Blog Post

Windows IT Pro Blog

5 MIN READ

TPM 2.0 – a necessity for a secure and future-proof Windows 11

Microsoft

Dec 03, 2024

With Windows 10 end of support approaching, it’s important to revisit a key minimum system requirement for Windows 11: Trusted Platform Module (TPM) 2.0. Let’s discuss the role of TPM and its value for those of you who have made the transition to Windows 11. You’ll also learn how to check your TPM status and how to prepare for Windows 11.

What is TPM?

TPM refers to a dedicated chip or firmware that offers hardware-level security services for your device. It securely houses encryption keys, certificates, passwords, and sensitive data, shielding them from unauthorized access. Additionally, TPM is tasked with cryptographic operations such as producing random numbers, encrypting and decrypting data, and confirming digital signatures. TPMs are available from many different manufacturers, including Microsoft on supported CPUs with Pluton. To learn more, read Trusted Platform Module Technology Overview.

You know that Windows 10 is approaching end of support. In Windows 11, TPM 2.0 advanced encryption techniques offer more versatile and critical key management for contemporary IT infrastructures, as compared to its predecessor, TPM 1.2. Integrating with features like Secure Boot and Windows Hello for Business, TPM 2.0 enhances security by ensuring that only verified software is executed and protecting confidential details. It’s true that its implementation might require a change for your organization. Yet it represents an important step toward more effectively countering today’s intricate security challenges.

New security challenges addressed by TPM 2.0

TPM 2.0 helps keep your identities more secure and your data protection more robust. Can you ensure operating system integrity upon startup? Yes. Can you better protect sensitive information, data, and secrets? Yes. It provides a vastly more efficient and secure platform for Windows 11 to use through advanced encryption methods, improved industry standard cryptography, increased isolation, and greater interoperability with other security functions.

Improved industry standard cryptography

A notable enhancement is that TPM 2.0 aligns to ISO standard. This means that TPM 2.0 can accommodate an extensive array of cryptographic algorithms, encryption keys, and certificates that a wide range of industries need. Crucially, protocols like Secure Boot validate operating system integrity upon startup. TPM 2.0 helps you ensure that only trusted software launches.

Increased isolation

TPM 2.0 isolates cryptographic processes like the storage and use of keys from the main CPU. This way, it helps create a secure domain for critical operations and reduces the risk of interference and manipulation. This level of isolation helps ensure that sensitive information remains protected from potential threats.

Seamless integration with Windows security capabilities

TPM 2.0 also seamlessly integrates with newer security functionalities such as Credential Guard and Windows Hello for Business. Credential Guard helps protect secrets using virtualization-based security, while Windows Hello for Business replaces passwords with robust two-factor authentication.

The Microsoft BitLocker disk encryption tool uses TPM 2.0 to provide enhanced data protection in several important ways.

Encryption key storage. BitLocker uses TPM 2.0 to help securely store encryption keys. This way, the keys are protected from unauthorized access and tampering.
Secure Boot. When BitLocker is enabled on a TPM 2.0 system, it helps ensure that the system boots securely. The boot process is verified and any unauthorized changes to the boot environment are detected.
Multifactor authentication (MFA). BitLocker supports MFA, which can be combined with TPM 2.0 for added security. This provides an extra layer of protection for the operating system drive.

In summary, TPM 2.0 plays a crucial role in enhancing identity and data protection on Windows devices, as well as maintaining the integrity of your system. Paired with the device attestation service from Microsoft Intune, TPM 2.0 can help your company move forward on your Zero Trust journey. This hardware-based security feature, alongside security features built into Windows, enhances defense against evolving cyber hazards. More than ever before, it helps safeguard your organization's data integrity and reputation.

The value of TPM 2.0 on Windows 11 today and tomorrow

These augmented capabilities largely drove the decision to update hardware and system requirements exclusively for Windows 11. In an age where cybersecurity threats constantly evolve, our safeguard measures need to advance just as rapidly.

Today. From supporting more intricate encryption algorithms to adding cryptographic functionality, TPM 2.0 is essential to counteracting present-day cyber risks. As such, you should not disable TPM checks on Windows 11 endpoints. Using TPM functionality for hardware-based endpoint security and Zero Trust offers organizations a powerful tool to mitigate significant security risks and potential data breaches.

Tomorrow. TPM 2.0 also helps future-proof Windows 11. One way it does so is by helping to protect sensitive information as more AI capabilities come to physical, cloud, and server architecture. The long-term benefits of enhanced security contribute to more than one of your compliance goals. It prepares you for evolving regulatory standards and industry best practices.

By instituting TPM 2.0 as a non-negotiable standard for the future of Windows, we elevate the security benchmark. It allows you and us to better align with the growing need for formidable data protection in the modern digital sphere.

Check the TPM status of your devices

As an IT admin, you’re responsible for ensuring the security and compliance of your organization's IT infrastructure. One of the key requirements for Windows 11 is the presence of a TPM 2.0 chip on your hardware. This chip provides encryption and authentication capabilities that help protect your data and devices from unauthorized access.

Unsure whether and which devices in your organization already meet this hardware requirement? Follow these steps to find out.

If you’re using Microsoft Intune:

Open the Intune Portal.
Navigate to Devices > All devices.
Select a device from the list.
In the device Properties, navigate to Hardware.
Locate the Security section to find TPM information, including the version and status.

If you’re using Microsoft Configuration Manager:

Open the Configuration Manager console.
Navigate to Assets and Compliance > Overview > Device Collections.
Select the desired device collection.
Select a device and select Start > Resource Explorer.
In the Resource Explorer, expand Hardware > Security > TPM.
Check the version information and status from the TPM resource.

Devices that have TPM 2.0 can already use the defaults of Windows 11 and realize the benefits of the most secure Windows ever.

Steps toward TPM 2.0 and Windows 11

For devices that don’t already have TPM 2.0, here is how you can prepare for the Windows 11 upgrade:

Evaluate current hardware for TPM 2.0 compatibility. Conduct a thorough assessment of existing hardware with tools like Microsoft Intune. Determine which systems meet the TPM 2.0 requirements and identify any upgrades needed.
Plan and budget for upgrades. Develop a detailed plan and budget for upgrading non-compliant hardware to TPM 2.0. Consider the long-term benefits of enhanced security and compliance with regulatory standards.
Review security policies and procedures. Update the organization's security policies and procedures to incorporate the use of TPM 2.0. Facilitate team member training on new protocols and the importance of maintaining a secure IT environment.

Tip: For additional information and resources, see How to prepare for Windows 10 end of support by moving to Windows 11.

In conclusion, TPM 2.0 is not just a recommendation—it’s a necessity for maintaining a secure and future-proof IT environment with Windows 11. And it’s an important part of the larger Zero Trust strategy, alongside Secure Boot, Credential Guard, and Windows Hello for Business. Learn more about it by watching Windows 11 Security—Our Hacker-in-Chief Runs Attacks and Shows Solutions. Embracing this change better protects your systems against evolving cyber threats, ultimately helping to safeguard your organization's data and reputation.

Updated Dec 10, 2024

Version 2.0

Microsoft

Joined September 20, 2020

View Profile

Windows IT Pro Blog

Follow this blog board to get notified when there's new activity

48 Comments

John A
Copper Contributor
Feb 12, 2025
This has to be a bot. It's completely oblivious to the fact that Windows 11 is a disaster and that people actively hate it and are willing to go to Linux, instead of downgrading to this malware/adware utter garbage.
jarvsrzr
Copper Contributor
Dec 19, 2024
As soon as Windows 10 dies, I will migrate to Linux, it's already decided.
Jay_Libove_Fe
Copper Contributor
Dec 14, 2024
Pure environmentally-destructive, classist, Microsoft-spewing bunk. Of course having a TPM 2.0 is security-better than not having it, but Microsoft's insistence that only people who can afford to spend money replacing still-functional hardware for whom just-plain-having-it is far more important than the somewhat theoretical security benefits of having-it-even-more-secure is both a social and environmental crime, for which governments worldwide should be applying political and legal pressure against Microsoft to drop this requirement.
devnull1024
Copper Contributor
Dec 13, 2024
Excuse me sir. but what universe do you stay in? Please try imagine there is high number people living out of US with significant difference in income and change of HW has for them serious impact to budget. Please return on the Earth
dr_orange
Copper Contributor
Dec 10, 2024
And just like that...

This entire post is moot, destroyed, out of date, WRONG.
I knew these insane requirements for EVERYONE to adhere to would not last in the face of a BILLION Windows 10 installs out there like a world-wide ticking time bomb.
Expecting people to just throw away a billion perfectly good computers to take an OS that people are... at best fairly indifferent to, is completely laughable if it were not such a dangerous precedent to set.
You may dangle the 'not supported' moniker like it matters to all but < 1% of your install base out there, and making it difficult means more people will end up getting it from nefarious malware'd sources (I wonder how many already have), and you're doing this under the badge of 'security'!?!?!?!?
I'll be honest compared to many - I don't know why you're doing this. You built up so much good reputation with Windows 10 that pretty much the world got onboard, and now you have spent the last 2 years completely destroying that carefully built-up earned reputation by holding the world to this. Windows 11 could have been seen as the next-gen Windows 10 for performance / security / AI etc, but if you keep playing Russian Roulette... expect more Macbook / Linux / Chromebook uptake, because people won't keep playing your game.
Lastly... GREEN!!! - How can you possibly claim ANY green credentials by condemning SO many computers to landfill!?!? It's an ecological disaster.
PS - I'm writing this on my PERFECTLY WORKING 4th gen i4790k running Windows 11 since the beginning. I do actually like Windows 11 and would not go back... just don't give any reason to!
- AgentOrange96
  Brass Contributor
  Dec 11, 2024
  If you're referring to this:
  https://support.microsoft.com/en-us/windows/installing-windows-11-on-devices-that-don-t-meet-minimum-system-requirements-0b2dc4a2-5933-4ad4-9c09-ef0a331518f1
  
  They are not committing to security updates, which is the entire issue to begin with. Obviously we cannot TPM specific security updates, but the rest should not be withheld. Until Microsoft allows older PCs to update to Windows 11 with a commitment of as much support as Windows 10 has now, these systems are still in danger.
  Also, my main desktop has a 4770k and runs very well, so I have no doubts your 4790k is doing quite well too! :D
  - dr_orange
    Copper Contributor
    Dec 11, 2024
    That is the correct post which is in fair contrast to this one. Reducing the barrier from using something like Rufus or registry tweaking to pressing a single 'Accept' button is only one step away from pressing the green light.
    
    In terms of updates, especially the big ones (23H2, 23H2 etc), time will tell.
    
    Glad you're having a good time on that legend processor! 🙂
AstroKev
Copper Contributor
Dec 10, 2024
It's impossible to ignore the fact that security is of the ut-most importance now more than ever, so these requirements for better hardware security are difficult reality to ignore. If it is something a consumer either doesn't care about or doesn't think is important, well thats fine, but perhaps they should reevaluate depending on how they use their device(s).

From a business perspective data loss is much more expensive than hardware replacement. So for businesses this seems like a no-brainer. The discussion around e-waste is hard to ignore however, but there is an oppurtunity for these devices to enter the consumer world running some flavour of Linux, for example. I hope this occurs, as it does seem like a huge waste for these devices to not be properly recycled or just repurposed completely in a non-enterprise context.

And again for myself as an individual, I don't necessarily want businesses that control my data in some capacity to be running hardware that can be more easily exploited-- it feels as if people are not looking at it in this way.

This article is clearly targetted towards enterprises and IT Admins, it's important for those managing these devices in a business to understand how and why this is happening. But as an individual I think it is important to consider things like TPM and the role it plays in your everyday computing life-- but also if that matters to you.
There are other options from Windows 10 that are just as viable for consumers to adopt, and I think that should be a larger part of the conversation rather than "Microsoft bad", which just feels unproductive.
- floyd
  Copper Contributor
  Dec 10, 2024
  In general, I agree with you.
  But the decision should remain with the user.
  Forcing a TPM 2.0 during installation or just demanding it are different approaches.
  the first claims “i know what you need (because i am omniscient)” the second says “i strongly advise you to...”
  every vehicle has an airbag installed. but if i deactivate the airbag, no manufacturer would think of deactivating the ignition
  Translated with DeepL.com (free version)
- AgentOrange96
  Brass Contributor
  Dec 10, 2024
  I agree that businesses should be running up to date hardware and value security highly. This should be factored into their cost. And used enterprise machines are wonderful deals for consumers. And that's all well and good. But you are way too dismissive of the home user. Whether this post is intended for IT admins or not, this applies to non-commercial users as well. People, so their situation matters.
  
  You mentioned Windows 10 and Linux as options. Linux cannot run all software a consumer may need well, and even those you can make work with WINE will often be above the average consumer's ability. Windows, unfortunately, is a requirement for many. Windows 10 loses support in a year without paying a fee. And then it loses support a year later regardless.
  
  By not allowing individuals to upgrade without a TPM and ending support for older versions of Windows, Microsoft is taking these old systems from not top-notch secure to very insecure. Right now, it is mostly safe for the average customer to connect their Windows 10 machine to the internet without a TPM. The risk of something bad happening is low. However if you connect a Windows XP system to the internet, which is long unsupported, the risk is quite high. This makes Windows 10, right now, a viable OS for most individuals and Windows XP not. Without support, Windows 10 will become more like Windows XP, and there is NOTHING an end user can do about it. That is what everyone is up in arms about. That should not just be brushed away with a "but enterprise."
  - Karl-WE
    MVP
    Feb 13, 2025
    Connecting XP to the Internet, last tried in 2023, results into
    
    have fun to install it in the first place. Not possible on newer HW.
    
    When installed Internet barely works as XP cannot handle TLS 1.2. At Least not without licensing violations making it fit.
- SouthFresh
  Copper Contributor
  Dec 10, 2024
  Any enterprise IT Admin worth the title is keeping their inventory within warranty cycles and this article is completely unimportant.
  
  It's hard to understand who the actual target demographic is, but I find the idea that any enterprise admin wouldn't already know this stuff...
  
  TPM 2.0 and Bitlocker are both side-channel vulnerable, so harping on their security as a necessary ingredient for any OS is just weird.
dahappychappy
Copper Contributor
Dec 06, 2024
Absolutely terrible to force people to buy new hardware. More e-waste. Microsoft is not a good company.
RainerB
Copper Contributor
Dec 05, 2024
It's ridiculous which amount of electronic waste Microsoft forces to be produced with this and similar preconditions for W11 which are forced on the user absolutely without real needs. I can just hope that users with a sane mind don't follow this dictatorship of Microsoft and look for better alternatives.
floyd
Copper Contributor
Dec 05, 2024
it's not up to microsoft to decide how much security i want or don't want on my computer.
this is part of the new culture of paternalism that has been developing for years, including at microsoft. (example “https everywhere” in general, NuGet's HTTPS enforcement, even if it is not necessary for the purpose and sometimes only comes after a long protest)
the solution would be so simple: if certain functions require a TPM2, then I simply can't use them.
- SouthFresh
  Copper Contributor
  Dec 11, 2024
  Not to mention the overbearing school mum who likes to by default hide menu options from admins in web-based admin panels. Or forces admins to constantly dismiss information-blocking popups that could have been an email.
- AgentOrange96
  Brass Contributor
  Dec 05, 2024
  Honestly nowadays the last thing anyone cares about when developing software or how their business operates is choice and consent from the customers. It's an extremely disturbing trend that Microsoft is not immune from. Although Microsoft in particular may value it a tinge more than quality control to be fair, but that bar is burried so far beneath the ground that it's not really saying much.
myron99
Copper Contributor
Dec 05, 2024
Windows 11 is the worst os from Microsoft (yes even worse than me and vista) and it's not gonna be any better from now on (unless Windows becomes open source)