Differences between fTPM vs dTPM – Does it support TPM 2.0 on Windows 11?

What are the differences between ftpm and dtpm? Does it support Windows 11?

What is TPM (Trusted Platform Module)? 

TPM is a cryptographic module that provides additional encryption, security, and privacy to computing devices. Its main purpose is to prevent attackers from gaining access to sensitive data files without the credential and private keys stored in the TPM. The Trusted Computing Group, or TCG, is an organization that manages the TPM specifications and international standards. Currently, TCG has released TPM 2.0, the latest version of TPM. The objective of the TPM is to consolidate and strengthen computer security where software-based security is vulnerable. Software, by itself, cannot identify data breaches or hardware tampering during system boot. TPM addresses these issues by being physically implemented onto the motherboard. To learn more about TPM 2.0 and its relationship with IoT, read more here.

TPM Features 

 Description

Platform Crypto Storage 

Credential and private keys are stored onto the TPM instead of the boot drive. This prevents unauthorized access to copy/export the keys out of the device. 

BitLocker (Key Encryption) 

Bitlocker encrypts passwords and keys that unlock only upon a proper boot. Hardware tampering and other offline attacks, such as attempting to boot from a different harddrive, will not unlock the Bitlocker and the operating system becomes unreadable. 

Credential Guard 

A secondary defense system to prevent attackers from accessing additional computers if a computer has been compromised.

Measured Boot 

A boot up process that analyzes the computer’s hardware to ensure it had not been tampered with.

Device Encryption 

Encrypts and secures non-volatile data stored on the device.


What is dTPM? What is fTPM?  

Discrete TPM, or dTPM, is a separate component that is physically connected onto the motherboard to provide hardware-based encryption. FTPM stands for Firmware Trusted Platform Module and is implemented into a semiconductor’s chipset. Leading semiconductor manufacturers, like AMD and Intel, offer fTPM within their later generation chipsets to allow for additional protection and convenience without the need for a separate physical module.

What are the differences between dTPM and fTPM? 

Both dTPM and fTPM have the same objectives, to provide additional encryption and secure sensitive data. However, dTPM are usually utilized in enterprise and industrial applications due to organizations requiring TCG-certified or FIPS certification. FTPM, on the other hand, gravitates towards general-purpose uses for everyday consumers and organizations that do not require specific certifications. In addition, leading chipset manufacturers have developed their own fTPM, Intel’s PTT (Platform Trust Technology) and AMD’s fTPM, that both offer the option to disable their fTPM and enable access to a dTPM through the motherboard BIOS in event that there is a need for a dTPM. The bottom line is that dTPM has certifications for specific requirements within an organization while fTPM is general-purpose.

What is Intel PTT? What is AMD fTPM? What are the differences? 

The two leading semiconductor manufacturers, Intel and AMD, have developed their own TPM to provide further protection and security against malicious attacks. Intel PTT (Platform Trust Technology) and AMD fTPM are both firmware-based trust platform modules that are alternatives to the physical TPM 2.0. Intel and AMD’s primary goal is to allow their end users to have an additional layer of security within their own chipset without the need to purchase a separate module. There are little to no differences between Intel PTT or AMD fTPM as both tech giants follow the same principle and guidelines as TCG standards.

Windows 11 TPM 2.0 Requirement – Benefits of Intel PTT and AMD fTPM

Microsoft has announced that TPM and Secure Boot will be mandatory to utilize their latest operating system, Windows 11. Although frustrating and confusing to many users, Microsoft is taking preventative measures to ensure data integrity as system hacks have become more prevalent. The reason for all the confusion is that certain CPUs, mainly older generations, are not compatible with Windows 11's requirements. This is one reason why Intel PTT and AMD fTPM were introduced. Intel or AMD CPUs that have Intel PTT or AMD fTPM meet the TPM 2.0 requirements and are able to upgrade to the latest operating system hassle-free. Older generation CPUs that do not have Intel PTT or AMD fTPM require a separate dTPM to be connected onto the motherboard in order to satisfy the requirement to upgrade to Windows 11. Luckily, Microsoft has made it very simple and clear to let users know whether they are able to upgrade to Windows 11 with the PC Health Check application.

Checking for TPM 2.0

FAQ

Which is better fTPM or dTPM for TPM 2.0 on Windows 11? 

Both fTPM and dTPM are satisfactory for TPM 2.0 on Windows 11. They both perform similarly and have near identical features such as Bitlocker and Disk Encryption. As mentioned previously, the only differentiator is that dTPM is FIPS certified, which can be required in certain organizations that deal with ultra-sensitive data.

How to check if TPM 2.0 is enabled for Windows 11? 

Users can check if they have TPM 2.0 enabled by opening the start menu, then typing “tpm.msc”, and pressing OK. In the Status section, it should say “The TPM is ready for use.” and in TPM Manufacturer Information, the Specification Version should say “2.0”. This means TPM 2.0 is enabled and meets the Windows 11 installation requirements. If your computer says that there is no TPM 2.0 recognized, it would be wise to check if your CPU supports fTPM. This way, you can enable it within the UEFI BIOS and not need to buy a dTPM. However, remember that discrete TPM are FIPS certified and are necessary for specific operations. Firmware-based TPM do not have these certifications and attempt to stay mirrored to the standards of dTPM.

Does TPM 2.0 Affect Performance? 

No, both fTPM and dTPM do not affect performance at all. Once the computer start up protocols are completed and everything is checked, the TPM enters an idle state. There is little to no disadvantages of enabling TPM 2.0, and greatly improves the overall data security of the system.


Sources:

Intel
(https://www.intel.com/content/www/us/en/business/enterprise-computers/resources/trusted-platform-module.html)

Microsoft
(https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm)
(https://www.microsoft.com/en-us/windows/windows-11-specifications?r=1)
(https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm)