
Find out if your computer supports TPM


Batu69


Microsoft announced recently that all new devices that ship with Windows 10 once the operating system's Anniversary Update comes out need to support the Trusted Platform Module 2.0 (TPM) and have it enabled by default.

 

While this won't affect existing devices or devices that you build yourself, the majority of devices that OEMs produce, including all client PCs and Windows mobile devices, need to ship with TPM 2.0 enabled.

 

This makes TPM 2.0 a hardware requirement for new devices that ship with the Windows 10 Anniversary Update.

 

Microsoft made the decision to exempt some devices from that:

  • Windows Desktop: all desktop PCs need to ship with Trusted Platform Module 2.0 and have it enabled.
  • Windows Server: TPM 2.0 is optional unless certain criteria are met.
  • Windows Mobile: all Windows Phones and tablets require TPM 2.0.
  • Windows IoT: TPM 2.0 remains an optional component.

The main reason why Microsoft enforces TPM 2.0 is that several features of the operating system depend on it.

 

| Windows 10 Feature | TPM 1.2 | TPM 2.0 | Details |
|---|---|---|---|
| UEFI Secure Boot | | | |
| Conditional Access | | | |
| Enterprise Data Protection | | | |
| Windows Defender - Advanced Threat Detection | | | |
| Device Guard / Configurable Code Integrity | | | |
| Windows Hello | | | |
| Credential Guard | Yes | Yes | More secure with TPM 2.0 |
| Measured Boot | Yes | Yes | More secure with TPM 2.0 |
| Device Health Attestation | Yes | Yes | Requires TPM |
| Virtual Smart Card | Yes | Yes | Requires TPM |
| Passport: Domain AADJ Join | Yes | Yes | Supports both versions, but requires TPM with HMAC and EK certificate for key attestation support. |
| Passport: MSA / Local Account | Yes | Yes | Requires TPM 2.0 for HMAC and EK certificate for key attestation support |
| BitLocker | Yes | Yes | TPM 1.2 or later required or a removable USB memory device such as a flash drive |
| Device Encryption | | Yes | For Modern Standby devices, all require TPM 2.0 |

 

Several of the features are for business / Enterprise devices only.

Find out if TPM is supported on Windows


 

Current devices won't be able to make use of some of the security features listed above if they don't support TPM.

 

To find out if TPM 1.2 or 2.0 is available and enabled on your Windows device (desktop), do the following:

  1. Use Windows-R to open the run box.
  2. Type tpm.msc and hit enter.
  3. Confirm the UAC prompt that appears.


 

This opens the Trusted Platform Module (TPM) management on the local computer.

If TPM is supported, you may get options to turn on the TPM Security Hardware, create the TPM owner password, clear the TPM, block or allow TPM commands, or turn off TPM by selecting the option in the actions pane. Please note that you need to enter the owner password to do so.

 

Information about TPM is also available in the Device Manager but only if the feature is enabled and supported on the device.

You find information there under Security devices.

 

If TPM is not supported, you get the message "compatible TPM cannot be found".

This does not necessarily mean that TPM is not supported on the device as its state is controlled by the BIOS/UEFI.

 

If you get that message, you need to boot your computer and load the BIOS/UEFI management screen to find out about that.

Where you find that depends largely on the BIOS or UEFI of the computer. If you run a recent Surface device for instance, you find reference to TPM under Security. There you can enable or disable TPM.

 

Article source
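
The same check can be scripted instead of opening tpm.msc. The PowerShell below is an added example, not part of the original article: it reads the Win32_Tpm WMI class from an elevated prompt and also reports the specification version, which tells TPM 1.2 from TPM 2.0. The function name Get-TpmSummary and the wording of its notes are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: summarise TPM presence, state and specification version.

function Get-TpmSummary {
    # Win32_Tpm is the WMI class for the TPM. The query returns nothing when
    # Windows cannot see a TPM (none fitted, or switched off in BIOS/UEFI).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue |
           Select-Object -First 1

    if (-not $tpm) {
        return [pscustomobject]@{
            Present     = $false
            Enabled     = $false
            Activated   = $false
            Owned       = $false
            SpecVersion = $null
            Note        = 'No TPM visible to Windows. Check the BIOS/UEFI ' +
                          'security settings before concluding there is none.'
        }
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.16";
    # the first field is the specification family (1.2 or 2.0).
    $family = ($tpm.SpecVersion -split ',')[0].Trim()

    $note = switch ($family) {
        '2.0'   { 'TPM 2.0: covers every TPM-dependent feature in the table.' }
        '1.2'   { 'TPM 1.2: Device Encryption on Modern Standby devices and ' +
                  'Passport with MSA / local accounts need TPM 2.0.' }
        default { "Unrecognised specification family '$family'." }
    }
    if (-not $tpm.IsEnabled_InitialValue) {
        $note += ' The TPM is present but not enabled.'
    }

    [pscustomobject]@{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled_InitialValue
        Activated   = [bool]$tpm.IsActivated_InitialValue
        Owned       = [bool]$tpm.IsOwned_InitialValue
        SpecVersion = $family
        Note        = $note
    }
}

Get-TpmSummary | Format-List
```

On a fleet, the same function can be run remotely and the results filtered on SpecVersion to list the machines that still report TPM 1.2 or none at all.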
