We often do not notice many processes while our PC is running. However, that does not mean that those processes and the elements responsible for them are not important. One of these critical pieces of computer tech is the hardware TPM, or Trusted Platform Module, a small chip that we are going to focus on in this article.
A TPM or Trusted Platform Module is a chip that provides cryptographic operations for your computer security, which can be installed as a separate hardware device. The purpose of this computer chip is similar to the purpose of two-factor authentication when entering your personal account on a website. For example – once you enter your login and password on the site, it will send you a confirmation code via SMS, or perhaps you will receive a call and be asked to enter the last digits of that number. If you fail to provide the required information, you will not be able to access your account.
TPM technology works in the same way. If the computer’s motherboard is equipped with hardware based security in the form of TPM to store platform measurements, when you try to turn on such equipment, the Trusted Platform Module will check the status of the PC and compare it to normal status measurements. In the case everything is in order, the computer will continue to function as intended. However, if anything goes wrong during the startup check, for example, attackers are trying to hack the device with a brute force attack, the data will not be decrypted, the PC won’t start working, and the platform will remain secure.
When you press the power button on your PC, the TPM chip checks various indicators of the computer’s status. If the indicators meet the specified security policies and store platform measurements, the computer will load the operating system and work as usual. Alternatively, if it turns out that any of the indicators do not meet the established security policies, the device will not boot and the data will not be decrypted, making it impossible to extract any information from the equipment. Common triggers for TPM are:
The work of the Trusted Platform Module is based on securely storing artifacts and cryptography implementation in a trusted computing group. One of the integrated cryptographic keys is stored in the TPM and another key is stored on the device’s hard drive. Without a key from the TPM header, the PC will not be able to work, since all system data cannot be used – they will be encrypted by disk encryption.
TPM is ubiquitous in equipment of many industries. Moreover, many standards and regulatory mandates, such as FIPS, etc. require organizations to use hardware security equipment to securely store artifacts which have a built-in TPM. Those requirements are directed to counter unauthorized access and guarantee that the platform remains trustworthy with hardware based security. Examples of such industries are the automotive industry and healthcare.
In healthcare, keeping personal data confidential is of the utmost importance, therefore it is vital to ensure complete data protection, including hardware security chips.
When it comes to the automotive industry, cars are increasingly dependent on digital devices inside them. If your car’s electronic system is broken into by an intruder, a variety of problems can occur: from turning off the heated seats to destabilizing the steering. Among other things, TPM can generate encryption keys, play the role of a storage root key, detect malicious software, and secure software licenses.
Starting with Microsoft Windows 7, Microsoft has been actively using TPM for reliable and simple authorization. For example, Windows features that rely on TPM are:
You can find information about whether your device is equipped with a Trusted Platform Module or not in the device’s security settings. For example, if your device has Windows 10 installed, you need:
TPMs are divided into built-in and discrete (they are also called dedicated). The difference between the two is that discrete ones are faster, more secure, and support more cryptographic algorithms and features. However, ordinary users rarely need to take advantage of these more expensive benefits. Therefore, discrete processors are more often found in laptops designed specifically for commercial use, because corporate devices often store more sensitive data, and their protection is often standardized by company security policies as well as local government laws.
If your TPM has stopped showing up or is not working by default on a new device, this could be due to several different reasons. Some processors with a built-in TPM are configured to use discrete or external TPMs by default. In this case, you need to install the appropriate processor firmware, which provides the use of the functionality of the default built-in TPM firmware.
Another reason could be problems with the TPM drivers. If that’s the problem, you need to install the latest drivers for your TPM. You can usually find them on the security chip manufacturer’s website.
In addition, the problem may be in the UEFI settings. Many motherboards based on Intel and AMD chipsets have a built-in TPM disabled by default. You can find information about TPM in the Security section under the Trusted Computing subcategory. Check your UEFI settings and make sure that TPM has not been disabled or hidden in the operating system.
Like all hardware based security equipment, older TPM models no longer meet current safety requirements. Trusted Computing Group proposed the TPM 2.0 Library Specification, which was approved as a formal international standard under ISO/IEC. TPM 2.0 is a chip that performs the same functions as previous versions. They securely store artifacts using the Storage Root Key, which is generated by the TPM and stored in a non volatile memory, that meets modern device’s and data security requirements.
TPM 2.0 added support for new cryptographic algorithms and optimized their execution; improved transaction performance; added new biometric authentication and personal digital signature features; and improved integrated cryptographic keys management processes and store platform measurements system. For example, thanks to the new capabilities of TPM 2.0, the current version of Windows 11 performs all the processes of issuing public key certificates solely on the new generation of TPM chips.
You can view the TPM version installed on your computer by entering the tpm.msc command and opening the Manufacturer Information section in the pop-up window.
TPMs differ from each other in terms of form factor as follows:
Discrete TPM – individual chips from trusted computing groups connected to motherboards with a special connector. The advantages are the low probability of a software failure during operations and the chip’s tamper resistance.
Physical-based – TPMs are integrated into the PC’s CPU, the same as discrete ones implement tamper resistance.
Firmware TPM – such modules operate in the processor’s trusted environment – they are protected in the same way as physically based ones.
Software-based – those TPMs have a higher risk of third-party attacks, software failures and bugs.
Virtual TPMs – are used to provide security in virtual environments, such as virtual machines.
With TPM 2.0, Microsoft plans to introduce a simple and secure Windows 11 experience. For example, many have already appreciated the possibility of fingerprint or face authentication, and there will only be more examples of such innovations in the future. Moreover, TPM 2.0 functions need to be implemented because of the rise of cybercriminal attacks that affect Microsoft products quite frequently. However, some believe that using such devices in the future will limit the capabilities of their PC in the same way that secure versions of Windows 10 or some versions of MAC OS are limited today. These restrictions are unlikely to concern most users when migrating to Windows 11.
The TPM is an integral part of today’s computers that provides important security features for user data. Many features in our devices work securely thanks to TPM and its role will become even more important in future Windows Security Updates. You can learn about other interesting and relevant topics related to the security of PC tech and cryptographic protection by reading the Helenix blog.
TPM or Trusted Platform Module is a chip that is used to secure a computer through encryption and other cryptographic operations. It checks the state of the system and prevents data from being extracted from it if threats are detected.
You can find out about your TPM in Windows by entering the tpm.msc command. If you see information about TPM in the PC you have a TPM. If you see a “Compatible TPM cannot be found” message instead, your PC does not have a TPM. You can also check it in the UEFI device settings.
This can be done both by using the tpm.msc command and in the UEFI settings. In the second case, it will be possible to check if your TPM is enabled, as well as select its configuration when loading the operating system.
Windows Defender Security Center will help you to clear the TPM. Go to Device security, choose the Security processor details and click on Security processor troubleshooting. After that, select Clear TPM. You will be prompted to restart the PC. After you clear the TPM, Windows will automatically re-initialize it.