What Is a TPM? And Why Do I Need One?

What is a TPM and why do I need one? Hi everyone. Leo Notenboom here for askleo.

com. Ask Leo is supported in large part by its patrons. Visit askleo.

com/patron. for more information about how you can help and get Patreon exclusive content when you sign up. So Windows 11 I talked about it last week.

My first impressions, it brought up something the day it was released in its hardware requirements that has confused a lot of people, and that's this thing called the TPM. What I want to do in this video is talk about what the TPM is at a high level, why it exists, why you might already have one, and what your options are if you don't. Tpm stands for trusted platform module.

It is what's called a crypto processor. It's actually its own little computer, typically on a chip in hardware on your machine, either on your motherboard, potentially as an add on piece of hardware to older machines. And in some cases it's also emulated by some of the other chips on your machine.

It's been around for, Gosh, I think a decade or more. Actually, its role is to as the name kind of infers is to improve your system's security. It does this in a couple of different ways.

One is simply, in a way, simply by existing. It offloads a certain amount of what are typically sensitive calculations related to security and by offloading them. I mean, it takes them away from your CPU, your main CPU that could be programmed to do anything, including run malware onto this closed system that you and I cannot run software on, so we can't get malware onto a TPM.

The TPM can then do its job and do it in greater security than if that job were emulated as it probably has been without TPMS. Until now. The other thing or the important things that it does are typically related to cryptography.

It has, for example, a better random number generator. Random numbers are actually fundamental to cryptography and making sure that cryptography is as secure and as strong as is possible. It's a place to store cryptographic keys, like your BitLocker key.

For example, in a place that you cannot recover the key from a TPM. In that same vein, the TPM can be used to generate really strong cryptographic keys and key pairs. Once again, you would be given the TPM would expose or deliver one of a key pair, but it would keep the other internal and never, ever actually allow that private key, in this case, to be exposed anywhere.

And to be fair, I just touched on it. Really. Those are just the tip of the iceberg.

The idea is that the TPM and the functions it provides are things that ultimately fundamentally allow the software on your machine to be more secure, to do things in a more safe and more secure way. Yes, at a very geeky, very low level, very magical kind of way, but it is what the TPM is all about. Now, do you have a TPM?

Well, chances are you do. Even if software has been telling you you don't at first. Let's take a look at that software.

Hit the Windows key and the letter R and run the program TPM. MSC that runs the trusted platform manager control interface, something like that. And basically all it will really do is tell you whether or not you have a TPM and what version that's running.

You need version two to run Windows 11. Great. If you've got version 1.

2, I'm not sure what to tell you. Your machine may be old enough that it predates TPM 2. 0.

My recommendation is that you check with your computer manufacturer to see what kind of options you might have to get that machine upgraded. Or that TPM specifically upgraded on your machine. If it says you have no TPM, don't panic again.

If your machine has been built within the last, I'll say, decade, there's a really good chance there's a TPM on it. My machine, which I purchased just a year and a half ago, actually, two years ago, it reported no TPM, which surprised me, given how new and ultimately how powerful this particular machine happens to be. As it turns out, it is possible that the TPM needs to be enabled in your BIOS or your UEFI settings.

That's exactly what I had to do with my AMD processor. I had to go in and in my case, turn on something called FTP, and then in another menu, turn on security device support. Once both of those were turned on and I rebooted my machine and I ran TPM MSC, not only did I have a TPM, but it was the correct version to run Windows Eleven.

So if your machine reports not having a TPM, first things first, check with your computer manufacturer to see if there happens to be a setting in your BIOS that needs to be changed in order to enable it. Maybe I can't say that there will be. But if your machine is relatively recent and if not reporting a TPM, that is exactly where I would send you first.

Now, full disclosure on my other two machines, my two Dell laptops, I ran, TPM, MSC, and both of those had TPM 2. 0 out of the box without my having to do a thing. So it is going to vary a lot based on what computer you have, potentially, what CPU you have and so forth.

But that's where I would have you start. Now, the question that I get, of course, is why TPM? More importantly, why is Microsoft insisting that we have a TPM in order to run Windows 11?

I've got three answers to that, two of which are not going to be very satisfactory, and the third one is simply going to have to require some faith. The first one is because they said so. I mean, they can say whatever they want.

They can require whatever they want of the operating systems that they produce. They have decided that a TPM is required for whatever their reasons may be. So be it.

A slightly less cynical view is that they Microsoft probably has customers that are requiring the new machines and the new operating systems that they purchase to have TPM to have this improved security. Large customers, like large corporations or governments have a requirement or may have a requirement that this be part of their future. So in order to be eligible to be servicing those large corporations and governments, and we know that that's where Microsoft gets a fair amount of the revenue from this simply becomes a requirement.

Tpm needs to be in the hardware, and it needs to be enabled in order for these machines to get deployed to these places. Again, we don't know, but this is one of the scenarios that, to me at least makes sense. It makes the most sense.

The real answer, the Pragmatic answer, and probably the reason for the first two answers is that the TPM improves security. That's the bottom line. That's why it exists.

Its purpose is to do cryptography better, to secure things better, to secure your machine better. All of those things mean that security of your PC is better with a TPM. Windows uses it.

Other applications are able to use it for exactly that same purpose. And that would be why governments and large organizations might want it. That would be Microsoft in attempting to improve the security of the Windows operating system, is also now requiring it.

But ultimately, Yep, it's a requirement for Windows Eleven. Now, one of the things I do want to address is the conspiracy theory that this is somehow some kind of collusion between Microsoft and hardware vendors to force more people to buy new machines. Obviously, I could not disagree more.

I think again, that's a conspiracy theory. There really is no basis. In fact, the issue here is that you don't need to do anything.

You don't need to run Windows 11. Windows 10 works just fine and will continue to work just fine on whatever machine you have it running on until 2025. And even beyond that if you want to without Microsoft support, just like people are still running Windows 7, and people or some people are still running Windows XP.

So you're not being forced to upgrade to Windows Eleven. You're not being forced to buy a new machine, you could run a different operating system, you could run Linux, you could get it, install Linux on your older machine, especially the ones that don't have TPM if you like, and just step out of the Microsoft ecosystem completely. So much of what we do these days is online, and there are so many compatible alternatives for much of the Microsoft specific software that again, if this is the Hill you want to die on, great install Linux overwrite Windows 10 with Linux and get your work done that way.

Sure, there'll be a learning curve, but you won't have to buy a new machine, and that's kind of the point of the issue. But manufacturers are in no way trying to force you to buy a new machine. They might want to entice you to buy a new machine, but that's typical marketing.

They've always been doing that. The new machines are always bigger and better and faster with new features and new this's and new that's, but there's never been a requirement that you upgrade or purchase new hardware. So I did want to set that one to bed because TPM seems to be a foot in the door for a lot of the conspiracy theories, and it's just not a thing for updates.

For related links for comments and more, visit askleo. com/137366 I'm Leo Notenboom. This is askleo.