Why it matters: Windows 11 is coming, but it won't be coming to just any PC. Microsoft says the next generation of Windows requires the use of a system with Trusted Platform Module 2.0, and most Windows users have never had to deal with the term before, at least outside of enterprise environments. The company does make a good point that TPM helps add to the security of Windows PCs, but this aggressive push for TPM 2.0 compliance may backfire.
This week Microsoft announced the most significant overhaul to Windows in years, with a simplified UI and (hopefully) cohesive user interface. Other key features as described by Microsoft include better performance, a new Microsoft Store, and more gaming-oriented features meant to align the PC and Xbox experiences.
Oh, and it's also a free upgrade for Windows 10 users.
Microsoft seems determined to make developers love the new operating system and the opportunities it brings to the table. However, in turning Windows up to 11 the company also introduced new system requirements, and released a Health Check tool that can tell you if your PC will be able to run Windows 11 when it lands later this year.
You'll need a slightly beefier system for the new operating system when compared to Windows 10, with a dual-core processor and a minimum of 4 GB of RAM becoming the bare new minimum.
TPM in a nutshell
Upon using the compatibility tool, some of you no doubt found that your system isn't "officially" capable of running Windows 11, which will require a PC with UEFI and Secure Boot capability, as well as something called Trusted Platform Module or TPM. As we explained in this article, people with relatively new hardware (1-3 years old) should be able to pass the checks made by the app with flying colors, but only if TPM is enabled in your UEFI settings.
Most computers released over the last 10 years use a UEFI or hybrid UEFI implementation with a BIOS compatibility layer on top of it, so theoretically all these systems can run Windows 11 if they pass the CPU, RAM, and storage requirements. However, not all of them may have a TPM chip, and unfortunately in typical Microsoft fashion, the company has done a poor job of communicating when it comes to this new system requirement.
You may be wondering why Microsoft has suddenly decided to require TPM, a technology that has been used mostly in business environments for IT-managed PCs. TPM started out as a dedicated microcontroller chip (dTPM) integrated on some PC motherboards but in recent years processor manufacturers like Intel and AMD have started adding this functionality to their CPUs in the form of firmware-based TPM (fTPM).
Microsoft Director of Enterprise and OS Security David Weston explains the purpose of TPM is to "protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can't access or tamper with that data." In other words, TPM is a hardware security feature that stores secrets in a special space that's better protected against external software attacks.
In Windows, TPM has been used to augment features like Windows Hello passwordless authentication, Windows Defender Application Control, BitLocker (used for full-disk encryption), as well as ensuring hypervisor code integrity. This isn't exactly impenetrable security, but it makes it much harder for hackers to perform remote attacks on important systems, especially when this isn't the only layer of security that stands in their way.
There are now over 1.3 billion Windows 10 PCs in active use around the world (and around 100 million Windows 7 and 8 PCs), which is a large attack surface that is increasingly being subjected to new types of threats, including ransomware campaigns. The latter are only getting worse and are forecasted to cost $265 billion worldwide by 2031.
Microsoft has been trying hard to educate consumers and businesses about the importance of protecting against this type of cyberattack. Furthermore, according to Microsoft's March 2021 Security Signals report, 83 percent of all businesses have experienced sophisticated firmware attacks over the past two years, and these companies only dedicate around 29 percent of their security budget to protecting against them.
Nicole Dezen, who is VP of Global Partner Solutions at Microsoft says the TPM requirement also means Windows 11 will come with security features like Secure Boot, hardware-based isolation, and hypervisor code integrity turned on by default. However, Microsoft's reasons may extend well beyond improving the security posture of Windows users, as TPM can also be used for protecting copyrighted works and adding anti-cheat efforts for popular online games.
with secure boot and a TPM you can defeat a lot of the early boot hax I have seen like cheat engine. A TPM with EK would at least force a cheater to get a new computer (or TPM) if they are identified.--- DWIZZZLE (@dwizzzleMSFT) April 29, 2021
Microsoft has patents describing the use of TPM in conjunction with other technologies to create better anti-cheat solutions. And even though everyone who's passionate about online multiplayer games hates cheaters, this might even protect those who try to use cheats from getting their PCs infected with malware, while simultaneously making it difficult to ruin other people's gaming sessions. Of course, this won't be something that Windows 11 will have at launch, but the TPM requirement is a good foundation to build upon the future.
Who is covered and who is not?
Windows 11 has a hard requirement for TPM 2.0 to be present in your system, which is a big ask. If you have an AMD processor from this list or an Intel processor from this list you are essentially covered. All you need to do is check your UEFI settings – usually in the Advanced tab – and enable a feature called "PTT" for Intel systems and "PSP fTPM" for AMD systems.
Missing from that group are most PCs four years old or older. That includes first-gen Ryzen CPUs and first-gen Threadripper CPUs. On the Intel side, all 6th-gen and 7th-gen Core CPUs are not supported, or essentially anything released prior to the Coffee Lake family (late 2017). That's harsh. However, shortly after the controversy surrounding the TPM requirement blew up, we're hearing about "soft floors," where older PCs may still be able to upgrade to Windows 11 by simply bypassing some kind of warning dialog. No doubt, sooner or later, users will figure out some workaround as well.
Update (6/29): It now looks like Microsoft could expand the list of officially supported CPUs for Windows 11 by adding another (older) generation of Intel and AMD chips, specifically Core 7th-gen and AMD 1st-gen Ryzen CPUs. This is still pending confirmation however, more details here.
There's another way for those of you who are sticking with a desktop PC powered by an older CPU not included in the list do have a way of fulfilling the TPM requirement using a discrete TPM 2.0 module that can be attached to your motherboard, but Microsoft won't "officially" support your configuration. The company also doesn't recommend pairing a TPM module with a motherboard that only uses a legacy BIOS implementation, as some features may not work as expected.
But guess what, another problem with trying to buy a TPM module right now is... scalpers. A mere day after the Windows 11 announcement there were almost no such items available to buy from retailers, but there's a flood of them on sites like eBay for a significant premium compared to their normal price. A typical TPM 2.0 module costs around $25 but is now $90 to $100 or more, depending on the model.
Bottom line is the TPM 2.0 requirement is Microsoft's way of saying that it wants the next generation of Windows to bring a new level of security to consumers and businesses, which is also why it's partnered with Intel, AMD, and Qualcomm to bake TPM directly into the CPU core designs of future processors. The only problem is that it's doing so in the middle of a shortage of silicon, which takes away from the otherwise promising characteristics Windows 11.