A Trusted Platform Module (TPM) is a security chip that is integrated into the motherboard of your laptop or desktop computer. TPM creates a secure environment for checking system integrity, authenticating users, and saving keys and passwords. TPM 2.0 was released in 2018 and comes with a set of new features, including the use of various hash algorithms, PINs, and user-defined key management.

Quick overview: What does TPM do?

Most users are familiar with common defenses against malware, rootkits and ransomware. Firewalls, antivirus programs and two-factor authentication are common go-to security measures. A Trusted Platform Module (TPM) is a security chip that provides your system with an extra layer of protection.

The TPM chip is physically integrated into laptops and desktop computers and helps with device and user authentication, checking for system integrity and software licenses. Another important feature is the ability to save cryptographic keys, passwords and certificates. TPM creates a secure environment that’s protected from manipulations, meaning that it can check various software and hardware components to ensure their security during bootup. If the chip finds any manipulations, it will sound an alarm. Whereas TPMs used to come as separate security chips, these days they are usually integrated into new computers.

Where does TPM 2.0 come from?

TPM was developed by the Trusted Computing Group (TCG) and standardized by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 11889:2009 in 2009. The first definitive TPM was released on March 3, 2011, as TPM Version 1.2. TPM 2.0 was released in 2019 as ISO/IEC 11889:2015 with new security features, including updates to the TPM architecture and TPM commands and support routines.

Where is TPM 2.0 located?

Since TPM 2.0 chips function as dedicated processors, they’re integrated directly into the motherboard. Most new laptops and PCs come with factory-integrated TPMs and TPM compatibility. You might also find motherboards that don’t offer a pre-installed TPM 2.0 chip but have a slot for an additional chip. That way you can use a TPM chip separately from the CPU. If you’re purchasing your own TPM chip, you should try to get one from the same manufacturer and year of production as your motherboard.

Does Windows 11 require TPM 2.0?

TPM 2.0 is a hardware requirement for Windows 11. For many Windows users, this was the first time they had heard about TPM. If your computer doesn’t have a TPM or TPM 2.0 isn’t enabled, you’ll get a notification saying that TPM couldn’t be found or isn’t compatible. A UEFI (Unified Extensible Firmware Interface) with secure boot is also required.

TPM 2.0 is used in Windows 11 and other versions for the following:

  • Windows Hello: Biometric access control and identification using fingerprint and/or iris scan, facial recognition with Endorsement Key (EK) and Attestation Identity Key (AIK)
  • BitLocker drive encryption: For encrypting logical volumes and thus entire drives
  • Virtual smart cards: Similar to physical smart cards, virtual smart cards help with access control for external systems and resources
  • TPM start metrics: With TPM metrics about the Windows bootup state, the integrity of system components and Windows configurations can be checked by measuring start sequences
  • AIK certificates: AIK certificates saved in TPM compare start data that has been collected with metrics about the devices’ state
  • Defense against dictionary attacks: Protection from brute force attacks that try to bypass password protection with automated queries of dictionary lists
  • Credential guard: Isolates login and user data and protects saved keys using virtualization-based security checks

What are the advantages of TPM 2.0?

TPM comes with the following advantages:

  • Generating and saving cryptographic keys, passwords, and certificates for extra secure encryption methods
  • Detecting manipulations in BIOS code using a check value in the Platform Configuration Register (PCR) 17
  • TPM 2.0 has a new algorithm exchange function for simultaneous use of different algorithms
  • Verification signatures support PINs and positioning data using biometric or global access controls
  • Checking software licenses using digital rights management (DRM)
  • Ensuring platform integrity using configuration metrics that check startup sequences for security and changes
  • Authentication of system hardware with RSA cryptosystems
  • Endorsement Keys (EK) and Attestation Keys (AIK) use hashing to check the security and integrity of the system
  • Optimizing protection from malware, ransomware, brute force attacks and phishing, in combination with firewalls, smart cards, biometric access control and antivirus programs
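The BIOS check value and the startup-sequence metrics in the list above both rest on the TPM's Platform Configuration Registers, which can only be extended, never set: the firmware hashes each component in turn and the TPM folds that hash into the register, so the final value commits to every measurement and to their order. The following Python script is an added example (not code from the original article) that simulates a SHA-256 PCR bank over a constructed boot log and compares the replayed registers with stored golden values; the log entries and the PCR assignments are illustrative, with PCR 17 used as the article's register for BIOS code.

```python
import hashlib

NUM_PCRS = 24
DIGEST_LEN = 32  # size of one register in the SHA-256 bank

# Constructed event log, not a real firmware log: (PCR index, measured
# component) in the order the firmware measures them. PCR 17 is the
# register the article cites for BIOS code; PCR 7 holds Secure Boot policy.
BOOT_LOG = [
    (17, b"BIOS code block"),
    (7, b"Secure Boot policy: enabled"),
    (17, b"Boot loader"),
]


def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: new = SHA256(old || SHA256(measurement))."""
    # A PCR cannot be written directly, only extended, so the final value
    # commits to every measurement and to the order in which they were made.
    event_digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr_value + event_digest).digest()


def replay_log(log) -> dict:
    """Replay an event log into a fresh bank; every PCR is zero after reset."""
    bank = {i: bytes(DIGEST_LEN) for i in range(NUM_PCRS)}
    for index, component in log:
        bank[index] = pcr_extend(bank[index], component)
    return bank


def golden_values(log, indexes) -> dict:
    """Record the expected hex values of selected PCRs from a trusted boot."""
    bank = replay_log(log)
    return {i: bank[i].hex() for i in indexes}


def check_boot(log, golden: dict) -> list:
    """Return the PCR indexes whose replayed value differs from the golden set."""
    bank = replay_log(log)
    return [i for i, expected in sorted(golden.items()) if bank[i].hex() != expected]


if __name__ == "__main__":
    golden = golden_values(BOOT_LOG, (7, 17))
    # Simulate a modified boot loader: only PCR 17 should deviate.
    tampered = [(i, c.replace(b"Boot loader", b"Boot loader (modified)")) for i, c in BOOT_LOG]
    print("clean boot, mismatched PCRs:", check_boot(BOOT_LOG, golden))
    print("tampered boot, mismatched PCRs:", check_boot(tampered, golden))
```

Because the extend operation is one-way, a modified or reordered component cannot be hidden by restoring the register afterwards; the verifier only needs the golden values and the event log to spot the deviation.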

How can you check for TPM 2.0 on your own device?

Want to know whether your Windows device is already equipped with TPM 2.0? Below we have listed a few different ways you can check for TPM 2.0 and see whether it’s enabled. Note that even factory-installed TPM 2.0 chips aren’t always automatically enabled.

Open the TPM 2.0 management tool

Step 1: Enter “tpm.msc” into the search bar. This command will open the integrated TPM management tool.

Step 2: If your computer has a dedicated TPM 2.0 chip, you’ll see information about the TPM version. If you don’t have a TPM 2.0 chip, Windows will inform you that there’s no compatible TPM component.

Open the device manager

Step 1: Use the Windows shortcut [Windows] + [X] to open the Quick Link menu. Then go to “Device Manager”.

Step 2: Navigate to “Security devices” and click on it. If you have TPM 2.0, you’ll see “Trusted Platform Module 2.0” there.

Open command prompt

Step 1: Use the shortcut [Windows] + [R] to open the “Run” dialog box. Enter “cmd” and then use the shortcut [Windows] + [Shift] + [Enter]. This will open the command prompt with admin privileges.

Step 2: Enter the following command:

wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get /value

If you have TPM 2.0, you’ll see “SpecVersion=” in the last line, with information on the chip’s version.

How can you check for and enable TPM 2.0?

The status of TPM 2.0 on your computer has a lot to do with how old it is. Newer computers typically come with pre-integrated TPMs that are enabled by default, but there are no guarantees. In some cases, you might need to update your BIOS or UEFI.

There are a few different ways to disable or enable TPM 2.0:

Disable or enable TPM 2.0 in BIOS

To enable TPM 2.0:

Step 1: Restart your computer and open BIOS. Depending on your operating system and device, press [F2], [F12] or [Del] during bootup. Note that you should always make a system backup and back up important keys, passwords and certificates before you make changes in BIOS.

Step 2: Once you’re in BIOS, open “Security” and navigate to “Trusted Computing”.

Step 3: Activate the item “Security Device Support”.

Step 4: Under “TPM 2.0 Device”, navigate to “PTT” and activate that item.

Step 5: After you’ve saved the changes, restart your computer.

To disable TPM, complete the same steps but deactivate the items instead of activating them.

Disable or enable TPM 2.0 using the TPM 2.0 management tool

To enable TPM 2.0:

Step 1: Enter the command “tpm.msc” in the Windows search bar, then press [Enter].

Step 2: Once you’re in the TPM management tool, navigate to “Action area > Activate TPM 2.0”. On the page “Activate TPM 2.0 security hardware”, you’ll find extensive information about the next steps.

Step 3: Click “Shut down” or “Restart”. Then follow the indicated UEFI steps.

Step 4: During bootup, agree to the new TPM 2.0 configuration. This is how your system ensures that only authenticated users can make changes. You’ve now enabled TPM 2.0 in Windows.

To disable TPM, open the TPM management tool and go to “Action area > Deactivate TPM 2.0”. Select “Deactivate TPM 2.0 security hardware” and decide whether you want to enter the owner password using removable media, enter it manually, or deactivate without entering a password.

What happens when you disable TPM 2.0?

Deleting or disabling TPM 2.0 can sometimes lead to an unintentional loss of data, including cryptographic keys, certificates and passwords. To prevent that from happening, take the following security measures:

  • Create a backup of the data you have saved on TPM 2.0.
  • Only delete or disable TPM 2.0 on your own devices or with permission from the IT admin.
  • Check what the owner’s manual has to say about TPM or look it up on the manufacturer’s website.
  • Deactivate TPM 2.0 using the TPM management tool. If you make changes in BIOS, create a backup of the system.

What types of TPM 2.0 are out there?

There are a few different types of TPMs, which mostly differ in their implementations:

  • Discrete TPM 2.0: Discrete TPM 2.0 is a dedicated security chip that provides support for various encryption algorithms and protection from manipulation. It gives rise to very few errors.
  • Physical-based TPM 2.0: TPMs integrated in CPUs provide physical security features for protecting from manipulations and malware.
  • Firmware-based TPM 2.0: Much like physical-based TPM 2.0, firmware-based TPM 2.0 uses a secure CPU environment to prevent manipulations and unauthenticated changes.
  • Virtual TPM 2.0: Hypervisors can create a virtual TPM 2.0, which generates security keys independent of virtual machines.
  • Software-based TPM 2.0: Software-based TPM 2.0 is not recommended due to its high susceptibility to errors and malware as well as lack of benefits that warrant such a risk.