TPM 2.0 safe with AMD

HR-Crumble · January 13, 2022

Hey everyone,

New system and the health checker from Microsoft via windows update said I need to enable TPM 2 in order to get windows 11.

This is my system AMD 5600x on a Aorus B550M Pro-P.

Two questions - 1. Is it safe to enable TPM in the bios and 2. Anything I should do beforehand? Backups etc?

Cheers all!

Matt.

RONOTHAN## · January 13, 2022

2 minutes ago, HR-Crumble said:

1. Is it safe to enable TPM in the bios

I've done it on many different systems, nothing really happens.

2 minutes ago, HR-Crumble said:

2. Anything I should do beforehand? Backups etc?

Nope. You should do a backup before moving to Windows 11 because the upgrade wizard isn't known for being bulletproof, but you don't really need to do it before you enable TPM.

For reference, a TPM is the Trusted Platform Module. Its job is to make sure that nothing is tampered with on the system, so you the boot device is recognized and everything. Worst that will happen when you enable it would be a warning message showing up when you turn on the system, but you can just select ignore (in my experience). Stuff can go wrong if you disable it, if you have say Bitlocker enabled or some other form of encryption, but you should be able to use a backup key to get through the encryption, but enabling it shouldn't cause you any issue.

GoodBytes · January 14, 2022

On 1/12/2022 at 9:58 PM, HR-Crumble said:

Hey everyone,

New system and the health checker from Microsoft via windows update said I need to enable TPM 2 in order to get windows 11.

TPM is a chip that does cryptography. It is a fancy random number generator that safely store it's generated key used in encryption. That is pretty much all it does. I invite you to read wiki article on TPM, I think it is well written to really understand its role.

But essentially It's purpose is for encryption/decryption and can be used for DRM, and can be used as a platform integrity check.

Anyways, CPUs can emulate the TPM chip including running anything related to TPM In a secure environment on the CPU. This is called fTPM by AMD and PTT (Platform Trusted Technology) by Intel.

The new AMD Ryzen desktop CPU coming later, will go a step forward and actually have Microsoft own TPM variation chip called Pluton in the CPU. Unlike normal TPM 2.0 dedicated chip, this is a dedicated chip which is more secure then the firmware route as of now and can be updated if any critical vulnerability comes out without having people buying new CPUs or new TPM chip

On 1/12/2022 at 9:58 PM, HR-Crumble said:

Two questions - 1. Is it safe to enable TPM in the bios

Yes. Although, it has been noted that for some users, with some system configurations, with some BIOS/UEFI version, fTPM causes problems. Some motherboard manufacturers released new updated to their BIOS/UEFI to fix it. Some have it fixed, other claims no, and opted to turn it off and stick with Windows 10, other claim they bought a TPM chip instead (their board has a connection for it), others live with the problem waiting for a fix (assuming it has not been fixed already).

The performance degradation occured regardless of OS. Lack of info prevents further digging. It could be a power state issue, maybe a small voltage bump is all is needed, I don't know.

Normally, you should not have a problem.

Enabling TPM is like enabling any other hardware on your system (even if it is firmware in reality).

On 1/12/2022 at 9:58 PM, HR-Crumble said:

and 2. Anything I should do beforehand? Backups etc?

To enable TPM? Nope. But to update from Win10 to Win11, I suggest to do a backup. I would also recommend a clean install over an upgrade, to be sure to start with a clean slate.

If you go with the upgrade path, be SURE to install the latest Windows 11 drivers for everything. GPU, Chipset, Audio, and so on once Windows 11 is installed. Windows 11 should still be considered very new, and hardware manufacturers continues to provide bug fixes drivers.

TPM needs to be enabled before Windows 11 is installed or uodated to.

Secure Boot is also a requirement of Windows 11, as well as UEFI mode being enabled (CSM disabled).

If UEFI mode has been set correctly already, first congratulations for taking the time to setup your system correctly and, second you should have smooth sailing in installing Win11.

If UEFI mode (with CSM disabled) wasn't set correctly, then pinned in the forum Windows section is a guide to convert your drive format so that it support UEFI mode. Utility is from Microsoft, part of Windows 10. It does involve the command line. (If you do a clean install of Windows 11, then nothing you need to do, as you would just delete all partitions of your main drive under Windows 11 setup, and restart clean as well, so the drive will be formatted correctly)