By Dervish / Last Updated October 27, 2022

One of the requirements for updating to Windows 11 is that your computer supports TPM 2.0, so the first step is to check whether it does. If it does not, you need to upgrade the TPM. Below we explain what TPM is and how to check and enable TPM for the Windows 11 update.

What is TPM?

TPM stands for Trusted Platform Module. Also known as ISO/IEC 11889, it is an international standard for protecting hardware with secure encryption keys.

In 1999, many IT giants such as Compaq, HP, IBM, Intel, and Microsoft jointly initiated the establishment of the Trusted Computing Platform Alliance (TCPA).

In 2003, Nokia, Sony and other companies joined TCPA, and TCPA was renamed the Trusted Computing Group (TCG). These companies hoped to define cross-platform standards and specifications for trustworthy computers, covering hardware and software across operating environments, and proposed the TPM specifications. The latest version of TPM is currently 2.0.

The role of TPM

TPM has a wide range of functions. As a hardware component that protects keys, it is mainly used for device identification, identity verification, encryption, and device integrity verification. The following are some important functions of TPM.

Protect the integrity of the platform

Regardless of the operating system, the purpose of TPM is to ensure the integrity of the platform: when the computer starts, it boots from a combination of trusted hardware and software, and this continues until the operating system is fully started and applications begin to run.

Platform integrity via TPM is also used in Microsoft Office 365 licensing and Outlook Exchange. Responsibility for ensuring this integrity with the TPM lies mainly with the firmware and the operating system. The Unified Extensible Firmware Interface (UEFI) can use TPM to form a root of trust. For example, TPM creates a trust chain for Trusted Execution Technology (TXT), which can remotely prove that the computer is using the specified hardware and software.

TPM can encrypt the entire disk or any partition of the hard disk

We can use TPM to encrypt the entire hard disk on our computer, or to encrypt any partition of the hard disk. If you have enabled TPM on your computer, you can use this technology as a key to protect your computer’s storage devices. Software from some large companies, such as BitLocker, also uses TPM to encrypt partitions.

In addition to being used for the startup process and hard disk encryption, TPM can also encrypt system logins and application software logins. For example, the login information and passwords of our commonly used MSN can be encrypted by TPM before transmission. This can effectively prevent our personal information and passwords from being stolen.

The difference between the old version (1.2) and the new version (2.0) of TPM

TPM 2.0 was officially released in April 2014 and has been revised and updated since then; it is also more powerful than the earlier TPM 1.2. So how does it differ from the old version 1.2? The table below compares their algorithms, encryption, platform configuration registers (PCRs), keys, and authorization.

| Comparison item | TPM 1.2 | TPM 2.0 |
|---|---|---|
| Algorithm | SHA-1 and RSA are required. | SHA-1, SHA-256 and RSA are required. Manufacturers can use TCG IDs to add new algorithms at will. |
| Encryption | Requires a random number generator, public-key cryptographic algorithm, cryptographic hash function, mask generation function, digital signature generation and verification, and Direct Anonymous Attestation. Key generation is also required. | Random number generator using Barreto-Naehrig 256-bit curve, public-key cryptographic algorithms, cryptographic hash functions, symmetric-key algorithms, digital signature generation and verification, mask generation function. Key generation and key derivation functions are also required. |
| Platform Configuration Registers (PCRs) | PCRs are used to unseal BitLocker’s key. If there are any minor changes during the system startup process, user intervention is required to restore it. | Multiple PCR banks run in a standard manner. All PCRs in a bank use the same algorithm for extend operations. Different banks can be assigned different PCRs. Different banks are independent of each other during extend operations and do not interfere with each other. |
| Key | There is only one key (EK), which is pre-installed in the chip by the manufacturer at the factory and is difficult to replace. | Divided into parent and child keys. The master key is generated from the master seed using the key derivation algorithm (KDF); key storage is mainly based on symmetric encryption. |
| Root key | One (SRK RSA-2048) | Each hierarchy has multiple keys and algorithms. |
| Authorization | HMAC, PCR, location, physical presence | Password, HMAC and policy (covering HMAC, PCR, location and physical presence), asymmetric digital signature |

Note: PCRs are mainly used to store measurement values during system startup and operation, which prevents the measurement log from being tampered with. The PCR values guarantee not only that the same code is executed every time the system is started, but also that it is executed in the same order.

It can be seen from the table that TPM 2.0 has an additional SHA-256 in the algorithm compared to TPM 1.2, and in terms of authorization, in addition to the original HMAC, location, physical presence and PCR of TPM 1.2, it also adds authorization based on asymmetric digital signatures. TPM 2.0 is more detailed and more secure than TPM 1.2 in terms of encryption and keys.
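The PCR behaviour described in the note above (measurements that depend on order, and in TPM 2.0 one independent bank per hash algorithm) can be modelled in software. The following PowerShell is an added example, not part of the original article; the function name `Get-BootPcr` and the stage labels are constructed, and a real TPM measures the binary contents of each boot component rather than a label.

```powershell
# Added illustration: software model of the TPM PCR "extend" operation.
# new PCR value = Hash(old PCR value || Hash(measured data))
function Get-BootPcr {    # hypothetical helper name
    param(
        [string[]]$Stages,                            # constructed stage labels
        [ValidateSet('SHA1', 'SHA256')][string]$Bank  # one hash algorithm per bank
    )
    if ($Bank -eq 'SHA1') {
        $hasher = [System.Security.Cryptography.SHA1]::Create()
    } else {
        $hasher = [System.Security.Cryptography.SHA256]::Create()
    }
    # A PCR starts at all zeros and is as wide as the bank's digest.
    $pcr = [byte[]]::new($hasher.HashSize / 8)
    foreach ($stage in $Stages) {
        $digest = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($stage))
        # Extend: the old value is hashed together with the new measurement,
        # so the result depends on every earlier stage and on their order.
        $pcr = $hasher.ComputeHash([byte[]]($pcr + $digest))
    }
    $hasher.Dispose()
    return [System.BitConverter]::ToString($pcr).Replace('-', '').ToLower()
}

# Constructed boot sequences: the expected one, one reordered, one modified.
$sequences = [ordered]@{
    Expected  = 'firmware', 'bootloader', 'kernel'
    Reordered = 'bootloader', 'firmware', 'kernel'
    Modified  = 'firmware', 'bootloader-patched', 'kernel'
}

# Each bank is extended independently with its own algorithm.
foreach ($bank in 'SHA1', 'SHA256') {
    $expected = Get-BootPcr -Stages $sequences.Expected -Bank $bank
    foreach ($name in $sequences.Keys) {
        $value = Get-BootPcr -Stages $sequences[$name] -Bank $bank
        [pscustomobject]@{
            Bank            = $bank
            Sequence        = $name
            Pcr             = $value
            MatchesExpected = ($value -eq $expected)
        }
    }
}
```

Only the `Expected` rows match in either bank, which is why a key sealed to PCR values (as BitLocker does) is not released after a changed or reordered boot.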

How to detect if there is TPM 2.0 on the computer

Microsoft announced that it will release Windows 11 on October 5th. This is exciting news for Microsoft users, but it also brings problems, such as computers that are not compatible with Windows 11. According to the update requirements, to update your system to Windows 11 your computer must support TPM 2.0 and UEFI Secure Boot, because both are necessary conditions for updating to Windows 11.

TPM 2.0 was put into use on a small number of computers in 2015, and was officially used in computers in 2016. To update your system to Windows 11, check whether your computer has TPM 2.0, one of the requirements for the update. If it does not, your computer cannot be updated to Windows 11; if it does, check whether it is disabled, and if so, enable TPM 2.0 before upgrading to Windows 11. Use either of the following two methods to check whether there is TPM 2.0 on your computer.

Method 1: Enter tpm.msc in the run window

1. Press “Windows+R” on the keyboard to open the Run window.

2. Enter “tpm.msc” in the Run window, and then click “OK”.

3. After the Trusted Platform Module (TPM) Management console for the local computer opens, you will see one of the following two situations:

In the first, the TPM Management on Local Computer module displays “Configures the TPM and its support by the Windows platform”, and the status is “The TPM is ready for use” (meaning it is enabled). To check whether it is TPM 2.0, look at the Specification Version value under TPM Manufacturer Information: if it is 2.0, your computer supports the use of TPM 2.0 to upgrade to Windows 11.

In the second, “Compatible TPM cannot be found” appears on your computer, which means that your computer does not meet the requirements for upgrading to Windows 11.

Method 2: Check for TPM for Windows 11 through Windows Security

1. Click the Windows icon in the lower right corner of the computer and select Settings.

2. Then select “Security & Update”.

3. Then select “Windows Security”.

4. Find the security device to see if there is a TPM displayed.

Note:
● If you do not find the secure processor, it may be that your computer has a disabled TPM. In this case, you need to enable TPM or check the manufacturer’s support information of your computer to obtain information about the secure processor.
● If you can enable TPM, please verify whether it is TPM 2.0. If the TPM version is lower than 2.0, your computer cannot update to Windows 11.

Tip: For how to upgrade TPM 1.2 to TPM 2.0, see the section “How to upgrade TPM 1.2 to TPM 2.0?” below.
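The two manual checks above can also be scripted. The following PowerShell is an added example, not part of the original article: it uses the built-in `Get-Tpm` and `Confirm-SecureBootUEFI` cmdlets and the `Win32_Tpm` WMI class, the function name `Test-Windows11Tpm` is hypothetical, and it assumes an elevated (administrator) PowerShell prompt.

```powershell
# Added example: scripted equivalent of the tpm.msc and Windows Security checks.
# Run from an elevated PowerShell prompt; Get-Tpm needs administrator rights.
function Test-Windows11Tpm {    # hypothetical helper name
    $r = [ordered]@{
        TpmPresent = $false; TpmReady = $false; SpecVersion = $null
        IsTpm20 = $false; SecureBoot = $false; Verdict = ''
    }
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r.TpmPresent = [bool]$tpm.TpmPresent
        $r.TpmReady   = [bool]$tpm.TpmReady    # "The TPM is ready for use"
    } catch {
        $r.Verdict = "Get-Tpm failed: $($_.Exception.Message)"
        return [pscustomobject]$r
    }
    # Win32_Tpm.SpecVersion holds the "Specification Version" shown by tpm.msc,
    # for example "2.0, 0, 1.38"; the first field is the TPM specification.
    $query = @{ Namespace = 'root\cimv2\Security\MicrosoftTpm'; ClassName = 'Win32_Tpm' }
    $wmi = Get-CimInstance @query -ErrorAction SilentlyContinue
    if ($wmi) {
        $r.SpecVersion = ($wmi.SpecVersion -split ',')[0].Trim()
        $r.IsTpm20 = ($r.SpecVersion -eq '2.0')
    }
    # Secure Boot is the other requirement; the cmdlet throws on legacy BIOS.
    try { $r.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r.SecureBoot = $false }

    if (-not $r.TpmPresent) {
        $r.Verdict = 'No TPM visible: none fitted, or disabled in firmware settings'
    } elseif (-not $r.IsTpm20) {
        $r.Verdict = "TPM specification version $($r.SpecVersion) is below 2.0"
    } elseif (-not $r.TpmReady) {
        $r.Verdict = 'TPM 2.0 found but not ready for use'
    } elseif (-not $r.SecureBoot) {
        $r.Verdict = 'TPM 2.0 ready, but Secure Boot is off or unsupported'
    } else {
        $r.Verdict = 'TPM 2.0 ready and Secure Boot enabled'
    }
    return [pscustomobject]$r
}

Test-Windows11Tpm
```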

How to enable TPM 2.0 on the computer

If the computer supports TPM 2.0 but it is disabled, you can enable TPM 2.0 in the computer’s settings. The steps are as follows:

1. Press “Windows+I” to open Settings, then open Security & Update, click “Recovery” in the left menu bar, and then click "Restart now" under Advanced startup.

2. After you click Restart now, the system shows the options screen. Select “Troubleshoot”.

3. Select "Advanced options".

4. Select "UEFI Firmware Settings".

5. Click "Restart".

6. After restarting, enter the BIOS, go to the Security Settings, and select the TPM Configuration option.

7. If you find that TPM 2.0 is disabled, you can enable it. After enabling TPM, you can exit the settings and restart the computer.

How to upgrade TPM 1.2 to TPM 2.0?

If the check shows that the TPM version of the computer is 1.2, the computer cannot be updated to Windows 11, so the TPM needs to be upgraded to version 2.0. How to upgrade TPM 1.2 to 2.0 depends on the upgrade options your computer supplier provides for the TPM; you can look for help on the manufacturer’s official website. Below we take Dell as an example to show how to update the TPM 1.2 on your computer to 2.0.

Steps to upgrade TPM 1.2 to 2.0 on Dell:

1. Open the Dell official website and find the Dell product support page.

2. Then enter your service tag or enter your product model.

3. Click the Driver and Download tab.

4. Select Security from the drop-down category box.

5. Find the Dell TPM 2.0 firmware update utility.

6. If the Dell TPM 2.0 update is listed, you can run it to update the TPM.

How to install Windows 11 without TPM 2.0

In the previous sections, we covered how a computer that supports TPM 2.0 can update to Windows 11. What if your computer does not support TPM 2.0? You can install Windows 11 from an installation disk: boot from the installation disk to start the Windows 11 installation, and then choose the upgrade installation that overwrites the original system. In this way the UEFI boot detection is bypassed and Windows 11 can be installed.

Conclusion

In this article, we explained what TPM is and what you need to know about TPM 2.0 to upgrade to Windows 11, and showed how to check and enable TPM for the Windows 11 update and how to upgrade TPM 1.2 to 2.0. TPM is an important device for protecting the security of the system, and TPM 2.0 must be present when the system is updated to Windows 11. If you want to know whether your computer is compatible with Windows 11 and how to enable TPM, read this article carefully; the answers are here.