TPM

pibbuR

Feeling ... lonely?
Joined
November 11, 2019
Messages
2,161
Location
beRgen@noRway
Some time in the future, near or distant, I will probably upgrade to Win 11. To do that, I have to turn on TPM 2. My motherboard supports TPM if I buy a small thingy and install it on the MB. I currently don't have that thingy, but I think I can get it from my pusher. However, my CPU supports TPM, and I can enable it there.

2 questions:
  1. Are there significant differences between MB enabled or CPU enabled TPM? And if so, which one should I go for?
  2. Will enabling TPM now cause problems for booting/running Win 10?
  3. Other things to consider (OK, that makes 3)?

pibbur who would like to know, and assumes that several watchers do know.
 
Joined
Nov 11, 2019
Messages
2,161
Location
beRgen@noRway
1. No difference. The module slot on motherboards is there only because older CPUs didn't have such capability so anyone who needed TPM could easily add it in as a separate hardware gadget. Also, it's cheaper to add the module instead of replacing the CPU if the CPU works like a charm except its TPM part has farted.

2. No, unless you enable BitLocker on the system drive, set a PIN for it and then forget the PIN, in which case the data will be inaccessible and you will need to format the drive (reinstall OS).
In other words, don't use BitLocker on the system drive unless for some reasons of your own, dunno what those could be, you have to. You can use it on USB drives though, so in case those get stolen, a thief can't read anything because they don't have the PIN.

3. No one knows why exactly Microsoft decided that TPM is required in the new OS for everyone. I can understand a security benefit at workplaces, but for a home user it should IMO be a choice, not a requirement.
On the other hand, it might be a step into virtual smart card tech where certificates usually kept on plastic cards can be stored on the TPM chip instead.
What does this mean? You buy some software and install it, but the license goes as a certificate on the TPM, it is not written on your disk. In case you have to reinstall everything, no need to search where the hell that license was, as the TPM is not erased by reinstalling.
Note that TPM storage is limited so you can't have TPM certificates for all of the Steam catalogue.


In short?
Do not buy the module.
Enable it in BIOS (UEFI actually, but everyone still says BIOS) if there is such option and you want to switch to win11.
If no option, keep using win10.
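
A way to check, before and after changing the firmware setting discussed in this thread, whether Windows sees a TPM 2.0 and which BitLocker key protectors the system drive carries. This is an added example, not part of any post in the thread; the function names are made up for illustration, and it assumes an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added example. Save as a .ps1 file and run from an elevated prompt.
#Requires -RunAsAdministrator

function Get-TpmReadiness {
    # Hypothetical helper: reports what Windows sees of the TPM.
    $tpm = Get-Tpm
    $family = $null
    if ($tpm.TpmPresent) {
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
        $family = ($wmi.SpecVersion -split ',')[0].Trim()
    }
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady
        SpecVersion = $family
        IsTpm20     = ($tpm.TpmPresent -and $family -eq '2.0')
    }
}

function Get-SystemDriveProtectors {
    # Hypothetical helper: lists BitLocker key protectors on the system drive.
    # Assumption: the BitLocker cmdlets are installed; some editions lack them.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return $null
    }
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        ProtectionStatus    = $vol.ProtectionStatus
        Protectors          = $types -join ', '
        UsesTpmPin          = ($types -contains 'TpmPin')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

Get-TpmReadiness | Format-List

$bl = Get-SystemDriveProtectors
if ($null -eq $bl) {
    Write-Host 'BitLocker cmdlets not available on this system.'
} else {
    $bl | Format-List
    if ($bl.ProtectionStatus -eq 'On' -and -not $bl.HasRecoveryPassword) {
        Write-Warning 'System drive is protected but has no recovery password protector.'
    }
}
```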
 
Joined
Apr 12, 2009
Messages
23,459
Great information, I was wondering a bit too.
 
Joined
Jun 4, 2008
Messages
3,971
Location
NH
I'm sticking with Windows seven until my poor computer has a conniption or something else dire. So far it's been chugging along well for a dozen years, I'm hopeful it might endure another decade or so.
 
Joined
Oct 18, 2011
Messages
18,979
Location
Holly Hill, FL.
The thing with a TPM is that it can act as a sort of pseudo-independent hardware overseer that cryptographically verifies things on your PC. That could be used in a restrictive way to create a walled-garden imposed by whoever controls the OS. But, it can also be used in a very constructive way to harden security on your PC, if we use an OS that ultimately leaves it to the user to determine what is trusted. The hardware itself is neutral in terms of how it can be utilised.
 
Joined
Nov 8, 2014
Messages
12,085