What is a TPM (Trusted Platform Module)?
A Trusted Platform Module (TPM) is a special integrated chip for laptops and other computers. The chip offers important security features for testing the integrity and security of systems and software in a protected environment. If your operating system supports TPM, you can activate it using the BIOS features or deactivate it as needed.
What does Trusted Platform Module mean?
Both companies and private users have an interest in security measures that protect their systems and fight malware and ransomware. There are a number of tools out there for increasing your system’s security, including firewalls, antivirus programs, and the Trusted Platform Module. TPM is an integrated chip for laptops and other computers that offers additional security features for hardware and software, including authentication, user identification, checking software licenses, and saving keys, passwords, and certificates.
A TPM works like a safe: an isolated environment that is protected from tampering and malware. During the boot process, the TPM checks the integrity of the hardware and software being started. This ensures that the operating system isn’t compromised and that the startup process is safe. TPMs were originally standalone chips fitted mainly to corporate computers, but most modern AMD and Intel CPUs now include TPM functionality. Some motherboards, however, still require an additional TPM chip. In the long term, integrated TPMs will be standard on all hardware, since Windows 11 requires TPM 2.0.
Where is a TPM located?
The TPM chip functions as a dedicated processor and is located on the device’s motherboard. Motherboards without a preinstalled TPM chip come with a slot (header) for inserting one. You can use this slot to install a TPM independently of your computer’s CPU. If you need a standalone chip for TPM functionality, look for a compatible chip from the same year and same manufacturer as the motherboard.
What are the benefits of a Trusted Platform Module?
A TPM comes with the following benefits:
- Creating and saving passwords, certificates, and crypto keys for more secure encryption processes
- Checking/monitoring platform integrity using measurements and comparison processes in order to detect tampering with the boot process
- Hardware authentication of the operating system using RSA cryptosystems
- Protecting the system from malicious changes to the software or firmware using an Attestation Identity Key (AIK), which checks components’ integrity using hashing
- Optimized defense against malware, ransomware, dictionary attacks and phishing with firewalls, smart cards, biometric tests, and antivirus programs
- Checking software licenses using Digital Rights Management (DRM)
How can you check the TPM on your own device?
Since TPM 2.0 is a requirement for Windows 11, a lot of users wonder whether their device has TPM. There are a few ways to check for a TPM chip in your system. Note that even integrated TPM chips aren’t always activated by default.
In Windows, you can check whether you have a TPM chip or check the version of your chip. Here are three ways to do that:
Open TPM Management
One way to check whether you have a TPM chip is using the TPM Management Tool. First, enter the command “tpm.msc” into the Windows search field. This will open the integrated TPM Management Tool. If your device doesn’t have a TPM chip, you’ll be shown a message saying so in the next window. If you do have a TPM chip on your motherboard, the window will display information about the type and version of the chip.
Open Device Manager
You can also check for a TPM chip using the Device Manager. First, use the Windows shortcut [Windows] + [X] and click on “Device Manager”. Then navigate to the side menu on the left, click on “Security Devices”, and open the drop-down menu. If you do have a TPM chip, you’ll see which version it is there.
Check using the command prompt
To check whether you have a TPM using this method, you’ll first need to open the command prompt. To do that, open the “Run” dialog using the shortcut [Windows] + [R]. Then enter the command “cmd” and use the shortcut [Windows] + [Shift] + [Enter] to open the command prompt as an administrator.
Next, to check whether you have a TPM chip, enter the following command:
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get /value
If you do have a TPM chip, the line “SpecVersion=” in the output shows which version you have.
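As an added example (not code from the original article), the following PowerShell script queries the same Win32_Tpm class as the wmic command above through Get-CimInstance and reports the specification version together with the enabled and activated flags, so it also catches the case where a TPM is present but switched off in BIOS/UEFI. It assumes an elevated PowerShell prompt; the verdict strings are this example’s own wording.

```powershell
# Added example, not part of the original article. Reads the Win32_Tpm WMI class
# (the one the wmic command queries) via Get-CimInstance and summarises TPM state.
# Run from an elevated PowerShell prompt; Win32_Tpm requires administrator rights.

function Get-TpmStatusReport {
    $tpm = Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

    if (-not $tpm) {
        # No instance: either no TPM is installed, or it is disabled in BIOS/UEFI
        # and therefore not exposed to Windows at all.
        return [pscustomobject]@{
            Present     = $false
            SpecVersion = $null
            Enabled     = $false
            Activated   = $false
            Verdict     = 'No TPM visible to Windows (none installed, or disabled in BIOS/UEFI)'
        }
    }

    # SpecVersion is a string such as "2.0, 0, 1.38" or "1.2, 2, 3"; the first
    # comma-separated field is the TPM specification version.
    $specVersion = ([string]$tpm.SpecVersion -split ',')[0].Trim()
    $isTpm20     = $specVersion -match '^2\.'
    $enabled     = [bool]$tpm.IsEnabled_InitialValue
    $activated   = [bool]$tpm.IsActivated_InitialValue

    $verdict = if (-not ($enabled -and $activated)) {
        'TPM present but not enabled/activated: turn it on in BIOS/UEFI or tpm.msc'
    } elseif (-not $isTpm20) {
        "TPM $specVersion only: does not meet the Windows 11 TPM 2.0 requirement"
    } else {
        'TPM 2.0 enabled and activated: meets the Windows 11 requirement'
    }

    [pscustomobject]@{
        Present             = $true
        SpecVersion         = $specVersion
        ManufacturerVersion = $tpm.ManufacturerVersion
        Enabled             = $enabled
        Activated           = $activated
        Verdict             = $verdict
    }
}

Get-TpmStatusReport | Format-List
```

wmic is deprecated in current Windows releases, so Get-CimInstance is the supported way to read the same class going forward.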
How can you activate and deactivate a TPM chip?
Your TPM chip may or may not be activated by default, depending on the model, version, and age of your computer. Note that even if a TPM chip is integrated, that does not guarantee that it’s been activated by default. Some firmware TPMs might require BIOS or UEFI updates. If the TPM isn’t activated by default, there are a couple of options for activating it manually or for deactivating it.
Activating and deactivating TPM in BIOS
Step 1: Start up your system and open BIOS. (Depending on your operating system, you can do that by pressing [F2], [F12], or [DEL] during startup.)
Step 2: In the menu, go to “Security” and then to “Trusted Computing.”
Step 3: Activate the item “Security Device Support”.
Step 4: Activate “PTT” from under “TPM Device”.
Step 5: Save the changes and restart the computer. To deactivate TPM, follow the same steps and deactivate the items instead of activating them.
Activating and deactivating TPM using the TPM Management Tool
Step 1: Enter “tpm.msc” and press [Enter] to open the TPM tool.
Step 2: In the “Action” pane, click “Activate TPM”. Read the page “Activate TPM security software” carefully.
Step 3: Go to “Shut down” or “Restart” and follow the UEFI steps.
Step 4: When the computer starts up again, accept the new TPM configuration. This is how the system ensures that only authenticated users make changes.
Step 5: TPM will then be activated for Windows.
Step 6: To deactivate, click “Deactivate TPM” in the “Action” pane. Under “Deactivate TPM security software”, select whether you want to enter your password using removable media, enter it manually, or deactivate without entering your password.
What happens when you deactivate TPM?
If you delete or deactivate TPM, you might end up losing data. This applies to keys, passwords, certificates, virtual smart cards, and login PINs. To prevent any unintentional losses, take the following precautions:
- Make sure you have a backup of the data saved in the TPM chip.
- Only delete or deactivate TPMs on your own devices, or make sure you have the IT admin’s permission to do so.
- Check what the owner’s manual has to say about TPM or look it up on the manufacturer’s website.
- If possible, use the TPM Management Tool when you deactivate and/or create a system backup before you make changes in BIOS and UEFI mode.
What types of TPMs are out there?
There are a number of different types of TPMs, which mostly differ in the way they’re implemented.
- Discrete TPM: A discrete Trusted Platform Module is a dedicated chip and is usually the best type of TPM. It supports more encryption algorithms, provides protection from tampering, and is the least error-prone. The downside is that it requires more space.
- Physical-based TPM: This type is integrated into the CPU and provides physical security features that protect you from manipulations and malware.
- Firmware-based TPM: Like physical-based TPMs, firmware-based TPMs work in a secure CPU execution environment and prevent manipulations.
- Virtual TPM: Virtual TPMs can be created using a hypervisor. The TPM will generate security keys independent of the virtual machine.
- Software-based TPM: Software-based TPMs aren’t advisable, as they only offer limited security benefits and are more open to errors and malware.