Even the Surface Laptop Studio doesn’t come with a hardware TPM chip

Microsoft just announced the new Surface Laptop Studio at its fall Surface event. Sandwiched between updates to the Surface Pro and the Surface Duo, the Laptop Studio is an entirely new product that balances powerful hardware with the design language of the Surface range. And it even looks like a decent gaming machine.

One of the specs raises an eyebrow, though. The Surface Laptop Studio comes with firmware TPM, not hardware TPM. This tiny processor has been the center of some controversy since the Windows 11 announcement, and the launch of the new Surface Laptop Studio shows that the buzz around hardware TPM was mostly hot air.

Firmware TPM is the right call

Internals of Surface Laptop Studio.

Before getting too deep into this issue, some background is important. A Trusted Platform Module (TPM) is a processor that serves as a root of trust on your device. It’s basically a vault for highly sensitive data like cryptographic keys. The best implementation for security is a dedicated chip that lives on your motherboard, separated from other parts of the machine so it can’t be breached.

However, many consumer TPM implementations don’t use hardware. They use firmware instead. Firmware TPM does the same thing as hardware TPM, but it stores the sensitive data in secured parts of software and uses the CPU’s power to handle any cryptographic functions. As the Trusted Computing Group says, “the downside to the … firmware TPM is that now the TPM is dependent on many additional aspects to keep it secure.”

Basically, there’s a trade-off. Firmware TPM is easier to use and cheaper to implement, but it’s less secure than a dedicated chip.

For consumer devices, firmware TPM is all you need. Things like passwords and biometric data aren’t valuable enough for attackers to use sophisticated attacks to get them. Hardware TPM is meant for the data center and enterprises, where hacking groups are more likely to utilize complex tactics to steal data.

The Surface Laptop Studio comes with firmware TPM on the consumer version and hardware TPM on the enterprise version — and that’s the right call. The irony is that TPM caused a big fuss when Windows 11 was announced, with dedicated TPM modules shooting up to four times their price on the secondhand market. The Surface Laptop Studio shows that even Microsoft knows that hardware TPM isn’t necessary for most people.

Poetic justice

asus tpm chip in motherboard.
A TPM is usually soldered to the motherboard, but add-on modules are available, too.
When Microsoft announced Windows 11, DIY PC builders were sent into a frenzy when they thought they couldn’t run the new operating system on their high-end hardware. They could by enabling firmware TPM, but Microsoft’s PC Health Check app said otherwise at the time. Microsoft quickly removed its Windows 11 compatibility checking app to avoid further confusion.

A couple of months later, Microsoft resurfaced and held its ground on the TPM requirement. To be clear, Windows 11 supports hardware and firmware TPM — the OS recognizes them as the exact same thing. As scalpers showed around the time of the announcement, though, there were a lot of people that didn’t understand that.

The announcement of the Surface Laptop Studio is a bit of poetic justice, and a recognition from Microsoft that the TPM requirement is less important than it was portrayed. I still have issues with the TPM requirement in the first place, but I’ve written about that plenty in the past.

Firmware TPM doesn’t change anything about the Surface Laptop Studio. It still looks as secure as it needs to be, and it uses TPM for the latest security features. Firmware TPM is also cheaper — it doesn’t require a separate processor on the motherboard — so it’s nice to see some level-headed thinking when extra manufacturing cost is on the table.

Security isn’t everything

Microsoft surface Laptop 4
Microsoft

Although security is vital in a world of increasing cyber threats, it comes at a cost. Sometimes it’s a time cost, like having to enter complex passwords manually, and other times it’s a monetary cost, like adding a dedicated security processor when software does the trick almost as well. Cybersecurity is inherently a risk assessment.

As the Surface Laptop Studio shows, the trade-off between firmware and hardware TPM isn’t relevant for the vast majority of people. Even Microsoft, the company pushing hard for updated security measures on the what’s been called the most secure version of Windows, recognizes that fact.

You don’t need to worry about TPM if you plan on picking up a Surface Laptop Studio. Before you go to check out, though, make sure to glance at the spec sheet so you know that TPM isn’t as important as Microsoft made it out to be.

Editors' Recommendations