Thank you for the clarity on this very common question by customers and consumers alike.
One of the key requirements for Windows 11 is the presence of a TPM 2.0 chip on your hardware.
To avoid possible misunderstandings for readers:
1. Different types of TPM, not necessarily a discrete chip
A TPM "chip on the hardware" is, in most modern computers or servers, not a discrete TPM chip on the mainboard, which caused a lot of fuss in 2021 and overpriced chips. On top of that, discrete chips allow "easier" local HW attacks.
More likely though, it's a security feature, silicon integrated in your Windows 11 supported processor (CPU).
In modern UEFI BIOS this TPM is often called vTPM or fTPM.
2. Why and how to update the UEFI BIOS (regularly):
If you never updated your BIOS on your OEM device or custom-built one, please consider doing so.
This is what you can expect from UEFI BIOS updates:
- Security improvements for mainboard, Secure Boot, certificates and CPU.
- Intel CPU microcode updates (especially important for Intel 13/14gen)
- AMD AGESA updates
- Intel ME firmware and security updates.
- Many vendors changed default settings for improved TPM and Secure Boot default settings, to comply with Windows 11 requirements.
Prerequisites:
In all cases, make sure that for portable devices, PCs and servers your power remains connected and you do not shut down, restart (unless prompted) or power off during the update.
Before starting:
- Connect Power (esp. portable devices)
- Make sure to pause / suspend (not disable) BitLocker, if enabled, and make sure you can access your Microsoft Account via mobile to access the BitLocker recovery key in the worst case.
Updating UEFI on OEM Hardware:
OEM hardware vendors often provide validated UEFI updates directly via Windows Update. These also take care of suspending BitLocker. The power connection advice applies. WU will not prompt you for this.
Security recommendation:
If you can select it, in UEFI security settings, I would disable SHA-1 / SHA-128 and enable SHA-256 and higher. If you have 256 and 384 support, it's fine to enable both.
For custom-built PCs please refer to the mainboard vendor's manual. They are worth a read.
3. What about VMs?
If you have a TPM, vTPM / fTPM on your hardware and properly configured in UEFI, on top of that, in modern versions of Hyper-V on Windows Client and Windows Server you can enable vTPM for VMs. These have to be Generation 2, VM Version 9.0 or later and have UEFI enabled.
This vTPM offers the same security layer as on physical hardware.
Mind that this is also available for recent VMware ESXi 7.0 or later / vSphere but often not enabled or embraced as VM default.
4. What about Windows Server 2025?
Windows Server 2022 and 2025 do benefit from the TPM and Secure Boot, same as Windows 11 Clients, however the setup does not enforce specific settings.
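
The "Before starting" steps in the comment above (power connected, BitLocker suspended rather than disabled, recovery key reachable) can be checked from an elevated PowerShell session before a manual UEFI update. This is an added example, not part of the original comment; the variable names `$SuspendNow` and `$Reboots` are hypothetical, and it uses the built-in TrustedPlatformModule, SecureBoot and BitLocker cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original comment): pre-flight checks before a
# manual UEFI update. $SuspendNow and $Reboots are hypothetical names.
$SuspendNow = $false   # set to $true to actually suspend BitLocker
$Reboots    = 1        # restarts BitLocker stays suspended for (0-15; 0 = until resumed)

# TPM as Windows sees it; SpecVersion starts with "2.0" for a TPM 2.0.
$tpm  = Get-Tpm
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
         -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)  spec: $spec"

# Secure Boot state; the cmdlet throws on legacy BIOS (non-UEFI) systems.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot: not available ($($_.Exception.Message))" }

# Power: Win32_Battery.BatteryStatus 1 means the battery is discharging.
# Desktops and servers return no instance and pass this check.
$onBattery = Get-CimInstance Win32_Battery | Where-Object BatteryStatus -eq 1
if ($onBattery) { Write-Warning 'Running on battery. Connect power first.'; return }

# BitLocker: only volumes with protection on need suspending.
foreach ($vol in (Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On')) {
    $recovery = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        Write-Warning "$($vol.MountPoint): no recovery password protector; not suspending."
        continue
    }
    # Show the protector ID so it can be matched against the key stored in
    # the Microsoft account before anything is changed.
    "$($vol.MountPoint): recovery key ID $($recovery.KeyProtectorId -join ', ')"
    if ($SuspendNow) {
        # Suspend keeps the volume encrypted; protection resumes by itself
        # after $Reboots restarts (Disable-BitLocker would decrypt instead).
        Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount $Reboots | Out-Null
        "$($vol.MountPoint): protection suspended for $Reboots reboot(s)"
    }
}
```

After the update, `Get-BitLockerVolume` should show `ProtectionStatus` back at `On`; if it does not, `Resume-BitLocker` re-enables protection.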