TPM recommendations (2024)

This article provides recommendations for Trusted Platform Module (TPM) technology for Windows.

For a basic feature description of TPM, see the Trusted Platform Module Technology Overview.

TPM design and implementation

Traditionally, TPMs are discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.

TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, they may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.

The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust; that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly can't leave the TPM.

The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments clearly define security requirements for TPMs whereas others don't.

TPM 1.2 vs. 2.0 comparison

From an industry-standards perspective, Microsoft has been a leader in moving to and standardizing on TPM 2.0, which has many realized benefits across algorithms, crypto, hierarchy, root keys, authorization, and NV RAM.

Why TPM 2.0?

TPM 2.0 products and systems have important security advantages over TPM 1.2, including:

  • The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
  • For security reasons, some entities are moving away from SHA-1. Notably, NIST requires many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google, removed support for SHA-1 based signing or certificates in 2017.
  • TPM 2.0 enables greater crypto agility by being more flexible with respect to cryptographic algorithms.
    • TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the TCG Algorithm Registry. Some TPMs don't support all algorithms.
    • For the list of algorithms that Windows supports in the platform cryptographic storage provider, see CNG Cryptographic Algorithm Providers.
    • TPM 2.0 achieved ISO standardization (ISO/IEC 11889:2015).
    • Use of TPM 2.0 may help eliminate the need for OEMs to make exceptions to standard configurations for certain countries and regions.
  • TPM 2.0 offers a more consistent experience across different implementations.
    • TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
    • TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
  • While TPM 1.2 parts are discrete silicon components, which are typically soldered on the motherboard, TPM 2.0 is available as a discrete (dTPM) silicon component in a single semiconductor package, as an integrated component incorporated in one or more semiconductor packages alongside other logic units in the same package(s), and as a firmware-based (fTPM) component running in a trusted execution environment (TEE) on a general-purpose SoC.

Note

TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.

An operating system installed on hardware in Legacy mode will stop booting when the BIOS mode is changed to UEFI. Use the MBR2GPT tool before changing the BIOS mode; it prepares the OS and the disk to support UEFI.
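
The checks implied by the note above, as an added example that is not part of the original article: a read-only PowerShell script that reports the TPM specification version, firmware boot mode, Secure Boot state, and the boot disk's partition style, and runs MBR2GPT in validate-only mode when the disk is still MBR. The function name Get-TpmUefiReadiness is hypothetical; the script assumes an elevated session on Windows 10 or 11.

```powershell
# Added example: read-only readiness check for the UEFI / TPM 2.0 note above.
# Get-TpmUefiReadiness is a hypothetical helper name, not a built-in cmdlet.

function Get-TpmUefiReadiness {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # BiosFirmwareType is 'Uefi' or 'Bios' (a Legacy/CSM boot reports 'Bios').
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI throws on Legacy-mode systems, so an error counts as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # The boot disk must be GPT before the firmware is switched to UEFI.
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1

    [pscustomobject]@{
        TpmPresent     = [bool]$tpm
        TpmSpecVersion = $specVersion
        TpmIs20        = ($specVersion -eq '2.0')
        FirmwareMode   = "$firmware"
        SecureBoot     = $secureBoot
        BootDiskNumber = $bootDisk.Number
        PartitionStyle = "$($bootDisk.PartitionStyle)"
    }
}

$r = Get-TpmUefiReadiness
$r | Format-List

if ($r.PartitionStyle -eq 'MBR') {
    # /validate only checks whether the disk can be converted; it changes nothing.
    & mbr2gpt.exe /validate /disk:$($r.BootDiskNumber) /allowFullOS
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'MBR2GPT validation failed; do not switch the firmware to UEFI yet.'
    }
}
elseif ($r.FirmwareMode -ne 'Uefi') {
    Write-Warning 'Disk is GPT but firmware reports Legacy/CSM boot; check firmware settings.'
}
if (-not $r.TpmIs20)    { Write-Warning 'No TPM 2.0 reported by Win32_Tpm.' }
if (-not $r.SecureBoot) { Write-Warning 'Secure Boot is not enabled.' }
```

Only after validation succeeds should the actual conversion and the firmware switch to Native UEFI be scheduled; the script itself makes no changes to the disk or firmware.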

Discrete, Integrated, or Firmware TPM?

There are three implementation options for TPMs:

  • Discrete TPM chip as a separate component in its own semiconductor package.
  • Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components.
  • Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit.

Windows uses any compatible TPM in the same way. Microsoft doesn't take a position on which way a TPM should be implemented and there's a wide ecosystem of available TPM solutions, which should suit all needs.

Is there any importance for TPM for consumers?

For end consumers, TPM is behind the scenes but is still relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a component of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.

TPM 2.0 Compliance for Windows

Windows for desktop editions (Home, Pro, Enterprise, and Education)

  • Since July 28, 2016, all new device models, lines, or series (or if you're updating the hardware configuration of an existing model, line, or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the Minimum hardware requirements page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see TPM and Windows Features.

IoT Core

  • TPM is optional on IoT Core.

Windows Server 2016

  • TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario, in which case TPM 2.0 is required.

TPM and Windows Features

The following table defines which Windows features require TPM support.

| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
|---|---|---|---|---|
| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm, which is being deprecated. |
| BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. Device Encryption requires Modern Standby including TPM 2.0 support. |
| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
| Windows Defender Application Control (Device Guard) | No | Yes | Yes | |
| System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware are required. |
| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. |
| Device Health Attestation | Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm, which is being deprecated. |
| Windows Hello/Windows Hello for Business | No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator takes advantage of TPM 2.0 for key storage. |
| UEFI Secure Boot | No | Yes | Yes | |
| TPM Platform Crypto Provider Key Storage Provider | Yes | Yes | Yes | |
| Virtual Smart Card | Yes | Yes | Yes | |
| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
| Autopilot | No | N/A | Yes | If you intend to deploy a scenario that requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. |
| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware are required. |

OEM Status on TPM 2.0 system availability and certified parts

Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. For more information, contact your OEM or hardware vendor.


FAQs

Should I accept or reject clear TPM?

Clearing the TPM can result in data loss. To protect against such loss, review the following precautions: Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN.

Should I press F12 to clear the TPM?

Click Clear TPM and restart the system. Press F12 to clear the TPM. The system will continue to boot and the TPM will be cleared.

Is TPM 2.0 really necessary?

TPMs are efficient alternatives to older methods of securing Windows PCs. In fact, since July 2016 Microsoft has actually required TPM 2.0 support on all new PCs that run any version of Windows 10 for desktop (Home, Pro, Enterprise, or Education). Likewise, Windows 11 will only run on PCs that have TPM capabilities.

Is TPM 1.2 good enough for Windows 11?

Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm, which is being deprecated.

Should I clear TPM when selling my laptop?

In summary. Personal use: For personal resets, you can skip clearing TPM. Selling or transferring: Clear TPM to protect privacy and ensure a clean slate for the new owner.

Does clearing TPM remove BitLocker?

TPM is a security chip that provides additional security to your credentials so that they cannot be accessed by malware or third parties outside the OS. Clearing the TPM does not remove the data; however, you may be asked for a BitLocker code. Please note it down from your Microsoft account before clearing the TPM.

What happens when you clear TPM reddit?

Warning: clearing erases information stored on the TPM. You will lose all created keys and access to data encrypted by these keys.

What happens if I turn off TPM in BIOS?

Note: Disabling TPM may affect the security and functionality of your system.

Why would I clear TPM?

According to the above analysis, we can conclude that it would be better to clear TPM if you want to sell a used computer. If you had encrypted your hard disk using BitLocker, the BitLocker recovery key could be restored from TPM. In this case, clearing TPM can prevent privacy leaks.

Can Windows 11 run without TPM?

You may install Windows 11 on a system without TPM 2.0, but your system will be unsupported, and this is not recommended.

What is the downside of TPM?

The TPM is a good idea to have enabled on any system. However, beware of certain potential usability issues (automatic Device Encryption: if you boot your system in a different way, even through a system firmware update that isn't BitLocker-aware, you may need to enter a recovery key).

Does TPM 2.0 slow down computer?

It will not affect the computer in any way; the chip will lie dormant until activated. Once activated, a user may notice a slower boot-up process with the OS.

Does TPM require UEFI?

If you need to enable TPM, these settings are managed via the UEFI BIOS (PC firmware) and vary based on your device.

What is the difference between TPM and Secure Boot?

Secure boot makes sure that your server starts with trusted software by verifying the signatures for all code in the boot process. So, your images need to support secure boot with a signed boot loader. Trusted Platform Module (TPM) provides hardware-based security functions.

Does Windows 12 require TPM?

System requirements for Windows 12 are definitely higher than for Windows 11. Windows 12 still requires TPM 2, Secure Boot support, and a processor that is capable of using hardware-accelerated VBS properly, such as a processor released in 2018 or later.

Is it good to have TPM on?

The TPM also enables biometric authentication with Windows Hello, and it holds the BitLocker keys that encrypt the contents of a Windows system disk, making it nearly impossible for an attacker to break that encryption and access your data without authorization.

What happens if I disable TPM reddit?

Disabling TPM reduces your protection but doesn't eliminate it; you can substitute it with others, e.g. a complex password. But if it malfunctions there is nothing more you can do other than change the CPU or the PC; you have to risk running without it or have a PC that is erratic.

What does TPM do?

A TPM, or a trusted platform module, is a physical or embedded security technology (microcontroller) that resides on a computer's motherboard or in its processor. TPMs use cryptography to help securely store essential and critical information on PCs to enable platform authentication.

Article information

Author: Gov. Deandrea McKenzie
