Windows IT Pro Blog:
With Windows 10 end of support approaching, it’s important to revisit a key minimum system requirement for Windows 11: Trusted Platform Module (TPM) 2.0. Let’s discuss the role of TPM and its value for those of you who have made the transition to Windows 11. You’ll also learn how to check your TPM status and how to prepare for Windows 11.
What is TPM?
TPM refers to a dedicated chip or firmware that offers hardware-level security services for your device. It securely houses encryption keys, certificates, passwords, and sensitive data, shielding them from unauthorized access. Additionally, TPM is tasked with cryptographic operations such as producing random numbers, encrypting and decrypting data, and confirming digital signatures. TPMs are available from many different manufacturers, including Microsoft on supported CPUs with Pluton. To learn more, read Trusted Platform Module Technology Overview.You know that Windows 10 is approaching end of support. In Windows 11, TPM 2.0 advanced encryption techniques offer more versatile and critical key management for contemporary IT infrastructures, as compared to its predecessor, TPM 1.2. Integrating with features like Secure Boot and Windows Hello for Business, TPM 2.0 enhances security by ensuring that only verified software is executed and protecting confidential details. It’s true that its implementation might require a change for your organization. Yet it represents an important step toward more effectively countering today’s intricate security challenges.
New security challenges addressed by TPM 2.0
TPM 2.0 helps keep your identities more secure and your data protection more robust. Can you ensure operating system integrity upon startup? Yes. Can you better protect sensitive information, data, and secrets? Yes. It provides a vastly more efficient and secure platform for Windows 11 to use through advanced encryption methods, improved industry standard cryptography, increased isolation, and greater interoperability with other security functions.Improved industry standard cryptography
A notable enhancement is that TPM 2.0 aligns to ISO standard. This means that TPM 2.0 can accommodate an extensive array of cryptographic algorithms, encryption keys, and certificates that a wide range of industries need. Crucially, protocols like Secure Boot validate operating system integrity upon startup. TPM 2.0 helps you ensure that only trusted software launches.Increased isolation
TPM 2.0 isolates cryptographic processes like the storage and use of keys from the main CPU. This way, it helps create a secure domain for critical operations and reduces the risk of interference and manipulation. This level of isolation helps ensure that sensitive information remains protected from potential threats.Seamless integration with Windows security capabilities
TPM 2.0 also seamlessly integrates with newer security functionalities such as Credential Guard and Windows Hello for Business. Credential Guard helps protect secrets using virtualization-based security, while Windows Hello for Business replaces passwords with robust two-factor authentication.The Microsoft BitLocker disk encryption tool uses TPM 2.0 to provide enhanced data protection in several important ways.
- Encryption key storage. BitLocker uses TPM 2.0 to help securely store encryption keys. This way, the keys are protected from unauthorized access and tampering.
- Secure Boot. When BitLocker is enabled on a TPM 2.0 system, it helps ensure that the system boots securely. The boot process is verified and any unauthorized changes to the boot environment are detected.
- Multifactor authentication (MFA). BitLocker supports MFA, which can be combined with TPM 2.0 for added security. This provides an extra layer of protection for the operating system drive.
The value of TPM 2.0 on Windows 11 today and tomorrow
These augmented capabilities largely drove the decision to update hardware and system requirements exclusively for Windows 11. In an age where cybersecurity threats constantly evolve, our safeguard measures need to advance just as rapidly.Today. From supporting more intricate encryption algorithms to adding cryptographic functionality, TPM 2.0 is essential to counteracting present-day cyber risks. As such, you should not disable TPM checks on Windows 11 endpoints. Using TPM functionality for hardware-based endpoint security and Zero Trust offers organizations a powerful tool to mitigate significant security risks and potential data breaches.
Tomorrow. TPM 2.0 also helps future-proof Windows 11. One way it does so is by helping to protect sensitive information as more AI capabilities come to physical, cloud, and server architecture. The long-term benefits of enhanced security contribute to more than one of your compliance goals. It prepares you for evolving regulatory standards and industry best practices.
By instituting TPM 2.0 as a non-negotiable standard for the future of Windows, we elevate the security benchmark. It allows you and us to better align with the growing need for formidable data protection in the modern digital sphere.
Check the TPM status of your devices
As an IT admin, you’re responsible for ensuring the security and compliance of your organization's IT infrastructure. One of the key requirements for Windows 11 is the presence of a TPM 2.0 chip on your hardware. This chip provides encryption and authentication capabilities that help protect your data and devices from unauthorized access.Unsure whether and which devices in your organization already meet this hardware requirement? Follow these steps to find out.
Check TPM version in Windows 10 and Windows 11
This tutorial will show you how to check which Trusted Platform Module (TPM) version you have on your Windows 10 and Windows 11 PC. Windows 11 requires a Trusted Platform Module (TPM) version 2.0 or higher. Trusted Platform Module (TPM) technology is designed to provide hardware-based...
www.elevenforum.com
If you’re using Microsoft Intune:
- Open the Intune Portal.
- Navigate to Devices > All devices.
- Select a device from the list.
- In the device Properties, navigate to Hardware.
- Locate the Security section to find TPM information, including the version and status.
- Open the Configuration Manager console.
- Navigate to Assets and Compliance > Overview > Device Collections.
- Select the desired device collection.
- Select a device and select Start > Resource Explorer.
- In the Resource Explorer, expand Hardware > Security > TPM.
- Check the version information and status from the TPM resource.
Steps toward TPM 2.0 and Windows 11
For devices that don’t already have TPM 2.0, here is how you can prepare for the Windows 11 upgrade:- Evaluate current hardware for TPM 2.0 compatibility. Conduct a thorough assessment of existing hardware with tools like Microsoft Intune. Determine which systems meet the TPM 2.0 requirements and identify any upgrades needed.
- Plan and budget for upgrades. Develop a detailed plan and budget for upgrading non-compliant hardware to TPM 2.0. Consider the long-term benefits of enhanced security and compliance with regulatory standards.
- Review security policies and procedures. Update the organization's security policies and procedures to incorporate the use of TPM 2.0. Facilitate team member training on new protocols and the importance of maintaining a secure IT environment.
In conclusion, TPM 2.0 is not just a recommendation—it’s a necessity for maintaining a secure and future-proof IT environment with Windows 11. And it’s an important part of the larger Zero Trust strategy, alongside Secure Boot, Credential Guard, and Windows Hello for Business. Learn more about it by watching Windows 11 Security—Our Hacker-in-Chief Runs Attacks and Shows Solutions. Embracing this change better protects your systems against evolving cyber threats, ultimately helping to safeguard your organization's data and reputation.
Source:
TPM 2.0 – a necessity for a secure and future-proof Windows 11 - Windows IT Pro Blog
Learn why Trusted Platform Module (TPM) 2.0 is a non-negotiable standard for Windows 11 now and in the future.
techcommunity.microsoft.com
