Windows 11: Basic information on Trusted Platform Modules (TPM 2.0)

Microsoft imposes some hardware requirements for Windows 11 that are not new: the hardware has been built into many desktop PCs and notebooks since about 2015, but it was not mandatory for Windows 10. One of these requirements is a Trusted Platform Module (TPM) conforming to the 2012 specification TPM 2.0.

For most Windows computers from the past 4 to 5 years, such a TPM 2.0 is built in and active. This is easy to check: Device Manager (opened via the Start search box, via Windows key + X, or with devmgmt.msc) lists the TPM under "Security devices". More detailed information is available in the Windows Control Panel under "Security".

A TPM 2.0 does not have to be present as a separate physical chip on the mainboard. That is usually only the case in business notebooks and office computers with AMD Ryzen Pro or Intel vPro. In the vast majority of systems with TPM 2.0 it is a so-called firmware TPM (fTPM 2.0): firmware that runs on a separate microcontroller core integrated into the processor, chipset or system-on-chip.

Microsoft has required a (f)TPM 2.0 for notebooks carrying the Windows 10 logo since 2015.

The Infineon chip SLB 9665TT2.0 is a widespread TPM 2.0 chip.

Processors and chipsets with fTPM 2.0

AMD integrates an ARM core of type Cortex-A5 into all its processors, starting with the 2014 tablet chips Beema and Mullins and the Carrizo of 2015. The fTPM 2.0 is one of the functions of this Platform Security Processor (PSP), later called "AMD Secure Processor".

For desktop PCs with AMD processors, fTPMs arrived with the AM4 platform (Bristol Ridge) introduced in 2016, provided the respective motherboard manufacturer has implemented the function in the BIOS and also enabled it.

At Intel, the fTPM 2.0 is part of the Platform Trust Technology (PTT), which is based on the Converged Security and Management Engine (CSME, formerly ME). Depending on the platform, the ME/CSME with PTT sits in the chipset or in the processor; for desktop PCs, for example, since the 2015 CPU generation Skylake (Core i-6000, 100-series chipset). As with AMD systems, the fTPM is only available if the BIOS enables it.

TPM chips on the mainboard

Since 2013 there have been some Windows tablets with ARM chips and Intel Atom Z2000 that include an fTPM 2.0. Also in 2013, Infineon brought the first TPM 2.0 chips to market. These were mainly used in the business laptops already mentioned (Lenovo ThinkPad, Dell Latitude and HP Elite series) and in vPro office computers, but not in "consumer" computers for private individuals.

Some motherboards have pin headers for plugging in a small board with a TPM chip. Unfortunately, there is no general standard: depending on the board, the TPM uses either the Low Pin Count (LPC) interface or the Serial Peripheral Interface (SPI), in rare cases also I²C. The BIOS must also recognize the TPM, i.e. it must be prepared for one. Unfortunately, documentation is often lacking.

The Trusted Computing Group (TCG) maintains a list of certified TPMs on its website.

The older TPM 1.2 chips are only available as discrete chips, not as fTPMs. Compared with TPM 2.0 they have the disadvantage, among others, that the specification requires only RSA and the obsolete SHA-1 algorithm; AES is optional. In some (f)TPM 2.0 implementations the security vulnerability TPM-Fail was discovered.

Activating an existing TPM

If Windows does not recognize a TPM, it may be switched off in the BIOS. On many (but not all) PCs and notebooks it can then be re-enabled in the BIOS setup. The necessary options are often found in menus named "Security" or "Security chip".
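The Device Manager check described earlier and the "is it merely disabled?" question of this section can be answered from one script. The following PowerShell is an added example, not code from the original article; it uses the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class, and the mapping of vendor IDs to "firmware TPM" versus "discrete chip" is an assumption covering the common cases.

```powershell
# Added example, not from the original article: report whether a TPM is
# present, which spec version it implements and whether it looks like a
# firmware TPM. Run in an elevated PowerShell on Windows 10/11 (Get-Tpm
# requires administrator rights and the built-in TrustedPlatformModule module).
function Get-TpmReport {
    $tpm = Get-Tpm   # TpmPresent is $false on machines without a (visible) TPM

    # Win32_Tpm reports the spec version as a string such as "2.0, 0, 1.38" or "1.2, 2, 3".
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'n/a' }

    # ManufacturerIdTxt carries the TCG vendor ID. Assumption used here: 'INTC' and
    # 'AMD' mean an fTPM (Intel PTT / AMD PSP); other IDs (e.g. 'IFX' Infineon,
    # 'STM', 'NTC') usually mean a discrete chip on the mainboard.
    $vendor = "$($tpm.ManufacturerIdTxt)".Trim()
    $kind = switch ($vendor) {
        'INTC'  { 'firmware TPM (Intel PTT)' }
        'AMD'   { 'firmware TPM (AMD fTPM)' }
        ''      { 'none' }
        default { "discrete or other TPM (vendor '$vendor')" }
    }

    [pscustomobject]@{
        Present      = [bool]$tpm.TpmPresent
        Ready        = [bool]$tpm.TpmReady
        Enabled      = [bool]$tpm.TpmEnabled
        Activated    = [bool]$tpm.TpmActivated
        SpecVersion  = $spec
        Kind         = $kind
        Win11Capable = ([bool]$tpm.TpmPresent -and $spec -eq '2.0')
    }
}

$report = Get-TpmReport
$report | Format-List

if (-not $report.Present) {
    Write-Warning 'No TPM reported. It may be disabled in the BIOS/UEFI setup; look in the "Security" or "Security chip" menu.'
} elseif (-not $report.Win11Capable) {
    Write-Warning "TPM found, but spec version $($report.SpecVersion) does not meet the TPM 2.0 requirement."
} elseif (-not $report.Ready) {
    Write-Warning 'TPM 2.0 present but not ready; check that it is enabled and owned (tpm.msc shows details).'
}
```

A "Present = False" result on a machine that should have a TPM is the cue to look in the BIOS setup; a TPM 1.2 result cannot be fixed in the BIOS, since the chip itself is the older generation.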

TPM functions

The question remains what exactly Windows 11 uses the TPM 2.0 for; Microsoft has not documented this so far. The most prominent TPM application under Windows has so far been the drive encryption BitLocker of the Pro and Enterprise editions of Windows. Here the TPM is used to bind the key to the platform (key sealing). Windows also uses a TPM for "Device Encryption"; however, that is a kind of BitLocker for the soldered flash memory in tablets.

Windows 10 can use a TPM for multiple functions, but many of them are only available in the Pro and Enterprise editions or with additional software.

Contrary to what some think, a TPM has nothing to do with UEFI Secure Boot. However, a TPM can additionally be used to detect manipulation of the BIOS code (Measured Boot). An improved method is called Dynamic Root of Trust for Measurement (DRTM), in which a check value is written to Platform Configuration Register (PCR) 17 of the TPM.

Microsoft uses these DRTM methods for the so-called "Secured-Core PCs", which have been on the market since 2019 and promise stronger protection against firmware manipulation. Some notebook manufacturers have developed their own additional firmware functions that go in a similar direction, such as HP Sure Start.

Microsoft is building more and more protective functions into the system to make malware attacks harder. For Virtualization-Based Security (VBS) and Kernel Data Protection (KDP), a trustworthy firmware basis is important.

A TPM can also be used as a security factor for biometric identification with Windows Hello for Business and to provide virtual smart cards. The Windows Defender features Device Guard and Credential Guard can also use TPMs. It is also an obvious choice to use a TPM for two-factor authentication (2FA), which is possible under Windows for certain VPN functions (Always On VPN).

TPM 2.0 is also covered in the audio podcast Bit-Rauschen, episode 2021/14.

