One of the more controversial and polarizing requirements of Windows 11 is weird, and somehow never really heard of (in practical terms) TPM 2.0.
From an implementation perspective, it seems that Microsoft is quite confident that many systems can fulfill this hardware requirement, given that Windows 11 should be a straightforward upgrade from Windows 10.
But we all know that’s not the case.
What in the world is TPM anyway? And why does Microsoft seem way too adamant with its mandatory inclusion for Windows 11?
The ‘Cryptic’ Basics of TPM
TPM stands for Trusted Platform Module, and it is technically known as a design standard for a particular set of cryptoprocessors. In basic terms, TPM is something included in a system to provide hardware-level encryption to anything that it is installed with.
According to Microsoft itself, the major advantages of TPM include:
- Low-level (machine-level) generation and storage of cryptographic keys*. This feature includes restricting cryptographic keys as well.
- Facilitate device authentication using the TPM’s unique RSA key.
- Enhance “platform integrity” via security features built into itself (as a microcontroller)
*algorithmic combinations of characters that scramble plaintext into ciphertext, unintelligible when read directly.
As hinted by these advantages, the nature of TPM being hardware-based alone is already a significant advantage for the theoretical level of security of any PC using it. Because, unlike software-based security measures, it can never be completely bypassed, or worse be made ineffective in the event any malicious action does occur that targets its system. It would require manually disabling the module itself, which is only technically possible if you have physical access to the computer.
As for TPM 2.0, it is basically an overhaul of TPM 1.2, which means that it is not backward compatible with older TPM versions. One of the most prominent changes for TPM 2.0 compared to previous versions, is its platform-specific architecture, three-part hierarchy (as opposed to just storage), and subsequently multiple root keys for each of the available hierarchies.
Ways to check TPM 2.0 Compatibility
The reason why Microsoft is quite confident that many people probably wouldn’t have too many problems with TPM 2.0, is that for the last few years its compatibility is actually available for most PC motherboards by default.
Take note, most. Not all. You probably won’t be reading this article at all if your PC has default TPM 2.0 compatibility in the first place.
The first form for such compatibility is the manual setting, meaning TPM 2.0 in the form of actual hardware to be plugged into the motherboard’s TPM header. Upon plugging the card, the BIOS of that particular mobo would then have the option to toggle the TPM 2.0 option on or off (not listed if no TPM is plugged). As such, without the TPM 2.0 card physically installed as separate hardware, there is no way to access the feature. Oh and, the card itself is only about as wide as the header.
The second form is an integrated TPM 2.0 chip that is embedded in the motherboard itself. As you would expect, this will only require turning it on or off in the BIOS, before confirming the upgrade to Windows 11 (after all other requirements have been met).
If you don’t want to manually look at your motherboard or check the BIOS for any default TPM settings, you may simply refer to the instruction manual of the motherboard and look for any TPM 2.0 related stuff. You should then know quite easily whether it’s the installable card type, or the embedded type.
Needless to say, if there are no references to TPM 2.0 (either it is using an older version or there’s none at all), then the PC is straight non-TPM 2.0 compatible.
Applications/Software that require or benefit from TPM
Due to the extended hardware-level security features of TPM 2.0, any software that deals with encrypted data may be capable of enhancing its security features even further. A couple of these that easily come to mind are:
- Web browsers
- VPNs (maybe effective only to some degree)
- Authentication tools, especially those used for networks (Cisco AnyConnect)
- Disk data encryptors (BitLocker, SecureDoc, etc.)
- Directory encryptors (Open PGP)
Why Microsoft is so obstinate about TPM 2.0
Despite the significant backlash from Windows 10 users around the world, Microsoft has so far remained firm that TPM 2.0 is absolutely required to upgrade (not install!) to Windows 11. For one thing, this sort of additional hardware-level security integration has been long sought for, ever since the discovery of major security exploits Spectre and Meltdown, (both of which are also hard-coded, hardware-level issues and as such can’t easily be patched or fixed with a software update).
But the more important reason, at least according to Microsoft, is that TPM 2.0 adds an additional layer of protection against unauthorized access of any Windows-supported system. Most sensational on the list, of course, are ransomware, which can still be made to execute on an infected system if a malicious user manages to successfully brute force the password.
In fact, some creepier exploits might even sneak into other types of authorization checking methods. Targeted malware, for example, might be able to bypass fingerprint recognition systems, which is now a very common method of authorizing access to mobile devices. With TPM 2.0 (in conjunction with Secure Boot and Trusted Boot), this type of unauthorized entry is effectively halted.
Maybe just stick to Windows 10? We have until 2025 anyway
Of course, with a compatibility issue this huge for a significant number of Windows PCs worldwide, many people have come up with different ways to bypass the TPM 2.0 requirement. However, most of these solutions are only made so that Windows 11 would forego checking TPM 2.0 during installation, not to disable the function altogether during regular use.
As such, using Windows 11 on hardware without proper TPM 2.0 support holds a certain level of compatibility risk to the user. Unintended errors might occur for basic OS features that should be using TPM normally, and at times, might even cause BSoDs (black, not blue anymore, by the way).
And what about the missed security features when bypassing TPM 2.0? In all practicality, you may not actually be missing out too much on its supposed higher-level security features.
… unless you’re using a workstation, of course.