TPM 2.0 must be present and enabled by default for all new Win 10 PCs


  1. Posts : 1,191
    Windows 11 Pro x64
       #20

    Rocky said:
    I looked at that page and it seems to me that Haswell is listed as having the ability to have a firmware update that would make it TPM 2.0 compliant. That is good because I built this little Haswell based system myself, it has an i5 4690, and I don't want to hassle a bunch of hardware updates.
    You need TPM support in the motherboard firmware or add-on. It is not a processor chip thing.


  2. Posts : 1,546
    Windows 10 Pro x64 RS 10586.586
    Thread Starter
       #21

    Microsoft Wants Windows 10 Redstone Devices to Be Super Secure


    TPM 2.0 will be required on all devices running this version

    One of the reasons Microsoft pushes everyone to adopt Windows 10 is because of the security improvements that the company implemented into this OS version, and it turns out that work in this regard has not yet been completed.

    The upcoming Anniversary Update (also known by Microsoft enthusiasts as Redstone) will require all devices to come with Trusted Platform Module (TPM) 2.0 enabled by default.

    TPM version 1.0 is already being supported in Windows 10, but by advancing the minimum requirement to 2.0, Microsoft hopes to achieve improved security that would help devices running the latest version of the OS to stay protected against the latest type of threats.
    "Many Windows 10 features relying on TPM"

    TPM is essentially a security system implemented at the hardware level that uses a specifically designed chip for cryptographic features. The microprocessor’s main role is to work with cryptographic keys that are stored onto devices. Version 2.0 comes with significant updates and supports several new authentication modes, new algorithms, including SHA-1, SHA-256, RSA and Elliptic curve cryptography P256, as well as multiple root keys.
    Read more: http://news.softpedia.com/news/micro...medium=twitter


  3. Posts : 346
    Windows 10 Pro 64bit 21H2 (19043.1348)
       #22

    lehnerus2000 said:
    I'm expecting a big rise in Ransomware attacks.


    Agreed.

    Yet another attempt by MS to claim that they actually own your PC(s).
    It will (probably) make it harder to install a different OS.
    I agree wholeheartedly. This may be a problem for MS in OZ?
    You can't force conditional sale on people here. Our consumer laws
    are VERY much different. Like BIOS passwords, they don't work here
    and we have control over that.


  4. Posts : 7,898
    Windows 11 Pro 64 bit
       #23

    I'm confused by this thread. I have a home built 2012 desktop PC using a Gigabyte GA-77X-UD5H motherboard. It has a TPM header but I don't have the module and doubt if I can buy one now.

    I'm running Windows 8.1 Pro and I'm considering upgrading to Windows 10 before the deadline. Do I need TPM support to be able to install and support Windows 10 on this motherboard?

    Also, I'm currently running Windows 10 on my Dell Inspiron 7537 laptop which doesn't have TPM support. What will happen when this laptop is updated at the end of July?
    Last edited by Steve C; 29 May 2016 at 01:41.


  5. Posts : 234
    Windows 10 Pro (x64)
       #24

    Steve C said:
    I'm confused by this thread. I have a home built 2012 desktop PC using a Gigabyte GA-77X-UD5H motherboard. It has a TPM header but I don't have the module and doubt if I can buy one now.

    I'm running Windows 8.1 Pro and I'm considering upgrading to Windows 10 before the deadline. Do I need TPM support to be able to install and support Windows 10 on this motherboard?

    Also, I'm currently running Windows 10 on my Dell Inspiron 7537 laptop which doesn't have TPM support. What will happen when this laptop is updated at the end of July?
    No you do not need a TPM. This requirement is only for OEMs (Dell, HP) that want to be certified for Windows. I.e. they get a Windows sticker on the machine. This will not affect anyone outside of Dell or HP.


  6. Posts : 7,898
    Windows 11 Pro 64 bit
       #25

    logicearth said:
    No you do not need a TPM. This requirement is only for OEMs (Dell, HP) that want to be certified for Windows. I.e. they get a Windows sticker on the machine. This will not affect anyone outside of Dell or HP.
    What about my Dell Inspiron 7537 laptop which has no TPM support?


  7. Posts : 234
    Windows 10 Pro (x64)
       #26

    Steve C said:
    What about my Dell Inspiron 7537 laptop which has no TPM support?
    Did it come with Windows 10? No? This only applies to NEW OEM computers that want to have the Windows 10 certified (a sticker).


  8. Posts : 27,181
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #27

    logicearth said:
    Did it come with Windows 10? No? This only applies to NEW OEM computers that want to have the Windows 10 certified (a sticker).
    Let me expand on this please: This only applies to FUTURE (yet to be made/built) NEW OEM computers that want to have the Windows 10 certified (a sticker).

    TPM 2.0 Compliance for Windows 10

    Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)


    • As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/w...(v=vs.85).aspx)
      Why TPM 2.0?

      TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
      • The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
      • For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
      • TPM 2.0 enables greater crypto agility by being more flexible with respect to cryptographic algorithms.
        • TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance.
        • TPM 2.0 achieved ISO standardization (ISO/IEC 11889:2015).
        • Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.

      • TPM 2.0 offers a more consistent experience across different implementations.
        • TPM 1.2 implementations across both discrete and firmware vary in policy settings. This may result in support issues as lockout policies vary.
        • TPM 2.0 standardized policy requirement helps establish a consistent lockout experience across devices, as such, Windows can offer a better user experience end to end.

      • While TPM 1.2 parts were discrete silicon components typically soldered on the motherboard, TPM 2.0 is available both as a discrete (dTPM) silicon component and as a firmware (fTPM) based component running in a trusted execution environment (TEE) on the system’s main SoC:
        • On Intel chips, it is the Intel Management Engine (ME) or Converged Security Engine (CSE).
        • For AMD chips, it is the AMD Security Processor.
        • For ARM chips, it is a Trustzone Trusted Application (TA).
        • In the case of firmware TPM for desktop Windows systems, the chip vendor provides the firmware TPM implementation along with the other chip firmware to OEMs.
    TPM recommendations (Windows 10)

    3.7 Trusted Platform Module (TPM)

    As of July 28, 2016, all new device models, lines or series must implement and be in compliance with the International Standard ISO/IEC 11889:2015 or the Trusted Computing Group TPM 2.0 Library and a component which implements the TPM 2.0 must be present and enabled by default from this effective date.
    The following requirements must be met:

    • All TPM configurations must comply with local laws and regulations.
    • Firmware-based components that implement TPM capabilities must implement version 2.0 of the TPM specification.
    • An EK certificate must either be pre-provisioned to the TPM by the hardware vendor or be capable of being retrieved by the device during the first boot experience.
    • It must ship with SHA-256 PCR banks and implement PCRs 0 through 23 for SHA-256. Note that it is acceptable to ship TPMs with a single switchable PCR bank that can be utilized for SHA-256 measurements.
    • It must support TPM2_HMAC command.

    A UEFI firmware option to turn off the TPM is not required. OEM systems for special purpose commercial systems, custom order, and customer systems with a custom image are not required to ship with a TPM support enabled.
    For detailed TPM information, see Trusted Platform Module topic on TechNet and for TPM 1.2 and 2.0 version comparisons, please reference this article here.
    2.8 Trusted Platform Module (TPM)

    Devices that run Windows 10 Mobile must include a Trusted Platform Module (TPM) that implements version 2.0 of the TPM specification. The TPM can be a firmware-based solution integrated into the SoC or included as a discrete component in the device. The TPM 2.0 must meet the following requirements:

    • An EK certificate must be either pre-provisioned to the TPM by the hardware vendor or be capable of being retrieved by the device during the first boot experience.
    • It must ship with SHA-256 PCR banks and implement PCRs 0 through 23 for SHA-256. Note it is acceptable to ship TPMs with a single switchable PCR bank that can be used for both SHA-1 and SHA-256 measurements.
    • It must support TPM2_HMAC command.

    For detailed TPM information, see Trusted Platform Module topic on TechNet.
    Minimum hardware requirements - Windows 10 hardware dev
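A local check against the section 3.7 items quoted in post #27, added here as an example (it is not part of any post in the thread and is not Microsoft's own tooling). It reports whether Windows sees a TPM, its spec family, whether it was enabled at boot, whether an EK and EK certificates are readable, and which PCR bank Windows is measuring into; the function name `Test-Tpm20Baseline` and its output fields are made up for this example.

```powershell
# Added example. Run in an elevated PowerShell session on Windows 10 or later.
function Test-Tpm20Baseline {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmPresent      = $false   # Windows exposes a Win32_Tpm instance
        SpecFamily      = $null    # first field of SpecVersion, e.g. '2.0' or '1.2'
        EnabledAtBoot   = $null    # "enabled by default" as seen by the OS
        EkPresent       = $null    # endorsement key readable
        EkCertCount     = $null    # manufacturer EK certificates found
        Sha256BankInUse = $null    # stays $null if the registry value is absent
    }

    # No instance in this namespace means Windows sees no TPM
    # (none fitted, or switched off in firmware).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent    = $true
        $result.SpecFamily    = ($tpm.SpecVersion -split ',')[0].Trim()
        $result.EnabledAtBoot = [bool]($tpm.IsEnabled_InitialValue -and
                                       $tpm.IsActivated_InitialValue)

        # EK and any pre-provisioned EK certificates (TrustedPlatformModule module).
        $ek = Get-TpmEndorsementKeyInfo -ErrorAction SilentlyContinue
        if ($ek) {
            $result.EkPresent   = [bool]$ek.IsPresent
            $result.EkCertCount = @($ek.ManufacturerCertificates | Where-Object { $_ }).Count
        }

        # TPMDigestAlgID is the TCG algorithm ID of the PCR bank Windows uses:
        # 0x0B = SHA-256, 0x04 = SHA-1.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\IntegrityServices'
        $alg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).TPMDigestAlgID
        if ($null -ne $alg) { $result.Sha256BankInUse = ($alg -eq 0x0B) }
    }

    # TPM2_HMAC support is not probed; that needs a raw TPM command interface.
    [pscustomobject]$result
}

Test-Tpm20Baseline | Format-List
```

An EkCertCount of 0 does not by itself fail the quoted requirement, which also allows the certificate to be retrieved by the device during the first boot experience.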


  9. Posts : 7,254
    Windows 10 Pro 64-bit
       #28

    Thanks Cliff, couldn't be more clearer tbh


  10. Posts : 27,181
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #29

    swarfega said:
    Thanks Cliff, couldn't be more clearer tbh
    You're welcome.
    I prefer to go to the source, follow any links at that source, after reading something in a blog post, written by a writer, that doesn't know the difference between his "BASH and a hole in the ground."


 
