Skip to content

What is a TPM?

A Trusted Platform Module (TPM) is a computer chip designed to store authentication artifacts securely. Learn about this microcontroller and how to check yours.

Illustration of TPM
Illustration of TPM

A Trusted Platform Module (TPM) is a microchip that provides hardware-level encryption to enhance security. It can securely store platform measurements and a variety of authentication artifacts, including the encryption key, certificates, and passwords

The purpose of a TPM is twofold: authentication and attestation. Authentication allows your laptop or computer to verify its identity, while attestation proves its integrity and the absence of breaches. Not only does a TPM interact with other security systems in your PC, like the fingerprint reader and facial recognition program, it may also be used by other programs, including your browser. Basically, a TPM is like a security alarm system against cybercriminals and malware. 

The Trusted Computing Group (TCG), an organization that promotes open security standards, introduced the TPM in 2009. The TCG has updated the standard over the years, and the most recent TPM version (TPM 2.0) was released in 2014. 

We’ll explain what you should know about TPMs, including whether you need a TPM, how to check to see if you already have one, what types are available, and how to add a TPM to your existing computer. 

What is TPM

Do you need a TPM?

In response to increasing attacks, Microsoft started requiring TPM 2.0 to upgrade to Windows 11. Therefore, if you want to use Windows 11, you need a TPM chip in your computer. Windows Server 2022 also requires a TPM for certain features. Luckily, most recent computers already have a TPM installed. 

Even if you’re not concerned with upgrading to Windows 11, it may be worth getting or enabling a TPM. It can enhance Secure Boot, provide ransomware protection, and improve your overall security posture. 

How do you check your TPM?

It’s not hard to confirm whether or not your computer has a TPM chip. Using PDQ Inventory makes it a breeze, but the following methods can also help you check. 

Check via Command Prompt

Using the Command Prompt is one simple way to see if you have a TPM installed. 

  • Type tpm.msc into the taskbar

  • If nothing comes up, you may not have a TPM chip. Otherwise, open the TPM management console

  • Check the Status to confirm the TPM is “ready to use”

  • Check the Specification Version to see the version of the chip

Check Settings

You can find the TPM Administration tool via Settings and confirm that you have a TPM and it is enabled. 

  • Open Settings

  • Go to System

  • Click About

  • Scroll to Related settings 

  • Click BitLocker settings 

  • Click TPM Administration

  • Check the Status to confirm the TPM is “ready to use”

  • Check the Specification Version to see the version of the chip

Use the Run dialog box

The Run dialog box can help you find the same TPM management console quickly.

  • Open the Run dialog box using Windows+R

  • Input tpm.msc

  • Check the Status to confirm the TPM is “ready to use”

  • Check the Specification Version to see the version of the chip

Use the Device Manager

Alternatively, you can use the Device Manager to see if you have a TPM and, if so, which version. 

  • In the search bar, search Device Manager and open the control panel

  • Expand the Security devices list

  • Look for a Trusted Platform Module entry

Restart your PC into the UEFI settings screen 

This method involves accessing motherboard settings and changing firmware settings, so you should only do it if you can’t find a TPM chip using other methods and you truly know what you’re doing. If the TPM is disabled, this will allow you to find it and enable it. 

  • Open Settings

  • Select Update & Security

  • Click Recovery

  • Under the Advanced startup heading, click Restart now

  • Click Troubleshoot

  • Select Advanced options

  • Click UEFI Firmware Settings

  • Click Restart

  • Open the security settings

  • Check for the Trusted Platform Module (TPM)

  • If present, select it and ensure its enabled

  • Exit the UEFI settings

  • Confirm the changes

  • Restart the computer

Windows 11 logo

How do Windows and TPMs relate?

Microsoft requires TPM chips for PCs to run Windows 11. Apple uses a similar chip called T2, but TPMs are exclusive to PCs. Given that Windows is the most common operating system and has implemented a TPM requirement for its newest version, Windows operating systems and TPMs go hand in hand. 

Can you run Linux with a TPM?

You should be able to run Linux with a TPM. Starting with the Linux 3.20 kernel, Linux supports TPM 2.0. That said, support varies between older Linux distributions.

What are the types of TPMs?

TPM typically refers to the most traditional variety, which is the microchip version. However, other options are available. The TCG identifies five variations

Discrete TPM

A discrete TPM (dTPM) is the standard hardware version. It is designed to be tamper resistant and provide the highest level of TPM security. It’s used for critical systems. 

Firmware TPM

A firmware TPM (fTPM) is code executed in the CPU’s trusted execution environment (TEE) to provide a high level of security. 

Software TPM 

A software TPM (sTPM) is a software emulator used for testing and prototyping. However, software TPMs are not appropriate for public-facing environments because they’re prone to vulnerabilities.

Virtual TPM 

A virtual TPM (vTPM), also known as a hypervisor TPM, provides a high level of security for cloud environments with the same commands as physical TPMs. 

Integrated TPM

An integrated TPM (iTPM) is a hardware TPM integrated into another chip with other functions. Integrated TPMs provide a very high level of security against software issues, but they are not tamper resistant. They’re often used for network gateways. 

TPM man on computer

Can you add a TPM to your computer?

Depending on your Windows PC and skill level, you might be able to add a TPM to your computer. If you’ve built your own machine in the last few years using current components, it probably won’t be too hard to install a discrete TPM. 

Most motherboards have TPM headers. You can find out more about your motherboard by opening the Command Prompt by entering cmd into the search bar, then entering wmic baseboard get product,Manufacturer. Then, research the motherboard online to determine its compatibility, and contact the manufacturer’s support team if necessary. 

You can find TPMs for under $30. Make sure the TPM has the same PIN layout and lockout as the TPM header. Before installing, turn off the computer, unplug it, and let it cool. A compatible TPM may work right away after installation. Otherwise, you may need to enable the TPM in your BIOS or UEFI settings. 

Since most current computers already have a TPM, just make sure to double-check that you don’t already have one before attempting to install it yourself. 

Looking to streamline your patch management
and software deployment processes?