
Find out if your computer supports TPM

Microsoft announced recently that all new devices that ship with Windows 10 once the operating system's Anniversary Update comes out need to support the Trusted Platform Module 2.0 (TPM) and have it enabled by default.

While this won't affect existing devices or devices that you build yourself, the majority of devices that OEMs produce, including all client PCs and Windows mobile devices, need to ship with TPM 2.0 enabled.

This makes TPM 2.0 a hardware requirement for new devices that ship with the Windows 10 Anniversary Update.

Microsoft made the decision to exempt some devices from that:

  • Windows Desktop: all desktop PCs need to ship with Trusted Platform Module 2.0 and have it enabled.
  • Windows Server: TPM 2.0 is optional unless certain criteria are met.
  • Windows Mobile: all Windows Phones and tablets require TPM 2.0.
  • Windows IoT: TPM 2.0 remains an optional component.

The main reason why Microsoft enforces TPM 2.0 is that several features of the operating system depend on it.

| Windows 10 Feature | TPM 1.2 | TPM 2.0 | Details |
|---|---|---|---|
| UEFI Secure Boot | | | |
| Conditional Access | | | |
| Enterprise Data Protection | | | |
| Windows Defender - Advanced Threat Detection | | | |
| Device Guard / Configurable Code Integrity | | | |
| Windows Hello | | | |
| Credential Guard | Yes | Yes | More secure with TPM 2.0 |
| Measured Boot | Yes | Yes | More secure with TPM 2.0 |
| Device Health Attestation | Yes | Yes | Requires TPM |
| Virtual Smart Card | Yes | Yes | Requires TPM |
| Passport: Domain AADJ Join | Yes | Yes | Supports both versions, but requires TPM with HMAC and EK certificate for key attestation support. |
| Passport: MSA / Local Account | Yes | Yes | Requires TPM 2.0 for HMAC and EK certificate for key attestation support |
| BitLocker | Yes | Yes | TPM 1.2 or later required or a removable USB memory device such as a flash drive |
| Device Encryption | | Yes | For Modern Standby devices, all require TPM 2.0 |

Several of the features are for business / Enterprise devices only.

Find out if TPM is supported on Windows


Current devices won't be able to make use of some of the security features listed above if they don't support TPM.

To find out if TPM 1.2 or 2.0 is available and enabled on your Windows device (desktop), do the following:

  1. Use Windows-R to open the run box.
  2. Type tpm.msc and hit enter.
  3. Confirm the UAC prompt that appears.


This opens the Trusted Platform Module (TPM) management on the local computer.

If TPM is supported, you may get options to turn on the TPM Security Hardware, create the TPM owner password, clear the TPM, block or allow TPM commands, or turn off TPM by selecting the option in the actions pane. Please note that you need to enter the owner password to do so.

Information about TPM is also available in the Device Manager but only if the feature is enabled and supported on the device.

You find information there under Security devices.

If TPM is not supported, you get the message "Compatible TPM cannot be found".

This does not necessarily mean that TPM is not supported on the device as its state is controlled by the BIOS/UEFI.

If you get that message, you need to boot your computer and load the BIOS/UEFI management screen to find out about that.

Where you find that depends largely on the BIOS or UEFI of the computer. If you run a recent Surface device for instance, you find reference to TPM under Security. There you can enable or disable TPM.
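
The same check can be scripted instead of read off the tpm.msc window. The following PowerShell function is an added example, not part of the original article; the function name Get-TpmSupportSummary and its output fields are made up for illustration, while Win32_Tpm and its properties are the standard Windows TPM WMI class.

```powershell
function Get-TpmSupportSummary {
    # Win32_Tpm is readable only from an elevated session; without this check an
    # access-denied error would be indistinguishable from a missing TPM.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # The query returns nothing when Windows sees no TPM. That covers both
    # "no chip" and "chip disabled in BIOS/UEFI" (the tpm.msc "cannot be found" case).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
               -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $tpm) {
        return [pscustomobject]@{
            Present = $false; Enabled = $false; Activated = $false
            SpecFamily = $null; MeetsTpm20 = $false
            Note = 'No TPM visible to Windows; check the BIOS/UEFI settings.'
        }
    }

    # SpecVersion is a comma-separated string, for example "2.0, 0, 1.38"; the
    # first field is the specification family (1.2 or 2.0). It can also read
    # "Not Supported", so parse it defensively.
    $family = "$($tpm.SpecVersion)".Split(',')[0].Trim()
    $parsed = $null
    $isVersion = [version]::TryParse($family, [ref]$parsed)

    $note = 'TPM is enabled.'
    if (-not $tpm.IsEnabled_InitialValue) {
        $note = 'TPM found but not enabled; turn it on in tpm.msc or in firmware.'
    }

    [pscustomobject]@{
        Present    = $true
        Enabled    = [bool]$tpm.IsEnabled_InitialValue
        Activated  = [bool]$tpm.IsActivated_InitialValue
        SpecFamily = $family
        MeetsTpm20 = $isVersion -and ($parsed -ge [version]'2.0')
        Note       = $note
    }
}

Get-TpmSupportSummary | Format-List
```

A result with Present set to False has the same meaning as the tpm.msc message: the TPM may still exist but be switched off in firmware.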

 

This article was first seen on ComTek's "TekBits" Technology News
