What Is a TPM, and Why Do I Need One for Windows 11? | #microsoft | #hacking | #cybersecurity


Microsoft’s upcoming Windows 11 operating system will require a heretofore little-known PC security feature, the Trusted Platform Module (TPM), which is cause for concern among early adopters who can’t wait to get their hands on the new OS.

“Do I have a TPM that works with Windows?” is a question you probably never thought you’d need to ask. But the good news for people who have a PC bought in the last few years is that the answer is almost certainly “Yes.” For everyone else looking to upgrade to Windows 11, especially people who built or upgraded their own Windows desktop, the answer could be more complicated. 

Let’s take a look at what TPMs do and how Microsoft is incorporating them into the next version of Windows, based on what we know so far. 


What Is a TPM?

At its most basic, the TPM is a tiny chip on your computer’s motherboard, sometimes separate from the main CPU and memory. The chip is akin to the keypad you use to disable your home security alarm every time you walk in the door, or the authenticator app you use on your phone to log in to your bank account. In this scenario, turning on your computer is analogous to opening the front door of your home or entering your username and password into the login page. If you don’t key in a code within a short period of time, alarms will sound or you won’t be able to access your money.

Likewise, after you press the power button on a newer PC that uses full-disk encryption and a TPM, the tiny chip will supply a unique code called a cryptographic key. If everything is normal, the drive encryption is unlocked and your computer starts up. If there’s a problem with the key—perhaps a hacker stole your laptop and tried to tamper with the encrypted drive inside—your PC won’t boot up. 

A Trusted Platform Module (TPM) add-on for Asus mainboards. (Photo: Asus)

While that’s how modern TPM implementations function on a most basic level, it’s far from all they can do. In fact, many apps and other PC features make use of the TPM after the system has already booted up. The Thunderbird and Outlook email clients use TPM to handle encrypted or key-signed messages. The Firefox and Chrome web browsers also employ the TPM for certain advanced functions, such as maintaining SSL certificates for websites. Plenty of consumer tech besides PCs uses TPMs, as well, from printers to connected-home accessories. 

Just as TPMs can perform many other functions besides their basic purpose of providing boot-up protection for PCs, so too can they take many different forms besides a standalone chip. The Trusted Computing Group (TCG), responsible for maintaining TPM standards, notes that there are two additional types of TPMs. TPMs can be integrated into the main CPU, either as a physical addition or as code that runs in a dedicated environment, known as firmware. This method is nearly as secure as a standalone TPM chip, since it uses a trusted environment that’s discrete from the rest of the programs that use the CPU. 

The third type of TPM is virtual. It runs completely in software. This is not recommended for real-world use, the TCG warns, because it’s vulnerable to both tampering and any security bugs that might be present in the operating system. 

For a more in-depth (but still accessible) look at how TPMs work, the short book A Practical Guide to TPM 2.0A Practical Guide to TPM 2.0 is worth a read. For an example of all the ways TPMs are used in consumer PCs, also check out Apple’s guide to the T2 security chips for Macs. (Although Apple doesn’t use the term, the T2 is essentially a TPM.)


What’s the Deal With Windows and TPMs?

Windows 7 and Windows 10 both have extensive support for TPMs. Laptops and desktops meant for use in large organizations with strict IT security requirements have been the main adopters. In many cases, TPMs have replaced the cumbersome smart cards that IT departments once issued to employees. Smart cards must be inserted into a slot or tapped against a built-in wireless reader, to verify that the system hasn’t suffered from tampering. 

Security features at the operating system level also already make use of TPMs. Ever used the Windows Hello face-recognition login feature on a newer laptop? That requires a TPM. 

TPMs are efficient alternatives to older methods of securing Windows PCs. In fact, since July 2016 Microsoft has actually required TPM 2.0 support on all new PCs that run any version of Windows 10 for desktop (Home, Pro, Enterprise, or Education). Likewise, Windows 11 will only run on PCs that have TPM capabilities. Microsoft has been strict on this requirement ahead of the Windows 11 general availability, which is scheduled to arrive as a free upgrade this holiday season for Windows 10 PCs. If you download the Windows 11 compatibility tool now, it will only indicate that your system is ready if TPM 2.0 is up and running. (Microsoft notes that it will be tweaking the tool in the coming days and weeks to be more helpful in explaining compatibility specifics.)

However, Microsoft has quietly noted that Windows 11 will run on PCs that have TPMs older than version 2.0 in certain situations. The company’s support documents indicate that TPM 2.0 is more of a “soft floor” requirement, and that PCs with TPM 1.2 will also be able to run Windows 11. But “devices that meet the soft floor will receive a notification that upgrade is not advised,” Microsoft warns. 


Does My PC Already Have TPM 2.0? 

If you’ve got a computer that meets the other Windows 11 minimum system requirements, there’s a chance that it supports TPM 2.0. The standard is relatively recent, however. If you bought your PC after 2016, it almost certainly comes with TPM 2.0. If your computer is older than a few years, it likely either has the older TPM 1.2 version (which Microsoft says is not recommended for Windows 11) or has no TPM at all. 

Microsoft attempts to simplify the situation by referring to its 2016 deadline for implementing TPM 2.0. The company notes in its Windows 11 FAQs that “many PCs that are less than four years old will be able to upgrade to Windows 11.”

Because TPMs take so many forms, as mentioned earlier, there isn’t a way to verify at a single glance whether your PC has an enabled TPM 2.0-compatible chip or firmware. Windows offers a generic “security processor” status indicator, but to be sure, you’ll have to check with the company that made your desktop or laptop.

Most of the larger vendors have straightforward support articles published on their website that explain which products have TPM 2.0 support. For example, Dell publishes a handy chart that indicates which type of TPM is installed in which system. The company uses three different types of TPM 2.0 in modern Latitude, Precision, OptiPlex, and consumer laptops and desktops. 


Can I Add a TPM to My PC? 

If you built your own desktop PC in the last few years and you’re comfortable tinkering with hardware and software security settings in the system’s BIOS, you can probably add a discrete TPM 2.0 chip to your motherboard. Many motherboards come with a cluster of header pins clearly labeled “TPM.” And, as ExtremeTech notes, you can pick up a TPM module for some motherboard models for less than $50. 

But it’s not as simple as buying a TPM 2.0 add-on module and plugging it into the header. Even if you’ve got a hardware TPM installed in your home-built computer, you’ll need to ensure that it’s properly set up in the BIOS for the Windows operating system to recognize it. This process varies widely based on which motherboard and CPU you’re using. Even Microsoft acknowledges that turning on TPM isn’t necessarily a straightforward process. Microsoft VP of Product Management Steve Dispense suggests that it may be necessary to enable a setting like Platform Trust Technology (PTT) in the BIOS of Intel-based computers, or fTPM for AMD-based ones.

This Aorus Z490 motherboard has a TPM header located on the edge. (Photo: John Burek)

And if you’re one of the many people who spent significant money to build a top-of-the-line gaming PC years back, with a motherboard or CPU that may lack TPM capabilities or the ability to add them, your system still likely has years of life left, but it may not be able to run Windows 11. A firmware-based TPM 2.0 solution might be an option for some PCs without TPM capability on the motherboard, though implementing one yourself will almost certainly require some trial and error.


Will a TPM Prevent Me From Running Linux?

Conversely, plenty of PC enthusiasts have computers that do support TPMs but who have chosen to disable them for a variety of reasons. If this is you, Windows 11 brings good news and bad news. 

The good news is that pretty much anything you want to do with a PC these days can be done with TPMs enabled. Yes, there are exceptions, but they’ll only affect a tiny percentage of users. For example, the TCG has long specified TPM requirements for the open-source Linux operating system, which means that people who want to switch their PCs between running Windows 11 and various Linux distributions should be able to do so. Support will vary depending on which Linux distribution you’re using, and how the TPM requirement may interact with dual-boot environments is not yet 100% clear.


Will a TPM Limit Which Windows 11 Features I Can Use?

One of the many tricky parts of the TPM 2.0 requirement in Windows 11 is that Microsoft may take a page out of Apple’s playbook and introduce additional limitations related to TPM security in future Windows updates. For instance, Macs with the T2 chip have many capabilities that Apple computers without it do not, including fingerprint recognition and enhanced image signal processing. This situation also exists in the Windows 10 world, with the Windows Hello face-recognition mentioned earlier being a prime example. 

With Windows 11 and future TPM versions, Microsoft could further segment the Windows experience. This could include adding new features that require the TPM, but it could also include bringing additional locked-down versions of Windows akin to the current Windows 10 S Mode. For most consumers, this won’t be an issue, but it’s something to keep in mind if you’re planning to upgrade to Windows 11 as soon as it becomes available. 





Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

eleven − 5 =