Microsoft: Windows 11 requirement for a TPM 2.0 chip is "non-negotiable"

Alfonso Maruccia

A hot potato: The Trusted Platform Module standard describes a dedicated cryptographic chip designed to handle many security-related tasks in a computer. The standard was introduced in 2009, but Microsoft recently decided to enforce a TPM requirement on every Windows 11 PC, a decision that has seen heavy pushback since launch.

While announcing Windows 11, Microsoft made a very controversial move by changing its hardware requirements significantly. The latest edition of the most popular PC operating system cannot run, or even be installed under normal conditions, if the CPU is a few years old or the motherboard lacks a specialized piece of cryptographic hardware (or the equivalent firmware emulation) known as a Trusted Platform Module (TPM).

Senior Product Manager Steven Hosking recently revealed that Microsoft is reinforcing the idea that the TPM requirement is here to stay, and there will be no compromises even after the end of mainstream support for Windows 10. Redmond believes TPM technology is crucial to safeguarding Windows security and is even more essential when considering the future of the Windows ecosystem.

Hosking explained that TPM's primary role is to offer hardware-level security features for a compatible computing device. The chip can securely store encryption keys and certificates. It can also shield passwords and sensitive data against misuse and unauthorized access. The TPM chip can also provide a random number generation engine, encrypt or decrypt data, and verify digital signatures.

Windows 10 users will not receive security updates after October 2025 unless they pay for them. Microsoft concedes that the aging operating system is approaching the end of support. Still, the company is unwilling to remove or weaken the TPM 2.0 requirement in the Windows 11 hardware specs to ease the upgrade from Windows 10.

Hosking said that a TPM 2.0 chip addresses many security challenges in a constantly evolving digital world, providing improved support for industry-standard cryptographic algorithms and increased isolation for security processes. Furthermore, TPM 2.0 offers a "seamless" integration with Windows 11 security capabilities, including encryption key storage, Secure Boot, and multifactor authentication.

"By instituting TPM 2.0 as a non-negotiable standard for the future of Windows, we elevate the security benchmark," Hosking stated.

The TPM chip is essential for present and especially future Windows platforms, providing enterprise customers with additional management options. Pardon the sarcasm, but this must be why people are still flocking to Windows 10 in droves, regardless of the operating system's waning lifecycle.
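As an added example (not code from the article, Microsoft, or TechSpot), this PowerShell checks whether a PC meets the TPM 2.0 requirement discussed above by reading the TPM's reported spec version, and whether its BitLocker system volume keeps a recovery password protector, the safeguard for the "motherboard fails and the key is gone" scenario raised in the comments. It assumes an elevated session on Windows 10/11 with the built-in TrustedPlatformModule and BitLocker modules; the function names are the example's own.

```powershell
# Added example, not from the article: report whether this PC meets the
# Windows 11 TPM 2.0 requirement and whether BitLocker on the system drive
# has a recovery password protector. Run from an elevated PowerShell prompt;
# without elevation the Win32_Tpm query returns nothing and TPM looks absent.

function Get-TpmRequirementStatus {
    # Win32_Tpm exposes SpecVersion as a comma-separated string, e.g.
    # "2.0, 0, 1.38" (TPM 2.0) or "1.2, 2, 3" (TPM 1.2). No instance means
    # no TPM is present, or it is disabled in firmware.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present = $false; SpecVersion = $null; Ready = $false; MeetsWin11 = $false
        }
    }
    $spec   = ($tpm.SpecVersion -split ',')[0].Trim()
    $parsed = $null
    $isV2   = [version]::TryParse($spec, [ref]$parsed) -and ($parsed -ge [version]'2.0')
    # Get-Tpm (TrustedPlatformModule module) reports whether the TPM is
    # provisioned and usable by Windows, which BitLocker depends on.
    $ready = [bool](Get-Tpm).TpmReady
    [pscustomobject]@{
        Present     = $true
        SpecVersion = $spec
        Ready       = $ready
        MeetsWin11  = ($isV2 -and $ready)
    }
}

function Get-BitLockerRecoveryStatus {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus.ToString()   # On or Off
        # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey all unseal via the TPM
        TpmProtector     = (@($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0)
        RecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

$tpmStatus = Get-TpmRequirementStatus
$tpmStatus | Format-List
if (-not $tpmStatus.MeetsWin11) {
    Write-Warning 'No ready TPM 2.0 found: this PC does not meet the Windows 11 requirement.'
}

try {
    $bl = Get-BitLockerRecoveryStatus
    $bl | Format-List
    if ($bl.ProtectionStatus -eq 'On' -and -not $bl.RecoveryPassword) {
        # A TPM-only protector dies with the board. Add a recovery password
        # (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and back it
        # up (Backup-BitLockerKeyProtector) before any hardware change.
        Write-Warning "$($bl.MountPoint) is encrypted without a recovery password protector."
    }
} catch {
    Write-Warning "BitLocker status unavailable: $($_.Exception.Message)"
}
```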

 
Rufus can remove the requirements from the installer. But I do wonder if they'll crack down with OTA updates. I have heard that they are sending notifications to 'incompatible' installations.
 
Dear Microsoft,
We don't care what your reasonings are. TPM is not something you should be forcing on people and there are many reasons why. The pushback you're experiencing is not going away and you will lose on this and many other points of contention concerning the crazy crap you're attempting with Windows 11. Back off and make these things optional, the way you're supposed to.
 
I am finding Microsoft's position on this difficult to reconcile with my anecdotal memories of how most real world security problems are reported in the press, where TPM and/or Win 11 are not differentiating factors.

Further, one wonders if these functions were truly so essential, how a global computing environment of hundreds of millions (or billions?) of devices came to be satisfactorily deployed and operating without it.

It is almost as if there is some other unstated reason behind this determination to turn hundreds of millions of Windows devices into either e-waste, or vulnerable systems with known but unpatched vulnerabilities despite Microsoft's readily available paths to mitigate them (talk about a security problem!)

Maybe one day we'll get a fuller picture via a leak, or discovery process, or some other method.
 
Dear Microsoft,
We don't care what your reasonings are. TPM is not something you should be forcing on people and there are many reasons why. The pushback you're experiencing is not going away and you will lose on this and many other points of contention concerning the crazy crap you're attempting with Windows 11. Back off and make these things optional, the way you're supposed to.
You seem to be a classic troll; an increase in security is crazy crap!? And you are fine with swiss-cheese Linux - unsecured, with even a basic firewall off by default or not bundled with the distro, and big security players like ESET completely abandoning Linux!? Then switch to it and leave us alone. Windows 10 was crap - 11 is better in every way, and I don't need to change the location of my taskbar. Also, when Apple does it, nobody complains.
 
You seem to be a classic troll; an increase in security is crazy crap!? And you are fine with swiss-cheese Linux - unsecured, with even a basic firewall off by default or not bundled with the distro, and big security players like ESET completely abandoning Linux!? Then switch to it and leave us alone. Windows 10 was crap - 11 is better in every way, and I don't need to change the location of my taskbar. Also, when Apple does it, nobody complains.
Wow, that is quite the projection argument you've managed.

TPM does not increase security for home users, neither does BitLocker. Unless you are targeted by state actors or deal with thousands of bitcoin, these things do NOT increase security.

They do, OTOH, make it impossible to retrieve your data when you arbitrarily get locked out of your always-online MS account or your motherboard fails and of course you don't know the BitLocker password. Also ignore that Windows 11 runs fine without it right now.....

Also, someone want to tell him that "swiss-cheese Linux - unsecured" runs most of the modern internet? And that Linux ships with all ports blocked by default, so the firewall serves no purpose until you need to actually open something? Poor guy.
I am finding Microsoft's position on this difficult to reconcile with my anecdotal memories of how most real world security problems are reported in the press, where TPM and/or Win 11 are not differentiating factors.

Further, one wonders if these functions were truly so essential, how a global computing environment of hundreds of millions (or billions?) of devices came to be satisfactorily deployed and operating without it.

It is almost as if there is some other unstated reason behind this determination to turn hundreds of millions of Windows devices into either e-waste, or vulnerable systems with known but unpatched vulnerabilities despite Microsoft's readily available paths to mitigate them (talk about a security problem!)

Maybe one day we'll get a fuller picture via a leak, or discovery process, or some other method.
The unstated reason is pretty clear: control, control, control. MS is the same company that pays Phil Spencer, who has made it clear he and his bosses envision a world where if you say a naughty or do a bad, you should be banned not just from a game, but have all your internet accounts disabled. Real 1984-tier stuff. And the only way they can do that is if they can ban your hardware. Media companies have also long salivated at the idea of being able to track users regardless of accounts or IP address or network used, to enforce DRM.

Now if there was a way to assign a hardware key to a PC to track everything you do and lo.....oh hey there TPM and Recall!

They have no issue with creating billions of tons of e-waste. All their "green" virtue signaling is for show; they can just cut down a forest and install some solar panels, then brag about how "green" they are again. They'll keep pushing their arbitrary hardware list so long as people go along with it. Of course, with Windows market share steadily decreasing, who knows when they will start to sweat.
 
Wow, that is quite the projection argument you've managed.

TPM does not increase security for home users, neither does BitLocker. Unless you are targeted by state actors or deal with thousands of bitcoin, these things do NOT increase security.

They do, OTOH, make it impossible to retrieve your data when you arbitrarily get locked out of your always-online MS account or your motherboard fails and of course you don't know the BitLocker password. Also ignore that Windows 11 runs fine without it right now.....

Also, someone want to tell him that "swiss-cheese Linux - unsecured" runs most of the modern internet? And that Linux ships with all ports blocked by default, so the firewall serves no purpose until you need to actually open something? Poor guy.

The unstated reason is pretty clear: control, control, control. MS is the same company that pays Phil Spencer, who has made it clear he and his bosses envision a world where if you say a naughty or do a bad, you should be banned not just from a game, but have all your internet accounts disabled. Real 1984-tier stuff. And the only way they can do that is if they can ban your hardware. Media companies have also long salivated at the idea of being able to track users regardless of accounts or IP address or network used, to enforce DRM.

Now if there was a way to assign a hardware key to a PC to track everything you do and lo.....oh hey there TPM and Recall!

They have no issue with creating billions of tons of e-waste. All their "green" virtue signaling is for show; they can just cut down a forest and install some solar panels, then brag about how "green" they are again. They'll keep pushing their arbitrary hardware list so long as people go along with it. Of course, with Windows market share steadily decreasing, who knows when they will start to sweat.
Linux security for any serious company works in a way that you have to pay someone to monitor everything that goes on in the background 24/7. Linux will never break through for home users in this state; it's neither practical nor secure - this is just classic misinformation you get everywhere on the internet.

Heck, I would rather recommend people go outright for a MacBook than replace a Windows laptop with Linux distros. Ubuntu got some traction a few years ago, and they displayed that it would be a faaar worse OS than Windows, and a worse company than Microsoft if they had its market share. Ubuntu is now at a state where pretty much anything can be bundled with the app installer (snaps), malware or worse, and we don't have control over it; still people call Linux a saviour.
 
Linux security for any serious company works in a way that you have to pay someone to monitor everything that goes on in the background 24/7. Linux will never break through for home users in this state; it's neither practical nor secure - this is just classic misinformation you get everywhere on the internet.

Heck, I would rather recommend people go outright for a MacBook than replace a Windows laptop with Linux distros. Ubuntu got some traction a few years ago, and they displayed that it would be a faaar worse OS than Windows, and a worse company than Microsoft if they had its market share. Ubuntu is now at a state where pretty much anything can be bundled with the app installer (snaps), malware or worse, and we don't have control over it; still people call Linux a saviour.
Dude I want some of what you're smoking.

Any "serious" company will pay someone to monitor their PC security 24/7; such software has existed for generations now, regardless of what OS you run. You act like Linux has zero protections, which, just ROFL, no.

You can bundle malware with any app for any operating system. IDK why you think Linux is special there.
 
Dear Microsoft,
We don't care what your reasonings are. TPM is not something you should be forcing on people and there are many reasons why. The pushback you're experiencing is not going away and you will lose on this and many other points of contention concerning the crazy crap you're attempting with Windows 11. Back off and make these things optional, the way you're supposed to.
TPM 1.2 using insecure SHA-1 is the root cause of the TPM 2 requirement.

Windows uses the TPM to store BitLocker keys, enterprise client certificate auth, online streaming audio/video encryption keys, etc.
Despite the bad publicity of BitLocker, there is no free and easy-to-use alternative now.
 
Dear Microsoft,
We don't care what your reasonings are. TPM is not something you should be forcing on people and there are many reasons why. The pushback you're experiencing is not going away and you will lose on this and many other points of contention concerning the crazy crap you're attempting with Windows 11. Back off and make these things optional, the way you're supposed to.
TPM 1.2 maxing out at insecure SHA-1 is the cause of the TPM 2 requirement.

Windows needs the TPM to store BitLocker keys, enterprise client certificate auth, online streaming audio/video offline encryption keys, etc.
Despite the bad publicity of BitLocker, there is no free and easy-to-use alternative now.
 
Microsoft should simply explain that the older TPM 1.2 maxes out at insecure SHA-1.

And Windows needs the TPM to store the encryption keys of
BitLocker, enterprise client certificates, Spotify & Netflix offline encryption keys, etc.
 
Wow, that is quite the projection argument you've managed.

TPM does not increase security for home users, neither does BitLocker. Unless you are targeted by state actors or deal with thousands of bitcoin, these things do NOT increase security.

They do, OTOH, make it impossible to retrieve your data when you arbitrarily get locked out of your always-online MS account or your motherboard fails and of course you don't know the BitLocker password. Also ignore that Windows 11 runs fine without it right now.....

Also, someone want to tell him that "swiss-cheese Linux - unsecured" runs most of the modern internet? And that Linux ships with all ports blocked by default, so the firewall serves no purpose until you need to actually open something? Poor guy.

The unstated reason is pretty clear: control, control, control. MS is the same company that pays Phil Spencer, who has made it clear he and his bosses envision a world where if you say a naughty or do a bad, you should be banned not just from a game, but have all your internet accounts disabled. Real 1984-tier stuff. And the only way they can do that is if they can ban your hardware. Media companies have also long salivated at the idea of being able to track users regardless of accounts or IP address or network used, to enforce DRM.

Now if there was a way to assign a hardware key to a PC to track everything you do and lo.....oh hey there TPM and Recall!

They have no issue with creating billions of tons of e-waste. All their "green" virtue signaling is for show; they can just cut down a forest and install some solar panels, then brag about how "green" they are again. They'll keep pushing their arbitrary hardware list so long as people go along with it. Of course, with Windows market share steadily decreasing, who knows when they will start to sweat.
Bitlocker useless???

Storage encryption for personal devices such as laptop, smartphone, etc. is a must today.
So a thief can't easily access your files when those devices are stolen.
 
All Intel based PCs from the 8th gen or newer have TPM2.0. All AMD based PCs with Ryzen 2000 or higher have TPM2.0. This is hardware from 2017. I think it's fair to say if you have hardware older than that, you just don't get to run windows 11 on it.
 
All Intel based PCs from the 8th gen or newer have TPM2.0. All AMD based PCs with Ryzen 2000 or higher have TPM2.0. This is hardware from 2017. I think it's fair to say if you have hardware older than that, you just don't get to run windows 11 on it.
The thing is that people whining about all this are the ones who expect to run the latest OS on their 15+ year old hardware. When it doesn't work they rant about it on the internet and make whatever company (MS in this case) out to be the Devil himself.
 
All Intel based PCs from the 8th gen or newer have TPM2.0. All AMD based PCs with Ryzen 2000 or higher have TPM2.0. This is hardware from 2017. I think it's fair to say if you have hardware older than that, you just don't get to run windows 11 on it.
Except that is not fair. Microsoft allows several 7th gen Intel processors, which do NOT have TPM 2.0, to run 11, simply because they were used in Surface devices. Therefore, the TPM requirement is entirely arbitrary.

Besides, TPM 2.0 hardware keys exist, and can just plug into older motherboards. So that is still a totally BS excuse.

This may shock you, but there is a whole world outside America and Western Europe where Core 2 Duos are still commonly used. They cannot afford Skylake or newer hardware. So they will be condemned to running obsolete OSes, and we have another XP botnet scenario on our hands.
Bitlocker useless???

Storage encryption for personal devices such as laptop, smartphone, etc. is a must today.
So a thief can't easily access your files when those devices are stolen.
99.999% of people today do not use BitLocker. Unless you are the target of a national actor, nobody is going to crawl through your drive to get your passwords. A street thief is gonna flip your hardware at a pawn shop for a quick buck. If someone else wants in, they can bypass that encryption if they really want to. OR they could just boot your stolen PC and use a cold boot attack to get the encryption key. Womp Womp.

Again, Windows 11 runs fine without TPM. It is not a "requirement" to run the OS. That is BS MS invented to force the sales of new licenses, to make $$$.
The thing is that people whining about all this are the ones who expect to run the latest OS on their 15+ year old hardware. When it doesn't work they rant about it on the internet and make whatever company (MS in this case) out to be the Devil himself.
Because it runs perfectly fine on said hardware, the restrictions are entirely arbitrary. But please, continue to meatshield for the multi trillion dollar corpo, I'm sure that could never go wrong.
 
Security requirements are okay as long as end users don't have to put any time, work or money into them.

Shocker.
 
Let's see what they are gonna be saying in a couple of years when they realize that millions of ppl will still stay with their old rigs and Windows 10.

It's gonna be fun.
 
Wow, that is quite the projection argument you've managed.
I could not have said that better myself. Excellent!

You seem to be a classic troll
Wonderful statement.
increase in security is crazy crap!?
TPM2.0 is not all that secure. It's crackable and it's a PITA to work with in some ways. So yeah, crazy crap.

Also when Apple does it, nobody complains.
Apple users are a special breed and I'll leave that one right there.

Tpm 1.2 uses insecure sha1 is the root cause of tpm 2 requirement.
TPM2.0 has its own problems and, as was said above, can be cracked. It's not all that secure. Microsoft using it as a base for their security platform isn't just foolish and incompetent, it's a headache for normal users as well.
Bitlocker useless???
Yup, useless. And like TPM it's a PITA in many ways.

Additionally, he could not show one iota of proof it has made security better for Win 11.
There is a reason for that: It doesn't improve security.

I am never going to use either one, ever.
 
MS stopped listening to their customers about 5 years ago and it's been all downhill since then. Windows 11 has become a billboard with every opportunity to monetize, scrape and generally exploit users now taken.
 
Linux security for any serious company works in a way that you have to pay someone to monitor everything that goes on in the background 24/7. Linux will never break through for home users in this state; it's neither practical nor secure - this is just classic misinformation you get everywhere on the internet.

Heck, I would rather recommend people go outright for a MacBook than replace a Windows laptop with Linux distros. Ubuntu got some traction a few years ago, and they displayed that it would be a faaar worse OS than Windows, and a worse company than Microsoft if they had its market share. Ubuntu is now at a state where pretty much anything can be bundled with the app installer (snaps), malware or worse, and we don't have control over it; still people call Linux a saviour.
Dude, I have a strong feeling you're mixing apples with oranges here. Linux was always clearly a much more nuanced and complicated system to use in comparison to Windows. It's a tool, a fantastic one at that, which gives you the freedom to set up your system however you want and the vast majority of the time does not shove stupid and useless features down your throat. Yes, it's difficult to use for an average user, but it was never meant for them in the first place.

I have had an i7 6800K paired with 32GB 3200MHz DDR4 RAM, a 2TB NVMe SSD and a GTX 1080Ti since 2016 and it runs blistering fast. The PC is on in 15 seconds and serves me perfectly well for work and gaming (God of War was running at 1440p 80+ fps with all settings almost completely maxed out). My two kids have i7 4770K and i7 3770K machines that are well over 10 years old with GTX 1070Ti's that will run anything they need. I help and administer the PCs of almost all of my friends and family in my vicinity, and the hardware in their desktops is also on average over 6 years old. None of these people have TPM 2.0 chips and all of them are running Windows 11, working and playing on these machines every day without a single problem. I just think it unfair to force these people to throw these perfectly good tools away and get new ones for what? Increased security?
 