 2015.


Why Does Windows 11 Require TPM 2.O?

As we explained above, any TPM allows the computer to be locked down.  As we explain below TPM 2.0 provides MANY more ways to keep your computer and itself more secure.

Windows 11 TPM 2 0

Here is an excerpt from Microsoft explaining that computer companies were supposed to produce only devices that support TPM 2.0 since the summer of 2016, if they want to be certified as working with Windows 10:

…Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0… SOURCE

In fact, in the 55 pages of minumum specifications for Windows 10 hardware TPM is mentioned 60 times.

A requirement for Windows 11 to need TPM 2.0 should not be a surprise to any of the hardware manufacturers like Dell, Foxcon, HP, Gigabyte, Asus and Lenovo.

If you want to know if your computer has a TPM and if it is TPM v2.0, click HERE for our short article: 5 Ways To Determine Your TPM


Do All Computers Have a TPM?

No,  TPM chips are optional.   One of the differences between corporate brands like Dell OptiPlex and retail brands like Dell Inspiron can be a TPM.  OptiPlex’s always have TPM’s but not all Inspirons do.

This could be a stumbling block for Microsoft getting Windows 11 adopted.  While Microsoft has not clarified the point, we think that they are likely to settle on requiring TPM 2.0 for Windows 11 Pro, Education and Enterprise and TPM 1.2 on Windows 11 Home.


Whats the Difference Between TPM 1.2 & TPM 2.0?

Most computers today have either a TPM 1.2 chip (released in 2011) or a TPM 2.0 (released in 2014) and the four big improvements between the two are:

1: TPM Encryption Standards:

TPM 1.2 supports only SHA-1 encryption which has been deprecated because it is now far too weak for real security.  TPM 2.0 uses SHA-256, AES-128 and HMAC which are all still solid encryption standards

2: TPM Use Cases:

TPM 1.2 can only be used to encrypt storage (i.e. your hard drive) where as TPM 2.0 can be used on storage, endorsement (i.e. apps) and the hardware platform itself

3: TPM Flexibility:

TPM 1.2 lockout policy is fixed but TPM 2.0’s lockout policy is set in Windows which means companies are free to set their own standards which might vary by region.

TPM 2.0 can respond to queries that combine values with both ANDs and ORs.  For example if Windows asks the TPM about some counter OR if a time limit has expired, it can respond with a single YES or NO.

4: TPM Hardware:

The TPM 1.2 standard is usually a number of chips soldered together on a tiny circuit board that is then added to the motherboard.  In contrast, TPM 2.0 requires all of the components to be contained in a single chip making it far less likely to fail and further reducing the attack surface for hackers.


Windows Features Requiring a TPM:

We have a the complete list of Windows features requiring a TPM features below but the big ones are:

  1. Windows Hello (face, fingerprint, biometric recognition)
  2. PIN number encyption
  3. locally stored passwords encryption
  4. BitLocker file encyption

Also, many other companies like HP, Juniper, and Extreme Networks have hardware and software that will use a TPM to encrypt network traffic.

Windows FeaturesTPM RequiredSupports TPM 1.2Supports TPM 2.0Details
Measured BootYesYesYesMeasured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
BitLockerNoYesYesTPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. Automatic Device Encryption requires Modern Standby including TPM 2.0 support
Device EncryptionYesN/AYesDevice Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
Windows Defender Application Control (Device Guard)NoYesYes
Windows Defender System Guard (DRTM)YesNoYesTPM 2.0 and UEFI firmware is required.
Credential GuardNoYesYesBeginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement
Device Health AttestationYesYesYesTPM 2.0 is recommended since it supports newer cryptographic algorithms.
Windows Hello/Windows Hello for BusinessNoYesYesAzure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.
UEFI Secure BootNoYesYes
TPM Platform Crypto Provider Key Storage ProviderYesYesYes
Virtual Smart CardYesYesYes
Certificate storageNoYesYesTPM is only required when the certificate is stored in the TPM.
AutopilotNoN/AYesIf you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required.
SecureBIOYesNoYesTPM 2.0 and UEFI firmware is required.

 

 


2 Comments

Shlomi · July 7, 2021 at 11:38 am

Amazing info. thank you so much!

    Ian Matthews · July 8, 2021 at 4:04 pm

    Thanks for the kind words Shlomi. We try 🙂

Questions or Comments?