Windows 11 demands TPM 2.0 and here's what that means for you
Plenty of users have had their excitement about Windows 11 dampened by confusion surrounding its requirement for TPM 2.0 support. Running the Windows 11 PC Health Check (which has now been updated to report why your machine has failed the test) has seen users confused that their new and otherwise capable machine apparently can't run Microsoft's new OS.
This confusion certainly hasn't been helped by Microsoft itself which had system requirements listed online, detailing a soft and hard floor for Window 11. That was basically the difference between being able to install and being advised not to.
But that has been corrected now to state that the only way you're going to be able to get Windows 11 on your home PC is if it's got specific TPM 2.0 support.
What is TPM 2.0?
TPM stands for Trusted Platform Module, and its job is to protect data used to authenticate the PC your using. TPMs can actually be found in lots of different types of devices, but we'll focus on PCs here. The TPM can also be used to maintain platform integrity, facilitate disk encryption, store password and certificates, the list goes on.
TPM chips are useful, from a total system security perspective, and that's something Microsoft feels it needs to enforce with Windows 11.
While Windows 11's TPM requirement has brought the technology to the forefront, it isn't a particularly new idea, and Windows 10 and Windows 7 both support TPM and have used it for a variety of functions. Windows 10 even goes as far as to say it's a requirement, but actually doesn't enforce the issue too much.
Which begs the question, why?
Why is TPM 2.0 a requirement for Windows 11?
Windows is the most popular OS in the world, and that has made it a relatively easy target for hackers. By making TPM 2.0 a requirement, Microsoft is hoping to make the life of hackers just that little bit harder.
As David Weston, Director of Enterprise and OS security says on this blog:
"Today, we are announcing Windows 11 to raise security baselines with new hardware security requirements built-in that will give our customers the confidence that they are even more protected from the chip to the cloud on certified devices."
DO YOU HAVE IT ALREADY?
Does my PC have TPM 2.0 support already?
If your machine is relatively up to date (less than four years old), then there's a very good chance that you do, although pedants may argue over whether that's true hardware TPM support or the firmware based TPM, which is basically offered by your CPU. You may need to enable TPM 2.0 in your UEFI/BIOS, but there's a very good chance it's there.
Intel has various technologies that offer TPM 2.0 support, under a variety of names, but keep an eye out for PTT (Platform Trust Technology) and IPT (Identity Protection Technology) before trying to turn on TPM 2.0 in your UEFI/BIOS. Essentially though, Intel has supported TPM 2.0 on all its chips since Skylake, and on selected chips up to two generations before that.
AMD has supported TPM 2.0 since the Ryzen 2500, with its fTPM (Firmware TPM). So all of its Zen 2 and Zen 3 processors are also covered.
Microsoft has produced a full list of supported CPUs, here's the Intel list and the AMD CPU one. If your processor is on there, then you're good—or at least your CPU is not the reason Windows 11 refuses to play ball.
One option, if your CPU doesn't natively support TPM 2.0, is that you can add a separate physical module to your machine to upgrade its support. You need to check your motherboard manual to make sure there is an SPI TPM 2.0 header present, and then it's a case of tracking down a compatible module. Your CPU will still need to be on that aforementioned list though, so if it isn't, there's not much point adding a TPM separately.
HOW DO I CHECK IF IT'S ENABLED?
How can I check if TPM 2.0 is enabled?
If you've switched on your PC's TPM in the BIOS, then you can check what it's capable of using the Windows Powershell. You'll need to run this in Administrator mode, which you can do by right-clicking the Start menu and select Windows PowerShell (Admin), then simply type get-tpm. The main things you want to check here is that it is present, ready, and enabled.
For a slightly prettier way of checking this, you hit [Win]+R and type tpm.msc into the run windows before hitting return. You'll find whether you've got TPM enabled and working via this window, with the version supported at the bottom.
It's worth noting that all the uncertainty around TPM 2.0 support is largely focused either on machines you've built yourself and bespoke gaming rigs from boutique vendors. Laptops will generally support TPM off the bat, as are plenty of machines that are intended to be used in managed office environments. Obviously, if you have any doubts, you should run the PC Health Check tool and see what it says.
Could this ultimately mean that you're going to need to buy a new PC in order to run Windows 11? It could, and that seems like utter madness right now. Microsoft needs a healthy installed userbase for its latest OS, no matter what, and right now it feels like there's a barrier in place to dissuade potential upgraders.