What Is a TPM Device and What Does It Do?

A TPM, or Trusted Platform Module, is a small security chip built into (or integrated with) your computer that stores encryption keys and verifies that no one has tampered with your system. Think of it as a vault inside your computer that handles sensitive cryptographic operations in a space that’s isolated from the rest of your hardware and software. If you’ve heard of TPM recently, it’s likely because TPM 2.0 is a hard requirement for running Windows 11.

How a TPM Works

A TPM is a low-cost, tamper-resistant chip specifically designed as a building block for what the industry calls “trusted computing.” It generates, stores, and manages cryptographic keys in a protected environment that even malware running on your operating system can’t reach. The chip has its own processor and non-volatile memory, meaning it retains information even when your computer is powered off.

Two permanent keys live inside the TPM and never leave it. The first is the Endorsement Key, a unique identity baked into the chip during manufacturing. The private half of this key is embedded in the TPM and cannot be extracted, which makes it possible to prove that a specific TPM (and by extension, a specific computer) is genuine. The second is the Storage Root Key, which the TPM generates when you first take ownership of it. This key sits at the top of a hierarchy that protects all the other keys and secrets the TPM manages on your behalf.

Because these keys never leave the chip, an attacker who steals your hard drive or clones your operating system still can’t decrypt data that was sealed by the TPM. The secrets are bound to that specific piece of hardware.

What a TPM Actually Does for You

The most visible use of a TPM on a Windows PC is BitLocker drive encryption. BitLocker binds your encryption keys to the TPM so that your drive can only be unlocked on the original device, and only if the system hasn’t been tampered with while it was off. On devices with a compatible TPM, BitLocker can unlock your drive automatically when the TPM confirms everything looks normal, making the sign-in experience identical to an unencrypted system. For higher security, you can also require a PIN, a USB startup key, or both in addition to the TPM check.

Windows Hello, the feature that lets you sign in with your face, fingerprint, or PIN, also relies on the TPM to store your biometric credentials securely. Instead of sending your fingerprint data to a remote server, the TPM keeps it locked on your device. The NSA has also highlighted TPMs as useful for unique system identification and protecting full-disk encryption keys, reinforcing that these aren’t just consumer convenience features.

Measured Boot: Catching Tampering Early

One of the TPM’s most important jobs happens before your operating system even loads. During a process called measured boot, each stage of the startup sequence is cryptographically measured, meaning a hash (a digital fingerprint) of the code is recorded into special registers on the TPM called Platform Configuration Registers, or PCRs. If someone modifies your boot software, the measurements won’t match, and the TPM can refuse to release encryption keys.

BitLocker uses this directly. When Windows seals the BitLocker key to the TPM, it does so with a specific PCR value. If a rogue bootloader tries to take over during startup, it changes that PCR value, and the TPM won’t hand over the key. The attacker is locked out before they ever reach the operating system.
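To make the PCR mechanics concrete, here is an added simulation (not Windows, BitLocker, or TPM code) of a single SHA-256 PCR and of sealing a key to it: each boot stage is extended into the register, the key is wrapped under a value derived from the expected PCR, and unsealing only succeeds if the boot chain measured identically. The storage root key, the boot stage contents and the sealed key are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed example of measured boot and PCR-bound sealing. A real TPM
# performs the extend and the policy check inside the chip; this only
# reproduces the logic so the "wrong PCR -> no key" behaviour is visible.

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR starts as all zeros at power-on

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). It is one-way and
    order-dependent, so any changed stage changes every later value."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(stages) -> bytes:
    """Extend each boot stage in order into one PCR; return the final value."""
    pcr = PCR_INIT
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr

def seal(secret: bytes, expected_pcr: bytes, srk: bytes) -> dict:
    """Wrap 'secret' (up to 32 bytes) under a key derived from the never-
    exported storage root key and the PCR value the boot chain must reach."""
    nonce = os.urandom(16)
    wrap = hmac.new(srk, b"wrap" + expected_pcr + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unseal(blob: dict, current_pcr: bytes, srk: bytes):
    """Re-derive the wrapping key from the PCR as it is now. A different boot
    chain gives a different key, the tag fails, and None is returned."""
    wrap = hmac.new(srk, b"wrap" + current_pcr + blob["nonce"], hashlib.sha256).digest()
    tag = hmac.new(wrap, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], wrap))

def demo():
    """Seal a key to a clean boot chain, then unseal with the same chain and
    with a chain whose bootloader was swapped. Returns (clean, tampered)."""
    srk = b"\x11" * 32  # constructed stand-in for the storage root key
    clean = [b"firmware v1", b"bootloader v1", b"winload v1"]
    tampered = [b"firmware v1", b"bootloader EVIL", b"winload v1"]
    key = b"bitlocker-volume-master-key!"  # constructed sealed secret
    blob = seal(key, measure_boot(clean), srk)
    return unseal(blob, measure_boot(clean), srk), unseal(blob, measure_boot(tampered), srk)
```

Running `demo()` returns the key for the clean chain and `None` for the tampered one, which is the behaviour BitLocker relies on when it falls back to recovery mode.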

Discrete TPM vs. Firmware TPM

Not all TPMs are separate physical chips. There are three ways a TPM can be implemented:

  • Discrete TPM (dTPM): A standalone chip in its own semiconductor package, typically soldered onto the motherboard. This is the traditional approach and offers the strongest physical isolation since the security logic is completely separate from the main processor.
  • Integrated TPM: Dedicated security hardware built into a larger chip package alongside other components, but logically separate from them.
  • Firmware TPM (fTPM): TPM functionality running as firmware inside a trusted execution environment on your main processor. Intel calls its version Platform Trust Technology (PTT), and AMD calls it simply fTPM.

Windows treats all three identically. If your computer was built in the last several years and doesn’t have a discrete TPM chip, it almost certainly has a firmware TPM available. You may just need to enable it in your BIOS settings.

Why Windows 11 Requires TPM 2.0

Microsoft made TPM 2.0 a non-negotiable requirement for Windows 11, calling it “an important building block for security-related features.” The older TPM 1.2 standard, which was limited to discrete chips, supported fewer cryptographic algorithms and couldn’t handle the broader range of security functions that Windows 11 features like BitLocker and Windows Hello depend on. TPM 2.0 is also an international standard (ISO/IEC 11889), which ensures consistent behavior across manufacturers.

If your device has a TPM version below 2.0, it does not meet the Windows 11 requirement, and the installer will block the upgrade.

How to Check Your TPM Status

On a Windows PC, right-click the Start menu, select “Run,” and type tpm.msc. This opens the TPM Management console. Under the Status section, look for the message “The TPM is ready for use.” Under TPM Manufacturer Information, check that the Specification Version reads 2.0.

If the TPM is not detected, it may be disabled in your BIOS or UEFI settings. The exact menu location varies by manufacturer, but it’s commonly found under Security or Advanced settings. On Intel systems, look for “Platform Trust Technology” or “PTT.” On AMD systems, look for “fTPM” or “AMD PSP fTPM.” Enable it, save your settings, and reboot. Running tpm.msc again should now show the TPM as ready.

Pluton: The Next Step

Microsoft Pluton is a newer security processor built directly into the CPU on some recent laptops and desktops. It supports the TPM 2.0 standard, so Windows features that rely on a TPM work with Pluton out of the box. Two things set it apart. Because Pluton sits inside the processor itself, there is no communication bus between a separate chip and the CPU for an attacker with physical access to probe, which closes a known weakness of discrete TPMs. And Pluton’s firmware is maintained and updated by Microsoft through Windows Update, rather than depending on the TPM vendor and the PC manufacturer to ship fixes.

Device manufacturers can choose whether Pluton acts as the system’s TPM or runs alongside a discrete TPM as an additional security processor. On some systems, Pluton ships disabled by default, with the discrete TPM handling standard duties while Pluton is available for other security tasks.