With Windows 10 end of support approaching, it’s important to revisit a key minimum system requirement for Windows 11: Trusted Platform Module (TPM) 2.0. Let’s discuss the role of TPM and its value for those of you who have made the transition to Windows 11. You’ll also learn how to check your TPM status and how to prepare for Windows 11.
What is TPM?
TPM refers to a dedicated security chip, or equivalent firmware running in an isolated environment on the CPU, that offers hardware-level security services for your device. It securely houses encryption keys, certificates, passwords, and other sensitive data, shielding them from unauthorized access. Additionally, a TPM performs cryptographic operations such as generating random numbers, encrypting and decrypting data, and verifying digital signatures. TPMs are available from many different manufacturers, including Microsoft on supported CPUs with Pluton. To learn more, read Trusted Platform Module Technology Overview.
You know that Windows 10 is approaching end of support. In Windows 11, TPM 2.0 offers broader and more flexible cryptography and key management than its predecessor, TPM 1.2: TPM 1.2 was limited to RSA and SHA-1, while TPM 2.0 is algorithm-agile and supports SHA-256, ECC and other current algorithms. Integrating with features like Secure Boot and Windows Hello for Business, TPM 2.0 enhances security by helping ensure that only verified software runs at startup and by protecting credentials and keys in hardware. It’s true that its adoption might require a change for your organization. Yet it represents an important step toward more effectively countering today’s security challenges.
New security challenges addressed by TPM 2.0
TPM 2.0 helps keep identities and data better protected. Can you verify operating system integrity at startup? Yes. Can you better protect sensitive information, data, and secrets? Yes. It gives Windows 11 a stronger, more capable platform through current industry standard cryptography, increased isolation of key material, and closer integration with other Windows security functions.
Improved industry standard cryptography
A notable enhancement is that TPM 2.0 is standardized as ISO/IEC 11889:2015. This means that TPM 2.0 can accommodate the broader set of cryptographic algorithms, key types, and certificates that a wide range of industries need. Secure Boot validates the signatures of firmware and boot components at startup so that only trusted software launches; the TPM complements it by recording measurements of each boot stage in its Platform Configuration Registers (PCRs), which BitLocker and device attestation use to detect tampering with the boot environment.
Increased isolation
TPM 2.0 isolates cryptographic operations, such as the storage and use of keys, from the main CPU and operating system. This creates a separate domain for critical operations and reduces the risk of interference and manipulation by software running on the host, even software with kernel privileges. Note the limit of this isolation: it protects the key material itself from being read out, but software that has been granted access can still ask the TPM to use a key, so the TPM should be paired with the operating system protections described below.
Seamless integration with Windows security capabilities
TPM 2.0 also integrates with newer security functionalities such as Credential Guard and Windows Hello for Business. Credential Guard helps protect secrets using virtualization-based security, while Windows Hello for Business replaces passwords with a device-bound credential: a private key generated in and protected by the TPM, unlocked with a PIN or a biometric gesture, which gives you two-factor authentication without a password.
The Microsoft BitLocker disk encryption tool uses TPM 2.0 to provide enhanced data protection in several important ways.
- Encryption key protection. BitLocker seals its volume master key with the TPM, so the key is never stored in plain form on the disk and is released only when the TPM's boot measurements match those recorded when BitLocker was enabled. This protects the key from unauthorized access and tampering.
- Boot integrity. When BitLocker is enabled on a TPM 2.0 system, the boot process is measured into the TPM's PCRs. If firmware, the boot manager or the boot configuration has changed unexpectedly, the TPM will not release the key and the device prompts for the recovery password instead of booting into a modified environment.
- Multifactor authentication (MFA). BitLocker supports MFA on top of the TPM: TPM plus a startup PIN, TPM plus a startup key on USB, or both. This adds protection for the operating system drive against attacks that rely on the TPM releasing the key automatically at boot, such as DMA or bus-sniffing attacks against an unattended device.
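The following PowerShell is an added example for this article, not Microsoft's or BitLocker's own tooling. It audits the key protectors on the OS volume with the BitLocker module cmdlets, reports whether the key is sealed to the TPM, whether a second factor is required and whether a recovery password is escrowed, and shows how to swap a TPM-only protector for TPM+PIN. It assumes an elevated session on a Windows client with the BitLocker module, and that Group Policy permits a startup PIN; the function names and the `hosts`-style usage lines are the example's own.

```powershell
# Added example (not part of the original article or of BitLocker itself).
# Audit BitLocker key protectors on the OS volume and classify the posture.
# Requires the BitLocker PowerShell module and an elevated session.

function Get-BitLockerTpmPosture {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # TPM-bound protector types; the last three also require a second factor at boot.
    $tpmBound = @($types | Where-Object { $_ -in 'Tpm','TpmPin','TpmStartupKey','TpmPinStartupKey' }).Count -gt 0
    $mfa      = @($types | Where-Object { $_ -in 'TpmPin','TpmStartupKey','TpmPinStartupKey' }).Count -gt 0
    $recovery = $types -contains 'RecoveryPassword'

    $finding = if ("$($vol.ProtectionStatus)" -ne 'On') { 'Protection off: not enabled or suspended' }
               elseif (-not $tpmBound) { 'Key not sealed to TPM (password or external key only)' }
               elseif (-not $recovery) { 'No recovery password: add one and back it up before changing protectors' }
               elseif (-not $mfa)      { 'TPM-only unlock: add a PIN so the key is not released automatically at boot' }
               else                    { 'OK' }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = "$($vol.VolumeStatus)"
        EncryptionMethod = "$($vol.EncryptionMethod)"
        Protectors       = ($types -join ', ')
        Finding          = $finding
    }
}

# Remediation for the TPM-only finding. BitLocker allows one TPM-based protector
# per volume, so the bare TPM protector is removed and replaced by TPM+PIN; the
# recovery password (checked first) keeps the volume recoverable during the swap.
# Group Policy "Require additional authentication at startup" must allow a PIN.
function Set-BitLockerTpmPin {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })) {
        throw "Refusing to change protectors on $MountPoint without an escrowed recovery password."
    }
    $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    Get-BitLockerTpmPosture -MountPoint $MountPoint
}

# Usage:
# Get-BitLockerTpmPosture
# Set-BitLockerTpmPin -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Run the audit first and act on the finding in order: a volume with no recovery password should get one (and have it backed up to Active Directory or Microsoft Entra ID) before any protector is removed, because the swap briefly leaves the volume protected by the recovery password alone.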
In summary, TPM 2.0 plays a crucial role in enhancing identity and data protection on Windows devices, as well as maintaining the integrity of your system. Paired with the device attestation service from Microsoft Intune, TPM 2.0 can help your company move forward on your Zero Trust journey. This hardware-based security feature, alongside security features built into Windows, strengthens your defense against evolving threats and helps safeguard your organization's data and reputation.
The value of TPM 2.0 on Windows 11 today and tomorrow
These capabilities were a major reason for raising the hardware and system requirements in Windows 11. In an age where cybersecurity threats constantly evolve, our safeguards need to advance just as rapidly.
Today. From supporting current cryptographic algorithms to protecting keys and credentials in hardware, TPM 2.0 is essential to counteracting present-day cyber risks. As such, you should not bypass the TPM requirement check when installing or upgrading Windows 11 endpoints, and you should keep the TPM enabled in firmware. Using TPM functionality for hardware-based endpoint security and Zero Trust gives organizations a powerful tool to mitigate significant security risks and potential data breaches.
Tomorrow. TPM 2.0 also helps future-proof Windows 11, for example by protecting keys and sensitive information as more AI capabilities arrive on physical devices, in the cloud, and in server architectures. The long-term benefits of enhanced security contribute to more than one of your compliance goals, and prepare you for evolving regulatory standards and industry best practices.
By instituting TPM 2.0 as a non-negotiable standard for the future of Windows, we elevate the security benchmark. It allows you and us to better align with the growing need for formidable data protection in the modern digital sphere.
Check the TPM status of your devices
As an IT admin, you’re responsible for ensuring the security and compliance of your organization's IT infrastructure. One of the key requirements for Windows 11 is a TPM 2.0 on your hardware, either a discrete chip or a firmware TPM. It provides the key protection and attestation capabilities that help protect your data and devices from unauthorized access.
Unsure whether, and which, devices in your organization already meet this hardware requirement? Follow these steps to find out.
If you’re using Microsoft Intune:
- Open the Microsoft Intune admin center.
- Navigate to Devices > All devices.
- Select a device from the list.
- In the device Properties, navigate to Hardware.
- Locate the Security section to find TPM information, including the version and status.
If you’re using Microsoft Configuration Manager:
- Open the Configuration Manager console.
- Navigate to Assets and Compliance > Overview > Device Collections.
- Select the desired device collection.
- Select a device and select Start > Resource Explorer.
- In the Resource Explorer, expand Hardware > Security > TPM.
- Check the version information and status from the TPM resource. The SpecVersion value begins with the TPM family, for example 2.0 or 1.2.
Devices that have TPM 2.0 enabled can already use the Windows 11 defaults and realize the security benefits described above.
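For devices not yet enrolled in Intune or Configuration Manager, or to spot-check what those consoles report, the same information is available from the Win32_Tpm WMI class. The PowerShell below is an added example for this article, not a Microsoft tool: it queries the TPM family version, enabled and activated state and Secure Boot on the local machine or on remote hosts over WinRM and reports a Windows 11 readiness verdict. It assumes an elevated session, WinRM enabled on remote targets, and that the host names in the usage lines are placeholders.

```powershell
# Added example (not part of the original article or of any Microsoft tool).
# Inventory TPM spec version, state and Secure Boot on one or more Windows hosts.
# Assumes an elevated session; remote hosts assume WinRM is enabled.

function Get-TpmReadiness {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    begin {
        # Runs on each target. Win32_Tpm has no instance when no TPM exists or
        # when the TPM is disabled in UEFI firmware, so "no instance" means "not ready".
        $probe = {
            $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
            $secureBoot = $null
            try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS boot
            [pscustomobject]@{
                SpecVersion = if ($tpm) { $tpm.SpecVersion } else { $null }   # e.g. "2.0, 0, 1.38"
                Enabled     = if ($tpm) { [bool]$tpm.IsEnabled_InitialValue } else { $false }
                Activated   = if ($tpm) { [bool]$tpm.IsActivated_InitialValue } else { $false }
                SecureBoot  = $secureBoot
            }
        }
    }

    process {
        foreach ($name in $ComputerName) {
            try {
                $r = if ($name -eq $env:COMPUTERNAME) { & $probe } else {
                    Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop
                }
            } catch {
                [pscustomobject]@{
                    ComputerName = $name; TpmFamily = $null; Enabled = $false; Activated = $false
                    SecureBoot = $null; Win11Ready = $false; Note = "Query failed: $($_.Exception.Message)"
                }
                continue
            }

            # The first comma-separated field of SpecVersion is the TPM family: "1.2" or "2.0".
            $family = if ($r.SpecVersion) { ($r.SpecVersion -split ',')[0].Trim() } else { $null }
            $ready  = ($family -eq '2.0') -and $r.Enabled -and $r.Activated
            $note   = if (-not $family)                { 'No TPM reported: absent, or disabled in UEFI firmware' }
                      elseif ($family -ne '2.0')       { "TPM $family found; Windows 11 requires 2.0" }
                      elseif (-not $ready)             { 'TPM 2.0 present but not enabled/activated' }
                      elseif ($r.SecureBoot -ne $true) { 'TPM ready; Secure Boot is off or firmware is not UEFI' }
                      else                             { 'OK' }

            [pscustomobject]@{
                ComputerName = $name
                TpmFamily    = $family
                Enabled      = $r.Enabled
                Activated    = $r.Activated
                SecureBoot   = $r.SecureBoot
                Win11Ready   = $ready
                Note         = $note
            }
        }
    }
}

# Usage (host names are placeholders):
# Get-TpmReadiness                                                   # local machine
# 'PC01','PC02' | Get-TpmReadiness | Format-Table                    # remote machines over WinRM
# Get-TpmReadiness -ComputerName (Get-Content .\hosts.txt) | Export-Csv .\tpm-inventory.csv
```

A device that reports no Win32_Tpm instance is not necessarily missing a TPM: on many machines the firmware TPM (Intel PTT or AMD fTPM) or discrete TPM is simply disabled in UEFI setup, and enabling it is enough to turn the verdict green without a hardware purchase.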
Steps toward TPM 2.0 and Windows 11
For devices that don’t already have TPM 2.0, here is how you can prepare for the Windows 11 upgrade:
- Evaluate current hardware for TPM 2.0 compatibility. Conduct a thorough assessment of existing hardware with tools like Microsoft Intune. Determine which systems meet the TPM 2.0 requirement and identify any upgrades needed. Keep in mind that many devices ship with a TPM 2.0 that is disabled in firmware; enabling it in UEFI setup (on recent CPUs the option is often labeled Intel PTT or AMD fTPM) may be all that is required.
- Plan and budget for upgrades. Develop a detailed plan and budget for upgrading non-compliant hardware to TPM 2.0. Consider the long-term benefits of enhanced security and compliance with regulatory standards.
- Review security policies and procedures. Update the organization's security policies and procedures to incorporate the use of TPM 2.0. Facilitate team member training on new protocols and the importance of maintaining a secure IT environment.
Tip: For additional information and resources, see How to prepare for Windows 10 end of support by moving to Windows 11.
In conclusion, TPM 2.0 is not just a recommendation—it’s a necessity for maintaining a secure and future-proof IT environment with Windows 11. And it’s an important part of the larger Zero Trust strategy, alongside Secure Boot, Credential Guard, and Windows Hello for Business. Learn more about it by watching Windows 11 Security—Our Hacker-in-Chief Runs Attacks and Shows Solutions. Embracing this change better protects your systems against evolving cyber threats, ultimately helping to safeguard your organization's data and reputation.