There are different types of TPMs (more on that below), but in its simplest form, a TPM (Trusted Platform Module) is a small security chip that attaches to your computer’s motherboard.
To understand what it does, you need to know a bit about full disk encryption.
Full disk encryption is a form of hardware-based security. When a PC using an encrypted disk (hard drive) is turned off, all the files on that disk are encrypted into an unreadable code and they’re not decrypted until the PC is turned on again.
An unauthorised user (hacker) or even someone who may have stolen your device would need both physical access and the master password to access the encrypted drive. If your PC is stolen, the hard drive cannot be decrypted even if it’s removed from the device and put into another machine.
This is more secure than software based security because software (VPNs, passwords) is significantly easier to hack because its code and code can be manipulated from any location.
The TPM is a critical component for full disk encryption to work. The best way to think of a TPM is like a key to your drive, or an alarm system that requires a unique code.
If your PC has a TPM and an encrypted drive, when you turn it on, the TPM will send a cryptographic key (a unique code) to your encrypted drive, which will unlock the computer and boot the device. If someone steals your laptop or PC, and tampers with your encrypted drive, the TPM will no longer send a compatible code, and the device won’t turn on.
That’s not all a TPM does, though. There are a number of apps and features that use the TPM after the PC has been turned on.
Outlook, for example, uses TPM to deal with encrypted messages, Google Chrome uses TPM to maintain SSL certificates on websites, and even consumer technology like printers utilise the PC’s TPM.
There are also different forms a TPM can take. It can be a physical chip, it can also come as firmware integrated into the main CPU. This isn’t as secure as a physical chip, but it’s still incredibly secure. It can also come as software. However, this is not recommended. The other forms are much safer, and it goes against the point of having a TPM.
Microsoft has stated that a TPM is required for Windows 11 because it is used to “protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.”
It’s basically a better level of security. Windows Hello’s passwordless authentication, facial recognition and Windows Defender all utilise the TPM to make Microsoft based devices more secure.
Unfortunately, if you don’t have a TPM, installing one on your PC is difficult. It’s not a case of simply downloading a program. Microsoft has stated that a TPM version 2.0 is required. However, a TPM version 1.2 will be compatible as well.