When Microsoft introduced Windows 11 in 2021, its new, stringent hardware compatibility test included checking for the presence of a Trusted Platform Module (TPM) — specifically, one that meets the TPM 2.0 standard.
So, what is a TPM, and why does Windows insist that you need one? The simple answer is that a TPM is a secure cryptoprocessor, a dedicated microcontroller designed to handle security-related tasks and manage encryption keys in a way that minimizes the ability of attackers to break into a system. But the full answer is, as with anything related to computer security, slightly more complicated.
The TPM architecture is defined by an international standard (formally known as ISO/IEC 11889), which was created by the Trusted Computing Group. The standard deals with how different cryptographic operations are implemented, with an emphasis on “integrity protection, isolation and confidentially.”
A TPM can be implemented as a discrete chip soldered onto a computer motherboard, or it can be implemented within the firmware of a PC chipset, as Intel, AMD, and Qualcomm have done. If you use a virtual machine, you can even build a virtual TPM chip into it.
The overwhelming majority of PCs built during the past 15 years include TPM technology, and most PCs designed in 2015 or later include the TPM 2.0 version that is required by Windows 11. On some older PCs, a TPM might be disabled by default, so check the system firmware to enable this feature.
The technology is meant to be a super-secure location for processing cryptographic operations and storing the private keys that make strong encryption possible. The TPM works with the Secure Boot feature, which verifies that only signed, trusted code runs when the computer starts up. If someone tries to tamper with the operating system — to add a rootkit, for example — Secure Boot prevents the changed code from executing.
The TPM also holds the BitLocker keys that encrypt the contents of a Windows system disk, making it nearly impossible for an attacker to break that encryption and access your data without authorization. For a detailed technical explanation, you can read this primer.
Windows 10 and Windows 11 initialize and take ownership of the TPM as part of the installation process. You don’t need to do anything special to set up or use a TPM beyond making sure it’s enabled for use by the PC. And it’s not just a Windows feature. Linux PCs and IoT devices can initialize and use a TPM as well.
Apple devices use a different hardware design called the Secure Enclave, which performs some of the same cryptographic operations as a TPM, and also provides secure storage of sensitive user data.
The extra level of security that a TPM enforces in tamper-resistant hardware is a very good thing. To see details about the TPM in your Windows PC, open Device Manager and look under the Security Devices heading.