Security | Vulnerability Scans and Assessment Windows

When Should I Use TPM or TPM + PIN

Trusted Platform Module (TPM)

One of the main requirements in Microsoft’s Windows, particularly Windows 11, operating system is a little-known PC security feature known as the Trusted Platform Module. If you are looking to build your own Windows 11 PC or upgrade one that is running an earlier version of Windows, this might be cause for concern. Please see this detailed guide on how to Get TPM information: How to determine if TPM is present and how to enable TPM in the BIOS.

For more related information on TPM and other interesting guide please read: Enable or Disable TPM Auto-provisioning: How to fix waiting for TPM auto-provisioning, How to Enable Secure boot and TPM on HyperV: How to fix “This PC Can’t Run Windows 11” on Hyper V, How to clear, enable or disable TPM in Windows via the BIOS or UEFI, and Enable BitLocker without Compatible TPM: How to enable Bitlocker Pre-Boot authentication password via the Group Policy.

So, let’s have a look at what TPM is and how it operates in Windows, and when we should use it or activate a TPM + PIN.

What is a TPM?

According to Microsoft, a Trusted Platform Module (TPM) is a microprocessor designed to perform basic security operations, most notably encryption key management. A TPM is installed on a computer’s motherboard and connects with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-proof. If an attacker tries to physically retrieve data directly from the chip, they’ll probably destroy the chip in the process. The TPM chip functions similarly to the authenticator software on your phone that you use to log into your bank account. Turning on your computer is equivalent to putting your username and password into the login screen in this instance. You will be unable to access your money if you do not enter a code within a short period of time.

Similarly, when you turn on a modern PC with full-disk encryption and a TPM, the small chip will offer a unique code known as a cryptographic key. If everything is in order, the disk encryption will be unlocked, and your machine will boot up. Your PC won’t start if there is an issue with the key, such as if a hacker hijacked your laptop and attempted to tamper with the encrypted disk within. 

Though on the most fundamental level, that is how modern TPM systems work, there is much more they are capable of. The TPM is used by several applications and other PC functionalities once the operating system has booted. TPM is used by Outlook and Thunderbird email clients to manage encrypted or key-signed communications. The TPM is also used by Firefox and Chrome’s web browsers for certain more advanced tasks, such as keeping track of websites’ SSL certificates. TPMs are used by a wide range of consumer electronics products outside of PCs, including printers and linked home devices. 

Why Should I Enable TPM + PIN

Simply having TPM only enabled on your system is not enough to protect against malicious acts, which is why pre-boot authentication with full-disk encryption properly configured with the TPM is required. Pre-boot authentication is designed to prevent the encryption key from being loaded to system memory on devices that are vulnerable to certain types of cold boot attacks.

If you use BitLocker to encrypt your Windows system disk, you may add a PIN for extra security. Before Windows will even start, you must input the PIN every time you switch on your PC. This is different from a login PIN, which you input after Windows boots up. By binding the BitLocker encryption key with the TPM and properly configuring the device, it is extremely hard for an attacker to gain access to BitLocker-encrypted data without having an authorized user’s credentials. As a result, computers fitted with a TPM can offer a high level of security against attackers attempting to directly obtain the BitLocker encryption key.

If Windows is unable to access the encryption key, the device will be unable to read or edit the data on the system disk. Even if an attacker steals the entire PC or removes the disk, they will be unable to view or alter the contents without the encryption key. The only way to avoid pre-boot authentication is to input the highly complex 48-digit recovery key.

Does My PC Already Have TPM 2.0? 

If your machine fulfills the other Windows 11 minimum system requirements, it may support TPM 2.0. The standard, however, is very new. If you bought your PC after 2016, it almost definitely came with TPM 2.0. If your machine is more than a few years old, it most likely has the outdated TPM 1.2 version (which Microsoft states is not recommended for Windows 11) or no TPM at all.

To know if your system meets the Windows 11 installation requirements, you can use the Microsoft PC Health Check app.  

PC Health Check

However, you can still bypass this requirement to install and enjoy the new Windows 11 look and features. Here is a detailed article on how to use install Windows 11 without TPM 2.0. If you have a TPM 2.0 but it’s not currently enabled, here is a detailed guide on how you can enable it: Get TPM information: How to determine if TPM is present and how to enable TPM in the BIOS.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x