TPM 2.0 Module For PC
Note: Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the Minimum hardware requirements page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices.
The Windows 11 announcement came with a few very specific requirements from Microsoft in order to run the new OS on a PC, one of which was the need for a TPM 2.0 chip. A Trusted Platform Module (TPM) chip quite simply is a hardware component that adds an extra layer of security to a Windows computer. It creates a physical barrier protecting a device and user credentials from malware and attackers that threaten it. The chips are either integrated into the PC's motherboard or added to the CPU.
Microsoft puts a large emphasis on security within its systems and has done so for a long time. Microsoft claims that $1 billion a year is invested into security measures to ensure the safety of its OS and the user. This is done by ensuring the OS is backed by certain hardware, like the TPM 2.0 chip. With security threats only rising and Windows often at the center of these attacks, it only stands to reason that Microsoft wants to ensure ever-increasing safety for its users.
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM.
Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow you as the original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, you must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs provide security and privacy benefits for system hardware, platform owners, and users. This TPM 2.0 Module can be pluged into computer's motherboard as a trusted platform module.
Why TPM 2.0?
TPM 2.0 products and systems have important security advantages over TPM 1.2, including: The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
TPM 2.0 enables greater crypto agility by being more flexible with respect to cryptographic algorithms.
TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the TCG Algorithm Registry. Some TPMs don't support all algorithms.
For the list of algorithms that Windows supports in the platform cryptographic storage provider, see CNG Cryptographic Algorithm Providers.
TPM 2.0 achieved ISO standardization (ISO/IEC 11889:2015).
Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
TPM 2.0 offers a more consistent experience across different implementations.
TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
While TPM 1.2 parts are discrete silicon components, which are typically soldered on the motherboard, TPM 2.0 is available as a discrete (dTPM) silicon component in a single semiconductor package, an integrated component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s), and as a firmware (fTPM) based component running in a trusted execution environment (TEE) on a general purpose SoC.
Note TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool MBR2GPT before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
- Easy to install
- Infineon SLB9670 chip
- TPM 2.0
- Good compatibility
- SPI communication
- TPM recommendations: [ https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations ]
- OEM-TPM: [ https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm ]
- 1 x TPM2.0 module for PC
How to use
- Insert it into your computer's motherboard on `SPI_TPM` position.
Enable TPM 2.0 on your PC
This article is intended for users who are not able to upgrade to Windows 11 because their PC is not currently enabled with TPM 2.0 or their PC is capable of running TPM 2.0 but is not set up to do so. If you are unfamiliar with this level of technical detail, we recommend that you consult your PC manufacturer’s support information for more instructions specific to your device.
Most PCs that have shipped in the last 5 years are capable of running Trusted Platform Module version 2.0 (TPM 2.0). TPM 2.0 is required to run Windows 11, as an important building block for security-related features. TPM 2.0 is used in Windows 11 for a number of features, including Windows Hello for identity protection and BitLocker for data protection.
In some cases, PCs that are capable of running TPM 2.0 are not set up to do so. If you are considering upgrading to Windows 11, check to ensure TPM 2.0 is enabled on your device. Most retail PC motherboards used by people building their own PC, for example, ship with TPM turned off by default even though it is almost alwatys available to be enabled.
- Option 1: Use the Windows Security app
Run Settings > Update & Security > Windows Security > Device Security
If you do not see a Security processor section on this screen your PC may have a TPM that is disabled. see How to enable TPM for more information or check your PC manufacturer’s support information for instructions. to enable the TPM. If you are able to enable a TPM, complete the next step to verify that it is a TPM 2.0.
If you see an option for Security processor details under Security processor, select that and verify that your Specification version is 2.0. If it is less than 2.0, your device does not meet the Windows 11 requirements.
- Option 2: Use the Microsoft Management Console
Press [Windows Key] + R or select Start > Run. Type “tpm.msc” (do not use quotation marks) and choose OK.
If you see a message saying a “Compatible TPM cannot be found,” your PC may have a TPM that is disabled. See How to enable TPM for more information or check your PC manufacturer’s support information for instructions to enable the TPM. If you are able to enable the TPM, complete the next step to verify that it is a TPM 2.0.
If you see a message confirming TPM is ready to use, check Specification Version under TPM Manufacturer Information to verify it is 2.0. If it is less than 2.0 your device does not meet the Windows 11 requirement.
How to enable TPM
If you need to enable TPM, these settings are managed via the UEFI BIOS (PC firmware) and vary based on your device. You can access these settings by choosing:
Settings > Update & Security > Recovery > Restart now.
From the next screen, choose
Troubleshoot > Advanced options > UEFI Firmware Settings > Restart to make the changes.
These settings are sometimes contained in a sub-menu in the UEFI BIOS labeled Advanced, Security, or Trusted Computing. The option to enable the TPM may be labeled Security Device, Security Device Support, TPM State, AMD fTPM switch, AMD PSP fTPM, Intel PTT, or Intel Platform Trust Technology.
If you are unsure how to make any needed changes to the TPM settings, we recommend that you check your PC manufacturer’s support information or contact their support organization.
Get information from PC manufacturers
Below are links to information from some PC manufacturers to help you get started:
- Asus: [ https://www.asus.com/support/FAQ/1046223 ]
- Dell: [ https://www.dell.com/support/kbdoc/en-us/000189676 ]
- HP: [ https://support.hp.com/us-en/document/ish_4300937-4295746-16?openCLC=true ]
- Lenovo: [ https://support.lenovo.com/us/en/solutions/ht512598 ]
- Microsoft surface: [ https://support.microsoft.com/surface/0f5953d2-befa-3617-a0e5-9735945af774 ]
- TPM 2.0 Module for PC, infineon SLB9670