If you're like most people, you didn't think about whether your
computer had a TPM (Trusted Platform Module) until Microsoft made
it part of its system requirements to run Windows 11. Now that
Windows 11 has arrived, it's a vital factor in
whether or not you'll even be able to upgrade. We'll explain what a
TPM is, how you can find out whether your system has one, and how
to enable it if it's turned off.
What is a TPM?
A TPM, or Trusted Platform Module, is a security chip that can
be embedded in a laptop or plugged into most desktop PCs. It's
basically a lockbox for keys, as well as an encryption device a PC
can use to boost its security.
For example, when you boot your PC, one chip wakes up and begins
nudging other components to warm up for the start of the day. Once
all of the hardware is ready, it goes to the storage drive to start
hauling the operating system into memory.
In a secure environment, the PC first makes sure the operating
system is secure. In fact, it may not even trust the surrounding
hardware it woke up earlier, so it checks them as well. But without
a point of reference, the PC has no idea whether any part of the
system has been tampered with. With a TPM, the PC can compare notes
using the information stored in the locked-down TPM. If it all
matches, the boot proceeds as normal. If something is amiss, red
flags go up.
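
A simplified model of how a TPM keeps that point of reference, as an added example that is not from the original article: each boot stage is hashed into a platform configuration register (PCR) with the TPM 2.0 extend rule, so a changed or reordered component yields a different final value. The stage names and contents are constructed, and real firmware measures binary images rather than strings.

```powershell
# Simplified software model of a TPM platform configuration register (PCR).
# Constructed example: no real TPM is touched, stage names are made up.
# A PCR cannot be written directly, only extended:
#   PCR_new = SHA256(PCR_old || SHA256(component))

function Get-Sha256 {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return ,$sha.ComputeHash($Bytes) } finally { $sha.Dispose() }
}

function Invoke-PcrExtend {
    param([byte[]]$Pcr, [byte[]]$Component)
    $digest = Get-Sha256 -Bytes $Component
    # Concatenate old PCR value and the new measurement, then hash again
    return ,(Get-Sha256 -Bytes ([byte[]]($Pcr + $digest)))
}

function Measure-BootChain {
    param([string[]]$Stages)
    [byte[]]$pcr = New-Object byte[] 32      # PCR starts at all zeroes after reset
    foreach ($stage in $Stages) {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($stage)
        $pcr = Invoke-PcrExtend -Pcr $pcr -Component $bytes
    }
    return [System.BitConverter]::ToString($pcr).Replace('-', '').ToLower()
}

# Reference value recorded from a known-good boot (constructed stage contents)
$knownGood = Measure-BootChain @('firmware 1.0', 'bootloader 2.3', 'os-loader 10.0')

# Same chain, but the bootloader contents differ by one character
$tampered  = Measure-BootChain @('firmware 1.0', 'bootloader 2.3x', 'os-loader 10.0')

# Same components measured in a different order
$reordered = Measure-BootChain @('bootloader 2.3', 'firmware 1.0', 'os-loader 10.0')

"known-good : $knownGood"
"tampered   : $tampered  match=$($tampered -eq $knownGood)"
"reordered  : $reordered  match=$($reordered -eq $knownGood)"
```

Because every extend folds the previous value into the next hash, a later stage cannot restore the known-good value after an earlier stage has been altered.
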
Most newer Intel CPUs feature a TPM inside of the CPU itself,
which Intel calls Platform Trust Technology.
TPMs are in most newer
TPMs originally came as standalone chips, and they
were used only in corporate computers, where security was more of a
concern and customers would pay the premium for the add-on. More
recently, AMD and Intel have integrated firmware-based TPM into
their CPUs. That's made TPM support far more available.
Pretty much any Intel CPU from 2013 (think 4th-gen Haswell) and
built for Windows 8.1 should have a firmware-based TPM. AMD has
supported firmware TPM for some time as well.
Even if firmware TPM is in place in the CPU, that doesn't mean
every PC has immediate access to it. It may need a BIOS or UEFI
update to support it. While most computers you buy from a large PC
maker typically have it in place, many retail motherboards often
don't have the BIOS support, or don't have it switched on by
This Asus Z87 motherboard made for Intel's 4th-gen Haswell
features a TPM header for an optional TPM module. On most consumer
desktops, there won't be a TPM module installed.
You'll find that many desktop motherboards will have an unfilled
TPM header option available. The header allows a consumer to
buy a TPM module for the board if they want to enable a discrete
TPM. Most hardware sold directly to consumers doesn't include the
module, because it's always been seen as an extra cost.
If your particular motherboard never implemented firmware TPM
support, and this is one obstacle preventing you from installing
Windows 11, it might be worth hunting for a compatible module. We
recommend that when you shop, you stick to a module from the same
motherboard maker, and within the same vintage of motherboard.
Although the TPM chips in the modules may be off-the-shelf, the
actual physical connections, as well as how the BIOS/UEFI talks to
it, will be unique.
Although the TPM modules are similar, you don't want to buy one
without making sure it works with your computer.
How to check your TPM's
The easiest way to check the state of your TPM on a Windows 10
machine is to go to Device Security. You can do this by pressing
the Windows key and typing device security. From
there, click the Security processor details link. If your
PC has a TPM that Windows 10 can see, you'll get details on it
here. For example, in screenshots from a consumer Core i7-1185G7
laptop and a commercial or business-focused Core i7-8665U, we can
see that the consumer laptop uses the Intel embedded TPM or
Platform Trust Technology because, well, it's free.
On the commercial laptop, the vendor (HP, in this case) has
embedded an actual discrete Infineon TPM module into the laptop, a
normal practice for corporate laptops.
Which is better? Generally, the discrete or separate TPM module
is believed to be better, as it supports more encryption
algorithms. But it does take up space and add cost.
The consumer 11th-gen laptop (left) uses Intel's embedded TPM,
while the business-focused 8th-gen laptop (right) features a
Why doesn't my TPM show up?
While support for the TPM on a 7-year-old PC to run Windows 11
is going to cause hand-wringing for the next six months, even newer
PCs can have troubles. For example, on an 8th-gen Core i7 PC, we
found the TPM support in its default state of discrete—which, as
with most consumer desktops, means 'off,' because there was no
optional TPM module installed.
This throws up a flag in Microsoft's Windows 11 requirement
check, saying you need TPM 2.0 enabled. As we said, that means
you either go out and buy the appropriate TPM module and plug it
into the header, or you simply flip on the firmware TPM already
built into the 8th-gen CPU. On this particular motherboard, it means
flipping it from discrete to firmware.
Where you find this setting will vary by motherboard or laptop
maker. On this motherboard, for example, it's just
called TPM. On some motherboards it's called Intel Platform Trust
Technology (PTT). On some AMD motherboards it's called fTPM.
To find it, you'll have to root around through the UEFI of your
PC to turn it on.
Most PCs since 2013 have had firmware-based TPM support built
into them, but it's off by default.
We don't actually recommend you do this on a working PC at this
point without making a backup. While some have reported
success, others have said it has caused sporadic blue-screen errors
that didn't go away even after turning off the firmware TPM in the
With Windows 11 still months away, motherboard vendors will
likely be releasing new UEFI versions for their customers. You'll probably
want to wait until a newer UEFI/BIOS is available and the OS itself
is here, before taking a chance on breaking things.
Of course, the TPM is just one of the many things you'll need
before you can install Windows 11. You'll also need to enable Secure
Boot and UEFI mode. Most computers made in the last three
or four years should manage the process smoothly. Older hardware,
we'll have to wait and see.
Even if your CPU supports a TPM, you'll need to turn it on in
the UEFI/BIOS first.
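
The Device Security check and the TPM 2.0, Secure Boot and UEFI requirements described above can also be read from PowerShell. The following is an added example, not part of the original article; the function name Get-TpmReadiness and the MeetsListedChecks field are hypothetical. It assumes an elevated session, since Get-Tpm and Confirm-SecureBootUEFI require administrator rights.

```powershell
# Added example: run from an elevated PowerShell session on Windows 10 or 11.
function Get-TpmReadiness {
    $r = [ordered]@{
        TpmPresent   = $false
        TpmReady     = $false
        Manufacturer = $null
        SpecVersion  = $null
        FirmwareType = $null
        SecureBoot   = $false
    }

    # TPM state as Windows sees it (present, provisioned, vendor ID)
    $tpm = Get-Tpm
    $r.TpmPresent   = $tpm.TpmPresent
    $r.TpmReady     = $tpm.TpmReady
    $r.Manufacturer = $tpm.ManufacturerIdTxt

    # Win32_Tpm returns nothing when the firmware exposes no TPM to Windows,
    # for example when the UEFI is set to "discrete" and the header is empty
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi) {
        # SpecVersion is a comma-separated string; the first field is the TPM family
        $r.SpecVersion = ($wmi.SpecVersion -split ',')[0].Trim()
    }

    # Uefi or Bios (legacy boot mode)
    $r.FirmwareType = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r.SecureBoot = $false }   # the cmdlet throws on legacy BIOS boots

    # Only the three requirements this article names, not the full Windows 11 list
    $r.MeetsListedChecks = $r.TpmPresent -and $r.TpmReady -and
                           $r.SpecVersion -eq '2.0' -and
                           $r.FirmwareType -eq 'Uefi' -and $r.SecureBoot
    [pscustomobject]$r
}

Get-TpmReadiness | Format-List
```

A TpmPresent value of False on a recent CPU usually means the firmware TPM is still switched off in the UEFI rather than missing.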