What is a TPM and why do
I need one? Hi everyone. Leo Notenboom here for askleo.com. Ask Leo is supported in large
part by its patrons. Visit askleo.com/patron. for more information about how you can help and get Patreon exclusive
content when you sign up. So Windows 11 I talked
about it last week. My first impressions, it brought up something the day it was
released in its hardware requirements that has confused a lot of people,
and that's this thing called the TPM. What I want to do in this video is talk
about what the TPM is at a high level, why it exists, why you might already
have one, and what your options are if you don't.
Tpm stands for trusted platform module. It is what's called a crypto processor. It's actually its own little computer, typically on a chip in hardware on your
machine, either on your motherboard, potentially as an add on piece
of hardware to older machines.
And in some cases it's also emulated by
some of the other chips on your machine. It's been around for, Gosh,
I think a decade or more. Actually, its role is to as the name kind of infers is to improve
your system's security. It does this in a couple of different ways. One is simply, in a way, simply by existing.
It offloads a certain amount of what are typically sensitive calculations related
to security and by offloading them.
I mean, it takes them away from your CPU,
your main CPU that could be programmed to do anything, including run malware onto
this closed system that you and I cannot run software on, so we can't
get malware onto a TPM. The TPM can then do its job and do it
in greater security than if that job were emulated as it probably
has been without TPMS. Until now. The other thing or the important things that it does are typically
related to cryptography. It has, for example,
a better random number generator. Random numbers are actually
fundamental to cryptography and making sure that cryptography is as secure
and as strong as is possible.
It's a place to store cryptographic keys,
like your BitLocker key. For example, in a place that you
cannot recover the key from a TPM. In that same vein, the TPM can be used to generate really
strong cryptographic keys and key pairs. Once again, you would be given the TPM
would expose or deliver one of a key pair, but it would keep the other internal
and never, ever actually allow that private key,
in this case, to be exposed anywhere. And to be fair, I just touched on it.
Really. Those are just the tip of the iceberg. The idea is that the TPM and the functions it provides are things that ultimately
fundamentally allow the software on your machine to be more secure, to do things
in a more safe and more secure way. Yes, at a very geeky, very low level, very magical kind of way,
but it is what the TPM is all about. Now, do you have a TPM? Well, chances are you do. Even if software has been telling you you don't at first.
Let's take a look at that software.
Hit the Windows key and the letter R
and run the program TPM.MSC that runs the trusted platform manager
control interface, something like that. And basically all it will really do is tell you whether or not you have a TPM
and what version that's running. You need version two
to run Windows 11. Great. If you've got version 1.2,
I'm not sure what to tell you. Your machine may be old enough
that it predates TPM 2.0. My recommendation is that you check
with your computer manufacturer to see what kind of options you might
have to get that machine upgraded. Or that TPM specifically
upgraded on your machine. If it says you have no TPM,
don't panic again. If your machine has been built within the last, I'll say, decade, there's
a really good chance there's a TPM on it.
My machine, which I purchased just a year
and a half ago, actually, two years ago, it reported no TPM,
which surprised me, given how new and ultimately how powerful
this particular machine happens to be. As it turns out,
it is possible that the TPM needs to be enabled in your BIOS
or your UEFI settings. That's exactly what I had
to do with my AMD processor. I had to go in and in my case,
turn on something called FTP, and then in another menu,
turn on security device support. Once both of those were turned on and I rebooted my machine and I ran TPM MSC,
not only did I have a TPM, but it was the correct version
to run Windows Eleven. So if your machine reports not having a TPM,
first things first, check with your computer manufacturer
to see if there happens to be a setting in your BIOS that needs to be
changed in order to enable it. Maybe I can't say that there will be. But if your machine is relatively recent and if not reporting a TPM, that is
exactly where I would send you first.
Now, full disclosure on my other two
machines, my two Dell laptops, I ran, TPM, MSC, and both of those had TPM 2.0 out of
the box without my having to do a thing. So it is going to vary a lot based on what computer you have, potentially,
what CPU you have and so forth. But that's where I would have you start. Now, the question that I get,
of course, is why TPM? More importantly, why is Microsoft insisting that we have a TPM
in order to run Windows 11? I've got three answers to that,
two of which are not going to be very satisfactory, and the third one is simply
going to have to require some faith.
The first one is because they said so. I mean, they can say whatever they want. They can require whatever they want of
the operating systems that they produce. They have decided that a TPM is required
for whatever their reasons may be. So be it. A slightly less cynical view is that they
Microsoft probably has customers that are requiring the new machines
and the new operating systems that they purchase to have TPM to have
this improved security. Large customers, like large corporations
or governments have a requirement or may have a requirement that this
be part of their future. So in order to be eligible to be
servicing those large corporations and governments, and we know that that's
where Microsoft gets a fair amount of the revenue from this
simply becomes a requirement.
Tpm needs to be in the hardware,
and it needs to be enabled in order for these machines to get
deployed to these places. Again, we don't know, but this is one of the scenarios that,
to me at least makes sense. It makes the most sense. The real answer, the Pragmatic answer, and probably the reason for the first two
answers is that the TPM improves security. That's the bottom line. That's why it exists. Its purpose is to do cryptography better, to secure things better,
to secure your machine better.
All of those things mean that security
of your PC is better with a TPM. Windows uses it. Other applications are able to use
it for exactly that same purpose. And that would be why governments
and large organizations might want it. That would be Microsoft in attempting
to improve the security of the Windows operating system,
is also now requiring it. But ultimately, Yep,
it's a requirement for Windows Eleven. Now, one of the things I do want
to address is the conspiracy theory that this is somehow some kind
of collusion between Microsoft and hardware vendors to force
more people to buy new machines. Obviously, I could not disagree more. I think again, that's a conspiracy theory. There really is no basis. In fact, the issue here is that you
don't need to do anything.
You don't need to run Windows 11. Windows 10 works just fine and will continue to work just fine on whatever
machine you have it running on until 2025. And even beyond that if you want to without Microsoft support,
just like people are still running Windows 7, and people or some
people are still running Windows XP. So you're not being forced
to upgrade to Windows Eleven. You're not being forced to buy a new
machine, you could run a different operating system, you could run Linux,
you could get it, install Linux on your older machine,
especially the ones that don't have TPM if you like, and just step out
of the Microsoft ecosystem completely.
So much of what we do these days is
online, and there are so many compatible alternatives for much of the Microsoft
specific software that again, if this is the Hill you want to die on,
great install Linux overwrite Windows 10 with Linux and get your
work done that way. Sure, there'll be a learning curve, but you won't have to buy a new machine,
and that's kind of the point of the issue. But manufacturers are in no way trying
to force you to buy a new machine. They might want to entice you to buy a new
machine, but that's typical marketing. They've always been doing that. The new machines are always bigger and better and faster
with new features and new this's and new that's, but there's never been a requirement that you upgrade
or purchase new hardware. So I did want to set that one to bed
because TPM seems to be a foot in the door for a lot of the conspiracy theories,
and it's just not a thing for updates. For related links for comments
and more, visit askleo.com/137366 I'm Leo Notenboom.
This is askleo.com.
