Differences between firmware-based TPM and hardware-based TPM
Hello, I'm looking for a comparison chart showing the differences between an fTPM and a dedicated TPM. It would help to know what issues might arise if you switch CPUs or change your motherboard, especially regarding Windows 11 and TPM requirements. Unfortunately, I haven't found this information again. Apologies if it's a simple question—I usually see discussions about Windows 11 and TPM needs rather than the actual hardware choices. Thanks for your help!
Summary: For most users, the choice doesn't really matter. Windows offers strong security options that work whether or not a TPM is enabled. A dedicated TPM chip uses more power and takes up extra space on the board, which can be a problem for compact devices like tablets and phones. It also adds complexity if you're updating BIOS/UEFI, especially without proper support from manufacturers. On the other hand, fTPM is simpler but may cause performance issues in some setups, particularly on AMD systems. A dedicated TPM chip helps with security and avoids needing to update firmware manually, though it comes with higher cost and limited support options. Microsoft Pluton offers a more affordable alternative by integrating the chip directly into the CPU, making it easier for some users. There are other players like OpenTitan trying to provide similar solutions, but adoption is still growing.
I'm starting to understand why I needed more details. Usually, I don't enjoy it when searching and forums are tailored for specific situations rather than general topics. Thank you really for the thorough explanation! While some clarifications were unnecessary since I already grasped them, I still value your help. How can you determine what I already know and what I don’t? I’ll share my full strategy now.
Explanation: 1) I’m using unactivated Windows 10. I have one SSD drive ("A"). I recently bought two new SSDs (B) and an NVMe unit that will serve as my boot drive. Drive "C" is the same model as "A" but will function as a RAID setup on my Pi NAS.
2) Besides, CPU and GPU upgrades are already planned but not fixed to a specific timeline. Right now I have a Ryzen 1600; I might switch to a 3800X (my brother might change his mind) or opt for a Zen 3 CPU. My motherboard is compatible—though a BIOS update might be necessary if I go with something like a 5800X3D.
(For your reference: https://www.gigabyte.com/Motherboard/B45...upport-cpu)
Side note: I’ve heard that because the motherboard has limited storage, some systems can only support a certain number of CPU generations at once. With one BIOS, you risk losing compatibility with older CPUs if you switch to a newer one. Does this apply to my setup? I’m not sure.
Before anyone suggests avoiding new CPUs, here are my reasons for planning this:
1) Eventually, I’ll benefit from a newer CPU once enough time has passed.
2) Having an APU would provide backup in case the GPU fails; I won’t focus on that unless it’s more cost-effective.
3) My old CPU is aging—after about five years it could be unreliable. Replacing it now would prevent potential trouble later, especially since it broke unexpectedly.
4) Last time it failed, it disrupted my routine because I needed the PC daily; now I’m better prepared.
5) There are three main reasons: long-term benefit, backup option, and hardware swap flexibility.
6) My Windows activation tends to be less strict when hardware changes frequently, so keeping it minimal helps.
7) I’m considering a new OS because I need to replace drives soon due to the NAS setup.
8) My current drive "A" should be swapped with the same model ("C") for RAID on my Pi NAS, while drive "B" becomes the NVMe storage.
9) I’m uncertain about using a TPM chip since I have an older Ryzen 1600; I don’t want to risk compatibility if I update BIOS. I usually avoid security features unless necessary.
I’m weighing these points carefully. The timeline is important: I’ll disconnect everything, update BIOS, install Windows 11 on the NVMe drive, set up RAID with the old drive, and then restore data from the new drive temporarily. After testing, I can revert to my previous configuration if needed.
I also want to know if I should go ahead with a TPM for extra security, but since my CPU is not supported by the BIOS order, I’m unsure if it’s compatible. I’d prefer to skip it unless it really helps protect my system.
Lastly, I’m open to adjusting the plan if things don’t go as expected—maybe splitting tasks over several days while keeping my current setup functional.
It varies by motherboard design. Usually they employ 16 MB chips for BIOS/UEFI. These are common in both hardware and various uses, making them affordable, which explains their popularity. Within the motherboard area, Intel often needs frequent replacements because of changing sockets, so 16 MB has never caused a problem. AMD’s AM4 socket is distinctive for its manufacturing, and they didn’t anticipate these requirements would arise. I’m uncertain if 32 MB chips are now standard on high-end boards. Also, remember that UEFI includes substantial graphics, all fitting within the same 16 MB slot. Some makers opt to omit older CPUs to keep a cleaner, simpler UEFI look reminiscent of earlier BIOS interfaces. It is unknown which CPU models will be phased out for newer support. Windows 10 and 11 handle hardware updates well, but conflicts can arise with drivers. It’s wise to perform a clean install to avoid issues. This approach is recommended because it minimizes risks and ensures stability.
Driver issues often stem from outdated software, so clearing them is crucial. Users should verify old drivers are removed properly for optimal performance. A fresh start is usually the safest path.
Regarding system updates, Windows 11 requires TPM 2.0 for enhanced security. While workarounds exist, they can complicate future upgrades. Microsoft no longer provides support for unsupported CPUs, and security patches may become unavailable. If you encounter problems, you’ll be responsible for resolving them.
Backups are essential, especially with changes to system files. Windows 11 keeps the default C:\ drive, but partition letters might shift post-installation. You can adjust these via Disk Management before adding new drives.
For security, TPM 2.0 is vital for Windows 10/11. If you upgrade from Windows 10 to 11, you’ll likely receive a warning about limited features. Microsoft stops supporting unsupported CPUs and won’t offer updates or fixes. This means engineers won’t test or improve those chips. If you face crashes or errors, you’ll be on your own.
Security enhancements may require newer CPU capabilities, which unsupported models can’t handle. This could lead to instability or lack of access to critical updates. While this situation has occurred before, it’s possible it won’t recur. Microsoft keeps the option open but doesn’t guarantee support.
For sensitive data, BitLocker adds extra protection against theft, especially for laptops. If your PC is at risk of being stolen, consider additional safeguards.
RAID setups can complicate things—drive labels shift when adding new drives. Windows 11 will automatically rename them, but managing this requires familiarity with Disk Management. RAID controllers may need special drivers to appear correctly.
If you’re unsure about specific configurations or need further clarification, consulting a storage expert or the official forum is advisable.
I'm sorry, but I'm not very familiar with forum questions. I understand you're looking for information on hardware parts that can be swapped with firmware or TPMs. You mentioned concerns about upgrading a CPU, replacing a motherboard, and changing storage. It would help to know if there are specific steps or preparations needed before making these changes. Thanks for reaching out!
You're asking about which hardware parts you can swap out, not which features you can use. You seem to be confused about whether you can change storage and if that requires turning off BitLocker beforehand. Clarify your question for a more accurate answer.
It varies based on your needs and the chip type you're using—whether it's a dedicated TPM or an fTPM/Pluton module. A software that relies on TPM for encryption, like Windows BitLocker, lets you adjust several aspects: the encrypted drive, the TPM chip itself, or even the motherboard. For dedicated soldered chips, similar changes apply, though you must consider the drive and its security. With fTPM/Pluton, the options are comparable, as long as you're comfortable managing the data.
Keep in mind that for OEM products, the situation is more complex. Manufacturers often integrate TPM/fTPM into UEFI/BIOS to secure systems, which can be upgraded but requires specific procedures. This helps prevent malware from exploiting security flaws in these chips. Ultimately, most discussions focus on OEM workstations and servers, where support is usually handled through warranties.
As an IT professional managing company hardware, you'd likely opt for longer-term protection, paying a small premium for reliability, since extended support is common after purchase.
You didn’t mention clearing the TPM key(s) inside itself. This action will render any TPM used for previous operations inoperable. For instance, if Windows Hello was involved and the keys are removed, you’ll lose access to your system. With BitLocker, all data becomes unrecoverable due to its strong encryption. In this scenario, a key is automatically saved to your linked Microsoft account, which can help recover the lost information—but this introduces a security risk, especially if the account is weak or auto-login is enabled. It’s generally safer to keep sensitive data protected rather than relying on automatic backups.
Confirming your understanding: you're asking about the TPM module and its role in booting. It seems you want to know if changing the operating system while plugging in the TPM header allows switching drives securely, even if they aren't encrypted. Regarding the fTPM or Pluton chip, you're curious whether it enables OS installation without encryption issues. Lastly, you're wondering about the implications of not using TPM at all and whether a non-TPM system can still recognize certificates from websites or drivers.
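
Added example, not part of any post in this thread: a pre-change check for the situation raised above, where clearing the TPM or swapping the CPU or motherboard leaves a BitLocker volume without its TPM-sealed key. It uses the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets; the function name `Get-TpmChangeReadiness` and the advice strings are illustrative, and `C:` in the commented commands is an assumed mount point.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): report whether each BitLocker volume
# would still unlock after a TPM clear, fTPM reset, or CPU/motherboard swap.

function Get-TpmChangeReadiness {
    $tpm = Get-Tpm
    foreach ($vol in Get-BitLockerVolume) {
        # Protector types on this volume, e.g. Tpm, TpmPin, RecoveryPassword
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $tpmBound    = [bool]($types -match '^Tpm')       # any TPM-based protector
        $hasRecovery = $types -contains 'RecoveryPassword'
        $protected   = $vol.ProtectionStatus.ToString() -eq 'On'

        $advice = if (-not $tpmBound) {
            'Not sealed to the TPM; a TPM change does not affect unlock'
        } elseif (-not $hasRecovery) {
            'TPM-bound with no recovery password: add one before touching the TPM'
        } elseif ($protected) {
            'Record the recovery password offline, then suspend BitLocker'
        } else {
            'Protection is off or suspended; the TPM is not needed to unlock'
        }

        [pscustomobject]@{
            MountPoint      = $vol.MountPoint
            VolumeStatus    = $vol.VolumeStatus
            Protection      = $vol.ProtectionStatus
            Protectors      = $types -join ', '
            TpmPresent      = $tpm.TpmPresent
            TpmReady        = $tpm.TpmReady
            TpmManufacturer = $tpm.ManufacturerIdTxt   # vendor ID string reported by the TPM
            Advice          = $advice
        }
    }
}

Get-TpmChangeReadiness | Format-List

# Typical sequence around a BIOS update, CPU swap or TPM clear (run manually):
#   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
#   Suspend-BitLocker -MountPoint 'C:' -RebootCount 0    # stays suspended until resumed
#   ...change hardware or firmware, boot Windows...
#   Resume-BitLocker -MountPoint 'C:'                     # reseals the key to the current TPM
```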