The Function of the TPM
A Trusted Platform Module plays some key roles in the security of your PC. Let’s look at some of them.
1. BitLocker Drive Encryption
BitLocker keeps all your drive partitions encrypted when your PC is at rest. That includes your primary volume, where your boot components and system information are. In the unfortunate case you misplace or lose your hard drive, your data remains confidential. Nobody can boot into the operating system to access your data. TPM works by collaborating with your system firmware to record your system startup parameters, including any software that loads on startup. For instance, It records your system boot sequence, whether from a hard drive or USB stick. The TPM will only allow your private key to decrypt your drive if these recorded parameters are met and booting occurs in an expected way. That way, your system firmware and TPM work together to enhance the security of your data.
2. Windows Hello for Business
Microsoft created Windows Hello for Business as an alternative way to authenticate your logins. Sometimes you may forget your password or lose it to hackers. Many PC users prefer one password for all their accounts, and even their identity could be up for grabs once compromised. Windows Hello allows you to provision several devices one by one combining them and adding additional cryptographic keys to them. That way, you can authenticate yourself better across your devices using only one account. That’s also where your TPM comes in. Your system stores this cryptographic key in the TPM, protecting it from potential trojan-horse attacks from malware pretending to be your TPM.
3. Platform Crypto Provider
Microsoft uses a Cryptographic API: Next Generation (CNG) framework to implement algorithms on your computer and keep it secure. That way, all software and apps that use cryptography can use the CNG API without knowing any details about the algorithm and how it works. Windows supplies an algorithmic implementation of the CNG your system executes through the TPM hardware on your PC motherboard. This implementation uses TPM’s unique properties to protect your private keys from being duplicated by malware. It also protects your device from dictionary attacks that use multiple guesses to crack your PIN code. Unlike software solutions, hackers cannot reverse-engineer TPMs to steal your private keys or copy them off your device.
How to Install and Activate a Hardware TPM Chip on Your PC Motherboard
Before we dive into installing a chip on your computer, here are some essential considerations to make:
If your PC was manufactured long before 2016, there’s a chance it doesn’t support TPM chips. In this case, there isn’t much you can do. We recommend upgrading your laptop/PC to a more modern version.Although your PC may be older yet already have a TPM chip installed, it may be the lower TPM 1.2 version. A simple firmware upgrade can fix that.If your PC was manufactured after 2016, there’s a good chance it already has a TPM chip installed. If that’s the case, all you have to do is activate your TPM chip, and you’ll be good to go. Check out this guide that shows how to do that.Your PC may be newer yet come without a TPM chip installed. You can purchase one and install it on your motherboard.
Upgrading TPM 1.2 to 2.0
As stated earlier, If your PC already has a TPM 1.2 chip installed, an upgrade should be enough. To go about that:
Dell HPHP EnterpriseInfineonLenovoPanasonicToshibaFujitsu
After running the update, clear your TPM using the following instructions:
Installing a TPM Chip on Your Motherboard
Before we proceed, have you checked your device for a TPM chip?
If so, does it have an empty TPM header on its motherboard?
There are two ways to go about this. If you’re savvy with technology, you can open your PC and check your motherboard. Check the manufacturer’s website for more technical details if you’re still unsure. You can also check your motherboard model number online.
What you’re looking for is a port that looks like this:
This TPM port is open, and you can install an aftermarket TPM chip on this motherboard.
Nothing is as essential as getting the TPM chip right, and not all TPM chips are similar. Because of different manufacturer standards, there are four different TPM configurations; 12-1 (12-pin), 14-1 (14-pin), 18-1 (18-pin) and 20-1 (20-pin).
The TPM module you choose should have the same number of pins as the TPM header on your motherboard. A 20-pin TPM will not fit into a 12-pin header, and vice versa. To determine this, count the number of pins on your TPM header.
Often, one hole (called an anti-insertion key) will be blocked off on your TPM module. That’s to be expected. The anti-insertion key should coincide with the TPM header too.
After installing the TPM chip on your PC, activating it will depend on your device. You can activate your TPM from the BIOS or Windows settings.
Please see this helpful video on how to install your TPM module.
1. Can I use BitLocker without TPM?
You can reconfigure BitLocker to work without a TPM module. However, BitLocker will store your encryption keys outside your computer (often a USB drive) that you’ll have to insert each time you restart your computer.
2. Why is TPM disabled by default?
If the TPM is greyed out on your system BIOS by default, that means your Platform Trust Technology feature (PTT) is enabled. You’ll have to disable PTT on your PC BIOS to activate your TPM module.
3. Is TPM on a motherboard or CPU?
You’ll find your TPM chip on the motherboard. Sometimes your PC motherboard may lack a dedicated chip and instead use an integrated TPM or firmware TPM.