What is TPM and why does Windows 11 require it?
By now you may know that Microsoft's new operating system Windows 11 requires a TPM chip. But why does Windows 11 require a TPM chip, and what is its purpose? In this guide, we will provide answers to these questions.
What is TPM?
TPM stands for Trusted Platform Module. It comes in the form of a chip on the computer's motherboard or as part of the processor, and serves a number of purposes, including device authentication, encryption, identification and integrity verification. It may be used by the operating system to better protect devices against advanced threats.
A TPM device is therefore any device with a TPM chip.
What is the main function of a TPM chip?
The TPM chip is a secure crypto-processor that is designed for cryptographic operations. It is designed to be tamper-resistant, and includes a unique key that may be used for platform device authentication.
TPM can check the integrity of the system during the boot process to make sure it has not been tampered with.
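Added example (not from the original article or from Microsoft): a simplified Python model of the boot-time integrity check, in which each boot stage is hashed into a register with the TPM's extend operation and a secret such as a disk key is released only when the final value matches the known-good one. The stage names, sample data, `SealedSecret` and `try_boot` are hypothetical, and a real TPM performs these steps in hardware.

```python
import hashlib
import hmac

PCR_SIZE = 32  # width of a SHA-256 PCR in bytes

def extend(pcr: bytes, component: bytes) -> bytes:
    """Extend operation: new PCR = SHA256(old PCR || SHA256(component))."""
    measurement = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(stages) -> bytes:
    """Measure each boot stage in order into a PCR that starts at all zeros."""
    pcr = bytes(PCR_SIZE)
    for image in stages:
        pcr = extend(pcr, image)
    return pcr

class SealedSecret:
    """Hypothetical model of sealing: release the secret only for one PCR value."""

    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret = secret
        self._expected = expected_pcr

    def unseal(self, current_pcr: bytes) -> bytes:
        if not hmac.compare_digest(current_pcr, self._expected):
            raise PermissionError("PCR mismatch: measured boot chain has changed")
        return self._secret

# Constructed sample data: stand-ins for firmware, boot loader and kernel images.
GOOD_CHAIN = [b"firmware-1.0", b"bootloader-1.0", b"kernel-1.0"]
TAMPERED_CHAIN = [b"firmware-1.0", b"bootloader-1.0+implant", b"kernel-1.0"]

def try_boot(stages, sealed: SealedSecret) -> str:
    """Return 'unlocked' if the measured chain matches, else 'refused'."""
    try:
        sealed.unseal(measure_boot(stages))
        return "unlocked"
    except PermissionError:
        return "refused"

if __name__ == "__main__":
    sealed = SealedSecret(b"constructed-disk-key", measure_boot(GOOD_CHAIN))
    print("known-good boot:", try_boot(GOOD_CHAIN, sealed))
    print("tampered boot:  ", try_boot(TAMPERED_CHAIN, sealed))
```

Because every value depends on all earlier measurements and on their order, a change to any one stage changes the final register value, and the secret stays sealed.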
Microsoft Director of Enterprise and OS Security, David Weston, described the main function of the TPM chip in the following way:
[..] to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.
Why does Windows 11 require a TPM 2.0 chip?
Microsoft decided to raise the security baseline of the Windows 11 operating system by making TPM 2.0 a mandatory system requirement.
TPM is designed to protect PCs better against advanced forms of attacks, according to Microsoft.
PCs of the future need this modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states. Requiring the TPM 2.0 elevates the standard for hardware security by requiring that built-in root-of-trust.
Several security features of Windows 11 rely on TPM as well. Components such as the disk encryption feature BitLocker or the authentication feature Windows Hello make use of TPM for improved security.
Tip: find out how to enable TPM 2.0 on your Windows PC here. Did you know that there is a way to install Windows 11 on PCs that don't support TPM?
Hmmm
The operative word in the description of TPM is “unique identifier” which in plain English functions very much like the mythical SIXSIXSIX mark of the beast… Don’t laugh people. Everyone will be bearing a permanent “unique identifier” physically implanted in/on their body sooner rather than later. Well, not everyone, like COVID-19 Vaccination “mandates”, there will of course be “exceptions”…This is a not terribly subtle way of taking us another big step closer…
I seem to recall another evil empire, though in many ways not as powerful and pervasive as Billy’s, that used “unique identifiers”. You can bet your life that Billy’s intentions are just as dangerous…
in fact TPM stands for Trusted Publicity and Marketing, it’s used to display unique ads on the taskbar.
TPM…Mandatory chip….encryption…bitlocker – from the land of the USA Patriot Act with who knows what kind of government back doors? No thanks.
Glad I moved to Linux years ago.
Many Gigabyte motherboards support Firmware TPM (fTPM), although it is disabled per default. It can be enabled in the BIOS. Just tested this on my B365 mboard and it’s now ready for W11.
I’d rather have VISTA and run Windows ME on it in virtualbox as my daily driver than use Windows 11.
The worst living nightmare Vista OS known to mankind, it seems the operating system skip every one good two bad one good two bad always adding a bunch of crap.?
@Martin
Perhaps you should write up a guide on how to “disable” TPM?
Dave this will show you how to disable TPM nerdschalk.com/windows-11-without-tpm-how-to-bypass-tpm-requirement-and-install-the-os/
“trusted” refers to being trusted by Microsoft, government, thieves, extortionists, search engine providers etc. to prevent the owner of the PC totally controlling the PC. A TPM should be totally untrusted by the owner of the device containing it
Let them call it just “Windows” and let the updates happen in the background. Let the transformation happen in bits and pieces slowly. Don’t just keep calling it Windows 11, 12, 13 etc. and I find only the themes change. At least this time they are not asking extra money for upgrading from 10 to 11.
What we want is a fast booting, low memory usage, safe, stable OS.
Not fancies. Probably the Microsoft guys have to do something every year to prove they are “improving”.
Just install the damn thing and block every Microsoft bit in it that the tech-savvy users will find and show you how. There will 100% certain be drivers for your machine too. Then after 6 months or a year, grab the latest updated .iso and reinstall. Repeat. Repeat. Repeat. Your “incompatible” system will chug along just fine. Unless you installed with a Microsoft account, then you’ll be in for a living nightmare. That’s like having a house in the worst neighbourhood, but your house has no doors, it’s all windows. Open windows that you can’t close. Welcome to Redmond City.
TPMs allow 3rd parties to control your device. What you can run is up to them. It’s no longer your PC, even though you might have spent $1000s to buy it. Been heading this way for some time. W11 is just the latest attempt to completely wrench any control you had of your own hardware away from you.
Jeez. Face it buddy, you have absolutely NO IDEA what an effing TPM does. Pardon my French but you really gotta stop talking outta your posterior!
I will never use Windows 11. By the way will be sticking with Windows 10 Enterprise LTSC 1809 which will receive update support until January 9th of 2029. After support ends I might continue using Windows 10 or switch over to Linux if it’s still around after 8 years. I do have TPM completely disabled through my BIOS setting. I also disabled TPM with gpedit and turned it off with Task Scheduler too. So no TPM 2.0 crap running on my machine.
Yeah that’s cute. Will it stop your teenager from installing cracked games and various stolen pro versions of software? Will it stop Indian Microsoft-men from calling you? Didn’t think so. But it WILL make it impossible to dodge Microsoft’s ads and data collection. It also WILL tie YOU to all them illegally downloaded movies and albums on your hard drive. Windows 11 is a surveillance OS.
> “Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.”
Refs:
* https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj131725(v=ws.11)
It tags each device so if malware is created whatever “authority” can identify you uniquely from recorded purchase history and collection of online use.
While I’m still 50/50 on this privacy invasion vs. security overkill there are much better ways of doing this imho without having the equivalent of “browser local storage”. When was the last time you read someone else’s storage values?
Typically the IP of a portable device changes wherever you may be at however usually the TPM RSA key is permanent and any other sub-identifier can be placed into TPM 2.0. See the game Valorant _(no I don’t own it or play it but the news is out there for requirement)_.
Latest news is that Win11 sucks donkey’s ba**s on the latest AMD CPUs. This HAS to be deliberate; old Wintel raising its head again! Throughout Win11 development both MS and Intel have been bragging about how the new scheduling algorithms are optimized for Intel’s latest chips, so how come MS didn’t work with AMD as well to the same extent (or at all)? Even if it weren’t for the TPM 2.0 and CPU requirements (which I know can be bypassed officially with the MAJOR caveat that the system becomes unsupported and might/will not receive any further security updates), Win11 is still a complete mess. The taskbar’s basic functionality has been crippled so badly that only casual, undemanding (or downright whacko) users can tolerate Win11 or worse think it’s actually an improvement over its much maligned predecessor. (Pop Quiz: How did MS improve people’s opinion of Win10 drastically overnight? Ans: Simple, it released Win11!)
Initially like many folks I too was mighty pi**ed off with what were initially mentioned as hard TPM and CPU requirements by MS for upgrading, which meant lots of perfectly capable systems would be left out (including some but not all of my own). Slowly however as I tested Win11 builds I realised what a blessing in disguise this was in reality. This way most people on Win10 currently can stick with a supported and more functional OS till 2025 at least. And while some users might make grand noisy declarations about switching to Linux (which they make with every new Windows release) but actually won’t, for most it’s great news that they have a supported and official way to delay downgrading to Win11 for 4 more precious years, by which time hopefully the OS will be in some sort of better shape, or at least third party devs will have released free utilities to overcome the flaws and regressions in functionality deliberately introduced by MS.
[ Quick note for Martin or whoever’s the site maintainer: On clicking the “Windows 11 News” tag the description on the page goes – “Windows 11 provides much better functionality and security over previous Microsoft operating systems.” While “much better security” might be debatable, “much better functionality”? Seriously?! At least TRY not to appear like MS fanboys who blindly believe that every new Windows release is the best thing since sliced bread and oh so much better than the preceding versions. :( ]
TPM will be used to create a walled garden, force you to upgrade hardware every certain amount of years. Also, push attestation and DRM.
The main function of TPM is to track (bind) users and their activities to the device’s unique ID so in the near future cookies won’t be necessary anymore. NSA can track you so easily with that.
In that path, I wouldn’t do any illegal activity using a PC that has TPM chip on it, even through TOR or VPNs.
this is exactly what they are pushing. EU is banning face recognition, they should do the same for devices too. This is fingerprinting at the higher level, because it’s difficult to spoof
Still don’t know exactly what TPM is. I’ve had it enabled and disabled and there was no difference, as expected I suppose.
This David Weston was saying, months ago, that Memory Integrity (Settings>Security>Core Isolation>Memory Integrity) was the key, just turn it on. I had that link but deleted it because the whole Win 11 debacle is a moving roadblock, week after week.
In the end, MS is not, ever, going to release an OS that takes some weird combination of CPU, TPM, HDR (gone!) and whatever else they remove from their “requirements” for general adoption.
Unless MS is sooooo overrun with Phone Culture Clowns that no one’s left to remember Vista’s “a few bits don’t matter” disaster that was magically fixed.
“It’s OK to stay on Win 10 but we have Win 11 if you want it…” ain’t gonna happen. Wait a few months and all will be good if you want this repackaged Win 10 thing.
>built-in root-of-trust
And who deemed what is trustworthy and what isn’t? I have to assume consoles (XBox/PlayStation) use similar technology to lock everything down for the end user. I’m sorry, but I do not trust Microsoft, game and commercial software publishers not to abuse this.
I strongly advise anyone to disable TPM and SecureBoot from BIOS. If you’re afraid of malware/viruses think about this: when was the last time you’ve encountered one? Maybe check your antivirus’ history. Chances are it’s blank. For how complex and convoluted the whole thing is, do not think for one second that it is not exploitable, if, for some reason, you really are the target of any form of attack. Your own computer knowledge, although essential, should be more than enough; and an antivirus for your normie friends.
Even Chromebooks depend on TPM for Security. That’s why Win11 has adapted this.
Your logic is flawed. Microsoft implemented it to increase security, not because Google put it into Chromebooks.
The best security is to avoid Microsoft and Google products. Prove me wrong.
I’m curious; would this help against something like the Spectre attack? I understand some sophisticated malware actually embeds a “reboot” mechanism of sorts in motherboard firmware, allowing it to re-install itself after it has supposedly been removed. Would this help in such an instance?
UEFI is supposed to do the thing, and what we see is that there are always ways to bypass such protection. And more than that: if such protection has an issue, then it is much harder to fix it than with old approaches. As an example of that we can remember viruses that use UEFI to save themselves even after the system is reinstalled. You can google such viruses by the names LoJax, ESPecter.
We can imagine what happens if such a virus can modify or emulate TPM and forbid your system to delete the virus because the system+virus unit is signed and cannot be modified.