TPM 2.0: what is it?

The term Trusted Platform Module refers to security chips integrated into a computer’s motherboard. With its basic security functions, the TPM creates a safe environment that verifies system integrity, authenticates users, or stores cryptographic keys or passwords. Released in 2018, TPM 2.0 adds new features, including the use of different hashing algorithms, personal identification numbers, and custom key management.

Introduction: what does Trusted Platform Module mean?¶

We know almost all the classic protection devices against malware, rootkits or ransomware. Among them, we can cite firewalls, antiviruses or even two-factor authentication. In the same vein, the Trusted Platform Module is a security chip that adds an additional level of protection to the system.

The TPM chip is hardware that is found in laptops and desktops, both to authenticate devices and profiles, but also to verify the integrity of the system or software licenses. Another important function of TPM chips is to store cryptographic keys, passwords and certificates. By creating a secure and tamper-proof environment, TPM verifies the security of software and hardware components one after the other at startup. By comparison with statistical models of recorded data, the TPM issues an alert if it detects an intrusive pattern. While previously TPMs were generally used as separate security chips, newer computers most often have TPM features built-in from the factory.

What is TPM 2.0?¶

TPM was developed by the IT consortium TCG (Trusted Computing Group) and standardized in 2009 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the reference ISO/IEC 11889:2009. The first definitive TPM was published on March 3, 2011 under the name TPM version 1.2. With TPM 2.0, the new TPM standard released in 2019, under the reference ISO/IEC 11889:2015, includes new security functions. Optimizations have been made, among other things, to the TPM architecture and structure as well as to TPM commands and support routines.

Where is TPM 2.0 located?¶

As the TPM 2.0 chip functions as a dedicated processor, it is directly integrated into the computer motherboard, whether portable or desktop. Typically, most new PCs and laptops have factory built-in TPMs and TPM compatibility. Additionally, it is possible to find motherboards that do not come with a pre-installed TPM 2.0 chip, but contain the dedicated slot for an additional chip. It is thus possible to subsequently integrate a TPM security chip independently of the central unit. When purchasing separate TPM chips, it is recommended to preferably use chips that come from the same manufacturer as the motherboard and of the same year.

Is a TPM 2.0 required for Windows 11?¶

With the release of Windows 11, TPM 2.0 has become a hardware requirement of the new version of the famous operating system. Many people who work on Windows every day did not notice the existence of TPM 2.0 before upgrading to Windows 11. If the computer does not have TPM or the TPM feature is disabled, a message will appear. displays that the TPM was not found or is not compatible. Additionally, it is necessary to have a UEFI (Unified Extensible Firmware Interface) with secure boot function.

Under Windows 11, TPM 2.0 provides the following functions in particular:

• Windows Hello :biometric access control and identification by fingerprint and/or iris scan, facial recognition by means of the endorsement key (EKPub) and the attestation identity key (AIK);
• BitLocker Drive Encryption: for encryption of logical volumes and entire drives;
• Virtual smart cards: like physical smart cards, a Virtual Smartcard serves to control access to external systems and resources;
• Measurement of the status at TPM startup: Windows Boot Status TPM metrics help verify the integrity of system components and Windows configurations by measuring boot sequences;
• AIK certificates: AIK certificates stored in the TPM compare measured boot data with expected device health metrics;
• Defense against dictionary attacks: protects against brute force attacks that attempt to bypass password protection by automatically querying dictionary lists;
• CredentialGuard: isolates login data and user data and protects stored keys with virtualization-based security control.

What are the benefits of Trusted Platform Module 2.0?¶

TPM 2.0 features provide many benefits, including:

• Generate and store cryptographic keys, passwords and certificates for multi-secure encryption systems;
• Detect BIOS manipulations via a check value in the Platform Configuration Register (PCR) 17;
• TPM 2.0 offers a new algorithm exchange function to use different algorithms in parallel;
• Verification signatures support personal identification numbers as well as location data based on biometric or global access controls;
• Manage Keys in TPM 2.0 allows limited or conditional use of cryptographic keys;
• More flexible, TPM 2.0 can be used in devices with fewer resources;
• Verify software licenses using digital rights management (DRM);
• Ensure platform integrity through configuration metrics that verify boot sequences for security and changes;
• Authenticate operating system hardware using RSA encryption;
• Use hashing for Endorsement Keys (EKPub) and Attestation Identity Keys (AIK) to verify system integrity and security;
• Combine secure firewalls, smart cards, biometric access protection and antivirus programs to optimize protection against malware, ransomware, brute force attacks and phishing.

Does my computer have a TPM 2.0?¶

To find out if your Windows device already has TPM 2.0, use the following methods to check for TPM 2.0 in the system. Note that even the integrated TPM 2.0 chips are not always enabled by default.

Access the TPM 2.0-Manager¶

Step 1 : In the Windows search bar, type the command “ tpm.msc » to access the integrated TPM management tool;

2nd step : If your computer has a dedicated TPM 2.0 chip, the TPM version information is displayed in the menu window. If there is no TPM 2.0, Windows will inform you that there are no compatible TPM components.

Access Device Manager¶

Step 1 : press Windows shortcut [Windows] + [X] and go to “Device Manager”.

2nd step : In the left side menu, go to “ Security devices » and open the drop-down menu. If so, you will see “Trusted Platform Module 2.0”.

Check by command prompt¶

Step 1 : open the “Run” dialog box with the shortcut [Windows] + [R]enter the command “cmd” and then press the shortcut [Windows] + [Maj] + [Entrée] to open Command Prompt as administrator.

2nd step : enter the following command and press [Entrée] :

wmic /namespace:\\root\cimv2\security\microsoftTPM 2.0 path win32_TPM 2.0 get /value.

If your device has a TPM 2.0 chip, the version number will appear in the “SpecVersion=” line.

How to enable or disable TPM 2.0?

The status of TPM 2.0 depends on the year of your computer. Although newer machines usually have built-in TPMs that can be enabled by default, there is no guarantee that this is the case. Sometimes a BIOS or UEFI update may be necessary.

If necessary, there are several methods to enable or disable TPM 2.0 :

Enable or disable TPM 2.0 in BIOS¶

Step 1 : restart your machine and enter BIOS. Depending on the operating system or device, use the keys to do this. [F2], [F12] Or [Suppr] when the engine starts. Caution: It is advisable to always make a system backup as well as a backup for your important keys, passwords and certificates before making any changes in the BIOS.

2nd step : go to the Security > Trusted Computing menu.

Step 3: activate the option Security Device Support.

Step 4: activate PTT under “TPM 2.0-Device”.

Step 5: save the changes and restart the computer. Follow the strict reverse procedure to deactivate it.

Enable or disable TPM 2.0 via the management tool¶

Step 1 : enter “ tpm.msc » in the Windows search bar and press [Entrée].

2nd step : Navigate to Status > Action and carefully read the “Enable TPM 2.0 Trusted Platform Module” page displayed.

Step 3: Go to “Shut down” or “Restart” and follow the corresponding UEFI steps.

Step 4: When booting, accept the TPM 2.0 reconfiguration. The system thus ensures that only authenticated people can make modifications. You have now enabled TPM 2.0 on Windows 11.

Step 5: to deactivate it, go back to the Status > Action section then in the “Deactivate TPM 2.0 Trusted Platform Module” dialog box, choose whether you want to enter your owner password via removable media, manually, or deactivate without a password. pass.

What are the consequences after deactivating TPM?¶

When troubleshooting, reinstalling, or upgrading, removing or disabling TPM 2.0 may, in some cases, result in an involuntary loss data: cryptographic keys, certificates and passwords stored in TPM 2.0. To avoid this type of unpleasant surprise, follow these security measures following as a preventive measure:

• Create a backup or restore method for data stored through TPM 2.0.
• Only remove/disable TPM 2.0 on your own devices or in agreement with the appropriate IT administrator.
• Check the information about TPM 2.0 in the manufacturer’s manual or on the manufacturer’s company website.
• If possible, disable TPM 2.0 using the TPM management tool or back up the system before making any changes in the BIOS.

What are the different types of TPM 2.0?¶

Depending on the type of assembly, here are the different TPM 2.0:

• Discrete TPM 2.0: with its dedicated security chip, the “discreet” TPM 2.0 offers different encryption algorithms, protection against intrusions as well as great stability;
• Physical TP M 2.0: integrated into the central unit, it offers physical security functions that protect against intrusions and malware;
• TPM 2.0 firmware: Like the physical TPM 2.0 variant, the firmware TPM 2.0 uses a secure CPU environment and protects against intrusions and unauthenticated modifications;
• Virtual TPM 2.0: a hypervisor can create a virtual TPM 2.0 to generate security keys independently of virtual machines;
• TPM 2.0 software: Software TPMs 2.0 are the least recommended due to their low level of security, vulnerability to malware and instability.