How to install Windows 11: enable TPM and Secure Boot
The most recent version Windows is finally here, but there’s a confusing new requirement if you want to upgrade from Windows 10: Your computer will need to have a security feature enabled called TPM. You’ve probably never heard of it before, but your machine might already have it – it might be turned off by default. If you’re having trouble upgrading an otherwise compatible device, a small switch could be to blame.
What are TPM and Secure Boot?
Microsoft’s Windows 11 system requirements mention a new requirement that was not present in earlier versions of the operating system: a Trusted Platform Module (TPM). Specifically, it requires TPM 2.0, which was first released in 2014.
Sometimes TPM is a chip that is built directly into your device’s hardware or, more commonly for consumer PCs, a type of firmware supported by your processor. TPMs are tamper-proof, making it incredibly difficult for someone to steal the data they store or the cryptographic keys they generate.
The reliability and security of this chip forms what is called a “hardware root of trust”. Essentially, TPM is something your system can always trust to be secure, like the fireproof safe in your home where you store important documents. This activates security features that can help protect your computer, such as encrypting your storage drives or using connections such as fingerprints or facial recognition. This is only possible because there is a safe place on your computer to store encryption keys or biometric data that would not be stored securely otherwise.
One of the many features that a TPM enhances is Secure Boot. This feature prevents malware from running when you start your computer for the first time by only allowing cryptographically signed software to run when you enable it (although you can disable it if necessary).
Why it’s required for Windows 11
Despite all the confusion about this new requirement, it is not actually this New. Microsoft has required TPM 2.0 in new prefabricated PCs manufactured since 2016 that run any version of Windows 10 for desktop. If you’ve bought a Windows 10 device at a store in the past few years, there’s a good chance you’ve already got coverage and can install Windows 11 right now. Just head to Settings> Windows Update> Check for updates.
However, this still leaves out a large number of computers in the market. Custom PCs, for example, can use motherboards and processors that don’t include TPM or don’t enable it by default. Many Windows devices are protected, but some are not, making it more difficult to constantly deploy security features.
A major example of this is Microsoft’s attempts to terminate passwords for Microsoft accounts. Passwords are, paradoxically, difficult for humans to remember and often easy to circumvent for attackers. The company has come up with alternatives to passwords that use credentials on your phone, biometric data, or even a PIN which, if stored in a TPM, can be more secure than a password and easier. use.
While some of these features are possible on devices without a TPM, they are more secure if you have one. Requiring the TPM on all Windows 11 devices allows Microsoft to set a security threshold. The downside is that it might leave some people with otherwise capable computers behind. For Microsoft, it is a compromise to be made.
How to enable TPM and secure boot
Leaving older PCs behind when a new version of Windows comes out isn’t new, but this particular requirement has left many people confused because some computers that do should being able to run Windows 11 properly are believed to be incompatible.
This is partly because early versions of the PC Health Check app, which is Microsoft’s downloadable tool that tells you if your hardware is eligible for the upgrade, simply returned an error if TPM was not. activated on your device. Fortunately, the most recent version will tell you if TPM is the problem. You might run into this problem if you built your PC yourself or if you had someone else build it for you. Many motherboards are TPM compatible, but some gaming motherboards have skimped on functionality in favor of other bells and whistles.