
What is TPM, and why Windows 11 insists on it

Marcus Hale · Security Lead, Servnet · 8 min read

When businesses started moving to Windows 11, one requirement caused more confusion than any other: a thing called TPM 2.0. Plenty of perfectly good PCs were suddenly declared 'not supported', and few people could explain why a tiny security chip had become non-negotiable. With Windows 10 now out of free mainstream support, this matters for every UK business. Here is what TPM actually is, what it does for you, and why Microsoft refuses to budge on it.

Figure: what the TPM does for you. 1 Tamper resistance: secrets stay locked even if the device is stolen; 2 Key storage: encryption keys held in a tamper-proof chip; 3 Boot integrity: checks the machine was not tampered with; 4 Secure sign-in: backs Windows Hello and passwordless login.

TPM in one sentence

A TPM - Trusted Platform Module - is a small, dedicated security chip built into your computer (or built into the processor) whose entire job is to guard secrets like encryption keys and to verify that your machine has not been tampered with. Think of it as a tiny, tamper-resistant safe soldered into the device, separate from the main system, that holds the keys to your data.

The 2.0 simply refers to the modern version of the standard. Almost every business PC sold in the last several years already has TPM 2.0 - often switched off in the settings rather than absent - which is why many machines that 'failed' the Windows 11 check just needed it enabled. It is not exotic hardware; it has quietly been standard for years.

What the TPM actually does for you

Three jobs, all of which run silently in the background. First, it stores encryption keys securely - so that when your drive is encrypted, the key that unlocks it lives inside the tamper-resistant chip rather than sitting on the disk where a thief could copy it. Second, it checks the integrity of the system as the machine starts up, helping detect whether malware has tampered with the boot process. Third, it underpins modern sign-in methods like Windows Hello, keeping the credentials that prove who you are locked away in hardware.

The thread running through all three is that the keys never leave the chip. Even if someone steals the laptop, pulls the drive out and plugs it into another machine, the data stays encrypted because the key is locked inside the TPM of the original device. That single property - hardware that protects secrets even when the rest of the computer is compromised or stolen - is why the TPM has become a cornerstone of device security.

  • Securely stores the encryption keys that protect your drive
  • Verifies the system has not been tampered with at startup
  • Backs secure sign-in like Windows Hello and passwordless login
  • Keeps secrets locked in hardware even if the device is stolen

Why Windows 11 made it mandatory

Microsoft's reasoning is straightforward: it wanted to raise the baseline security of every Windows machine, not just the ones whose owners chose to turn protections on. By requiring TPM 2.0, Windows 11 can assume that features like drive encryption and tamper-checking are available on every supported device, and build security around them by default rather than as an optional extra.

This is a deliberate shift from 'security if you opt in' to 'security as standard'. It reflects the reality that lost and stolen laptops, and attacks on the start-up process, are everyday threats rather than edge cases. Whether or not you love being told your old PC is unsupported, the direction - encryption and integrity-checking on by default for everyone - is genuinely good for businesses, which lose laptops and face theft far more often than they would like.

Figure: why a stolen drive stays locked. The TPM chip in the laptop holds the key and unlocks the encrypted drive; once the drive is removed and moved to another PC the unlock fails and the data stays encrypted: no key, no data.

What it means for your hardware

In practice you fall into one of three camps. Most business PCs from the last few years already have TPM 2.0 and simply need it enabling in the firmware settings, after which they meet the requirement. Some need both the TPM and a related setting (Secure Boot) switched on together. And genuinely older machines may lack TPM 2.0 entirely, in which case they cannot run Windows 11 in a supported way and are due for replacement.

Because Windows 10 has now reached the end of its free mainstream support, sticking with unsupported machines means running without security updates - a growing risk over time. For most businesses the sensible path is to check each machine, enable TPM where it exists, and plan a refresh for the ones that genuinely cannot make the move rather than leaving them exposed. Every business laptop in our current range ships Windows 11-ready with TPM 2.0 as standard.

Is the TPM a privacy risk?

A reasonable question, and the answer is no - the TPM is a protective component, not a surveillance one. It does not track what you do, report on your activity, or send your data anywhere. Its job is the opposite: to keep your secrets locked away from anyone who should not have them, including a thief who has physically taken your device.

The thing it protects most directly is your data at rest. With drive encryption switched on and the key held in the TPM, a lost or stolen laptop is a lost piece of hardware rather than a data breach - the files on it cannot be read without the key sealed in the chip. For a business that has to take data protection seriously, that is precisely the outcome you want, and it pairs naturally with the wider controls in our endpoint security service.

Key takeaways
  • A TPM is a small, tamper-resistant security chip that guards encryption keys and verifies the machine hasn't been tampered with.
  • It keeps secrets locked in hardware, so a stolen laptop's data stays encrypted even if the drive is removed.
  • Windows 11 requires TPM 2.0 so that strong security - encryption, integrity checks - is on by default for everyone.
  • Most recent business PCs already have TPM 2.0; it often just needs enabling in the firmware settings.
  • The TPM is protective, not a privacy risk - it turns a lost laptop into lost hardware rather than a data breach.

FAQs — What is TPM, and why Windows 11 insists on it

The basics

Does my computer have a TPM?

Most business PCs sold in the last several years do - often it is simply switched off in the firmware (BIOS/UEFI) settings rather than missing. On Windows you can check by running 'tpm.msc', which reports whether a TPM is present and which version. If it shows TPM 2.0, your machine meets the Windows 11 requirement once it is enabled.

Can I enable TPM myself?

Often, yes - it is usually a setting in the firmware screen you reach when the machine first powers on, sometimes labelled TPM, PTT (Intel) or fTPM (AMD). It is straightforward but worth doing carefully, ideally as part of a managed rollout, since you may also need to enable Secure Boot for Windows 11.

Windows 11

What if my PC doesn't have TPM 2.0?

Then it cannot run Windows 11 in a supported way. With Windows 10 now past its free mainstream support, the sensible course is to replace genuinely incompatible machines rather than run them without security updates. Many PCs that appear unsupported actually have a TPM that simply needs turning on, so check before assuming a machine is due for replacement.
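A per-machine readiness check that does what the article recommends, added here as an example and not Servnet's or Microsoft's own tooling: it reports TPM presence and spec version, Secure Boot state, and whether the system drive's BitLocker key is sealed to the TPM. It assumes Windows 10/11 with the built-in TrustedPlatformModule and SecureBoot modules (the BitLocker cmdlets exist only on Pro/Enterprise editions) and an elevated PowerShell session.

```powershell
# Constructed example: Windows 11 TPM / Secure Boot / encryption readiness report.
# Run from an elevated PowerShell; Get-Tpm and Get-BitLockerVolume need admin rights.
function Get-Win11ReadinessReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        TpmPresent      = $false
        TpmReady        = $false
        TpmSpecVersion  = 'n/a'
        SecureBoot      = 'n/a'
        SystemDriveEnc  = 'n/a'
        TpmKeyProtector = $false
    }

    # 1. TPM presence and readiness (the same facts tpm.msc shows in its GUI).
    try {
        $tpm = Get-Tpm
        $report.TpmPresent = [bool]$tpm.TpmPresent
        $report.TpmReady   = [bool]$tpm.TpmReady
    } catch { Write-Warning "Get-Tpm failed: $($_.Exception.Message)" }

    # 2. Spec version from WMI; the string looks like '2.0, 0, 1.38' and only the
    #    first field matters for the Windows 11 requirement.
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi -and $wmi.SpecVersion) {
        $report.TpmSpecVersion = ($wmi.SpecVersion -split ',')[0].Trim()
    }

    # 3. Secure Boot state; Confirm-SecureBootUEFI throws on legacy-BIOS boot.
    try {
        $report.SecureBoot = if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' }
    } catch { $report.SecureBoot = 'Unsupported (legacy BIOS?)' }

    # 4. Drive encryption: is the OS volume protected, and is a key protector TPM-backed?
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($bde) {
            $report.SystemDriveEnc  = $bde.ProtectionStatus
            $report.TpmKeyProtector = [bool]($bde.KeyProtector |
                Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        }
    }

    $report['Win11Ready'] = ($report.TpmPresent -and $report.TpmSpecVersion -eq '2.0' -and
                             $report.SecureBoot -eq 'On')
    [pscustomobject]$report
}

Get-Win11ReadinessReport | Format-List
```

A machine that reports TpmPresent but not TpmReady, or a SpecVersion of 1.2, is one of the "just needs enabling" or "due for replacement" cases the article describes; run the function across the fleet (for example via Invoke-Command) and export the objects to CSV for the refresh plan.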
