What is TPM 2.0?

A Trusted Platform Module (TPM) is a security chip that is integrated into the motherboard of your laptop or desktop computer. TPM creates a secure environment for checking system integrity, authenticating users, and saving keys and passwords. TPM 2.0 was released in 2018 and comes with a set of new features, including the use of various hash algorithms, PINs, and user-defined key management.

Quick overview: what does TPM do?

Most users are familiar with common defences against malware, rootkits and ransomware. Firewalls, antivirus programs and two-factor authentication are common go-to security measures. A Trusted Platform Module (TPM) is a security chip that provides your system with an extra layer of protection.

The TPM chip is physically integrated into laptops and desktop computers and helps with device and user authentication, checking for system integrity and software licenses. Another important feature is the ability to save cryptographic keys, passwords and certificates. TPM creates a secure environment that’s protected from manipulations, meaning that it can check various software and hardware components to ensure their security during bootup. If the chip finds any manipulations, it will sound an alarm. Whereas TPMs used to come as separate security chips, these days they are usually integrated into new computers.

Where does TPM 2.0 come from?

TPM was developed by the Trusted Computing Group (TCG) and standardised by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 11889:2209 in 2009. The first definitive TPM was released on March 3, 2011, as TPM Version 1.2. TPM 2.0 was released in 2019 as ISO/IEC 11889:2015 with new security features, including updates to the TPM architecture and TPM commands and support routines.

Where is TPM 2.0 located?

Since TPM 2.0 chips function as dedicated processors, they’re integrated directly into the motherboard. Most new laptops and PCs come with factory-integrated TPMs and TPM compatibility. You might also find motherboards that don’t offer a pre-installed TPM 2.0 chip but have a slot for an additional chip. That way you can use a TPM chip separately from the CPU. If you’re purchasing your own TPM chip, you should try to get one from the same manufacturer and year of production as your motherboard.

Does Windows 11 require TPM 2.0?

TPM 2.0 is a hardware requirement for Windows 11. For many Windows users, this was the first time they had heard about TPM. If your computer doesn’t have a TPM or TPM 2.0 isn’t enabled, you’ll get a notification saying that TPM couldn’t be found or isn’t compatible. A UEFI (Unified Extensible Firmware Interface) with secure boot is also required.

TPM 2.0 is used in Windows 11 and other versions for the following:

• Windows Hello: biometric access control and identification using fingerprint and/or iris scan, facial recognition with Endorsement Key (EK) and Attestation Identity Key (AIK)
• BitLocker drive encryption: for encrypting logical volumes and thus entire drives
• Virtual smart cards: similar to physical smart cards, virtual smart cards help with access control for external systems and resources
• TPM start metrics: with TPM metrics about the Windows bootup state, the integrity of system components and Windows configurations can be checked by measuring start sequences
• AIK certificates: AIK certificates saved in TPM compare start data that has been collected with metrics about the devices’ state
• Defence against dictionary attacks: protection from brute force attacks that try to bypass password protection with automated queries of dictionary lists
• Credential guard: isolates login and user data and protects saved keys using virtualisation-based security checks

What are the advantages of TPM 2.0?

TPM comes with the following advantages:

• Generating and saving cryptographic keys, passwords and certificates for extra secure encryption methods
• Detecting manipulations in BIOS code using a check value in the Platform Configuration Register (PCR) 17
• TPM 2.0 has a new algorithm exchange function for simultaneous use of different algorithms
• Verification signatures support PINs and positioning data using biometric or global access controls
• Checking software licences using digital rights management (DRM)
• Ensuring platform integrity using configuration metrics that check startup sequences for security and changes
• Authentication of system hardware with RSA cryptosystems
• Endorsement Keys (EK) and Attestation Keys (AIK) use hashing to check the security and integrity of the system
• Optimising protection from malware, ransomware, brute force attacks and phishing, in combination with firewalls, smart cards, biometric access control and antivirus programs

How can you check for TPM 2.0 on your own device?

Want to know whether your Windows device is already equipped with TPM 2.0? Below we have listed a few different ways you can check for TPM 2.0 and see whether it’s enabled. Note that even factory-installed TPM 2.0 chips aren’t always automatically enabled.

Open the TPM 2.0 management tool

Step 1: enter ‘tpm.msc’ into the search bar. This command will open the integrated TPM management tool.

Step 2: if your computer has a dedicated TPM 2.0 chip, you’ll see information about the TPM version. If you don’t have a TPM 2.0 chip, Windows will inform you that there’s no compatible TPM component.

Open the device manager

Step 1: use the Windows shortcut [Windows] + [X] to open the Quick Link menu. Then go to ‘Device Manager’.

Step 2: navigate to ‘Security devices’ and click on it. If you have TPM 2.0, you’ll see ‘Trusted Platform Module 2.0’ there.

Open command prompt

Step 1: use the shortcut [Windows] + [R] to open the ‘Run’ dialog box. Enter ‘cmd’ and then use the shortcut [Windows] + [Shift] + [Enter]. This will open the command prompt with admin privileges.

Step 2: enter the following command:

wmic /namespace:\\root\cimv2\security\microsoftTPM 2.0 path win32_TPM 2.0 get /value.

If you have TPM 2.0, you’ll see ‘SpecVersion=’ in the last line, with information on the chip’s version.

How can you check for and enable TPM 2.0?

The status of TPM 2.0 on your computer has a lot to do with how old it is. Newer computers typically come with pre-integrated TPMs that are enabled by default. There are no guarantees. In some cases, you might need to update your BIOS or UEFI.

There are a few different ways to disable or enable TPM 2.0:

Disable or enable TPM 2.0 in BIOS

To enable TPM 2.0:

Step 1: restart your computer and open BIOS. Depending on your operating system and device, press [F2], [F12] or [Del] during bootup. Note that you should always make a system backup and back up important keys, passwords and certificates before you make changes in BIOS.

Step 2: once you’re in BIOS, open ‘Security’ and navigate to ‘Trusted Computing’.

Step 3: activate the item ‘Security Device Support’.

Step 4: under ‘TPM 2.0 Device’, navigate to ‘PTT’ and activate that item.

Step 5: after you’ve saved the changes, restart your computer.

To disable TPM, complete the same steps but deactivate the items instead of activating them.

Disable or enable TPM 2.0 using TPM 2.0 management tool

To enable TPM 2.0:

Step 1: enter the command ‘tpm.msc’ in the Windows search bar, then press [Enter].

Step 2: once you’re in the TPM management tool, navigate to ‘Action area > Activate TPM 2.0’. On the page ‘Activate TPM 2.0 security hardware’, you’ll find extensive information about the next steps.

Step 3: click ‘Shut down’ or ‘Restart’. Then follow the indicated UEFI steps.

Step 4: during bootup, agree to the new TPM 2.0 configuration. This is how your system ensures that only authenticated users can make changes. You’ve now enabled TPM 2.0 in Windows.

To disable TPM, open the TPM management tool and go to ‘Action area > Deactivate TPM 2.0’. Select ‘Deactivate TPM 2.0 security hardware’ and decide whether you want to enter the owner password using removable media, enter it manually or deactivate without entering a password.

What happens when you disable TPM 2.0?

Deleting or disabling TPM 2.0 can sometimes lead to an unintentional loss of data, including cryptographic keys, certificates and passwords. To prevent that from happening, take the following security measures:

• Create a backup of the data you have saved on TPM 2.0.
• Only delete or disable TPM 2.0 on your own devices or with permission from the IT admin.
• Check what the owner’s manual has to say about TPM or look it up on the manufacturer’s website.
• Deactivate TPM 2.0 using the TPM management tool. If you make changes in BIOS, create a backup of the system.

What types of TPM 2.0 are out there?

There are a few different types of TPMs, which mostly differ in their implementations:

• Discrete TPM 2.0: discrete TPM 2.0 is a dedicated security chip that provides support for various encryption algorithms and protection from manipulation. It gives rise to very few errors.
• Physical-based TPM 2.0: TPMs integrated in CPUs provide physical security features for protecting from manipulations and malware.
• Firmware-based TPM 2.0: much like physical-based TPM 2.0, firmware-based TPM 2.0 uses a secure CPU environment to prevent manipulations and unauthenticated changes.
• Virtual TPM 2.0: hypervisors can create a virtual TPM 2.0, which generates security keys independent of virtual machines.
• Software-based TPM 2.0: software-based TPM 2.0 is not recommended due to its high susceptibility to errors and malware as well as lack of benefits that warrant such a risk.