“Windows 11 requires TPM”. Don’t panic, just do this in BIOS

That TPM 2.0 required by Windows 11? You might already have it without knowing. Today's processors have it integrated in BIOS/UEFI.

Microsoft has unveiled Windows 11. In addition to new features and improvements, it also has higher HW requirements than Windows 10. It’s not performance that’s needed, but rather special features that not every PC may have. W11 requires TPM 2.0 (or Trusted Platform Module), which many people are now looking for. But there’s no need to get nervous, because you probably already have it and just need to enable it. How to do it?

If you’re worried about the requirements of Windows 11, the first and general advice is to stay calm. It is not yet clear whether some requirements will eventually be lowered, for example if Microsoft decided to apply them only to newly released computers and laptops, while users upgrading older computers, especially custom setups, would get much more lenient treatment. The lists of supported CPUs are very strict at the moment; they even lack the first generation Ryzen (and generation 2000 APU) and Intel Core 7th generation. At least on some of these processors, however, it could be possible to use an older CPU unofficially, or at least we hope it will end up like that.

TPM modules and TPM Headers

Anyway, now we’re just going to focus on the TPM 2.0 requirement, which seems to have triggered a minor panic, and people have started looking for TPM 2.0 modules in shops. There have even been cases of price increases, with “scalpers” enormously ramping up the prices of TPM modules that normally sell for a few dollars/euros.

Trusted Platform Module is a small chip used to store encryption keys, certificates and similar sensitive pieces of data. It is used for BitLocker encryption and it is possible that in Windows 11, more parts of the system will rely on it—which is probably why Microsoft would require it. The problem is that not every PC has it. Years ago, motherboards—unfortunately not all of them—used to have a special connector, into which a small module with a TPM chip was inserted. You can find it on the PCB or in the manual under “TPM Header”.

TPM add-on used on select Gigabyte motherboards (Source: Heureka.cz)

It is these modules that people have started to look for a lot, wondering about their compatibility. But you had better not buy them in a hurry. The problem is that the connectors differ from manufacturer to manufacturer, and the versions of the interfaces they use also differ. Older motherboards for Intel, for example, have TPMs connected via the LPC bus (as a Super I/O chip), but newer ones via the SPI bus—these are not compatible and you might even damage something.

TPM for some other Gigabyte motherboards. You can see that the connector is different and apparently incompatible (Source: Heureka.cz)

If you would like to connect this module to a motherboard with a vacant TPM header, you have to find out the exact type of module that is compatible with the board (from the manual or the manufacturer’s website) and purchase that particular type. Definitely do not try to buy a random module from one manufacturer if you have a board from another.

Header for mounting the TPM. You will usually find it somewhere at the bottom edge of the motherboard (Source: Gigabyte)

In fact, you probably don’t have to buy TPM 2.0. You have it in the firmware

But the fact is that if you have a recent processor or one just a few years old, you probably don’t have to buy a TPM at all. For several years now, processors have been directly supporting the so-called fTPM (Firmware TPM) feature, which implements the functions of the TPM 2.0 module within the firmware of the motherboard and processor. No additional hardware is needed, you just have to find this option in the BIOS and turn it on. It’s usually not active by default, so your PC may look like it doesn’t have TPM 2.0 at first, but all you have to do is go to the firmware settings and turn on the option you need.

First, it’s good to see if you even have to bother with anything. Maybe you already have fTPM turned on, or you have an older OEM computer or laptop that has a fixed hardware TPM chip. Therefore, first verify that TPM 2.0 is present and turned on. Open Windows 10 Settings, go to the “Update & security” section, select “Windows security”, then “Device security”, and in the window that pops up, look for “Security Processor” and click on “Security processor details”. If this option is not visible, it means that you do not have TPM or it is not enabled.

If TPM is not present in your computer or is not turned on/enabled, you will find only these items, or even less, in the security settings (Source: Cnews.cz)

On the other hand, for those fortunate enough to be TPM-endowed, it will look like this.

If you see the “Security Processor” option, TPM is already enabled (Source: Cnews.cz)

By entering that sub-menu, you can see the details of your TPM. If you are shown the same thing I was, and the “Specification version” line says “2.0”, then you’re all set: you already have TPM 2.0, hardware or firmware.

TPM information window in Windows 10. This is what it looks like if you already have fTPM or another TPM version active and you’re good to go (Source: Cnews.cz)

Another, faster method to get to this information is to press the Windows key and “R” at the same time, which opens a prompt to run a command. Type “tpm.msc” without the quotes and press Enter to open the following window. Again, you can see the “Specification Version”; if it says 2.0, you’re lucky.

TPM message window invoked by the tpm.msc command (Source: Cnews.cz)
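
The same check can be scripted, which helps when you need to verify more than one PC. The following PowerShell is an added example, not part of the original article: it reads the Win32_Tpm WMI class that Windows exposes for the TPM and reports whether a TPM is visible and whether its specification version is at least 2.0. Get-TpmReadiness is a hypothetical helper name chosen for this example.

```powershell
# Added example: scripted version of the tpm.msc check. Run from an elevated prompt.
# Get-TpmReadiness is a hypothetical helper name, not a built-in cmdlet.
function Get-TpmReadiness {
    [CmdletBinding()]
    param(
        # Lowest acceptable TPM specification version (2.0 is what the article discusses).
        [version]$MinimumSpec = '2.0'
    )

    # Without elevation the TPM WMI namespace is not readable, which would look
    # exactly like "no TPM". Fail loudly instead of reporting a false negative.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Win32_Tpm yields no instance when Windows sees no TPM at all:
    # either none is fitted, or fTPM/PTT is still switched off in UEFI.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present = $false; Enabled = $false; Activated = $false
            SpecVersion = $null; Manufacturer = $null; MeetsMinimum = $false
        }
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.38";
    # the first field is the specification version (1.2 or 2.0).
    $family = ([string]$tpm.SpecVersion -split ',')[0].Trim()
    $parsed = $null
    $meets  = [version]::TryParse($family, [ref]$parsed) -and ($parsed -ge $MinimumSpec)

    [pscustomobject]@{
        Present      = $true
        Enabled      = [bool]$tpm.IsEnabled_InitialValue
        Activated    = [bool]$tpm.IsActivated_InitialValue
        SpecVersion  = $family
        Manufacturer = $tpm.ManufacturerIdTxt   # vendor ID string reported by the TPM
        MeetsMinimum = $meets
    }
}

Get-TpmReadiness | Format-List
```

If Present comes back False on hardware that should support fTPM or PTT, the firmware option described in the next section is most likely still disabled.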

How to enable TPM 2.0 in BIOS (UEFI)

If you do not have the option active, you will have to go to the motherboard’s BIOS, or more precisely to the settings of its UEFI firmware: today’s computers always use UEFI instead of BIOS, we just often still call it BIOS. See the motherboard’s manual or the Internet for instructions on how to access the UEFI settings. Usually you do it by holding or repeatedly hitting a certain key (Del, F2, F10, etc.) while the computer is booting (not when waking up from sleep, you must restart). An alternative is to use an option from Windows (this is done via the “Advanced Startup” option you can find in Windows Settings).

Guide for AMD platforms

The option to turn on fTPM or Firmware TPM can be located in different places. For example, my Gigabyte motherboard has it in the “Peripherals” settings under “AMD CPU fTPM”. For Asus, the option seems to be in the “Advanced” and “AMD fTPM configuration” sections.

Option to enable fTPM in Gigabyte motherboard settings (Source: Cnews.cz)

These settings can either offer a simple choice to enable or disable fTPM, or alternatively a choice between “Discrete TPM” and “Firmware TPM”. If you do not have a physical TPM, you naturally want to enable the Firmware TPM option.

Option to enable fTPM in Asus motherboard settings (Source: Asus)

Guide for Intel platforms

On Intel motherboards the feature is also sometimes referred to as “Firmware TPM”, but you may not be able to find an option under that name in the BIOS, as Intel renamed it to “Platform Trust Technology,” or PTT. The option therefore usually appears under this name in BIOSes, so look for PTT (or the long name, Platform Trust Technology). By the way, in the case of Intel this function is not operated by the processor, but instead by the chipset (same as Intel ME is), but that is just an implementation detail. For this reason, however, you will find the fTPM or PTT settings among the options for the chipset, under “Platform Controller Hub” or PCH Options/Settings, and so on.

Options to enable PTT in Gigabyte motherboard settings (Source: TenForums)

For example, on Asus boards, this form of firmware TPM can be enabled in the “Advanced” section, then “PCH-FW Configuration” and there you should (hopefully) find the PTT option.

Options to enable PTT in MSI motherboard settings (Source: TenForums)

Some of you will probably be able to simply enable PTT, others may have to choose between “fPTT”, i.e. firmware PTT and “dPTT” or discrete PTT, which means a separate module. Selecting fPTT turns on the firmware TPM we want.

Options to enable PTT in Asus motherboard settings (Source: Asus)

Options that turn on fTPM or (f)PTT can be labelled differently, so if you don’t find them right away, don’t despair. Try to google your motherboard model name and add “PTT” or “fTPM”. Alternatively, you can ask the manufacturer’s support for the location of this option in the BIOS, but searching the Internet will usually be faster.

Which processors allow you to enable TPM 2.0 in the BIOS (UEFI)?

Before you try the previous procedure, we should probably first discuss for which generations of processors and their platforms this option is available at all. You won’t have success with hardware that is too old. For example, the AMD FX processors and older APUs based on Piledriver, Steamroller and Excavator (various A6, A8, A10) did not yet have the fTPM feature.

The AMD platform should support firmware TPM 2.0 from the AM4 motherboards onwards, with Ryzen or Athlon processors based on a Zen architecture. It should be usable on A320/B350/X370 boards and newer.

Processors before Zen might actually require purchasing that hardware module and fitting it to the header on the motherboard—if you are lucky and there is one, that is.

It should be even better on the Intel platform. It seems that PTT (Platform Trust Technology) should already be supported by some Haswell processors or their chipsets (but sadly these only seem to be laptop models), and modern out-of-order Atom SoCs, as well as the Celerons and Pentiums based on them, should support it from the 22nm Bay Trail chip (with Silvermont architecture) onwards. Therefore, even later low-end and energy-efficient SoCs should be able to provide PTT—on the condition that the board or laptop manufacturer provides the option to enable it in UEFI. It is possible that sometimes the manufacturer has neglected to implement it and for that reason some of you will unfortunately not have a chance to turn it on, even if the hardware is absolutely capable.

For desktop computers, the PTT option seems to be present in the Skylake processor generation and boards for them. The B150, Z170 and H110 chipsets all support this technology. So if you have a computer based on Skylake (Intel Core 6th generation) and newer, be sure to look for PTT, your board and its BIOS/UEFI could already offer this option.

Older computers with Haswell or Sandy Bridge/Ivy Bridge processors will again likely have to rely on a dedicated hardware TPM inserted in their TPM header (if present). However, again, I would opt to wait and see until the situation is clarified, in case it by chance turns out that Windows 11 will run even without TPM. Or who knows, maybe you’ll in the end decide that you don’t even need Windows 11 at all.

Microsoft has confirmed that support for Windows 10 will be maintained all the way until 2025, so after the release of Windows 11, it will be possible to continue using the current operating system for a relatively long time without any need to upgrade to W11. All popular applications should continue to work on W10, so you’ll just have to reconcile yourself to the harsh fact that your OS will have outdated looks and lack some new, but often not that vital elements.

Also be aware that TPM is not the only problematic requirement of Windows 11. Microsoft also mentions a requirement for UEFI. So if you have a board with a standard BIOS, which could happen with a Phenom, AMD FX or Intel Core 2 processor, you fall outside the requirements for this reason already and it is useless to try to get a TPM. Graphics with DirectX 12 support and a WDDM 2.0 driver are another item listed in the requirements. This means GeForce of at least the 400/500/600 (Fermi or later) generation, Radeon HD 7000 or later (GCN architecture—this means you need Kabini or Kaveri APU or later for integrated graphics), or Intel graphics from the generation of Skylake processors (Haswell iGPUs used to support DX12, but Intel removed the support because of a security vulnerability that it was exposing). If you do not meet this requirement, it again makes no sense to bother with TPM for now.

Windows 11 hardware and other requirements (Source: Microsoft)

TPM 2.0 or just TPM 1.2?

Although most news and documents say that TPM 2.0 will be required, contradictory messages have appeared that even older TPM 1.2 devices might suffice. So again, we probably don’t need to freak out yet. There are many months left until the release of Windows 11, and it is quite possible that some requirements will change. Therefore, it will be better to postpone any preparations done to your PC until all this clears up, because otherwise you may worry a lot and later find it was all unnecessary. Note that if you are building or buying a new PC now and choosing components and specifications, then that’s another story completely. In such a case it is a good idea to set yourself up so that Microsoft’s current requirements for RAM size, UEFI Secure Boot support, DirectX 12 graphics and also TPM 2.0 (again, no need for the hardware variant, the firmware TPM is all you need) are met.

Sources: Microsoft, TenForums, Asus, MSI, Heureka.cz, Gigabyte, our own

Translated, original text by:
Jan Olšan, editor for Cnews.cz

