What is TPM 2.0?

A Trusted Platform Module (TPM) is a security chip that is integrated into the motherboard of your laptop or desktop computer. TPM creates a secure environment for checking system integrity, authenticating users, and saving keys and passwords. TPM 2.0 was released in 2018 and comes with a set of new features, including the use of various hash algorithms, PINs, and user-defined key management.

Quick overview: What does TPM do?

Most users are familiar with common defenses against malware, rootkits and ransomware. Firewalls, antivirus programs and two-factor authentication are common go-to security measures. A Trusted Platform Module (TPM) is a security chip that provides your system with an extra layer of protection. The TPM chip is physically integrated into laptops and desktop computers and helps with device and user authentication, checking for system integrity and software licenses. Another important feature is the ability to save cryptographic keys, passwords and certificates. TPM creates a secure environment that’s protected from manipulations, meaning that it can check various software and hardware components to ensure their security during bootup. If the chip finds any manipulations, it will sound an alarm. Whereas TPMs used to come as separate security chips, these days they are usually integrated into new computers.

Where does TPM 2.0 come from?

TPM was developed by the Trusted Computing Group (TCG) and standardized by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 11889:2209 in 2009. The first definitive TPM was released on March 3, 2011, as TPM Version 1.2. TPM 2.0 was released in 2019 as ISO/IEC 11889:2015 with new security features, including updates to the TPM architecture and TPM commands and support routines.

Where is TPM 2.0 located?

Since TPM 2.0 chips function as dedicated processors, they’re integrated directly into the motherboard. Most new laptops and PCs come with factory-integrated TPMs and TPM compatibility. You might also find motherboards that don’t offer a pre-installed TPM 2.0 chip but have a slot for an additional chip.

Does Windows 11 require TPM 2.0?

TPM 2.0 is a hardware requirement for Windows 11. For many Windows users, this was the first time they had heard about TPM. If your computer doesn’t have a TPM or TPM 2.0 isn’t enabled, you’ll get a notification saying that TPM couldn’t be found or isn’t compatible. A UEFI (Unified Extensible Firmware Interface) with secure boot is also required.

TPM 2.0 is used in Windows 11 and other versions for the following:

• Windows Hello: Biometric access control and identification using fingerprint and/or iris scan, facial recognition with Endorsement Key (EK) and Attestation Identity Key (AIK)
• BitLocker drive encryption: For encrypting logical volumes and thus entire drives
• Virtual smart cards: Similar to physical smart cards, virtual smart cards help with access control for external systems and resources
• TPM start metrics: With TPM metrics about the Windows bootup state, the integrity of system components and Windows configurations can be checked by measuring start sequences
• AIK certificates: AIK certificates saved in TPM compare start data that has been collected with metrics about the devices’ state
• Defense against dictionary attacks: Protection from brute force attacks that try to bypass password protection with automated queries of dictionary lists
• Credential guard: Isolates login and user data and protects saved keys using virtualization-based security checks

What are the advantages of TPM 2.0?

TPM comes with the following advantages:

• Generating and saving cryptographic keys, passwords, and certificates for extra secure encryption methods
• Detecting manipulations in BIOS code using a check value in the Platform Configuration Register (PCR) 17
• TPM 2.0 has a new algorithm exchange function for simultaneous use of different algorithms
• Verification signatures support PINs and positioning data using biometric or global access controls
• Checking software licenses using digital rights management (DRM)
• Ensuring platform integrity using configuration metrics that check startup sequences for security and changes
• Authentication of system hardware with RSA cryptosystems
• Endorsement Keys (EK) and Attestation Keys (AIK) use hashing to check the security and integrity of the system
• Optimizing protection from malware, ransomware, brute force attacks and phishing, in combination with firewalls, smart cards, biometric access control and antivirus programs

Closing thoughts...

Clearly, the future of cybersecurity is more than just protecting yourself from email scammers and hackers getting your credentials. TPM 2.0 equipped PCs & Laptops provide a new line of defense to secure your hardware and machines lacking this feature, should be addressed immediately. All APEX Technologies customers can receive a free machine inventory report that can show you which machines need to be upgraded for TPM 2.0!