When Microsoft released Windows 11 a few years back, the PC community went into a frenzy over TPM, or Trusted Platform Module, and Microsoft's requirement for one in the then-new operating system. I suspect most people heard about TPM for the first time when Windows 11 first rolled out, but now we're all a few years older and wiser, it's worked its way into the broader PC lexicon.
Although the idea of TPM is familiar, the practical reasons for having one aren't. With Windows 10 slowly descending six feet under, and a TPM requirement on Windows 11 that hasn't changed, it's time to revisit why a TPM is useful, and the practical applications we've seen for one over the past few years.
Windows 10 is almost dead, but this tool can help your old PC upgrade to Windows 11
Your PC still has life left in it
3 It basically makes your hard drive impenitable
Bitlocker provides a good basis for understanding
Let's start with Bitlocker, because it's not only the first thing you often hear about regarding TPM and Windows 11, but also because it demonstrates a big reason why a TPM is so useful. Bitlocker can encrypt your hard drive, and on devices with TPM and Modern Standby, that actually happens automatically. When you power down your PC, your drive is encrypted, and when you power it up, it's accessible to you for as long as you're using your PC. What happens, then, if someone manages to get a hold of your hard drive?
Maybe you donate a laptop without properly wiping it, or, lord forbid, your device is stolen. Maybe you just have an old disk lying around that ends up in the Goodwill pile. The TPM is what facilitates encryption in such a way that you have a seamless experience on your PC, all while locking your data behind a layer of encryption when you aren't. That's because the TPM is a step removed from everything else in your PC, and it stores cryptographic keys. When you enter some secret, such as your password when logging in, it's sent to the TPM, and the TPM sends back either a success or failure. Critically, the TPM never sends the secret key itself back.
How to use BitLocker to encrypt your external drives in Windows
It only takes a minute to secure your device
That's the critical difference that makes TPM more secure than other methods of storing cryptographic keys. You can store them in other ways, like in a file, or in the cloud, and some encrypted data is stored this way. Google Chrome's password manager, for example, stores your passwords in a file locally on your PC, along with the file you need to decrypt those passwords. With TPM, the dependency of decryption is tied to the platform itself. If you take out your hard drive and stick it in another PC, you won't be able to boot into Windows unless you reset the Bitlocker encryption.
The obvious counterpoint to all of this — why? Although using a TPM is more secure, the reality is that most end users don't need that level of security. Businesses may, but most individuals don't. After all, you can decrypt every password stored in Chrome with access to a PC, five minutes, and a little know-how, but it's still by far the most popular browser in the world. The important thing about a TPM isn't Bitlocker, but rather that it can store cryptographic keys in such a way that they never have to interact with the main PC. They never have to be copied over into memory, and they're certainly never stored in a file.
How I turned an old USB drive into a secure unlock key for my PC
Turn your old USB flash drive into a secure unlock key for additional PC security.
2 You can use biometric login with Windows Hello
Even on a desktop
So, a TPM is useful because it can store a cryptographic key completely separate from the rest of your PC. Now, we just need to find some useful keys to keep there. Something you could do is have a secret key tied to your fingerprint or face so that it's super easy to log into your PC. I'm talking about Windows Hello, of course, which allows you to do just that, even on a desktop (given the right peripherals). Windows Hello is also used for the PIN on your device, which is more important than you might suspect.
Even if you don't care about the convenience of biometric login, securing your PIN with Windows Hello and TPM still improves your security. As covered, the TPM only receives and sends responses. It never sends any real data back, just a success or a failure. Given enough bad attempts over a period of time, the TPM can return an error, as well, locking out brute force attacks.
So-called "dictionary attacks" can overwhelm your system with so many attempts, hopefully landing on the right one given enough tries. A TPM locks out future attempts for a period of time. You can accomplish this in other ways, of course, with some as simple as a program that looks at a number of attempts over a period of time and then disables the sign-in option. The important thing about TPM is, once again, that it's separate from the system. Your key isn't copied into memory, and lock-out attempts can't be foiled by workarounds within the OS.
6 essential skills every Windows 11 user needs to master
If you want to ensure you get the most from your Windows 11 PC experience, here are essential skills to master.
1 It offers an interface for cryptographics keys
Laying the foundation for passkeys
In order to handle all of this communication with the TPM, Windows needs a cryptographic framework, and it has exactly that. Cryptographic API: Next Generation, or CNG, is, as you might guess, an API that Microsoft uses to manage the communication between Windows and the TPM. It's useful for things like Bitlocker and Windows Hello, but more recently, it's also been leveraged for passkeys. Last year, Microsoft introduced passkeys to Windows 11, allowing you to authenticate apps with Windows Hello instead of entering a password.
Beyond just Windows Hello, Microsoft says it's already working with services like 1Password and Bitwarden, allowing those apps to tap into the TPM for better security. Regardless of what's able to access the TPM, it provides a homebase for your cryptographic keys away from your PC, and Microsoft has an API in place that allows apps to tap into the TPM. Features like passkeys not only make logging into apps and services easier, it also makes them more secure.
Microsoft is cracking down on people upgrading to Windows 11 on unsupported hardware
Things are getting tricky.
There are levels to it
Regardless of the area of cybersecurity you look at, there are always layers to security. At a certain point, the risk of an attack against you personally isn't worth the hassle of extra security. At a certain point, the precautions go to waste.
However, a TPM in your PC is something that not only improves your security, but it also makes your PC easier to use in several ways. Although it was a tough transition when Microsoft first introduced Windows 11, a lot has changed over the past few years. Now, you should have a TPM in your PC, be it through hardware or firmware. And if you don't, Windows 11 probably isn't the best OS to use anymore — maybe you could give Linux a shot instead.