What is TPM and why does Windows 11 require it?

nanoguy

Staff member
Why it matters: Windows 11 is coming, but it won't be coming to just any PC. Microsoft says the next generation of Windows requires a system with Trusted Platform Module 2.0, and most Windows users have never had to deal with the term before, at least outside of enterprise environments. The company does make a good point that TPM improves the security of Windows PCs, but this aggressive push for TPM 2.0 compliance may backfire.

This week Microsoft announced the most significant overhaul to Windows in years, with a simplified and (hopefully) more cohesive user interface. Other key features as described by Microsoft include better performance, a new Microsoft Store, and more gaming-oriented features meant to align the PC and Xbox experiences.

Oh, and it's also a free upgrade for Windows 10 users.

Microsoft seems determined to make developers love the new operating system and the opportunities it brings to the table. However, in turning Windows up to 11 the company also introduced new system requirements, and released a Health Check tool that can tell you if your PC will be able to run Windows 11 when it lands later this year.

You'll need a slightly beefier system for the new operating system when compared to Windows 10, with a dual-core processor and a minimum of 4 GB of RAM becoming the new bare minimum.

TPM in a nutshell

Upon using the compatibility tool, some of you no doubt found that your system isn't "officially" capable of running Windows 11, which will require a PC with UEFI and Secure Boot capability, as well as something called Trusted Platform Module or TPM. As we explained in this article, people with relatively new hardware (1-3 years old) should be able to pass the checks made by the app with flying colors, but only if TPM is enabled in your UEFI settings.

Most computers released over the last 10 years use a UEFI or hybrid UEFI implementation with a BIOS compatibility layer on top of it, so in theory all these systems can run Windows 11 if they pass the CPU, RAM, and storage requirements. However, not all of them may have a TPM chip, and unfortunately, in typical Microsoft fashion, the company has communicated this new system requirement poorly.

Why now?

You may be wondering why Microsoft has suddenly decided to require TPM, a technology that has been used mostly in business environments for IT-managed PCs. TPM started out as a dedicated microcontroller chip (dTPM) integrated on some PC motherboards but in recent years processor manufacturers like Intel and AMD have started adding this functionality to their CPUs in the form of firmware-based TPM (fTPM).

Microsoft Director of Enterprise and OS Security David Weston explains the purpose of TPM is to "protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data." In other words, TPM is a hardware security feature that stores secrets in a special space that's better protected against external software attacks.

In Windows, TPM has been used to augment features like Windows Hello passwordless authentication, Windows Defender Application Control, BitLocker (used for full-disk encryption), as well as ensuring hypervisor code integrity. This isn't exactly impenetrable security, but it makes it much harder for hackers to perform remote attacks on important systems, especially when this isn't the only layer of security that stands in their way.

There are now over 1.3 billion Windows 10 PCs in active use around the world (and around 100 million Windows 7 and 8 PCs), which is a large attack surface that is increasingly being subjected to new types of threats, including ransomware campaigns. The latter are only getting worse and are forecasted to cost $265 billion worldwide by 2031.

Microsoft has been trying hard to educate consumers and businesses about the importance of protecting against this type of cyberattack. Furthermore, according to Microsoft's March 2021 Security Signals report, 83 percent of all businesses have experienced sophisticated firmware attacks over the past two years, and these companies only dedicate around 29 percent of their security budget to protecting against them.

Nicole Dezen, VP of Global Partner Solutions at Microsoft, says the TPM requirement also means Windows 11 will come with security features like Secure Boot, hardware-based isolation, and hypervisor code integrity turned on by default. However, Microsoft's reasons may extend well beyond improving the security posture of Windows users, as TPM can also be used for protecting copyrighted works and adding anti-cheat measures for popular online games.

Microsoft has patents describing the use of TPM in conjunction with other technologies to create better anti-cheat solutions. And even though everyone who's passionate about online multiplayer games hates cheaters, this might even protect those who try to use cheats from getting their PCs infected with malware, while simultaneously making it difficult to ruin other people's gaming sessions. Of course, this won't be something that Windows 11 will have at launch, but the TPM requirement is a good foundation to build upon in the future.

Who is covered and who is not?

Windows 11 has a hard requirement for TPM 2.0 to be present in your system, which is a big ask. If you have an AMD processor from this list or an Intel processor from this list you are essentially covered. All you need to do is check your UEFI settings -- usually in the Advanced tab -- and enable a feature called "PTT" for Intel systems and "PSP fTPM" for AMD systems.

Missing from that group are most PCs four years old or older. That includes first-gen Ryzen CPUs and first-gen Threadripper CPUs. On the Intel side, all 6th-gen and 7th-gen Core CPUs are not supported, or essentially anything released prior to the Coffee Lake family (late 2017). That's harsh. However, shortly after the controversy surrounding the TPM requirement blew up, we're hearing about "soft floors," where older PCs may still be able to upgrade to Windows 11 by simply bypassing some kind of warning dialog. No doubt, sooner or later, users will figure out some workaround as well.

Update (6/29): It now looks like Microsoft could expand the list of officially supported CPUs for Windows 11 by adding another (older) generation of Intel and AMD chips, specifically Core 7th-gen and AMD 1st-gen Ryzen CPUs. This is still pending confirmation however, more details here.

Those of you who are sticking with a desktop PC powered by an older CPU not included in the list do have another way of fulfilling the TPM requirement: a discrete TPM 2.0 module that can be attached to your motherboard, although Microsoft won't "officially" support your configuration. The company also doesn't recommend pairing a TPM module with a motherboard that only uses a legacy BIOS implementation, as some features may not work as expected.

But guess what, another problem with trying to buy a TPM module right now is... scalpers. A mere day after the Windows 11 announcement there were almost no such items available to buy from retailers, but there's a flood of them on sites like eBay for a significant premium compared to their normal price. A typical TPM 2.0 module costs around $25 but is now $90 to $100 or more, depending on the model.

The bottom line is that the TPM 2.0 requirement is Microsoft's way of saying that it wants the next generation of Windows to bring a new level of security to consumers and businesses, which is also why it's partnered with Intel, AMD, and Qualcomm to bake TPM directly into the CPU core designs of future processors. The only problem is that it's doing so in the middle of a silicon shortage, which takes away from the otherwise promising characteristics of Windows 11.


 
It requires TPM 1.2 as a hard floor, not 2.0, though the Windows upgrade tools will apparently advise against updating if you only have version 1.2 (which obviously means way more devices can run it)

 
As long as MS also takes security seriously when it comes to coding, i.e. doesn't preach water and drink wine, that's fine.

Looking forward to their presentation on how they updated their coding and QC practices for better security.
 
How many ransomware attacks have been prevented by TPM?

Requiring the likes of TPM and Secure Boot doesn't improve security. They remove control and choice from the end user, and introduce yet another avenue that can be used to spy on the individual. They don't stop ransomware, and they just happen to make it harder to run alternative software to Microsoft's operating system of choice.

"Microsoft Director of Enterprise and OS Security David Weston explains the purpose of TPM is to "protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data." In other words, TPM is a hardware security feature that stores secrets in a special space that's better protected against external software attacks."

That doesn't help at all when phishing is used to access someone's credentials. Guess how the vast majority of ransomware attacks get user credentials.
 
Already enabled fTPM on my AMD system.

While I am seeing the TPM out of stock in Canada, prices are not what I see on eBay from a retailer.

 
It looks like my MS Surface Book 1 actually has TPM 2.0 and it's enabled and activated. So the stupid Health Check app is telling me I'm ineligible just because my processor isn't on the list. And that processor list only applies to the soft floor, not the hard floor.

If you want to check your computer's status for TPM, there's a much easier way than going to your BIOS (mine didn't even have a setting for it). Open PowerShell with admin privs and run Get-TPM. That'll tell you your TPM present, ready, enabled, and activation status. For the 1.2/2.0 version information, I found it in Device Manager under "Security devices".
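The check the article describes (UEFI, Secure Boot, TPM enabled in firmware) and the Get-Tpm approach from the comment above, combined into one script. This is an added example, not code from the article or the commenter; the function name Get-Win11FirmwareReadiness is made up here, and it reads the TPM spec version from the Win32_Tpm WMI class, which is what Device Manager's "Security devices" entry reflects.

```powershell
# Added example: report the firmware-level Windows 11 requirements discussed
# on this page (UEFI boot, Secure Boot, TPM 2.0 hard requirement, TPM 1.2 as
# the "soft floor" mentioned in the comments). Run from an elevated prompt.
#Requires -RunAsAdministrator

function Get-Win11FirmwareReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. UEFI vs legacy BIOS. Microsoft does not recommend pairing a TPM
    #    module with a legacy-BIOS board, so this is worth knowing first.
    $result.FirmwareType = $env:firmware_type   # "UEFI" or "Legacy"

    # 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS, so treat
    #    that as "unsupported" rather than letting the script fail.
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBoot = 'Unsupported (legacy BIOS or no UEFI variables)'
    }

    # 3. TPM presence and state via Get-Tpm (TrustedPlatformModule module).
    $tpm = Get-Tpm
    $result.TpmPresent   = $tpm.TpmPresent
    $result.TpmReady     = $tpm.TpmReady
    $result.TpmEnabled   = $tpm.TpmEnabled
    $result.TpmActivated = $tpm.TpmActivated

    # 4. Spec version (1.2 vs 2.0) from Win32_Tpm. SpecVersion looks like
    #    "2.0, 0, 1.38"; only the first field matters for the 1.2/2.0 question.
    $wmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }
    $result.TpmSpecVersion = $spec

    # Verdict: 2.0 is the official requirement; 1.2 is reported separately so
    # the reader can see the "soft floor" case rather than a bare failure.
    if (-not $tpm.TpmPresent) {
        $result.Verdict = 'No TPM detected: check UEFI for PTT (Intel) or fTPM/PSP (AMD)'
    } elseif (-not ($tpm.TpmEnabled -and $tpm.TpmActivated)) {
        $result.Verdict = 'TPM present but not enabled/activated in firmware'
    } elseif ($spec -eq '2.0') {
        $result.Verdict = 'TPM 2.0 present and active'
    } elseif ($spec -eq '1.2') {
        $result.Verdict = 'TPM 1.2 only: below the official 2.0 requirement'
    } else {
        $result.Verdict = "Unrecognised TPM spec version: $spec"
    }

    [pscustomobject]$result
}

Get-Win11FirmwareReadiness | Format-List
```

On a machine where the TPM is present but disabled in firmware, Get-Tpm reports TpmPresent as True while TpmEnabled is False, which is the "enable PTT / fTPM in UEFI" case the article describes.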
 
"Microsoft has patents describing the use of TPM in conjunction with other technologies to create better anti-cheat solutions"
Let's cut the cr*p. In a world where 99% of "hacks" are social engineering, TPM in practice will end up far more about DRM enforcement and control than "security". If MS really took Windows security seriously, the Windows firewall would have long been on a default whitelist since at least Vista instead of allowing anything & everything to chatter away in the background unrestricted by default, and I laugh long and hard at any gamer trying to give lectures on "Windows security" whilst continuing to voluntarily install Sony Rootkit 2.0 into their Windows kernel...
 
How many ransomware attacks have been prevented by TPM?

Requiring the likes of TPM and Secure Boot doesn't improve security. They remove control and choice from the end user, and introduce yet another avenue that can be used to spy on the individual. They don't stop ransomware, and they just happen to make it harder to run alternative software to Microsoft's operating system of choice.

"Microsoft Director of Enterprise and OS Security David Weston explains the purpose of TPM is to "protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data." In other words, TPM is a hardware security feature that stores secrets in a special space that's better protected against external software attacks."

That doesn't help at all when phishing is used to access someone's credentials. Guess how the vast majority of ransomware attacks get user credentials.

TPM isn't designed to stop ransomware, that would be the host based anti-virus. To run alternative software turn off secure boot. Teaching end users about phishing is a way better tool. TPM does protect someone's credentials when used with a PKI system, you can lock down a single user to a single device.
 
My premium 2013 ASUS Maximus VI Hero (Haswell) motherboard has a TPM port and supports TPM (as well as UEFI boot) as I learned when I checked the manual yesterday, so presumably there are a lot of people with old systems but premium motherboards who will be able to upgrade to Windows 11 with few or no issues.
 
If Microsoft has an "Enterprise" edition why not make TPM a requirement for *that* edition and explicitly optional for a "Home" edition? As it has been mentioned before, social engineering mostly makes this unnecessary and not to fully discredit user data but let's be honest, most of these security features are aimed at the enterprise anyway.

So what do you end up with? You will end up with a not insignificant part of very alienated enthusiast users that quite honestly, will simply not bother to grab the free upgrade if they need to go buy and install an additional chip.

This is pretty specifically my case by the way (So take that for what it is when it comes to bias): My rig is still 1600 and while I do plan on upgrading I am not going to fully retire this one: someone else will use it at one point or another.

So what am I missing if I don't bother to buy and install a TPM chip or enable whatever bypass methods people will inevitably come up with?

1) Android Apps: Yeah I already have a phone emulator installed on the rig
2) Centered start menu: Not that impressive on a multiple screen set up
3) Auto-HDR: Yeah Skyrim on Auto-HDR looked better, but I've been accomplishing far better visuals already for 9 years on Skyrim with user mods for ENB.
4) Task zones or whatever they're called: Again I've owned a DisplayFusion license for something like 5 or 6 years and I do use screen splits on an every day basis. They work great, better than what they publicized even since I can manually size zones (For example I can zone a full 1440p zone with 2 secondary ones: a reading pane and small info center thin view beneath) and I can add their own dedicated task bars if I wanted to, I can even compensate for applications that have different sized bezels if I want to tweak that deep.
5) The new Microsoft Store: Chances are most of the important functionality like package control will be retrofitted to Windows 10 and if not I'll continue to manually manage that part or use npm and Chocolatey, which again has been out for some time as well when it comes to managing dependencies and other dev stuff on Windows.

So overall if I have to do *ANYTHING* at all on this system beyond clicking "Ok" after I know for sure there's little chance of upgrade issues (So, 2022 at the earliest since I'm not risking upgrade issues at all, no matter how minor and isolated they might end up being) I have no reason to upgrade.

In fact I'm tech savvy enough that if Microsoft decides to tell me "You can't get security upgrades anymore" I would migrate the entire OS to a VM and run it in isolation if need be. I don't need Windows 11; if I keep 10 it is mostly out of inertia at this point, so these requirements are a really, really bad idea for the enthusiast market. Hopefully they can rectify this but I don't think they will.
 
My premium 2013 ASUS Maximus VI Hero (Haswell) motherboard has a TPM port and supports TPM (as well as UEFI boot) as I learned when I checked the manual yesterday, so presumably there are a lot of people with old systems but premium motherboards who will be able to upgrade to Windows 11 with few or no issues.
just be sure that the motherboard supports TPM 2.0 modules.
 
Why are 1st and 2nd Gen Ryzen CPUs not compatible even though they have fTPM 2.0 enabled? What is the difference between 3rd and 4th gen Ryzen fTPM vs that of 1st and 2nd? This question also applies to Intel's CPUs as well
 
Why are 1st and 2nd Gen Ryzen CPUs not compatible even though they have fTPM 2.0 enabled? What is the difference between 3rd and 4th gen Ryzen fTPM vs that of 1st and 2nd? This question also applies to Intel's CPUs as well

I believe it's an "Enforcing Planned Obsolescence" thing in the bottom line.
just be sure that the motherboard supports TPM 2.0 modules.

AFAIK, ASUS only sells one TPM module for all ASUS mobos.
 
So overall if I have to do *ANYTHING* at all on this system beyond clicking "Ok" after I know for sure there's little chance of upgrade issues (So, 2022 at the earliest since I'm not risking upgrade issues at all, no matter how minor and isolated they might end up being) I have no reason to upgrade.

In fact I'm tech savvy enough that if Microsoft decides to tell me "You can't get security upgrades anymore" I would migrate the entire OS to a VM and run it in isolation if need be. I don't need Windows 11; if I keep 10 it is mostly out of inertia at this point, so these requirements are a really, really bad idea for the enthusiast market. Hopefully they can rectify this but I don't think they will.

I suspect Nadella's goal has always been to actually drive away enthusiast users, just like it has always been his goal to remove Windows sysadmins. They have no place on his OS.
 
Why are 1st and 2nd Gen Ryzen CPUs not compatible even though they have fTPM 2.0 enabled? What is the difference between 3rd and 4th gen Ryzen fTPM vs that of 1st and 2nd? This question also applies to Intel's CPUs as well
I believe it's an "Enforcing Planned Obsolescence" thing in the bottom line.

AFAIK, ASUS only sells one TPM module for all ASUS mobos.

People have been speculating that the Meltdown and Spectre vulnerabilities will be Nadella's excuse to leave older CPUs out (Meltdown and Spectre themselves are something I've always seen as an industry scam to accelerate and enforce obsolescence of perfectly capable CPUs, since their risks have been blown way out of proportion since the start - of course the media and kool-aid drinking users are also to blame).
 
It is not a big deal. People who have an old PC can still use Windows 10 and Microsoft will continue updating it until 2025
 
I suspect Nadella's goal has always been to actually drive away enthusiast users, just like it has always been his goal to remove Windows sysadmins. They have no place on his OS.
That sounds about right: Ironically enough he constantly took jabs directly at Apple during the 11 keynote but what he is trying to achieve here is basically the Apple Store: default everything to the Windows Store, then start deprecating all other functionality until you *have to* use their store which eventually becomes just permanently tied to Azure services and your Windows box becomes a lot more like a Chromebook appliance: sure it might have *some* power but you shouldn't have free access to the OS or even program data, not even if you're a developer: Azure pushes a lot of "Platform-as-a-Service" and even "Software-as-a-Service" which is sold as "this is very convenient!" but is ultimately "Microsoft fully controls your application, for good AND bad"
 
It is not a big deal. People who have an old PC can still use Windows 10 and Microsoft will continue updating it until 2025
I agree: it really isn't a big deal.

Problem is, Microsoft probably *wanted* Windows 11 to be a big deal, big enough that it would encourage people to want to upgrade and in my opinion, it's lukewarm at best.
 