Microsoft unveiled Windows 11 this summer and, when system requirements for the update were later released, one, in particular, drew considerable attention: the Trusted Platform Module (TPM) version 2.0. TPM 2.0 is required to run Windows 11 as an important building block for security-related features. The move is part of Microsoft’s broader push for security by design, a concept that is central to several data protection laws, such as the EU’s General Data Protection Regulation (GDPR). The company’s overall aim is to create chip-to-cloud Zero Trust out of the box.
TPM, also known as ISO/IEC 11889-1, is an international standard for secure cryptoprocessors: dedicated microcontrollers designed to secure hardware through integrated cryptographic keys. A TPM chip is one that conforms to that standard and can either be integrated into a computer’s motherboard or can be added separately into the CPU. According to David Weston, Microsoft’s Director of Enterprise and OS Security, it helps protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.
TPM chips have been around for a while but have only been widely used in IT-managed business laptops and desktops. It’s not a particularly new feature for Windows either: it was actually made a requirement for Windows 10 as well but was not enforced the way it has been for Windows 11. Both Windows 10 and Windows 7, however, supported TPM and used it for a variety of functions.
Why does Windows need TPM?
Windows is the most widely used operating system in the world. While it has gained some competition from macOS, Linux and Chrome OS in recent years, it still dominates the global market, running on no less than 75% of all PCs currently in use. As such, it’s also the number one target for cyberattacks, with some of the world’s biggest headline-grabbing ransomware and malware attacks targeting Windows-running devices.
With the enforcement of TPM, but also new features such as Secure Boot and Virtualization-based security (VBS), Microsoft is taking a proactive approach to security, trying to offer users the highest level of security straight out of the box.
Security upgrades can be applied at both the software and hardware level. While security software can be an effective prevention tool against hacking, it is also more susceptible to outside interference: an unpatched vulnerability or a new type of exploit can be leveraged by a seasoned hacker to bypass or compromise security software and gain access to systems and the sensitive data stored on them. Hardware security, meanwhile, is hardcoded, meaning that the cryptographic keys cannot be modified unless an intruder knows them in advance.
TPM 2.0 elevates the Windows standard for hardware security by requiring a built-in root of trust, which is an effective protection against both common and sophisticated attacks such as ransomware. Among other things, it will be used when encrypting disks with BitLocker and to protect identities when using Windows Hello.
The move toward widespread TPM adoption has been welcomed by organizations such as the Trusted Computing Group (TCG), an NGO formed to develop, define and promote open, vendor-neutral, global industry specifications and standards such as TPM.
“The application of TPM as a hardware-based root of trust will play a vital role in determining the operational state, its trustworthiness, and the authenticity of Windows systems,” Joerg Borchert, President of Trusted Computing Group, says. “Windows 11 will benefit from being much more secure and will pave the way for further security adoption across the industry. The adoption of TPM hardware-based security and the implementation of Zero Trust Architecture elements strengthens the overall security of the operating system.”
The TPM requirement’s impact on older PCs
How big an inconvenience will TPM enforcement prove for companies that operate computers running Windows? It really depends on how old their machines are. Most computers that have shipped in the last five years are capable of running TPM 2.0. This means that most CPUs already include a firmware version of TPM 2.0. Admins just need to ensure it is enabled before they start Windows 11 installations.
Older hardware that does not have TPM 2.0 will be excluded from the Windows 11 update. Microsoft confirmed in a Q&A session that it is taking a hardline approach to TPM enforcement, as it is seen as a necessity for a more secure Windows experience moving forward. While TPM can be added separately into the CPU, older computers still run the risk of being shut out of future updates, as Microsoft said in August that unsupported PCs running Windows 11 wouldn’t be entitled to receive updates.
Companies must therefore check whether they meet Microsoft’s requirements for Windows 11, enable TPM where it is disabled and look into upgrading older machines. Pairing a physical TPM module with older CPUs may prove more trouble than it’s worth and ultimately only provide organizations with a short-term solution.
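The readiness check described above, as an added example that is not part of the original post: an inventory script an admin can run on each Windows 10 machine before migration. It uses only the built-in `Get-Tpm`, `Win32_Tpm` (WMI) and `Confirm-SecureBootUEFI` interfaces; the function name `Get-Win11TpmReadiness` is this example's own.

```powershell
# Added example: report whether this machine has a TPM 2.0 that is present,
# enabled and ready, plus the current Secure Boot state. Must be run from an
# elevated PowerShell session (Get-Tpm and Win32_Tpm require administrator).
#Requires -RunAsAdministrator

function Get-Win11TpmReadiness {
    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        TpmPresent     = $false
        TpmEnabled     = $false
        TpmReady       = $false
        TpmSpecVersion = $null
        SecureBoot     = $null   # $null = could not be determined (legacy BIOS)
        TpmOk          = $false
    }

    # Get-Tpm reports presence and whether the TPM is enabled/ready for use.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmEnabled = [bool]$tpm.TpmEnabled
        $result.TpmReady   = [bool]$tpm.TpmReady
    }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; the first field is the
    # TPM specification version, which is what Windows 11 checks.
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    if ($wmi -and $wmi.SpecVersion) {
        $result.TpmSpecVersion = ($wmi.SpecVersion -split ',')[0].Trim()
    }

    # Confirm-SecureBootUEFI throws on machines booted in legacy BIOS mode,
    # so treat an exception as "unknown" rather than as a script failure.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $null }

    $result.TpmOk = $result.TpmPresent -and $result.TpmEnabled -and
                    $result.TpmReady -and ($result.TpmSpecVersion -eq '2.0')
    [pscustomobject]$result
}

$report = Get-Win11TpmReadiness
$report | Format-List
if (-not $report.TpmOk) {
    Write-Warning 'No usable TPM 2.0 found: enable the firmware TPM (fTPM/PTT) in UEFI settings, or plan a hardware upgrade.'
}
```

Across a fleet, wrap the call in `Invoke-Command -ComputerName` and export the objects to CSV to get a list of machines that still need the firmware TPM enabled or replacing.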
Zero-Day support for Windows 11
TPM is not the only problem companies need to worry about. Before upgrading to Windows 11, they should also check that their existing security software will be compatible with the new version of the operating system. Interruption of security policies can spell disaster for companies, so it is crucial their security products provide uninterrupted service.
Our own Data Loss Prevention (DLP) solution, Endpoint Protector, offers zero-day support for Windows 11. Through it, companies can proceed with OS migration without delay or disruption to existing data protection policies, ensuring that sensitive information is continuously monitored and controlled.