Wednesday, March 27, 2024
SECURITY

What is a TPM and why isn’t mine working?

If you’re like most people, you didn’t think about whether your PC had a TPM (Trusted Platform Module) until Microsoft made it part of its system requirements to run Windows 11, the upcoming new version of its operating system. We’ll explain what a TPM is, how you can find out whether your system has one, and how to enable it if it’s turned off.

What is a TPM?

A TPM, or Trusted Platform Module, is a security chip that can be embedded in a laptop or plugged into most desktop PCs. It’s basically a lockbox for keys, as well as an encryption device a PC can use to boost its security.

For example, when you boot your PC, one chip wakes up and begins nudging other components to warm up for the start of the day. Once all of the hardware is ready, it goes to the storage drive to start hauling the operating system into memory.

In a secure environment, the PC first makes sure the operating system is secure. In fact, it may not even trust the surrounding hardware it woke up earlier, so it checks them as well. But without a point of reference, the PC has no idea whether any part of  the system has been tampered with. With a TPM, the PC can compare notes using the information stored in the locked-down TPM. If it all matches, the boot proceeds as normal. If something is amiss, red flags go up.

Most newer Intel CPUs feature a TPM inside of the CPU itself, which it calls Platform Trusted Technology.

TPMs are in most newer CPUs

TPM’s originally came as standalone chips, and originally they were used only in corporate computers, where security was more of a concern and customers would pay the premium for the add-on. More recently, AMD and Intel have integrated firmware-based TPM into their CPUs. That’s made TPM support far more available.

Pretty much any Intel CPU from 2013 (think 4th-gen Haswell) and built for Windows 8.1 should have a firmware-based TPM. AMD has supported firmware TPM for some time as well.

Even if firmware TPM is in place in the CPU, that doesn’t mean every PC has immediate access to it. It may need a BIOS or UEFI update to support it. While most PCs you buy from a large PC maker typically have it in place, many retail motherboards often don’t have the BIOS support, or don’t have it switched on by default.

This Asus Z87 motherboard made for Intel’s 4th-gen Haswell features a TPM header for an optional TPM module. On most consumer desktops, there won’t be a TPM module installed.

What is a TPM header?

You’ll find that many desktop motherboards will have an unfilled TPM header option available. The header allows for a consumer to buy a TPM module for the board if they want to enable a discrete TPM. Most hardware sold directly to consumers doesn’t include the module, because it’s always been seen as an extra cost.

If your particular motherboard never implemented firmware TPM support, and this is one obstacle preventing you from installing Windows 11, it might be worth hunting for a compatible module. We recommend that when you shop, you stick to a module from the same motherboard maker, and within the same vintage of motherboard. Although the TPM chips in the modules may be off-the-shelf, the actual physical connections, as well as how the BIOS/UEFI talks to it, will be unique.

Although the TPM modules are similar, you don’t want to buy one without making sure it works with your computer.

How to check your TPM’s status

The easiest way to check the state of your TPM on a Windows 10 machine is to go to Device Security. You can do this by pressing the Windows key and typing device security. From there, click the Security processor details link. If your PC has a TPM that Windows 10 can see, you’ll get details on it here. For example, in screenshots from a consumer Core i7-1185G7 laptop and a commercial or business-focused Core i7-8665U, we can see that the consumer laptop uses the Intel embedded TPM or Platform Trusted Technology because, well, it’s free.

On the commercial laptop, the vendor (HP, in this case) has embedded an actual discrete Infineon TPM module into the laptop, a normal practice for corporate laptops.

Which is better? Generally, the discrete or separate TPM module is believed to be better, as it supports more encryption algorithms. But it does take up space and add cost.

The consumer 11th-gen laptop (left) uses Intel’s embedded TPM, while the business-focused 8th-gen laptop (right) features a discrete TPM.

Why doesn’t my TPM show up?

While support for the TPM on a 7-year-old PC to run Windows 11 is going to cause hand-wringing for the next six months, even newer PCs can have troubles. For example, on an 8th-gen Core i7 PC, we found the TPM support in its default state of “discrete”—which, as with most consumer desktops, means ‘off,’ because there was no optional TPM module installed.

This throws up a flag in Microsoft’s Windows 11 requirement check, saying you need a TPM 2.0 is enabled. As we said, that means you either go out and buy the appropriate TPM module and plug it into the header, or you simply flip on the firmware TPM already built in the 8th-gen CPU. On this particular motherboard, it means flipping it from discrete to firmware.

Depending on the motherboard or laptop maker, finding this setting will vary. In this motherboard, for example, it’s just called TPM. In some motherboards it’s called Intel Platform Trusted Technology (PTT). Some AMD motherboards it’s called fTPM.

To find it, you’ll have to root around through the UEFI of your PC to turn it on.

Most PCs since 2013 have had firmware-based TPM support built into them, but it’s off by default.

We don’t actually recommend you do this on a working PC at this point without making a backup. While some have reported success, others have said it has caused sporadic blue-screen errors that didn’t go away even after turning off the firmware TPM in the UEFI.

With Windows 11 still months away, motherboard vendors will likely be releasing new UEFI’s for their customers. You’ll probably want to wait until a newer UEFI/BIOS is available and the OS itself is here, before taking a chance on breaking things.

Of course, the TPM is just one of the many things you’ll need before you can install Windows 11. You’ll also to enable Secure Boot and UEFI mode as well. Most computers made in the last three or four years should manage the process smoothly. Older hardware, we’ll have to wait and see.

Even if your CPU supports a TPM, you’ll need to turn it on in the UEFI/BIOS first.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *