What is a TPM?
Put simply, aTrusted Platform Module (aka TPM) is physical chip on your computers’ motherboard that contains a number which can be used to encrypt (scramble) data to keep your information private. A modern TPM can also contain some passwords and certificates used on everything from your BIOS/UEFI to network communications.
For instance, if you use BitLocker to encrypt your hard drive, then someone steals that drive and puts into into a their computer, they will not be able to read any of the files because their computers TPM contains a different encryption code.
With a TPM everything from VPN’s to corporate networks can be certain that your computer is the computer they authorized.
A TPM is like hardware based serial number that is very hard to fake.
TPM chips have evolved so TPM 1.2 has mostly been replaced by the TPM 2.0 standard which started to be shipped on new hardware in 2015.
Why Does Windows 11 Require TPM 2.O?
As we explained above, any TPM allows the computer to be locked down. As we explain below TPM 2.0 provides MANY more ways to keep your computer and itself more secure.
Here is an excerpt from Microsoft explaining that computer companies were supposed to produce only devices that support TPM 2.0 since the summer of 2016, if they want to be certified as working with Windows 10:
…Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0… SOURCE
In fact, in the 55 pages of minumum specifications for Windows 10 hardware TPM is mentioned 60 times.
A requirement for Windows 11 to need TPM 2.0 should not be a surprise to any of the hardware manufacturers like Dell, Foxcon, HP, Gigabyte, Asus and Lenovo.
If you want to know if your computer has a TPM and if it is TPM v2.0, click HERE for our short article: 5 Ways To Determine Your TPM
Do All Computers Have a TPM?
No, TPM chips are optional. One of the differences between corporate brands like Dell OptiPlex and retail brands like Dell Inspiron can be a TPM. OptiPlex’s always have TPM’s but not all Inspirons do.
This could be a stumbling block for Microsoft getting Windows 11 adopted. While Microsoft has not clarified the point, we think that they are likely to settle on requiring TPM 2.0 for Windows 11 Pro, Education and Enterprise and TPM 1.2 on Windows 11 Home.
Whats the Difference Between TPM 1.2 & TPM 2.0?
Most computers today have either a TPM 1.2 chip (released in 2011) or a TPM 2.0 (released in 2014) and the four big improvements between the two are:
1: TPM Encryption Standards:
TPM 1.2 supports only SHA-1 encryption which has been deprecated because it is now far too weak for real security. TPM 2.0 uses SHA-256, AES-128 and HMAC which are all still solid encryption standards
2: TPM Use Cases:
TPM 1.2 can only be used to encrypt storage (i.e. your hard drive) where as TPM 2.0 can be used on storage, endorsement (i.e. apps) and the hardware platform itself
3: TPM Flexibility:
TPM 1.2 lockout policy is fixed but TPM 2.0’s lockout policy is set in Windows which means companies are free to set their own standards which might vary by region.
TPM 2.0 can respond to queries that combine values with both ANDs and ORs. For example if Windows asks the TPM about some counter OR if a time limit has expired, it can respond with a single YES or NO.
4: TPM Hardware:
The TPM 1.2 standard is usually a number of chips soldered together on a tiny circuit board that is then added to the motherboard. In contrast, TPM 2.0 requires all of the components to be contained in a single chip making it far less likely to fail and further reducing the attack surface for hackers.
Windows Features Requiring a TPM:
We have a the complete list of Windows features requiring a TPM features below but the big ones are:
- Windows Hello (face, fingerprint, biometric recognition)
- PIN number encyption
- locally stored passwords encryption
- BitLocker file encyption
Also, many other companies like HP, Juniper, and Extreme Networks have hardware and software that will use a TPM to encrypt network traffic.
|Windows Features||TPM Required||Supports TPM 1.2||Supports TPM 2.0||Details|
|Measured Boot||Yes||Yes||Yes||Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.|
|BitLocker||No||Yes||Yes||TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. Automatic Device Encryption requires Modern Standby including TPM 2.0 support|
|Device Encryption||Yes||N/A||Yes||Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.|
|Windows Defender Application Control (Device Guard)||No||Yes||Yes|
|Windows Defender System Guard (DRTM)||Yes||No||Yes||TPM 2.0 and UEFI firmware is required.|
|Credential Guard||No||Yes||Yes||Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement|
|Device Health Attestation||Yes||Yes||Yes||TPM 2.0 is recommended since it supports newer cryptographic algorithms.|
|Windows Hello/Windows Hello for Business||No||Yes||Yes||Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.|
|UEFI Secure Boot||No||Yes||Yes|
|TPM Platform Crypto Provider Key Storage Provider||Yes||Yes||Yes|
|Virtual Smart Card||Yes||Yes||Yes|
|Certificate storage||No||Yes||Yes||TPM is only required when the certificate is stored in the TPM.|
|Autopilot||No||N/A||Yes||If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required.|
|SecureBIO||Yes||No||Yes||TPM 2.0 and UEFI firmware is required.|