Windows 11 requires Trusted Platform Module 2.0 (TPM 2.0). TPM 2.0 is a chip that’s dedicated to handling cryptographic tasks, which Windows 11 leverages for a number of its security features. For example, Windows 11 uses the TPM 2.0 chip on your PC whenever you log in using your fingerprint or facial recognition via Windows Hello, and when encrypting data.
What Is the TPM in Windows 11?
The term Trusted Platform Module (TPM) refers both to an international standard that describes the specifications of a microprocessor dedicated to performing security tasks and to any chip conforming to those standards. When you hear that a PC has TPM, that means the computer has a chip that meets the TPM standards, or it contains firmware that allows the main CPU to perform the same functions. In most cases, the TPM chip will be found mounted directly on a PC’s motherboard, but you can also add TPM to a computer by installing an expansion card.
The TPM standard itself was developed by a group of technology companies that included PC manufacturers like IBM and HP, chip manufacturers like Intel, and software companies like Microsoft. The group released TPM 1.0 in 2001, which was updated to TPM 1.2 in 2009, and TPM 2.0 in 2014.
The idea behind the TPM standard is that it ensures any PC with a TPM chip will be capable of performing specific security tasks. For example, a chip that conforms to the TPM standard needs to, among other things, have a random number generator, needs to be able to generate cryptographic keys, and the ability to encrypt and decrypt data.
What Is TPM 2.0?
TPM 2.0 is the version of the TPM standard that was released in 2014 and was the most recent version of the standard when Windows 11 was released. The term also refers to chips that conform to the standard. When you hear that a computer needs to have TPM 2.0, that means it needs to have a chip or firmware that conforms to the TPM 2.0 standard.
TPM 2.0 is capable of performing a variety of cryptographic tasks like encrypting and decrypting data and authenticating hardware. In computers that have TPM 2.0 firmware instead of a dedicated TPM 2.0 chip, you can typically enable TPM 2.0 in the UEFI.
Since TPM 2.0 was introduced in 2014, computers built prior to that don’t have it. However, it is possible to add TPM 2.0 to a computer by installing an expansion card. It’s also possible to emulate TPM 2.0, which is how you can run Windows 11 on Mac using Parallels.
What Does TPM 2.0 Do in Windows 11?
TPM 2.0 performs a lot of security-related functions in Windows 11, and it starts the moment you turn on your computer. During the boot process, Windows 11 uses the TPM chip to verify the integrity of the operating system before Windows ever loads. If it detects irregularities, the boot process stops and allows you to repair Windows to avoid loading an operating system that may have been altered without your knowledge.
The TPM 2.0 chip also plays a part in the Windows logon process if you use Windows Hello. The chip is instrumental in encrypting and storing your biometric data, which consists of your fingerprint or face scan, and checking against that record when you try to sign in to Windows.
Once you’re signed into Windows 11, TPM 2.0 allows anti-malware software to check the integrity of Windows 11 in the same way that the system is checked during the boot process. Since malware doesn’t start running until Windows has loaded, or loads alongside Windows, this can allow your anti-malware to identify and eliminate rootkits and other malicious software.
How to Tell if Your Computer Has TPM
If your computer was built after 2014, it may have TPM 2.0. If it was built more recently, within the last few years, then it’s likely to have this feature. If you aren’t sure, the easiest way to find out is to perform the Windows 11 compatibility check.
You can also check to see if you have a TPM in Windows Settings by navigating to Update & Security > Windows Security > Device Security. Look for the Specification Version, which will say 1.0, 1.2, or 2.0 if you have a TPM. If you don’t have a TPM at all, then the security processor details section will be blank.
What to Do if You Don’t Have TPM 2.0
If your computer doesn’t have TPM 2.0, then you should continue using Windows 10. There is a workaround that will let you install Windows 11 on a computer that doesn’t have TPM 2.0, but it isn’t safe. Microsoft won’t provide updates and support to users who use the bypass method to install Windows 11 on a PC that lacks TPM 2.0, and a lot of Windows 11 security features won’t work, so using the bypass method leaves you inherently less secure both immediately and in the future.
You can add TPM 2.0 to a computer that doesn’t have it via an expansion card if you can locate one that’s compatible with your motherboard. If you go that route, you can install the card and then enable TPM 2.0 in the BIOS or UEFI. Before you do that though, it’s worth checking to see if your computer supports firmware TPM 2.0 already. You can do that by loading the UEFI and checking to see if there is an option to enable TPM 2.0.
After you have installed a TPM 2.0 card or enabled it in the UEFI, you can upgrade to Windows 11 without any issues. However, if you aren’t able to add TPM 2.0 to your system, you’re better off sticking with Windows 10 as long as Microsoft continues to support it.
How do I enable TPM 2.0?
You can turn on TPM – or verify that it’s on – by entering the UEFI/BIOS at startup. You can find TPM in Advanced or Security. The “on” setting for TPM is On, Enabled, or Firmware TPM, depending on your model of computer.
How do I install Windows 11 without TPM?
TPM is a crucial part of Windows security, so you shouldn’t install the operating system without it unless your computer doesn’t have the chip. You can do a workaround, but understand that it’s risky to your computer and Windows. In the Registry Editor, type HKEY_LOCAL_MACHINE\SYSTEM\Setup, and then right-click Setup > New > Key, and name the new key LabConfig. Then, right-click the key and select New > DWORD (32-bit), and set values for BypassTPMCheck, BypassRAMCheck, and BypassSecureBootCheck to 1. After this, you should be able to install Windows 11.