What is a TPM?
A Trusted Platform Module (TPM) is a computer chip designed to store authentication artifacts securely. Learn about this microcontroller and how to check yours.
A Trusted Platform Module (TPM) is a microchip that provides hardware-level encryption to enhance security. It can securely store platform measurements and a variety of authentication artifacts, including the encryption key, certificates, and passwords.
The purpose of a TPM is twofold: authentication and attestation. Authentication allows your laptop or computer to verify its identity, while attestation proves its integrity and the absence of breaches. Not only does a TPM interact with other security systems in your PC, like the fingerprint reader and facial recognition program, it may also be used by other programs, including your browser. Basically, a TPM is like a security alarm system against cybercriminals and malware.
The Trusted Computing Group (TCG), an organization that promotes open security standards, introduced the TPM in 2009. The TCG has updated the standard over the years, and the most recent TPM version (TPM 2.0) was released in 2014.
We’ll explain what you should know about TPMs, including whether you need a TPM, how to check to see if you already have one, what types are available, and how to add a TPM to your existing computer.
Do you need a TPM?
In response to increasing attacks, Microsoft started requiring TPM 2.0 to upgrade to Windows 11. Therefore, if you want to use Windows 11, you need a TPM chip in your computer. Windows Server 2022 also requires a TPM for certain features. Luckily, most recent computers already have a TPM installed.
Even if you’re not concerned with upgrading to Windows 11, it may be worth getting or enabling a TPM. It can enhance Secure Boot, provide ransomware protection, and improve your overall security posture.
How do you check your TPM?
It’s not hard to confirm whether or not your computer has a TPM chip. Using PDQ Inventory makes it a breeze, but the following methods can also help you check.
Check via Command Prompt
Using the Command Prompt is one simple way to see if you have a TPM installed.
Type tpm.msc into the taskbar
If nothing comes up, you may not have a TPM chip. Otherwise, open the TPM management console.
Check the Status to confirm the TPM is “ready to use”
Check the Specification Version to see the version of the chip
Check Settings
You can find the TPM Administration tool via Settings and confirm that you have a TPM and it is enabled.
Open Settings
Go to System
Click About
Scroll to Related settings
Click BitLocker settings
Click TPM Administration
Check the Status to confirm the TPM is “ready to use”
Check the Specification Version to see the version of the chip
Use the Run dialog box
The Run dialog box can help you find the same TPM management console quickly.
Open the Run dialog box using Windows+R
Input tpm.msc
Check the Status to confirm the TPM is “ready to use”
Check the Specification Version to see the version of the chip
Use the Device Manager
Alternatively, you can use the Device Manager to see if you have a TPM and, if so, which version.
In the search bar, search Device Manager and open the control panel
Expand the Security devices list
Look for a Trusted Platform Module entry
Restart your PC into the UEFI settings screen
This method involves accessing motherboard settings and changing firmware settings, so you should only do it if you can’t find a TPM chip using other methods and you truly know what you’re doing. If the TPM is disabled, this will allow you to find it and enable it.
Open Settings
Select Update & Security
Click Recovery
Under the Advanced startup heading, click Restart now
Click Troubleshoot
Select Advanced options
Click UEFI Firmware Settings
Click Restart
Open the security settings
Check for the Trusted Platform Module (TPM)
If present, select it and ensure its enabled
Exit the UEFI settings
Confirm the changes
Restart the computer
How do Windows and TPMs relate?
Microsoft requires TPM chips for PCs to run Windows 11. Apple uses a similar chip called T2, but TPMs are exclusive to PCs. Given that Windows is the most common operating system and has implemented a TPM requirement for its newest version, Windows operating systems and TPMs go hand in hand.
Can you run Linux with a TPM?
You should be able to run Linux with a TPM. Starting with the Linux 3.20 kernel, Linux supports TPM 2.0. That said, support varies between older Linux distributions.
What are the types of TPMs?
TPM typically refers to the most traditional variety, which is the microchip version. However, other options are available. The TCG identifies five variations:
Discrete TPM
A discrete TPM (dTPM) is the standard hardware version. It is designed to be tamper resistant and provide the highest level of TPM security. It’s used for critical systems.
Firmware TPM
A firmware TPM (fTPM) is code executed in the CPU’s trusted execution environment (TEE) to provide a high level of security.
Software TPM
A software TPM (sTPM) is a software emulator used for testing and prototyping. However, software TPMs are not appropriate for public-facing environments because they’re prone to vulnerabilities.
Virtual TPM
A virtual TPM (vTPM), also known as a hypervisor TPM, provides a high level of security for cloud environments with the same commands as physical TPMs.
Integrated TPM
An integrated TPM (iTPM) is a hardware TPM integrated into another chip with other functions. Integrated TPMs provide a very high level of security against software issues, but they are not tamper resistant. They’re often used for network gateways.
Can you add a TPM to your computer?
Depending on your Windows PC and skill level, you might be able to add a TPM to your computer. If you’ve built your own machine in the last few years using current components, it probably won’t be too hard to install a discrete TPM.
Most motherboards have TPM headers. You can find out more about your motherboard by opening the Command Prompt by entering cmd into the search bar, then entering wmic baseboard get product,Manufacturer. Then, research the motherboard online to determine its compatibility, and contact the manufacturer’s support team if necessary.
You can find TPMs for under $30. Make sure the TPM has the same PIN layout and lockout as the TPM header. Before installing, turn off the computer, unplug it, and let it cool. A compatible TPM may work right away after installation. Otherwise, you may need to enable the TPM in your BIOS or UEFI settings.
Since most current computers already have a TPM, just make sure to double-check that you don’t already have one before attempting to install it yourself.