BitLocker—Windows Drive & Device Encryption
Why Does Windows 11 Require the TPM 2.0 Chip? The short answer, to enable a Windows computer security feature called BitLocker. Windows 11’s hardware requirements are notably different from previous versions of Windows. One of the Windows 11 system requirements that often causes confusion is a Trusted Computing feature known as the TPM chip. TPM stands for Trusted Platform Module. The Trusted Platform Module makes it possible for the Windows operating system to protect the user’s sensitive data. Different PC hardware manufacturers may have their own type of TPM. But, to support Windows 11, they must meet the TPM 2.0 security standard.
TPM 2.0 Simplified
To use an analogy, the TPM is like a secure vault that helps to keep sensitive data like your Windows PIN, or anything that you store on your PC, secure from unauthorized access. That is why Windows 11 requires the TPM 2.0 chip, or a Firmware (software) version of the TPM chip also known as fTPM. Intel also has its own version of TPM known as Intel Platform Trust Technology (Intel PTT). While Windows 11 system requirements may add unwelcome expenses for users, the demand to protect Windows users from sophisticated computer threats necessitates these system requirements for Windows 11. The TPM 2.0 security standard and the secure boot requirements on the new Windows operating system is a security measure that helps to keep Windows safer to use, especially with malicious software attacks that can compromise your computer as it starts up.
The TPM Chip Before Windows 11
TPM technology has been around since 2009. Until Windows 11, Microsoft used early versions of the TPM chip with their drive encryption feature known as BitLocker. This security feature was only available on the Professional and Enterprise versions of the Windows operating system. But since Windows 8.1, Microsoft added another type of BitLocker called Device Encryption. So now Microsoft enables Device Encryption by default on all eligible devices from Windows 8.1 to Windows 11.
Device Encryption Pros and Cons
Pros: Whether you handle sensitive data or you don’t want your data falling into the wrong hands, device encryption is a great solution for that. It’s quite easy to access data on an unencrypted device. But that is not the case when you encrypt your device. Device Encryption comes in handy in the event of theft or loss of your computer. Unless you put a sticky note with your password on your computer, you can rest easy knowing that you encrypted your device. Data privacy and security is the biggest pro for device encryption. If you also have your data backed up to Microsoft’s One Drive, or your preferred back up method, you can resume your normal operations with minimum loss.
Cons: The biggest issue that I’ve seen come up with device encryption is that most home users are unaware of this feature. Microsoft has Device Encryption turned on by default for any eligible PCs set up with a Microsoft account. Since some users are reluctant to create a Microsoft account to begin with, they don’t keep track of their Microsoft account information. Sometimes the users are surprised to learn that their device has encryption on it. As a result, there is a potential for data loss for users unfamiliar with the Device Encryption that has become standard on most Windows 11 PCs.
The Two Types of BitLocker
BitLocker is available for all eligible devices for Windows 11 Home, Pro, and Enterprise editions. If your PC’s hardware meets Microsoft’s system requirement for BitLocker, you will have one of the following types of BitLocker:
Device Encryption: this type of BitLocker is available on Windows 11 system set up with a Microsoft account. If Windows should ever prompt you to enter your BitLocker recovery key, you will find it under your Microsoft account, your School, or Business account, depending on how or who set up your Windows 11 machine.
Drive Encryption: this BitLocker type is available on the Pro and Enterprise Versions of Windows. It allows you to encrypt your Windows system drive and gives you the option to encrypt specific storage devices, including removable drives. The Drive encryption BitLocker also gives you the option to choose how you want to save your recovery key. If you choose to print or save your recovery key to a thumb drive, be sure to keep them somewhere safe. Otherwise, you will lose access to your data without BitLocker’s recovery key.
While what Microsoft is trying to achieve with Windows 11 is understandable, I think they should make the Microsoft account and Device Encryption BitLocker optional during the initial setup, especially for Windows 11 home users. Based on the feedback that we get from our customers; the mandatory Microsoft account is one of the least favored features of Windows 11. If there are features that you think make Windows less user friendly, you can play a proactive role by sending Microsoft your feedback.
