Calvin Wankhede / Android Authority
When Microsoft unveiled its latest Windows 11 desktop operating system in 2021, it drew a new surprising line in the sand. Windows 11 would only run on computers containing a Trusted Platform Module (TPM) chip. This restriction would apply to existing and new systems, meaning millions of older computers would be forever ineligible to upgrade to the latest desktop operating system. Fast forward a few years later and that restriction hasn’t proven as disruptive to the average PC user, but it’s still worth asking: what is a TPM and why does it matter?
What is TPM and what does it do?
Calvin Wankhede / Android Authority
A Trusted Platform Module (TPM) is an independent security chip that’s typically integrated into the motherboard of a computer. That said, some motherboards also allow you to slot in a discrete or independent TPM via an internal port or header.
As for its function, Microsoft states that a TPM’s purpose is to “help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.”
A TPM stores cryptographic keys, identity data, and other sensitive info in a secure location.
Several Windows features rely on the presence of a TPM to function securely. The most obvious example is Windows Hello, which allows you to login into your device using a fingerprint or facial recognition. The module helps keep this data isolated from the rest of your computer so that nobody can copy your biometric data. Likewise, PCs with BitLocker encryption use a TPM to ensure your data stays encrypted at all times. Even if an attacker unplugs your computer’s storage and plugs it into another system, they won’t be able to decrypt the data without the original TPM.
Until Windows 11, computers didn’t need a TPM so many didn’t ship with one from the factory. However, older versions of the module (notably TPM 1.2) have been a mainstay of corporate laptops and computers since the early 2010s. We’ve also seen smartphones embrace the concept of a trusted security chip, with companies like Google building the Titan M2 chip for Pixel devices.
How does a TPM work?
As mentioned earlier, a TPM is an independent chip that lives alongside your computer’s main processor or CPU. This introduces a layer of isolation, helping it stay secure at all times. Moreover, common apps cannot control a TPM directly, only the operating system and certain trusted apps can. This makes TPMs quite resistant to malware and many other common software attacks.
A TPM safeguards your PC against some of the most common attack vectors.
Let’s understand how TPM works with an example. Say you enable BitLocker encryption within Windows. In this case, BitLocker will ask the TPM to generate a new cryptographic key. Simultaneously, the TPM will also record the system’s current configuration. The next time you boot up the computer, its integrated TPM will check if the system’s configuration has changed. And it will only reveal the BitLocker decryption key if the system remains unchanged. The TPM will not release the key if it detects unexpected changes like a different hard drive partition layout or an attacker trying to boot into a different operating system.
In summary, a TPM kicks into action even before you even reach the Windows login screen and it acts as a watchdog to prevent unauthorized entry or tampering.
How to check if TPM is enabled on a Windows PC
Calvin Wankhede / Android Authority
If you purchased a PC sometime within the last five years or so, chances are that it includes a Trusted Platform Module. That would also make it compatible with Windows 11, which requires TPM 2.0. That said, there are ways to overcome this restriction if you’re still looking for a way to upgrade your older computer to the latest version of Windows. More on bypassing Windows 11’s TPM requirement in a later section.
In order to check whether your Windows computer has a working TPM, simply press the Windows + R keys on your keyboard. Then type in “tpm.msc” and hit the Enter key. A window containing the details of your computer’s TPM chip (if present) should now show up. The above screenshot shows the window that appeared on my Surface Laptop 4. At the bottom right, you can confirm that the laptop includes a TPM 2.0 chip.
You can also check your computer’s TPM status via the Windows Security app. Simply follow these steps:
- Press the Start button and type Security. Open the Windows Security app — it’s the one with a blue shield icon.
- In the left sidebar, click on the “Device security” tab.
- Finally, click on the “Security processor details” link. You should see the same set of TPM-related information as earlier.
How to enable TPM
Most recent computers ship with the TPM enabled by default, but older ones did ship with it disabled. So if Windows doesn’t report a TPM, you may have to turn it on manually. In order to do that, you’ll have to dive into your motherboard’s BIOS menu. Follow these steps:
- Restart your computer and look for the splash screen prompt that reads “Press [key] to enter setup”. For my motherboard, I had to mash the F2 or Del key on startup to enter the BIOS menu.
- Once inside the BIOS, you’ll need to navigate to the Advanced, Security, or Trusted Computing tab. Once again, the label may differ slightly from one motherboard to the next.
- Finally, look for a setting labeled either “AMD fTPM switch”, “Intel PTT” or “Intel Platform Trust Technology”. Some ASUS motherboards also label this feature “PTT” with no mention of TPM.
- Enable the TPM functionality. Finally, select “Save and exit changes” in the Exit tab. You may also find this option available via a hotkey like F10 or F12, look for a key guide along the bottom line of your screen.
Can you install Windows 11 without TPM?
Calvin Wankhede / Android Authority
Yes, you can install Windows 11 without a hardware TPM chip but you will have to do so unofficially. Microsoft’s official stance is that you need a motherboard with TPM 2.0 support to install or even upgrade to Windows 11. However, with some tweaking, you can override the Windows 11 installer’s checks to overlook the lack of a TPM chip.
Keep in mind that Windows 11 also has a few other hardware requirements besides TPM support. For example, Microsoft has only whitelisted newer AMD and Intel CPUs, so you won’t be able to install the OS if you’re running hardware from a decade ago.
Luckily, bypassing Windows 11’s installation restrictions doesn’t take much effort. Here’s an easy way to do it by creating a bootable drive via Rufus. You’ll temporarily need an existing Windows computer and a 16GB flash drive (or larger).
- Plug in your flash drive and download the Rufus tool.
- Open Rufus and select your USB drive from the dropdown menu. In the “Boot selection” section, click on the little arrow to the right of “Select” and click on Download instead.
- After a few seconds, you should see a window asking you to select which operating system you wish to download. We’ll continue with the defaults: Windows 11 and all other dropdown menus untouched.
- Once downloaded, you can now hit the Start button. At this point, you should see another window asking if you wish to customize your Windows installation. Simply ensure you select the option that reads “Remove requirement for Secure boot and TPM 2.0” (pictured above). Finally, hit OK and watch Rufus start copying over the files to your flash drive.
- In the end, you’ll have a Windows 11 installation USB that bypasses Microsoft’s CPU and TPM requirements.
There are other workarounds to install Windows 11 on unsupported hardware but many of those involve complex registry tweaks. If you’re not comfortable editing the registry or using a third-party tool like Rufus, your only other option is to continue using Windows 10. While it’s no longer the newest and shiniest, it’s still going to receive updates for the next few years.
FAQs
Yes, you should enable TPM if your computer supports the feature as it can provide an extra layer of security. Having TPM support also helps improve compatibility with newer operating systems like Windows 11.
A TPM is a trusted security chip on modern computers that helps encrypt data and store other sensitive information. It helps prevent an unauthorized user from accessing your computer.
No, you should not clear TPM unless you know what you’re doing. A TPM stores your computer’s keys so if you’ve enbaled full-device encryption, clearing it will result in you no longer having access to your data. However, it’s safe to reset TPM if you have already backed up the keys elsewhere.