Security · Hardware
TPM
Also known as: Trusted Platform Module
A hardware security chip that stores cryptographic keys, records measurements of the boot process, and backs BitLocker encryption and device attestation. TPM 2.0 is required for Windows 11.
A TPM is a dedicated microcontroller (or, on many recent CPUs, a firmware TPM such as Intel PTT or AMD fTPM running in an isolated execution environment) that performs cryptographic operations in hardware, separate from the main CPU and OS. Private keys generated inside the TPM never leave it in plaintext, so malware running on the system can't extract them, even with administrator access. The guarantee is non-extractability, not non-use: software with sufficient privilege can still ask the TPM to sign or decrypt with a key on its behalf, which is why sealing policies, PINs and attestation matter on top of the chip itself.
What TPMs enable
Full-disk encryption — BitLocker on Windows uses the TPM to seal the volume's key to measurements of the boot chain (the TPM's PCR values). The TPM releases the key only if the firmware, bootloader and boot configuration hash to the same values they had when the key was sealed. If the drive is removed and put in another machine, or the boot chain is modified in place, it won't unlock without the recovery key. This is why BitLocker on TPM-backed devices is meaningfully more secure than software-only encryption. One caveat: in TPM-only mode the key is released automatically to any unmodified boot chain with no user secret involved, so for laptops a TPM+PIN protector is the stronger configuration.
Measured boot — the TPM does not itself verify signatures on the bootloader and OS (that is UEFI Secure Boot, done by the firmware). Instead, each stage of the boot chain hashes the next stage into the TPM's Platform Configuration Registers (PCRs) before handing over to it. A PCR can only be extended, never set, so a tampered bootloader produces different measurements: keys sealed to the original values stop unsealing, and the change is visible in attestation. Together with Secure Boot this protects against bootkit malware that persists below the OS.
Device attestation — the TPM signs its current PCR values with an attestation key whose trust chains back to the manufacturer's endorsement key, allowing the device to cryptographically prove to a management system (Intune, JumpCloud and similar) that it's a known, managed device running unmodified software. This is the hardware foundation for device trust in Zero Trust architectures.
Certificate storage — private keys for device certificates used in 802.1X, VPN, and code signing can be stored in the TPM, where they're protected from extraction.
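The "extend-only" PCR behaviour behind measured boot and key sealing is easier to see in code than in prose. The following PowerShell is an added illustration, not code from this page and not talking to a real TPM: it models the TPM 2.0 extend operation (new PCR = SHA256(old PCR || measurement)) over a constructed three-stage boot chain, seals a constructed stand-in for BitLocker's volume key to the resulting PCR, and shows that a patched boot manager yields a different PCR and therefore fails to unseal. The stage names, the secret and the XOR-based wrapping are assumptions made for the demonstration; a real TPM keeps the key inside the chip and enforces the PCR policy itself.

```powershell
# Added model of measured boot and PCR-bound sealing (illustration only; not
# TPM code from this page and not touching a real TPM). Stage names and the
# 'bitlocker-vmk' secret are constructed stand-ins for firmware/bootloader
# images and for BitLocker's volume master key.

function Get-Digest ([byte[]]$Bytes) {
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($Bytes)
}

function Invoke-PcrExtend ([byte[]]$Pcr, [byte[]]$Measurement) {
    # TPM2_PCR_Extend: new PCR = SHA256(old PCR || measurement). There is no
    # "write"; the only way to reach a value is to replay the same chain.
    Get-Digest ([byte[]]($Pcr + $Measurement))
}

function Get-BootPcr ([string[]]$BootChain) {
    $pcr = New-Object byte[] 32               # PCRs are all-zero after reset
    foreach ($stage in $BootChain) {
        # each stage is hashed before it runs; a patched binary gives a new digest
        $pcr = Invoke-PcrExtend $pcr (Get-Digest ([Text.Encoding]::UTF8.GetBytes($stage)))
    }
    $pcr
}

function ConvertTo-Hex ([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Protect-Secret ([byte[]]$Pcr, [byte[]]$Secret) {
    # Stand-in for sealing: derive a wrapping key from the PCR value and XOR it
    # over the secret (XOR is its own inverse, so the same call unseals).
    # The only point being made is that the key depends on the boot chain.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$Pcr)
    $wrap = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes('seal-wrap-key'))
    $out  = New-Object byte[] $Secret.Length
    for ($i = 0; $i -lt $Secret.Length; $i++) {
        $out[$i] = $Secret[$i] -bxor $wrap[$i % $wrap.Length]
    }
    $out
}

# constructed boot chains: identical except for a patched boot manager
$clean   = @('uefi-firmware-1.2', 'bootmgfw.efi-build-100',         'winload.efi-build-100')
$bootkit = @('uefi-firmware-1.2', 'bootmgfw.efi-build-100-patched', 'winload.efi-build-100')

$secret   = [Text.Encoding]::UTF8.GetBytes('bitlocker-vmk')   # constructed secret
$sealedTo = Get-BootPcr $clean
$blob     = Protect-Secret $sealedTo $secret                    # sealed at provisioning time

$chains = [ordered]@{ clean = $clean; bootkit = $bootkit }
foreach ($chain in $chains.GetEnumerator()) {
    $pcr       = Get-BootPcr $chain.Value
    $recovered = [Text.Encoding]::UTF8.GetString((Protect-Secret $pcr $blob))
    $ok        = ($recovered -eq 'bitlocker-vmk')
    "{0,-8} PCR={1}...  unseal ok={2}" -f $chain.Key, (ConvertTo-Hex $pcr).Substring(0, 16), $ok
}
```

Running it prints two lines: the clean chain reproduces the sealing-time PCR and unseals, the bootkit chain produces a different PCR and does not. Note that the first stage (the firmware itself) measures identically in both cases; the divergence starts at the tampered component and propagates through every later extend, which is what makes the final PCR value a fingerprint of the whole chain.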
TPM 2.0 is required for Windows 11. Nearly all business laptops and servers sold since mid-2016 have one (Microsoft has required TPM 2.0 on new Windows 10 devices since then), though on many boards it ships disabled or as a firmware TPM (Intel PTT, AMD fTPM) that must be switched on in firmware setup. For organizations doing 802.1X certificate-based authentication or planning device attestation, verify that TPM 2.0 is present, enabled and reporting ready on each device rather than assuming it from the purchase date.
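One way to run that verification fleet-wide, as an added example that is not part of this page: the PowerShell below uses only built-in Windows cmdlets (the TrustedPlatformModule, SecureBoot and BitLocker modules) to report whether a TPM is present and ready, which TPM spec version the firmware exposes, whether UEFI Secure Boot is on, and whether the OS volume's BitLocker protector is TPM-only or includes a pre-boot factor. It must be run elevated; the Get-TpmReadiness function name and the warning thresholds are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added readiness check, not code from this page: confirms a TPM 2.0 is present
# and ready, that UEFI Secure Boot is on, and how the OS volume is protected.

function Get-TpmReadiness {
    $tpm = Get-Tpm                                            # TrustedPlatformModule module
    $wmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec version
    $specVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Confirm-SecureBootUEFI throws on machines booted in legacy BIOS mode
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        TpmPresent    = $tpm.TpmPresent
        TpmReady      = $tpm.TpmReady        # enabled, activated, owned and provisioned
        SpecVersion   = $specVersion
        SecureBootOn  = [bool]$secureBoot
        BitLocker     = $osVol.ProtectionStatus
        KeyProtectors = ($types -join ', ')
        # 'Tpm' alone releases the key to any unmodified boot chain with no user secret;
        # TpmPin / TpmPinStartupKey add a pre-boot factor
        PreBootFactor = [bool]($types -match 'Pin|StartupKey')
    }
}

$r = Get-TpmReadiness
$r | Format-List

if (-not $r.TpmPresent -or $r.SpecVersion -ne '2.0') {
    Write-Warning 'No TPM 2.0 exposed: enable fTPM/PTT or the discrete TPM in firmware setup'
}
if ($r.TpmPresent -and -not $r.TpmReady) {
    Write-Warning 'TPM present but not ready: run Initialize-Tpm, or clear it from tpm.msc'
}
if (-not $r.SecureBootOn) {
    Write-Warning 'Secure Boot is off: measured boot still records the chain, but unsigned bootloaders will run'
}
if ($r.BitLocker -eq 'On' -and -not $r.PreBootFactor) {
    Write-Warning 'BitLocker is TPM-only on the OS volume: consider adding a TPM+PIN protector'
}
```

The spec version comes from the Win32_Tpm WMI class rather than Get-Tpm because Get-Tpm reports readiness and ownership but not the TPM 1.2/2.0 distinction that Windows 11 and most attestation services care about. Get-BitLockerVolume errors on editions without the BitLocker feature, which is itself a useful finding when auditing device trust.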