Microsoft announced recently that all new devices that ship with Windows 10 once the operating system's Anniversary Update comes out need to support the Trusted Platform Module 2.0 (TPM) and have it enabled by default.
While this won't affect existing devices or devices that you build yourself, the majority of devices that OEMs produce, including all client PCs and Windows mobile devices, need to ship with TPM 2.0 enabled.
This makes PM 2.0 a hardware requirement for new devices that ship with the Windows 10 Anniversary Update.
Microsoft made the decision to exempt some devices from that
The main reason why Microsoft enforces TPM 2.0 is that several features of the operating system depend on it.
|Windows 10 Feature||TPM 1.2||TPM 2.0||Details|
|UEFI Secure Boot|
|Enterprise Data Protection|
|Windows Defender - Advanced Threat Detection|
|Device Guard / Configurable Code Integrity|
|Credential Guard||Yes||Yes||More secure with TPM 2.0|
|Measured Boot||Yes||Yes||More secure with TPM 2.0|
|Device Health Attestation||Yes||Yes||Requires TPM|
|Virtual Smart Card||Yes||Yes||Requires TPM|
|Passport: Domain AADJ Join||Yes||Yes||Supports both versions, but requires TPM with HMAC and EK certificate for key attestation support.|
|Passport: MSA / Local Account||Yes||Yes||Requires TPM 2.0 for HMAC and EK certificate for key attestation support|
|BitLocker||Yes||Yes||TPM 1.2 or later required or a removable USB memory device such as a flash drive|
|Device Encryption||Yes||For Modern Standby devices, all require TPM 2.0|
Several of the features are for business / Enterprise devices only.
Current devices won't be able to make use of some of the security features listed above if they don't support TPM.
To find out if TPM 1.2 or 2.0 is available and enabled on your Windows device (desktop), do the following:
This opens the Trusted Platform Module (TPM) management on the local computer.
If TPM is supported, you may get options to turn on the TPM Security Hardware, create the TPM owner password, clear the TPM, block or allow TPM commands, or turn off TPM by selecting the option in the actions pane. Please note that you need to enter the owner password to do so.
Information about TPM is also available in the Device Manager but only if the feature is enabled and supported on the device.
You find information there under Security devices.
If TPM is not supported, you get the message compatible TPM cannot be found.
This does not necessarily mean that TPM is not supported on the device as its state is controlled by the BIOS/UEFI.
If you get that message, you need to boot your computer and load the BIOS/UEFI management screen to find out about that.
Where you find that depends largely on the BIOS or UEFI of the computer. If you run a recent Surface device for instance, you find reference to TPM under Security. There you can enable or disable TPM.
If you like our content, and would like to help, please consider making a contribution: