For the upgrade from Windows 10 to 11, Microsoft requires a Trusted Platform Module (TPM) in version 2.0, which must be present in the PC. However, it does not have to be a physical module, i.e. a separate chip. Instead, most systems with TPM 2.0 have a firmware TPM (fTPM 2.0). This is firmware that runs on a separate microcontroller core integrated in the processor, chipset or system-on-chip.
This variant has been around for desktop PCs since around 2015 and is available on virtually all platforms that Microsoft has approved for Windows 11. However, these fTPMs are often disabled when the mainboard is delivered, so when you try to upgrade, Windows reports that no module is available.
How-to: Activate TPM
How to activate the fTPM differs from motherboard manufacturer to motherboard manufacturer, and sometimes from series to series. In any case, you have to go to the (UEFI) BIOS setup, which you can access by pressing the Delete key when starting the PC (sometimes F2 instead). The manufacturers describe or show the steps from there in blog posts.
The setting can be found either in the “Security” tab (ASRock with Intel chipsets, Biostar with AMD chipsets), “Advanced” (Asus, Biostar with Intel chipsets, EVGA) or “Settings” (Gigabyte, MSI). On motherboards with an Intel chipset, the option is usually called Platform Trust Technology or PTT; on AMD models it is called fTPM or TPM. With MSI you have to activate “Security Device Support” and then select PTT or fTPM.
Partly automated in BIOS updates
For some boards there are BIOS updates that manufacturers advertise with Windows 11 compatibility. These versions change the default settings and activate the fTPM. You can check whether this is the case for you in the Device Manager: the Trusted Platform Module 2.0 then appears under Security devices.
If the fTPM is activated in the BIOS setup, it appears as “Trusted Platform Module 2.0” in the Device Manager.
(Image: Mark Mantel / heise online)
Other requirements of Windows 11 include Secure Boot.
In the first tests with the final version of Windows 11, the “memory integrity” function (under Device security / Core isolation; keywords: virtualization-based security (VBS) and HVCI) could only be activated on some boards after a BIOS update. A BIOS update before the Windows 11 upgrade can therefore also be useful for this. For “core isolation”, the processor’s virtualization function (Intel VT-x, AMD SVM / AMD-V) must also be activated in the BIOS setup, which is not always the case by default.
(mmma)
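To read back from Windows whether the firmware settings described above took effect (fTPM/PTT, Secure Boot, CPU virtualization, VBS/HVCI), the following PowerShell sketch can be run in an elevated session. It is an added example, not part of the original article; the function name `Get-Win11FirmwareReadiness` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read back the firmware settings discussed in the article.
# Get-Win11FirmwareReadiness is a hypothetical helper name.

function Get-Win11FirmwareReadiness {
    $result = [ordered]@{}

    # TPM: Get-Tpm reports presence and readiness; Win32_Tpm carries the spec version.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
    $result.TpmSpecVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Secure Boot: the cmdlet raises an error on legacy (non-UEFI) boot,
    # so any failure is reported here as "not enabled".
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $result.SecureBoot = $false }

    # CPU virtualization (Intel VT-x / AMD SVM). Once a hypervisor is running,
    # VirtualizationFirmwareEnabled can read False, so HypervisorPresent is checked too.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.Virtualization = [bool]($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)

    # VBS / memory integrity: status 2 = VBS running; service id 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)

    [pscustomobject]$result
}

$r = Get-Win11FirmwareReadiness
$r | Format-List
if (-not $r.TpmPresent) { Write-Warning 'No TPM visible: enable fTPM/PTT in the BIOS setup.' }
elseif ($r.TpmSpecVersion -ne '2.0') { Write-Warning "TPM spec version is $($r.TpmSpecVersion), not 2.0." }
if (-not $r.SecureBoot) { Write-Warning 'Secure Boot is off or the system boots in legacy mode.' }
if (-not $r.Virtualization) { Write-Warning 'CPU virtualization (VT-x / SVM) appears disabled in firmware.' }
if (-not $r.HvciRunning) { Write-Warning 'Memory integrity (HVCI) is not running.' }
```

A `TpmPresent` value of `False` on a board from the supported generations usually means the fTPM is still disabled in the BIOS setup rather than missing.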