Trusted Platform Module (TPM) is a dedicated security processor, either a discrete chip or firmware running inside the CPU package (Intel PTT, AMD fTPM), that keeps keys and boot measurements outside the reach of the operating system. TPM 2.0 is the current specification and the one Windows 11 requires; compared with TPM 1.2 it supports newer algorithms (SHA-256 PCR banks) and separate key hierarchies. Enabling TPM 2.0 in Windows 11 provides several security benefits:
Benefits of TPM 2.0
- Drive encryption – BitLocker seals its volume master key to the TPM, bound to the measured state of the boot chain, so the key is released only when the machine boots through unmodified firmware and boot components.
- Prevents offline access – because the key is sealed to this particular TPM and boot state, a drive moved to another computer, or booted from a different operating system, cannot be unlocked without the recovery key.
- Boot integrity – the TPM records measurements of the firmware, boot loader and early drivers in its PCRs (Measured Boot). A bootkit or rootkit that tampers with those components changes the measurements, which stops BitLocker from unsealing the key and shows up in attestation reports. The TPM does not remove malware; it makes the tampering detectable.
- Supports advanced authentication – Windows Hello (PIN, face, fingerprint) and passkey/FIDO2 sign-in with Windows Hello as the platform authenticator use private keys that never leave the TPM, and the TPM's dictionary-attack protection throttles PIN guessing. External FIDO2 security keys carry their own secure element and work with or without a TPM.
Check TPM 2.0 Status
Before enabling TPM 2.0, check whether it is already present and ready on your Windows 11 device:
- Step 1: Open Windows Settings, go to “Privacy & security” and open “Windows Security”.
- Step 2: Click on “Device security”. If Windows can see a TPM, a Security processor section is listed there; if the section is missing entirely, Windows cannot see a TPM and you need the firmware steps below.
- Step 3: Click “Security processor details”. The page lists the manufacturer, the specification version (it must read 2.0 for Windows 11) and the status; a healthy TPM reports that attestation and storage are ready. The classic tpm.msc console shows the same information.
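The same readiness check can be scripted from an elevated PowerShell prompt. The script below is an added example and not part of the original guide; it uses only the built-in Get-Tpm cmdlet, the Win32_Tpm WMI class and Confirm-SecureBootUEFI, and the function name Get-TpmReadiness is an assumption introduced here.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: the Windows Security check,
# scripted. Built-in cmdlets only: Get-Tpm (TrustedPlatformModule module),
# the Win32_Tpm WMI class and Confirm-SecureBootUEFI.

function Get-TpmReadiness {
    # Get-Tpm exposes the state bits that the Windows Security page summarises.
    $tpm = Get-Tpm

    # Win32_Tpm carries the specification version string, e.g. "2.0, 0, 1.59";
    # Windows 11 needs the major version to be 2.0.
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($wmi) { [string]$wmi.SpecVersion } else { 'n/a' }

    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM boot; treat that as "not UEFI".
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

    [pscustomobject]@{
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        TpmEnabled         = $tpm.TpmEnabled
        TpmActivated       = $tpm.TpmActivated
        TpmOwned           = $tpm.TpmOwned        # Windows takes ownership itself during provisioning
        AutoProvisioning   = $tpm.AutoProvisioning
        LockedOut          = $tpm.LockedOut       # dictionary-attack lockout; PIN/Hello fail until it heals
        Manufacturer       = $tpm.ManufacturerIdTxt
        FirmwareVersion    = $tpm.ManufacturerVersion
        SpecVersion        = $specVersion
        SecureBootEnabled  = $secureBoot
        # Stricter than the bare Windows 11 requirement (which only needs Secure Boot
        # *capable* firmware): BitLocker's default PCR 7 binding wants Secure Boot on.
        TpmAndSecureBootOk = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and
                                    $specVersion.StartsWith('2.0') -and ($secureBoot -eq $true))
    }
}

$state = Get-TpmReadiness
$state | Format-List

if (-not $state.TpmPresent) {
    Write-Warning 'No TPM visible to Windows: enable Intel PTT, AMD fTPM or the discrete TPM in firmware setup.'
} elseif (-not $state.TpmReady) {
    Write-Warning 'TPM present but not ready: see Security processor details, or run "tpmtool getdeviceinformation".'
} elseif (-not $state.TpmAndSecureBootOk) {
    Write-Warning 'TPM is ready but either it is not a 2.0 device or Secure Boot is switched off.'
}
```

TpmOwned and AutoProvisioning are worth a glance: on a healthy Windows 11 machine both are set without any action on your part, and a TPM that is present but not owned usually means provisioning was blocked by firmware or policy rather than a hardware fault.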
Enable TPM 2.0 in BIOS
If Windows Security shows no Security processor section, or reports the TPM as disabled, enable it in the UEFI firmware setup (still commonly called the BIOS):
- Step 1: Restart your computer and press the setup key during boot to enter firmware setup. Common keys are F1, F2, DEL, ESC. On Windows 11 you can also get there from Settings > System > Recovery > Advanced startup > Troubleshoot > Advanced options > UEFI Firmware Settings.
- Step 2: Once in the firmware setup, go to the Security or Advanced menu.
- Step 3: Look for an option named something like “TPM Security”, “TPM State” or “Security Device Support”; on Intel boards the firmware TPM is usually labelled “Intel PTT” (Platform Trust Technology) and on AMD boards “AMD fTPM”.
- Step 4: Set the option to “Enabled” to turn on TPM 2.0 support. While you are in the same menus, confirm that the boot mode is UEFI and that Secure Boot is enabled; Windows 11 expects both, and BitLocker's default PCR 7 binding depends on Secure Boot.
- Step 5: Save changes and exit. Allow your system to reboot, then repeat the Windows Security check.
Clear TPM
Clearing resets the TPM to factory state and destroys every key it holds. Do it when Windows reports the security processor in an error state, before handing the machine to someone else, or after replacing the motherboard (the new TPM is empty anyway, and the BitLocker keys sealed to the old TPM are gone, so you will need the recovery key regardless). Before clearing, make sure every BitLocker volume has a recovery key you can read, or suspend BitLocker, and expect to set up Windows Hello again afterwards:
- Step 1: Go to Windows Settings > “Windows Security” > “Device security”
- Step 2: Under the Security processor section, click “Security processor details”, then “Security processor troubleshooting”.
- Step 3: Click “Clear TPM” and restart your PC. Most firmware asks you to confirm the clear during the next boot (a physical presence check, so a remote attacker cannot wipe the TPM silently).
- Step 4: After rebooting, Windows automatically provisions the TPM 2.0 and takes ownership again. BitLocker will ask for its recovery key on that boot unless it was suspended, and the Windows Hello PIN and biometrics must be re-enrolled.
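If you prefer to do this from PowerShell, the following added example (not from the original guide) wraps the precautions above around the built-in Clear-Tpm cmdlet: it refuses to clear while any TPM-protected volume lacks a recovery password, suspends BitLocker so the boot after the clear still unlocks, and only then queues the clear. The function names are assumptions introduced here; the script needs the BitLocker module (Pro/Enterprise/Education) and an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: a preflight for "Clear TPM".
# Clearing destroys every key the TPM holds: BitLocker volumes sealed to it
# boot straight into recovery, and Windows Hello PINs/biometrics and virtual
# smart cards must be re-enrolled.

function Get-VolumesUnsafeToClear {
    # Volumes that would lock the user out if the TPM were cleared right now:
    # protected by a TPM-based protector, with no recovery password to fall back on.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') { continue }
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        if ($tpmBound -and ($types -notcontains 'RecoveryPassword')) { $vol }
    }
}

function Invoke-SafeClearTpm {
    $unsafe = @(Get-VolumesUnsafeToClear)
    if ($unsafe.Count -gt 0) {
        $msg = 'No recovery password on: {0}. Add one with Add-BitLockerKeyProtector ' +
               '-RecoveryPasswordProtector and record it before clearing.'
        throw ($msg -f ($unsafe.MountPoint -join ', '))
    }

    # Suspend (do not decrypt) every protected volume. While suspended, the volume
    # master key is stored in the clear on disk, so the boot after the clear succeeds
    # without the recovery password. -RebootCount 0 keeps it suspended until you run
    # Resume-BitLocker, which should happen only after the TPM is re-provisioned.
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } | ForEach-Object {
        Suspend-BitLocker -MountPoint $_.MountPoint -RebootCount 0 | Out-Null
        Write-Host "Suspended BitLocker on $($_.MountPoint)"
    }

    # Clear-Tpm needs either the owner authorization Windows stored, or a
    # physical-presence confirmation in firmware at the next boot. Either way
    # Windows re-provisions the TPM automatically afterwards.
    Clear-Tpm | Out-Null
    Write-Warning ('Reboot now and confirm the clear in firmware if prompted. Once Get-Tpm shows ' +
                   'TpmReady = True, run Resume-BitLocker for each volume to re-seal the keys.')
}

Invoke-SafeClearTpm
```

Suspending rather than decrypting is the same procedure Microsoft recommends around firmware updates: the data stays encrypted, only the key is temporarily unprotected, and Resume-BitLocker re-seals it to the freshly provisioned TPM.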
Configure TPM 2.0
Once TPM 2.0 shows as enabled and activated in Windows Security, you can enable enhanced security features:
Enable BitLocker Drive Encryption
BitLocker encrypts the whole Windows volume (XTS-AES, 128-bit by default, 256-bit where policy requires it). The TPM does not store the data encryption key itself; it holds the volume master key sealed to the boot measurements (PCRs 7 and 11 on UEFI systems with Secure Boot) and releases it only when those measurements match at boot. Full BitLocker management needs Windows 11 Pro, Enterprise or Education; Home edition offers only “Device encryption” under Settings > “Privacy & security”, which is BitLocker with fewer options:
- Step 1: Go to Windows Settings > “System” > “Storage” > “Advanced storage settings” > “Disks & volumes”.
- Step 2: Select your Windows volume (usually C:) and click “Properties”.
- Step 3: Click “Turn on BitLocker” and follow the wizard. Save the recovery key somewhere that is not the drive you are encrypting: your Microsoft account, a USB stick, or a printout. Without it, a firmware update, a cleared TPM or a motherboard swap locks you out of your own data.
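The equivalent from an elevated PowerShell prompt, as an added example that is not from the original guide. It uses the BitLocker module's Get-BitLockerVolume, Add-BitLockerKeyProtector and Enable-BitLocker cmdlets; the function name Enable-OsVolumeBitLocker and the backup path D:\bitlocker-recovery-C.txt are assumptions, and the path must point at a drive other than the one being encrypted.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: enable BitLocker on the OS
# volume with a TPM protector plus a recovery password, then verify the
# protectors and escrow the recovery password off-volume. Needs the BitLocker
# PowerShell module (Pro/Enterprise/Education; absent on Home).

function Enable-OsVolumeBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [string]$RecoveryKeyBackupPath = 'D:\bitlocker-recovery-C.txt'   # assumed location
    )

    # A recovery password stored on the volume it unlocks is useless; refuse that.
    if ([System.IO.Path]::GetPathRoot($RecoveryKeyBackupPath).TrimEnd('\') -ieq $MountPoint) {
        throw "Recovery key backup path must not be on $MountPoint"
    }

    # Without a ready TPM the TPM protector cannot be created at all.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM is not present/ready: enable it in firmware and let Windows provision it first.'
    }

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # 1. Recovery password first, so an escrow exists before the volume can ever lock you out.
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # 2. TPM protector + encryption. The volume master key is sealed to the measured
    #    boot state (PCRs 7 and 11 on UEFI with Secure Boot), so a modified boot chain
    #    forces recovery instead of releasing the key. -SkipHardwareTest avoids the
    #    extra reboot BitLocker otherwise uses to prove the TPM can unseal.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                         -UsedSpaceOnly -SkipHardwareTest -TpmProtector | Out-Null
    } elseif ($vol.ProtectionStatus -eq 'Off') {
        # Already encrypted but suspended (clear key on disk): re-seal it.
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }

    # 3. Read back the protectors and write the recovery password off-volume.
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $hasTpm   = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }).Count -gt 0
    if (-not $hasTpm -or $recovery.Count -eq 0) {
        throw 'Expected both a Tpm and a RecoveryPassword protector on the volume'
    }

    $lines = $recovery | ForEach-Object { "$MountPoint  ID: $($_.KeyProtectorId)  Password: $($_.RecoveryPassword)" }
    Set-Content -Path $RecoveryKeyBackupPath -Value $lines
    # On a Microsoft Entra ID joined device, escrow to the directory as well:
    #   BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery[0].KeyProtectorId

    return $vol
}

$result = Enable-OsVolumeBitLocker -MountPoint 'C:' -RecoveryKeyBackupPath 'D:\bitlocker-recovery-C.txt'
$result | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, EncryptionMethod | Format-List
```

The order matters: the recovery password is added before the TPM protector so that there is never a moment where the volume can only be unlocked by a TPM that a firmware update or a Clear TPM could invalidate. Encryption continues in the background; ProtectionStatus turns On once it has finished.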
Use TPM for Windows Hello Sign-in
Windows Hello sign-in (PIN, face or fingerprint) authenticates you with a key pair whose private key is generated and protected by the TPM; the biometric template itself is stored encrypted on the local disk and never leaves the device. The TPM also enforces anti-hammering delays on PIN attempts, which is why a short Hello PIN is acceptable where a short password would not be:
- Step 1: Go to Windows Settings > “Accounts” > “Sign-in options”
- Step 2: Under Windows Hello, click “Set up” to add face, fingerprint, or security key.
Manage TPM Ownership
On Windows 11 you do not take ownership of the TPM by hand. Once the TPM is enabled, the TPM provisioning task takes ownership automatically at the next boot (Get-Tpm in PowerShell reports TpmOwned = True) and Windows manages the owner authorization value for you; the Group Policy “Configure the level of TPM owner authorization information available to the operating system” controls how much of that value Windows retains. The only manual ownership-related operation exposed in Windows Security is resetting the TPM so that Windows can take ownership afresh:
- Step 1: Go to Windows Settings > “Windows Security” > “Device security”
- Step 2: Under “Security processor details”, click “Security processor troubleshooting”
- Step 3: Check the status shown there. If it reports an error, use “Clear TPM” (see the Clear TPM section above), reboot, and let Windows re-provision and take ownership again; there is no owner auth value for you to enter.