Microsoft confirms: Windows 11 requires TPM 2.0 in all machines... even virtual ones

AdrielBruno

Posts: 11   +0
In context: With the release of Windows 11 right around the corner, Microsoft continues its TPM requirement campaign, seemingly extending the need for the security module for any type of Windows installation. As the Redmond giant tries to clarify why we need TPM 2.0 enabled to run its latest operating system, the company states that it will also be necessary for virtual machines.

Since the announcement of Windows 11, Microsoft hasn’t been entirely upfront in terms of what users would need to run the new OS. Things like Secure Boot and TPM 2.0 weren’t mentioned during Microsoft’s presentation back in June, causing confusion when people wanted to know if they could have Windows 11 installed on their machines. Thankfully, this problem appears to be solved.

Recently, though, the company has tried to make things clear, stating that “we need to talk about TPM 2.0”:

Aside from mentioning that Windows 11 requires TPM for security-related features, the memo informs us that many recent PCs can actually run TPM 2.0, but the module comes disabled by default. Furthermore, there are instructions on how to enable the feature by accessing the UEFI BIOS setup and looking for labels such as “Security Device, Security Device Support, TPM State, AMD fTPM switch, AMD PSP fTPM, Intel PTT, or Intel Platform Trust Technology.”

The reason for mentioning Intel and AMD is that CPUs can have embedded TPMs. That means that you might be able to run Windows 11 even if your motherboard doesn’t feature the module.

Additionally, the requirement has been extended further. Virtual machines also need to have TPM 2.0 enabled, since the Windows 11 Insider Preview update to Build 22458.

The update notes also say that “previously created VMs running Insider Preview builds may not update to the latest preview builds,” and explain that the OS will still run normally in VMs created in virtualization products from the likes of VMware and Oracle, as long as hardware requirements are met.

With little more than two weeks before Windows 11 is released, it's clear Microsoft won’t back down with the controversial system requirement and perhaps that's for good reason (we will have to wait and see). If you intend to upgrade your OS and still want to learn more about TPM, take a look here.

Permalink to story.

 
I haven't tested it yet but I assume Server 2022 has the same restrictions. Also, why do articles like these just have a negative tone to them? Requiring TPM isn't a bad thing, it's never mentioned that Apple Mac's have had their own version of TPM (T2 security chip) for a while now as well and you don't see forum's filled with "we're boycotting Apple" because of it...
 
Boy they're really committing to excluding as many users as they can to support their performance and security claims: The requirement is nonsense: Linux is less vulnerable and not only due to the smaller install base but due to basic design flaws and non-centralized maintenance by being open source.
 
Linux is less vulnerable and not only due to the smaller install base but due to basic design flaws and non-centralized maintenance by being open source.
https://www.cvedetails.com/top-50-products.php

1. Linux
2. Linux
3. Linux
4. Linux
5. Linux
6. Linux
7. Windows

As a single vendor, Microsoft may win (or lose) by virtue of how many products they push. But overall Linux is *not* in any way more secure than Windows.

Disclaimer: I work on a Macbook writing software running on Linux servers before spending my evening gaming on my Windows machine. I have zero OS favouritism. They all have their situational pros and cons.
 
https://www.cvedetails.com/top-50-products.php

1. Linux
2. Linux
3. Linux
4. Linux
5. Linux
6. Linux
7. Windows

As a single vendor, Microsoft may win (or lose) by virtue of how many products they push. But overall Linux is *not* in any way more secure than Windows.

Disclaimer: I work on a Macbook writing software running on Linux servers before spending my evening gaming on my Windows machine. I have zero OS favouritism. They all have their situational pros and cons.
Total known vulnerabilities is kind of a meaningless number to show: How many of those remain unpatched? How fast are they patched in Linux? How easy are those patches to deploy vs Windows?

This is not even getting into the fundamental difference: If anybody can look at the source code, anybody can detect vulnerabilities and patch them. If only Microsoft can look at their code then people can't as easily look for them and more important, if someone does find a vulnerability it's unlikely to be also found by somebody willing to disclose it to be patched vs just using it for whatever purpose they see fit.

Open source doesn't needs to trust any single entity to discover and patch the vulnerabilities, there's more inherent and widespread cooperation and many companies recognize this as a strategic advantage and they put a lot of money into supporting Linux that's still very widely used on the server world.
 
That "ummm....yeahhh" patronizing manner of talking about TPM is sure to piss people off.

"As the Redmond giant tries to clarify why we need TPM 2.0 enabled to run its latest operating system, the company states that it will also be necessary for virtual machines."

Yeah they haven't cleared up anything. They havent explained why the virtual method of doing whatever "security" they want through TPM cant be dont on older hardware despite offering almost 0 performance penalty. They cant even describe how TPM will help "secure" their systems other then "muh ransomware" which, dude, ask any server admin, TPM doesnt do jack to stop ransomware. You cant fix stupid users who willingly click on things.

They cant manage to move all of control panel intot he settings menu for going on 10 years now, keep breaking their OS with updates, but hey you need TPM 2.0 to run our new UI update.

Perhaps MS should focus on actually fixing their broken network printing vulnerabilites, AGAIN:

https://www.bleepingcomputer.com/news/security/new-windows-security-updates-break-network-printing/
I haven't tested it yet but I assume Server 2022 has the same restrictions. Also, why do articles like these just have a negative tone to them? Requiring TPM isn't a bad thing, it's never mentioned that Apple Mac's have had their own version of TPM (T2 security chip) for a while now as well and you don't see forum's filled with "we're boycotting Apple" because of it...
You also cant run apple software on non apple hardware. Apples and oranges comparison.
 
This will be just as poorly-adopted as Vista was.

The amount of people out there running Coffee Lake+, with all the options turned-on is probably less than 10% of all Windows users.

Business Users are likely to be the biggest draw for this (super secure Bitlocker), but given the fact that many Businesses Desktops get replaced once every 5 years, you're going to have to wait 3 or more years for anyone ready to transition over (no exceptions OR VMs to work-around , so you wait for the numbers to change)

My Skylake i5 from my hardware 2018 refresh does not support Windows 11. Two more years to replace MY hardware, then another year for anyone who got Kaby Lake (also not supported) then another for actually porting a hundred thousand PCs - going to be a mess getting it all done by 2025!
 
Last edited:
The end-game here is MS wants to move towards a fully locked down platform so they can eventually have an exclusive app store with fat tax on all software like Apple's, right? (Plus probably a desktop that displays ads and gathers enough data to make Google look quaint.)

If they can't explain any benefits to users, assume the benefit is for Microsoft.
 
Am I missing something here? The TPM chip / T2 Security Chip are there to encrypt the drives and store decryption keys for other software. They do the same thing, it's not Apples to oranges at all.
The simple fact of the matter is that Windows has run for many years without this TPM requirement, and many users out there are rather tired of having stuff foisted on them by Microsoft because "because we said so" along with their habit of sending out "updates" that are broken for various reasons.

As far as Macs go, as far as I understand, you cannot buy a Mac OS license to run on custom hardware meaning that if you are going the Mac route, then you have to buy hardware on which the OS is installed, and is also guaranteed to run. You get the entire package.

It isn't TPM itself. It is having it foisted on the user base by Microsoft. If you cannot find an add-on TPM module that will run with your hardware, then this TPM requirement will require that many Windows users will need to buy new hardware - and if that means buying a new motherboard, then that also means buying a copy of 11 to run on that new motherboard.

Microsoft simply has not done anything to tell us exactly why TPM is needed - as if they think that the reason for needing TPM is some over-arching secret such that if they were to divulge that secret, they would be opening a gateway for hackers. If divulging why it is needed is such a security threat, then maybe TPM is not all that secure anyway, and not worth the effort of buying new hardware to just run Windohs 11.
 
What could go wrong right ? It's not like M$ is known from pushing faulty software to end user... oh wait.
It's also not like M$ admits that their Windows kernel is POS by using Linux for their IoT.
 
That "ummm....yeahhh" patronizing manner of talking about TPM is sure to piss people off.

"As the Redmond giant tries to clarify why we need TPM 2.0 enabled to run its latest operating system, the company states that it will also be necessary for virtual machines."

Yeah they haven't cleared up anything. They havent explained why the virtual method of doing whatever "security" they want through TPM cant be dont on older hardware despite offering almost 0 performance penalty. They cant even describe how TPM will help "secure" their systems other then "muh ransomware" which, dude, ask any server admin, TPM doesnt do jack to stop ransomware. You cant fix stupid users who willingly click on things.

TRUE -

Microsoft has provided Zero explanation for ANYTHING.

What is the threat? (I'll give you a hint.... there is no threat).
What exactly does TPM do?
Why can't they implement it in software?

Meanwhile, it's bloody obvious that MS and the computer hardware industry will be making billions off this maneuver. In one stroke, MS has obsoleted ALL PREVIOUS HARDWARE.

Think about it. It's like Toyota, Ford, GMC, Nissan, VW, etc., conspiring to make your cars obsolete. Oh wait! They're doing that with EVs....
 
Am I missing something here? The TPM chip / T2 Security Chip are there to encrypt the drives and store decryption keys for other software. They do the same thing, it's not Apples to oranges at all.
People dont complain about apple doing this because apple is a closed ecosystem with expected shorter lifes for hardware. Running 15 year old machines ont he newest OSX is not considered normal. See, when apple depreciated hardware, it was due to them running a legacy CPU (PowerPC), or running 32 bit EFI (core 2 duos), or running UEFIs that didnt have the ROM space to hold the recovery system (pre 2011 macs).

In the windows world keeping legacy hardware around for a decade+ is the norm, and the TPM requirement is cutting the legs off of quite good hardware. There is 0 reason a 10th gen celeron can run windows 11 but a core i7 4790k cant, other then TPM 2.0, which MS still cant seem to describe why it's necessary.

Comparing these two enviroments is like comparing apples and oranges. Apple had a reson to abandon their old CPU arch (althougha rguably still to early) and earlier EFI designs (inability ot use new recovery system). MS has provided 0 justification for their Widnows 11 requirements.
 
Dear Adriel. Crank the restrictions up even more. My PC has TPM 2.0. Yet according to the people at Microsoft, that still does not make it Windows 11 compliant.

"Ummmm…. yeah.... we need to talk to you about TPM 2.0 and Windows 11."

No we don't. We REALLY need to talk about this:

2021-09-18_073816.jpg
 
Last edited:
I haven't tested it yet but I assume Server 2022 has the same restrictions. Also, why do articles like these just have a negative tone to them? Requiring TPM isn't a bad thing, it's never mentioned that Apple Mac's have had their own version of TPM (T2 security chip) for a while now as well and you don't see forum's filled with "we're boycotting Apple" because of it...

Current MacOS supports systems as old as 2013: https://en.wikipedia.org/wiki/MacOS

No one's saying TPM is bad, here's what comes to mind "I'm an adult, I know what I'm doing, let me click the disclaimer in which you cover your arse by saying my system is insecure, and I install. Then we're friends - you get my money and I get the new OS". It ran like this just fine for months in the Insider ring, so it's clearly safe, right? Then they say, ah all 7th gen Core are banned *except for the ones used in Surface Studio, those are fine. Why? That system has 1.2 like everyone else running a 7th gen Core. Why ban Ryzen 1, say a 2yo R5 1600AF in a brad new state of the art TPM 2.0 supporting mobo? Pure arbitrary. Unless of course some MS execs had stock in TPM chip producing companies - then it's not arbitrary, just pork.


 
why do articles like these just have a negative tone to them?
Unlike Apple, Microsoft doesn't control the hardware platform. There are a lot of computers out there without TPM, and this upgrade to the operating system will inconvenience their owners. It would be different if Microsoft continued to support Windows 10 with security updates indefinitely.
 
The end-game here is MS wants to move towards a fully locked down platform so they can eventually have an exclusive app store with fat tax on all software like Apple's, right? (Plus probably a desktop that displays ads and gathers enough data to make Google look quaint.)

If they can't explain any benefits to users, assume the benefit is for Microsoft.
Pffft, they'll never get away with that. They're not Apple :p
 
Dear Adriel. Crank the restrictions up even more. My PC has TPM 2.0. Yet according to the people at Microsoft, that still does not make it Windows 11 compliant.

"Ummmm…. yeah.... we need to talk to you about TPM 2.0 and Windows 11."

No we don't. We REALLY need to talk about this:

View attachment 87953
You know... that's exactly the same situation I'm in, and I'm running the Windows 11 Insider Preview build regardless. We can't really understand some of these moves Microsoft is making. The official system requirements simply don't reflect what we see in reality. I've heard of people installing and running this OS without hassle in dated hardware, and I am one of these people too, it seems.

What worries me the most is the possibility of PCs with "unsupported hardware" not receiving Windows 11 updates. I think they should at least let everyone have updates for features that don't rely on specific hardware characteristics.
 
Total known vulnerabilities is kind of a meaningless number to show: How many of those remain unpatched? How fast are they patched in Linux? How easy are those patches to deploy vs Windows?

This is not even getting into the fundamental difference: If anybody can look at the source code, anybody can detect vulnerabilities and patch them. If only Microsoft can look at their code then people can't as easily look for them and more important, if someone does find a vulnerability it's unlikely to be also found by somebody willing to disclose it to be patched vs just using it for whatever purpose they see fit.

Open source doesn't needs to trust any single entity to discover and patch the vulnerabilities, there's more inherent and widespread cooperation and many companies recognize this as a strategic advantage and they put a lot of money into supporting Linux that's still very widely used on the server world.

That still doesn't make it any more secure the creators themselves are worried about the security aspect of Linux. Google said that its pretty darn terrible too and our even creating their own OS to replace it on their devices.

Linux is not secure and finally no system is
 
People dont complain about apple doing this because apple is a closed ecosystem with expected shorter lifes for hardware. Running 15 year old machines ont he newest OSX is not considered normal. See, when apple depreciated hardware, it was due to them running a legacy CPU (PowerPC), or running 32 bit EFI (core 2 duos), or running UEFIs that didnt have the ROM space to hold the recovery system (pre 2011 macs).

In the windows world keeping legacy hardware around for a decade+ is the norm, and the TPM requirement is cutting the legs off of quite good hardware. There is 0 reason a 10th gen celeron can run windows 11 but a core i7 4790k cant, other then TPM 2.0, which MS still cant seem to describe why it's necessary.

Comparing these two enviroments is like comparing apples and oranges. Apple had a reson to abandon their old CPU arch (althougha rguably still to early) and earlier EFI designs (inability ot use new recovery system). MS has provided 0 justification for their Widnows 11 requirements.

THEY DID say why its over a instruction set needed to accelerate the process
without it its easily 40% as slow.
 
Back