AMZ DIGICOM

Digital Communication

TPM: what is the Trusted Platform Module?

TPM, or Trusted Platform Module, chips are dedicated security chips built into laptops and desktop computers. They provide security functions that protect the integrity of the system and its software inside a protected environment. On an operating system that supports it, the TPM can be enabled or disabled as needed through the BIOS settings.

Trusted Platform Module: what does it mean?

Security mechanisms that protect the system and guard against malware or ransomware play a decisive role in both private and professional IT. Firewalls and antivirus software are the classic tools; the Trusted Platform Module complements them. A TPM is a chip integrated into the machine that offers an additional level of security for hardware and software. Its functions include device authentication, user identification, software license verification and the storage of keys, passwords and certificates.

We can think of the TPM as a security safe: an isolated environment protected from malicious actors and malicious software. At startup, the TPM checks the software and hardware components and verifies their integrity. This helps ensure that the operating system has not been compromised and that the boot process is trustworthy. Although TPMs were once used as standalone chips in business computers, most modern AMD and Intel processors now include TPM capabilities. Some motherboards, however, require an additional TPM chip. Today only the Windows 11 operating system requires a TPM 2.0, but it is very likely that in the long term every machine will have a TPM by default.

Where is the TPM located?

A TPM chip functions as a dedicated processor placed on the machine’s motherboard. Motherboards without a TPM chip, however, provide a slot for an optional TPM chip, so a TPM can be installed independently of the computer’s processor. If you need a separate chip to act as the TPM, it is advisable to use a compatible module from the same year and the same manufacturer as the motherboard.

What are the advantages of a Trusted Platform Module?

TPMs have many benefits, including:

  • Generation and storage of passwords, certificates and cryptographic keys, for stronger encryption;
  • Control and monitoring of platform integrity, using measurements and comparisons against reference values to detect intrusions at startup;
  • Hardware authentication of the operating system using RSA encryption;
  • Protection of the system against malicious intrusions into software or firmware, using an Attestation Identity Key (AIK) that verifies the integrity of components by hashing;
  • In combination with firewalls, smart cards, biometric checks or antivirus programs, improved defense against malware, ransomware, dictionary attacks and phishing;
  • Verification of software licenses through digital rights management (DRM).
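The integrity checks described above (the startup verification in the overview and the "measurements and comparisons" item in this list) rely on the TPM extending each boot component's hash into a Platform Configuration Register and comparing the result with an enrolled reference value. The following PowerShell script is an added illustration written for this article, not code from the article or from any TPM vendor: it simulates the TPM 2.0 extend operation (new PCR = SHA-256(old PCR || component digest)) in memory and shows why a tampered or reordered boot chain produces a different measurement. The component names are constructed sample values, and no real TPM is touched.

```powershell
# Added example: simulation of TPM measured boot (PCR extend) in plain PowerShell.
# A real TPM keeps the register inside the chip; here it is a 32-byte array.

function Get-Sha256Bytes {
    param([byte[]]$Data)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return $sha.ComputeHash($Data) } finally { $sha.Dispose() }
}

function Invoke-PcrExtend {
    # TPM 2.0 extend: PCR_new = H(PCR_old || digest). The old value is never
    # overwritten directly, which is what makes the chain tamper-evident.
    param([byte[]]$PcrValue, [byte[]]$Digest)
    return Get-Sha256Bytes -Data ($PcrValue + $Digest)
}

function Get-BootMeasurement {
    # Start from an all-zero PCR and extend once per boot component, in boot order.
    # Returns the final PCR value as a lowercase hex string.
    param([string[]]$Components)
    $pcr = New-Object byte[] 32
    foreach ($component in $Components) {
        # In practice each digest is the hash of the component image (firmware,
        # bootloader, kernel...). Hashing the constructed name stands in for that.
        $digest = Get-Sha256Bytes -Data ([System.Text.Encoding]::UTF8.GetBytes($component))
        $pcr = Invoke-PcrExtend -PcrValue $pcr -Digest $digest
    }
    return ($pcr | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-BootIntegrity {
    # Compare a fresh measurement against the value recorded at enrollment.
    param([string]$Expected, [string[]]$Components, [string]$Label)
    $actual = Get-BootMeasurement -Components $Components
    $status = if ($actual -eq $Expected) { 'OK: measurement matches enrolled value' }
              else { 'ALERT: boot chain differs from enrolled value' }
    Write-Output ("{0,-20} {1}" -f $Label, $status)
}

# Constructed boot chain enrolled as known-good (e.g. on first trusted boot).
$knownGood = @('firmware-v1.2', 'bootloader-v3', 'kernel-v5')
$expected  = Get-BootMeasurement -Components $knownGood

# Same components in the same order reproduce the enrolled PCR value.
Test-BootIntegrity -Expected $expected -Label 'unchanged boot' -Components $knownGood
# A modified bootloader changes every later extend, so the final value differs.
Test-BootIntegrity -Expected $expected -Label 'tampered bootloader' -Components @('firmware-v1.2', 'bootloader-TAMPERED', 'kernel-v5')
# Order matters too: the same components measured in a different order do not match.
Test-BootIntegrity -Expected $expected -Label 'reordered chain' -Components @('bootloader-v3', 'firmware-v1.2', 'kernel-v5')
```

Run it in any PowerShell 5.1 or PowerShell 7 session; it needs no TPM and no elevation. The script also makes clear why, as the article notes later, disabling or clearing a TPM can cost you data: anything sealed to a PCR value only unseals while the measured chain still reproduces that value.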

Does my computer have a TPM?

As TPM 2.0 is notably a hardware requirement for Windows 11, how do you know if a device is equipped with TPM technology? There are two simple methods to check for the presence of TPM in the system. Note that even the integrated TPM chips are not always enabled by default.

Here is the procedure to follow in Windows to determine the presence of a TPM chip and its version:

Access the TPM-Manager

Step 1: in the Windows search bar, type “tpm.msc” to open the built-in TPM management tool.

Step 2: if the PC or laptop has no dedicated TPM chip, a corresponding message appears in the window that opens. If the motherboard contains a TPM chip, the window shows the TPM chip type and version.

Access Device Manager

Step 1: press the shortcut [Windows] + [X] and open “Device Manager”.

Step 2: in the left-hand list, expand the “Security devices” entry. If a TPM is present, its current version is displayed.

Check by command prompt

Step 1: open the “Run” dialog box with the shortcut [Windows] + [R], enter the command “cmd” and then press the shortcut [Windows] + [Shift] + [Enter] to open Command Prompt as administrator.

Step 2: to check for the presence of a TPM chip, enter the following command:

wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get /value

If your device has a TPM chip, the version number appears in the “SpecVersion=” line of the output.
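The three checks above can be combined into a single report. The following PowerShell script is an added example written for this article, not something from the original page or from Microsoft; it uses the built-in Get-Tpm cmdlet together with a CIM query against the same Win32_Tpm class that the wmic command reads (wmic is deprecated in current Windows releases, Get-CimInstance is the supported replacement). It assumes Windows 10 or later with the TrustedPlatformModule module present and must be run from an elevated (Administrator) PowerShell session, because Get-Tpm requires it.

```powershell
# Added example: report TPM presence, state and specification version (run as Administrator).

function Get-TpmReport {
    # Get-Tpm answers "is there a TPM and is Windows able to use it?"
    $tpm = Get-Tpm

    # Win32_Tpm carries the manufacturer and specification details that tpm.msc and
    # the wmic command display. The query simply returns nothing when no TPM exists.
    $cim = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    $specVersion  = $null
    $manufacturer = $null
    $firmware     = $null
    if ($cim) {
        # SpecVersion is reported as e.g. "2.0, 0, 1.59"; the first field is the
        # TPM specification version, which is what the Windows 11 requirement refers to.
        $specVersion  = ($cim.SpecVersion -split ',')[0].Trim()
        $manufacturer = $cim.ManufacturerIdTxt
        $firmware     = $cim.ManufacturerVersion
    }

    [pscustomobject]@{
        TpmPresent    = $tpm.TpmPresent
        TpmReady      = $tpm.TpmReady       # enabled, activated and owned by Windows
        TpmEnabled    = $tpm.TpmEnabled
        TpmActivated  = $tpm.TpmActivated
        TpmOwned      = $tpm.TpmOwned
        SpecVersion   = $specVersion
        Manufacturer  = $manufacturer
        FirmwareVer   = $firmware
        MeetsWin11Req = ($tpm.TpmPresent -and $specVersion -eq '2.0')
    }
}

$report = Get-TpmReport
$report | Format-List

if (-not $report.TpmPresent) {
    Write-Warning 'No TPM reported by Windows. Check the Trusted Computing settings in the BIOS/UEFI.'
}
elseif (-not $report.TpmReady) {
    Write-Warning 'TPM is present but not ready; it may be disabled in firmware or need initializing via tpm.msc.'
}
elseif (-not $report.MeetsWin11Req) {
    Write-Warning "TPM specification version is $($report.SpecVersion); Windows 11 requires 2.0."
}
```

A TPM that is present but reported as not ready is the case the article warns about: integrated TPMs are frequently shipped disabled, so a TpmPresent of True with TpmReady of False usually means the firmware setting has to be changed first.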

Can the TPM be enabled and disabled?

Whether the TPM is enabled by default depends on the age, version and type of computer (laptop or desktop). Even with integrated TPM chips, there is no guarantee that the TPM functionality is enabled by default. For some TPM firmware, a BIOS or UEFI update may be required. If the TPM is not enabled by default, there are several ways to enable or disable it.

Here is the procedure to follow:

Enable or disable TPM in BIOS

Step 1: boot your system and enter the BIOS (depending on the system, by pressing [F2], [F12] or [Del] during startup).

Step 2: go to the Security > Trusted Computing menu.

Step 3: enable the Security Device Support option.

Step 4: enable PTT (Intel Platform Trust Technology, the firmware TPM) under “TPM-Device”.

Step 5: save the changes and restart the computer. To disable the TPM, follow the same steps in reverse.

Enable or disable TPM via the TPM management tool

Step 1: type “tpm.msc” in the Windows search bar and press [Enter] to launch the TPM management tool.

Step 2: navigate to Status > Action and read the “Enable TPM” page carefully.

Step 3: choose “Shut down” or “Restart” and follow the corresponding UEFI steps.

Step 4: when booting, accept the TPM reconfiguration. In this way the system ensures that only authorized people can make such modifications.

Step 5: the TPM is now enabled in Windows.

Step 6: to disable it, go back to the Status > Action section, then in the “Disable TPM” dialog box choose whether to supply your TPM owner password from removable media, enter it manually, or disable the TPM without a password.

What happens after deactivating TPM?

Removing or disabling the TPM, for example to troubleshoot a problem or reinstall the system, may in some cases cause data loss. This concerns in particular stored keys, passwords, certificates, virtual smart cards and login PIN codes. Some important precautions are therefore required:

  • Create a recovery method or backup for the data stored in the TPM.
  • Only remove or disable a TPM on your own devices or in agreement with the responsible IT administrator.
  • Check the TPM information in the manufacturer’s manual or on the manufacturer’s website.
  • If possible, disable it via the TPM management tool, or create a system backup before making changes in the BIOS or UEFI.

What are the different types of TPM?

Depending on how it is built into the system, the following types of TPM are distinguished:

  • Discrete TPM: a discrete Trusted Platform Module, with its own dedicated chip, is considered the best variant. It offers more room for additional encryption algorithms, better intrusion protection and high stability. On the other hand, it needs more physical space.
  • Physical TPM: integrated into the processor, it offers physical security functions that protect against intrusions and malware.
  • Firmware TPM: similar to the physical variant, it runs in a secure execution environment of the CPU and protects against malicious intrusions and modifications.
  • Virtual TPM: a hypervisor can create a virtual TPM that generates security keys independently of a virtual machine.
  • Software TPM: software TPMs are the least recommended because they offer few security benefits and remain more vulnerable to malware.
