Windows 11 Requires TPM – What is TPM and Why it Matters?

With Microsoft’s announcement of Windows 11 releasing later this year and a requirement for systems to have a Trusted Platform Module (TPM) to be able to run Win11, I’ve been getting a lot of questions about what TPM is and why it’s important.

What is TPM?

TPM, or Trusted Platform Module, is a cryptoprocessor integrated into hardware systems (laptops, desktops, datacenter servers, etc.) that operating systems (like Microsoft Windows 7 and higher) leverage for enhanced security.

A highly important component of security is encryption: the ability to take data and scramble it with a key so that it can only be unscrambled with the same key. TPM provides the operating system and applications a random number generator that creates a "key" that is universally unique to each system.

How Does TPM Make my System More Secure?

A simple use of TPM encryption in Microsoft Windows is BitLocker drive encryption, which encrypts the hard drive and all data on it, using the TPM chip to generate a unique security key. A BitLocker-protected hard drive cannot be removed from one computer and put into another computer to be booted and accessed. To access the data on an encrypted hard drive, it must be booted and accessed FROM the computer with the TPM chip in it, or you need a backup of your TPM "key" that can be used on another computer system to unlock the drive.

This drive encryption solves an age-old problem with password-based system logons. As much as you might think your computer (and the data on it) is secure because it requires you to type in a logon and password to "boot" and access your system, password-based systems simply require someone to take the hard drive out of the system, boot and successfully log on to another computer, and mount the seemingly secure, password-protected drive as a second (D:) drive, and all files and data on the drive are easily accessible. This is the easiest way of accessing a password-protected laptop, desktop, or mobile phone. Passwords mean nothing when you can mount the drive and bypass the cute logon screen.

TPM helps BitLocker in Windows scramble the data, so even if the drive were mounted on another system, the data is still encrypted until you decrypt the drive using the TPM-generated key.

Why is TPM in Windows 11 Important?

Unless you've been living under a rock the past year, you know cyberattacks cover the news headlines daily these days, whether it's ransomware, phishing attacks, database theft, etc. Encryption-based security has existed for years, with organizations able to buy various tools to encrypt emails, files, servers, logon credentials, data transmission, etc. So this whole encryption thing isn't new, and TPM has been supported by Microsoft since Windows 7.

However, in the past, the challenge with the use of encryption was all the varying "standards" (from hundreds of vendors) as well as the management of the encryption keys. Until now, encryption was done product by product, and many times the crucial storing of these "keys" was left to users who are administrators of their own laptop devices. If the user's system dies and they didn't back up their encryption key(s), they completely lose access to ALL of their data.

In the enterprise, it gets challenging for organizations to help their users with the varying tools, standards, and key management, especially when users own their own laptops (BYOD) or users go out and buy/install their own encryption software.

With Microsoft requiring TPM in Windows 11, ALL Windows 11 systems will have TPM hardware, and the enterprise will be able to enable a single technology for encryption of laptops, desktops, and servers AND Microsoft's Active Directory (and Azure Active Directory) provides the ability for the device keys to be backed up "over the air" to the enterprise's security vault.

If the user's laptop crashes, an authorized security administrator (including the user themselves) can access their keys and decrypt their data to be transferred to another system. Or if an employee leaves an organization, the security administrator can decrypt a user's drive to access critical business information.

Isn't Centralized Key Management a Security Risk in Itself?

Absolutely, with keys stored in Active Directory or Azure Active Directory, an organization can't just allow "any" system administrator access to the key vault, AND the organization should implement Privileged Access Management (PAM) to control who has access to the information, from where, and even layer on a full workflow involving multiple layers of approval for access to the keys.

So an organization needs to improve the maturity of its security processes and procedures. However, the unified use of keys on EVERY laptop and system in an organization provides a universal key and encryption system that can greatly improve security throughout the enterprise.

Can I Add TPM to an Older System?

Systems need to come "with" TPM built into the system. While desktops and servers without TPM "can" sometimes simply have a $50 TPM module "added" to the system, laptops typically don't have the extra space and socket to pop in the module. So you would need to buy a system that has TPM (2.0 is the current version) included.

While most systems sold in the past 4-5 years have TPM chips built into them, don't be too concerned if your system doesn't have a TPM chip right now, as Microsoft has stated they will continue to support Windows 10 through October 2025. Just keep in mind for the next purchase of laptops, desktops, or servers that you plan to keep around to support the next generation of Windows operating systems: make sure those systems come with TPM 2.0 chips embedded.
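
To check a given machine against the points above (is a TPM 2.0 chip present, is BitLocker using it, and is there a recovery key to back up to Active Directory or Azure Active Directory), the following PowerShell is an added example, not part of the original article. The function names are hypothetical; the cmdlets they call ship with Windows and must be run from an elevated prompt.

```powershell
# Added example: TPM / BitLocker readiness report for the local machine.
function Get-TpmReadiness {
    $tpm = Get-Tpm
    # Win32_Tpm carries the spec version as a string such as "2.0, 0, 1.38"
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }
    [pscustomobject]@{
        TpmPresent  = $tpm.TpmPresent
        TpmReady    = $tpm.TpmReady
        SpecVersion = $spec
        MeetsTpm20  = ($tpm.TpmPresent -and $spec -eq '2.0')
    }
}

function Get-BitLockerProtectorSummary {
    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            HasTpmProtector     = [bool]($types -like 'Tpm*')
            # Local check only: this does not prove the key was escrowed centrally
            HasRecoveryPassword = $types -contains 'RecoveryPassword'
        }
    }
}

function Backup-RecoveryPassword {
    param([string]$MountPoint = $env:SystemDrive, [switch]$ToAzureAD)
    $ids = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object KeyProtectorId
    foreach ($id in $ids) {
        if ($ToAzureAD) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
        } else {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
        }
    }
}

Get-TpmReadiness | Format-List
Get-BitLockerProtectorSummary | Format-Table -AutoSize
```

`Backup-RecoveryPassword` is defined but not called by the report; run it on a domain-joined or Azure AD-joined machine when the summary shows a recovery password that has not yet been backed up.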
