Microsoft has added a Trusted Platform Module 2.0 (TPM) chip to the list of hardware that new Windows 10 devices must ship with, meaning hardware-backed key protection is now a requirement for new Windows 10 PCs.
A TPM is a dedicated chip, or a firmware feature of modern motherboards, devoted to cryptographic key storage and operations. Because the chip holds the key itself and enforces a lockout after repeated wrong guesses, users can protect that key with a much shorter PIN than a software-only scheme could safely allow; the chip is also what Windows Hello uses to protect the keys behind its biometric sign-in.
Windows Hello, for the unfamiliar, is an increasingly common feature on recent Windows 10 devices. It uses a fingerprint scanner, or a webcam, to verify your identity and automatically log you into your computer. It’s a lot faster than typing your password. Just look at the camera, or swipe your finger across the scanner, and you’re in.
But there’s a potential problem. Storing the credentials that back that sign-in on your computer is, in and of itself, a security risk. Without a TPM, the private key that Hello unlocks lives in software, where malware running with enough privilege can read it out of memory or off the disk. So while a TPM isn’t required for Windows Hello to function, it is what keeps that key out of reach: the key is generated inside the chip and never leaves it, and a hardware device with a narrow, purpose-built interface is far harder to attack than a software key store.
This is likely no small part of why Microsoft is making this change. The company wants to eliminate the password entirely, and hopes Windows Hello could in the future be used for more than just logging into Windows, such as verifying online purchases. Building a TPM into every Windows device helps with that goal, because a website can only trust a Hello sign-in if the key behind it is provably held in hardware rather than copyable software.
It also helps users who want to encrypt their entire hard drive. BitLocker, Microsoft’s whole-disk encryption tool, requires a TPM by default: the chip seals the volume key to the measured boot state, so the drive only unlocks when the expected firmware and bootloader are running. BitLocker can be used without a TPM, but only after enabling the Group Policy setting “Require additional authentication at startup” with “Allow BitLocker without a compatible TPM” and then unlocking with a password or a USB startup key at every boot, a configuration that is clumsier and loses the boot-integrity check.
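As an added example, not code from the original article: the PowerShell below reports whether a machine meets the TPM 2.0 requirement discussed above, whether Windows has initialised the chip, and whether the OS volume’s BitLocker protection is actually anchored to the TPM rather than to a password or USB key. It uses only the built-in `Win32_Tpm` WMI class and the `Get-Tpm` and `Get-BitLockerVolume` cmdlets; the function name `Get-TpmRequirementReport` is our own. Run it from an elevated PowerShell prompt on Windows 10.

```powershell
# Added example (not from the original article): check the TPM 2.0 requirement
# and whether BitLocker on the OS volume is TPM-bound. Requires an elevated prompt.

function Get-TpmRequirementReport {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)   # e.g. "C:"

    $report = [ordered]@{ OsDrive = $OsDrive }

    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.16"; a TPM 1.2 part
    # reports "1.2, 2, 3". If the class is absent, Windows sees no TPM at all.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report.TpmPresent     = [bool]$wmiTpm
    $report.TpmSpecVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $report.MeetsTpm20     = ($report.TpmSpecVersion -eq '2.0')

    # Get-Tpm reports whether the chip is initialised and usable by Windows.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $report.TpmReady = if ($tpm) { [bool]$tpm.TpmReady } else { $false }

    # BitLocker: is the OS volume encrypted, and is a Tpm / TpmPin / TpmStartupKey
    # protector among its key protectors? A volume protected only by Password or
    # ExternalKey is the "BitLocker without a compatible TPM" configuration.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
    if ($vol) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $report.BitLockerStatus   = $vol.VolumeStatus.ToString()
        $report.ProtectionOn      = ($vol.ProtectionStatus -eq 'On')
        $report.KeyProtectorTypes = ($types -join ',')
        $report.TpmBound          = [bool]($types | Where-Object { $_ -like 'Tpm*' })
    } else {
        $report.BitLockerStatus   = 'Unavailable'
        $report.ProtectionOn      = $false
        $report.KeyProtectorTypes = ''
        $report.TpmBound          = $false
    }

    [pscustomobject]$report
}

$r = Get-TpmRequirementReport
$r | Format-List

if (-not $r.MeetsTpm20) {
    Write-Warning "No TPM 2.0 visible to Windows. BitLocker will need the 'Allow BitLocker without a compatible TPM' policy and a password or USB startup key."
} elseif (-not $r.TpmReady) {
    Write-Warning "TPM 2.0 present but not initialised; run Initialize-Tpm (some firmware requires enabling the TPM in UEFI setup first)."
} elseif ($r.ProtectionOn -and -not $r.TpmBound) {
    Write-Warning "BitLocker is on but not anchored to the TPM; consider: Add-BitLockerKeyProtector -MountPoint $($r.OsDrive) -TpmProtector"
}
```

The three warnings map to the three situations the article describes: no qualifying chip (the pre-requirement world, where BitLocker needs the policy override), a chip that is present but not yet owned by Windows, and a drive that is encrypted but whose key is not sealed to the hardware and measured boot state. `Get-Tpm` and `Get-BitLockerVolume` both fail quietly from a non-elevated prompt, so an all-false report usually means you forgot to run as administrator.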
Computers shipping with a TPM is good news even if you don’t plan on using Windows Hello, so we’re glad Microsoft is forcing OEMs’ hands on this one.