One of the requirements for Windows 11 update is that your PC supports TPM 2.0. You can check TPM status before doing the upgrade. If it does not meet the criteria, then you will need to enable or upgrade your TPM.
Here you will learn more about what TPM is, and how to check and enable TPM 2.0 for Windows 11 update.
What is TPM and what is its role
TPM (Trusted Platform Module) is an international standard for a secure processor, and a specialized microcontroller to protect hardware with an integrated cryptographic key. For now, the latest version of TPM is 2.0.
TPM has a wide range of roles as a hardware security key, such as device identification, authentication, encryption and integrity verification. In a nutshell, TPM does 2 main things:
Key calculation. That is, the generation or verification of passwords in the computer using its built-in encryption algorithms. These passwords can be encryption locks for hard disks, feature codes used by operating systems to verify their integrity (to check if programs have been tampered with), or activation codes for specialized software.
Key storing. TPM itself is also a piece of encryption storage unit in the computer, which can not only calculate the key, but also store the key. And since TPM uses a completely dedicated circuit, the whole process of calculating and storing can be done without going through the memory and leaving traces in the hard disk, so the security of key generation, verification and storage is very high.
Why Windows 11 needs TPM 2.0
Back in the Windows 8 era, there was already a demand for TPM chips in computers. At that time, the main role of the TPM was to verify the integrity of the system when Windows was booted, as well as to stores the key files needed for security functions.
But while the previous version of TPM (TPM 1.2) was as old as 2011, TPM 2.0 is the latest version. Compared with its predecessor, it has significantly increased the variety and security of the module's built-in encryption algorithms, with more compatible software and scenarios.
According to David Weston, the TPM module has been given more functions in Windows 11. It can now not only serve to accelerate facial recognition, fingerprint recognition, disk encryption, but also be used to defend against the current popular ransomware virus and even sophisticated hacking attacks. So as stated in the system requirement list, the PC must support TPM 2.0 for Windows 11 update.
The following are more detailed differences of TPM 2.0 compared to 1.2.
|Contrast items||TPM 1.2||TPM 2.0|
|Algorithm||SHA-1 and RSA required||SHA-1 and SHA-256 required, and vendors are free to add new algorithms using TCG IDs.|
|Encryption||Requires random number generator, public-key cryptographic algorithm, cryptographic hash function, mask generation function, digital signature generation and verification, and Direct Anonymous Attestation, as well as key generation.||Uses Barreto-Naehrig 256-bit curve random number generator, public-key cryptographic algorithms, cryptographic hash functions, symmetric-key algorithms, digital signature generation and verification, mask generation function. Key generation and key derivation functions are also required.|
|Platform Configuration Register (PCRs)||Uses PCR to recover unsealing BitLocker keys, if there is any small change in the system startup process, user intervention is required to recover.||Operate multiple PCRs banks in a standardized way, all PCRs in a bank use the same algorithm for expansion operation, different banks can be assigned different PCRs, different banks are independent of each other in expansion operation, no interference.|
|Key||There is only one key (EK), which is preset in the chip by the manufacturer at the time of shipment, so it is very difficult to replace it.||Divided into parent and child keys, the master key is generated by the master seed, using the key derivation algorithm KDF; the key storage is based on symmetric encryption.|
|Root Key||One（SRK RSA-2048）||Multiple keys and algorithms per hierarchy.|
|Authorization||HMAC, PCR, Location, Physical Presence||Cryptography, HMAC and policies (covering HMAC, PCR, location and physical presence), asymmetric digital signatures|
How to check TPM 2.0 status on your computer
Microsoft announced that it will release Windows 11 on October 5, which is a very exciting event for Microsoft users, but it comes with a lot of problems, such as the PC must support TPM 2.0 to install Windows 11.
As one of the system requirements for updating, you may want to know if your computer supports TPM 2.0. If not, then your computer will not be able to update Windows 11; if it does, you still need to check if whether it's disabled, and if it is, you need to enable TPM 2.0.
First, please choose one of the following methods to check if TPM 2.0 is available on your computer.
Method 1: Check TPM in Microsoft Management Console
1. Press the Win + R key combination on your keyboard, and launch the Run window.
2. In the Run window, type “tpm.msc”, and click OK.
3. After opening Trusted Platform Module on Local Computer (TPM) Management, you may see the following two scenarios:
☛ The TPM Management on Local Computer module shows “Configures the TPM and its support by the Windows platform”, and the status reads “The TPM is ready for use” (which means it is enabled). To check if the TPM version is "2.0", just view the TPM Manufacturer Information and find “Specification Version”, if the value is 2.0, then your computer is ready to upgrade to Windows 11.
☛ Your computer shows the message “Compatible TPM cannot be found”, which means that your computer does not meet the criteria for upgrading to Windows 11.
Method 2: Check TPM through Windows security application
1. Click Start button at the bottom right corner of your computer, and select Settings.
2. Then select Update & Security.
3. Go to Windows Security tab.
4. Find and expand Devices security, and check if there’s a Security processor section on this screen.
- If not, then your PC may have a TPM that is disabled, in which case you will need to enable the TPM, or check the computer manufacturer's support information
- If there is a Security processor details option under Security processor, select it and make sure the Specification version is 2.0. If it is lower than 2.0, your computer will not be able to update Windows 11.
How to enable TPM 2.0 on your computer
What if the computer supports TPM 2.0, but it is disabled? Try following method to enable TPM 2.0 by yourself.
1. Click on Start > Settings (or press Win + I）and select Update & Security. Then you can navigate to Recovery tab and hit Restart now under Advanced startup.
2. This way the computer will reboot into recovery environment, and you can choose Troubleshoot > Advanced options.
3. Select UEFI Firmware Settings under this menu, and hit Restart in the next interface.
4. Thus the computer will restart into BIOS. Switch to Secure tab and select TPM Configuration. If it’s disabled, just enable it here.
5. After that, you can tap F10 to save the settings and exit, and your computer will reboot with TPM 2.0 enabled.
How to upgrade TPM 1.2 to TPM 2.0
If we check that the TPM version of the computer is 1.2, then the computer cannot update the system to Windows 11, so we need to upgrade the TPM version to 2.0. How can we do this? This depends on your computer vendor's TPM update policy, and you can find help on their official website.
Below I will show you how to update TPM 1.2 to 2.0 on your computer using Dell as an example.
(Example) Upgrade TPM 1.2 to 2.0 on Dell computer
1. Open Dell's official website, and find the Dell Product Support page.
2. Then enter your Dell service tag or product model number in the box of “Search support”.
3. Click the Drivers & Downloads tab.
4. Select Security from the drop-down category box.
5. Look for the Dell TPM 2.0 Firmware Update Utility.
6. If a Dell TPM 2.0 update is listed, then you can run the update of TPM.
How to install Windows 11 without TPM 2.0
TPM 2.0 is one of the system requirements for Windows 11 upgrade, if a computer does not support TPM 2.0, is it possible to install Windows 11?
The answer is YES. You can use the installation disk to install Windows 11 and boot into the process of installing Windows 11 from the installation disk. At this time, you can choose to overwrite the original system upgrade installation, which means to bypass the UEFI boot detection and achieve the purpose of installing Windows 11.
Or you can edit registry entries to bypass Secure Boot or TPM check. Steps are listed in This PC can’t run Windows 11.
TPM is an important device to protect your system security, and TPM 2.0 is a mandatory version to update your system to Windows 11.
If you are considering upgrading your computer and have some questions about TMP related issues, please read this article. It explains what is TPM, why Windows 11 requires TPM 2.0, and how to check and enable TPM 2.0 for Windows 11 update.