You shouldn’t buy a TPM for Windows 11. Here’s why

By now, nearly everyone knows you need a Trusted Platform Module 2.0 for Windows 11. But many people still aren’t sure if you have to go out and buy a module to fulfill that requirement.

For the majority of PC users, the answer is no. Either your PC already meets Windows 11’s hardware requirements or you’ve decided to buy new hardware (or a whole new PC) that does. Both scenarios mean you can skip the hunt for a physical TPM. Your CPU already includes a firmware version of TPM 2.0—it just needs to be enabled in your BIOS settings before you install Windows 11. Look for “fTPM” for AMD Ryzen processors and Platform Trust Technology (or PTT) for Intel Core processors. Also make sure your BIOS is set to firmware TPM and not discrete. It’s as simple as that.

As for PC owners with unsupported hardware, you don’t actually need a TPM to clean install Windows 11. And for upgrades from Windows 10, most people have TPM 1.2 and can use the registry hack method to move up to Microsoft’s newest OS. Even for computers that lack firmware TPM all together, buying a module won’t solve a major problem in Windows 11: All systems with unsupported hardware run the risk of being shut out of Windows updates. So sure, you can get a physical module to pair with an older CPU, assuming you have a motherboard with a TPM header. But you won’t stay as secure as supported PCs. In the end you’re winning one battle only to lose another—you get to keep your PC without the assurance of safety from threats.

Gordon Mah Ung

This issue with security also applies to anyone seeking a physical TPM to keep its primary functions separate from your CPU, because you believe isolating components offer more security. That’s only true in some scenarios. A physical module doesn’t protect against every kind of TPM attack. Microsoft doesn’t favor a particular kind of TPM for Windows 11, either—in its recommendations about TPM, the company mentions discrete, integrated, and firmware TPM and specifically says Windows uses all compatible modules in the same way.

And on the off-chance you want a physical module to bypass needing your recovery key for an encrypted drive after a CPU upgrade, stop right there. Having a discrete TPM doesn’t sidestep this kind of headache—you can trigger the need for a recovery key even after motherboard firmware changes. Regardless of what kind of TPM you have, you should always have a backup of your recovery key on hand. If it’s for BitLocker, don’t rely on just the auto-backup saved to the Microsoft account linked to Windows 11. Also keep a copy on a USB drive as well. That said, the safest way to avoid locking yourself out of your data after hardware changes is to decrypt the drive first, then re-encrypt it again after you’re done.

So what should people with unsupported hardware do, if not buy a physical TPM for Windows 11? Stick with Windows 10. You get a hassle-free experience with solid security, and major Windows 11 features like DirectX Storage will still come to it. Windows 10 will also get support for another four years, so you have little pressure to upgrade your hardware in the near future. You’re not missing out on much yet in Windows 11, either—at launch, there’s not a lot to compel an immediate upgrade. Plus, performance issues are still being ironed out, like those on Ryzen systems. By the time Windows 11 becomes robust enough to compel an upgrade, you’ll likely be in the market for compatible hardware anyway. No need to bother yourself with the struggle to even find a discrete TPM that’s available at a reasonable price and compatible with your system. That’s right: Physical TPM pin-outs aren’t standard. Just skip that whole mess and hang tight with Windows 10 for now.