Discussion Is Windows 11 TPM requirement a 'red herring'?

https://www.forbes.com/sites/daveywinder/2021/07/03/windows-11-security-stink-reveals-massive-microsoft-ransomware-red-herring/?sh=68c1b1f422e1

TPM 2.0 ISN'T the security panacea Microsoft is touting it to be. All of the top types of virus/ransomeware attacks going on today would still be occuring on Windows 11 machines. Requiring TPM 2.0 is like Microsoft saying, "Hey, we need to install newer locks on all the doors on your house," as you stare at the broken glass from where the burgler broke in through the window for the third time.

Note: I fully recognize that TPM does improve security in certain ways. However, to me it just appears like a cheap way for Microsoft to get more people to buy/adopt Windows 11.
 
Last edited:
Reactions: Tommy Sawyer

USAFRet

Titan
Moderator
Mar 16, 2013
145,701
8,920
175,340
22,724
The TPM is not perfectly secure. Nothing is.

But, moving forward, it is probably more secure.


All this flap about "OH NOES! My old system can't upgrade to Win 11!!" is a temporary thing.
These old systems, mine included, will age out of use eventually.
The only people yelling about this are those with older systems, AND afflicted with GHIN(*) Syndrome.

Win 10 will be around for several more years.


* - Gotta Have It Now
 
Reactions: Tommy Sawyer
Isn't it just the opposite? With the TPM and CPU support list requirements, many people will NOT get Windows 11.
I don't think so and it appears that Microsoft has gambled on it pushing more people to get new computers (with accompanying new Windows 11 licenses, of course).

They definitely created a 'line in the sand' with their TPM requirement for Windows 11. We'll see how many cross that line for the holiday shopping season.
 

USAFRet

Titan
Moderator
Mar 16, 2013
145,701
8,920
175,340
22,724
I don't think so and it appears that Microsoft has gambled on it pushing more people to get new computers (with accompanying new Windows 11 licenses, of course).
A current Win 7/8/10 license can upgrade to 11 for $0.
If you're building up a second system, that needs its own license anyway. Be it 10 or 11.

They definitely created a 'line in the sand' with their TPM requirement for Windows 11. We'll see how many cross that line for the holiday shopping season.
As they've done in the past, regarding required RAM or drive size.
 

kanewolf

Titan
Moderator
I don't think so and it appears that Microsoft has gambled on it pushing more people to get new computers (with accompanying new Windows 11 licenses, of course).

They definitely created a 'line in the sand' with their TPM requirement for Windows 11. We'll see how many cross that line for the holiday shopping season.
I think that is a good thing. Do you also complain that Intel requires a new motherboard for each new generation of CPU? Or even complain that NVIDIA (or AMD) has limited feature XYZ to the RTX7000 series ONLY? If you want that feature you purchase the necessary parts. That is the way the world works.
 
I think that is a good thing. Do you also complain that Intel requires a new motherboard for each new generation of CPU? Or even complain that NVIDIA (or AMD) has limited feature XYZ to the RTX7000 series ONLY? If you want that feature you purchase the necessary parts. That is the way the world works.
If the main driver for new requirements appears to be greed and not actual technical need, you better believe I will voice my concerns.

Especially, if the new requirement is portrayed as something it is not.
 

Colif

Win 10 Master
Moderator
Right now, we have nothing
TPM doesn't protect against all attacks but it protects against some that are currently unprotected.

What do you want? You need to move from none to some at some stage and 11 is a step... it might not be last step but its more than nothing. Someone is going to be left behind regardless of when we take steps.
 
Reactions: Oasis Curator

dwd999

Honorable
Feb 24, 2016
78
6
10,545
1
The thing is, for the average user, what benefits are they actually going to see with a compliant build and W11? I got lucky and finished a new 11900K Z590 build in April, right before this whole thing started. So when they explained what I had to do in bios settings and W10 features and settings, I did it so now I have everything all set, the same as it will be under W11. (I also have an alternate SSD that I can switch to in bios when booting up running the latest W11 beta). But what do I actually see in daily use? Sure, I can use Application Guard browsing in Edge or Chrome, but its tedious and confusing because its not clearly explained. And I can already do that in W10 so why upgrade? In Edge I have to manually open an Application Guard window since you can't set that as the default opening window, or use the Start menu Microsoft Defender Application Guard Companion option (which doesn't seem to work on my W11 installation since its only beta) before browsing. Once that's done, the only real benefit I see (maybe I'm missing something) is that if I try to download any files from any website, they essentially disappear, which is a good thing for companies where they don't want their employees downloading any files that could compromise their network. I don't know anything about network administration so maybe you can already with W10 and network group policy controls. So for companies without network admin, Application Guard is a great thing if there were a way to restrict employees to that, but you can already do that with a compliant build and W10, so again why upgrade.
 
Last edited:

dwd999

Honorable
Feb 24, 2016
78
6
10,545
1
No luck involved.
Pretty much any system built since 2017 is viable for Win 11.
The lucky phrase actually refers to being able to get all of the parts I wanted despite supply chain problems. I had originally planned that build for 2020 but all of the parts were never available at the same time. So I was especially glad I finally got to upgrade my H97 4790S build. Hopefully the Alder Lake supply chain will cooperate and I'll be able to replace my other build in January.
 

ginandbacon

Commendable
Aug 22, 2019
9
1
1,515
0
Most PC's built around 2011/2012 should be supported in regards to just TPM and Secure Boot (well, maybe not the versions they have). Most people forget, MS initially tried to make Secure Boot a requirement for Windows 8.1 but backed down due to user complaints. Secure Boot is based on Sony's rootkit software they put on CDs/Digital Media (which Sony got a lot of heat for at the time). It's been in PC's for a while and you can turn it on on Windows 10. Secure Boot should probably be turned on even if you are on Windows 10. Most machines that get hit by ransomware are due to a compromised bootloader and this should make it much harder. It took the Federal Government one day to pay when the pipeline got hit, ransomware is only going to get worse although for home users who don't click on links because of some basic common knowledge aren't as likely to end up in this scenario as they can spot a scam email pretty quickly.

You can buy a TPM adapter/USB dongle but if your PC doesn't have one, it most likely won't pass the CPU compatibility list. This is 100% due to VBS Virtual Based Security) and Windows 11 will run SLOWER on unsupported hardware *(links below). Even CPU's that support older versions of VBS are unsupported. TPM WITH Bit Locker is more secure and you can't encrypt an already encrypted filesystem which I feel is geared towards government agencies and businesses with weak security. BitLocker has had security issues before and having a dedicated hardware device in the mix makes it more secure as hardware based security solutions are always better then software based solutions. With that said, I've noticed an extreme difference on Windows 11 with Bit Locker enabled vs disabled, so it has been disabled due to loosing 1000MB/s read speeds and sometimes up to 1500MB/s write speeds per Crystal Disk Mark and AS SSD Benchmark. I know software based encryption takes more resources but that is unacceptable. I shouldn't be getting less then Gen3 speeds when I have a Gen4 Nvme SSD.

Regarding the CPU, it seems like VBS is the deciding factor, and a particular version (earlier CPU's with VBS aren't supported) although I wish MS would just come out and confirm this. Virtual Based Security is required, it allows the OS to sandbox programs similar to how tabs are sandboxed in modern browsers. While you can still install it on an unsupported CPU, people have found that it runs slower on an unsupported CPU then the same hardware on Windows 10. This seems to be the main driving force of supported CPU's.

Also, and purely speculation by me as I have nothing to back this up, but if you looks at the list of CPU's effected by SPECTRE and MELTDOWN, and the supported CPU's for Windows 11, they are pretty much identical. Makes me wonder if there was more to those two vulnerabilities then what was publicly known. Just speculation, nothing more.

The video below and article explains it pretty well, MS should have been more clear about this when they announced the requirements. While people complain over Secure Boot and TPM, they most likely have it, and it may be an unsupported version but it just has to be turned on in the BIOS. The problem is, average users don't even know what the BIOS is, or what half this terminology means and MS's inability to be clear about it has just made things worse. Obviously new machines with Windows 11 will have this prebuilt in so the end user doesn't have to worry about it but if you yank the battery, or the BIOS gets reset for any reason, you then need your BitLocker recovery key to boot. This happened to me once. I know better, and had the key backed up but you average user probably won't even save this txt file off on a USB drive. At that point, they are more then likely hosted.

View: https://youtu.be/_xqbp0w5fJ4?t=178


https://www.zdnet.com/article/ok-microsoft-you-win-im-buying-a-windows-11-pc/

Now, with this required hardware-enforced containerization and virtualization tech, Windows 11 will isolate applications and processes much more easily. It will be much more difficult for malware in an errantly running application to access resources it isn't supposed to. It will only access the resources in that specific application task that it infects, such as a particular browser tab.
 

ginandbacon

Commendable
Aug 22, 2019
9
1
1,515
0
Considering there are already 2 billion computers out there with TMP chips, I don't see how. They have been in computers since 2009. TPM 2.0 came out in 2014. Your computer/laptop more then likely already has one (as did your previous one also). Additionally, living somewhere with an extremely high military presence where we make rockets and things that go BOOM, I can say that the DOD doesn't mess around, and it has been required for quite some time. I have friends that do contract work and while they can't say much, it's about as secure as you can get (no cell phones, random checks, ect..).

https://www.laptopmag.com/articles/tpm-chip-faq

Since an industry consortium called the Trusted Computing Group (TCG) introduced TPM in 2009, more than 2 billion of the chips have been embedded into PCs and other devices, such as ATMs and set-top boxes. The TPM standard has been updated over the years, and its most recent release is TPM 2.0, which was released in October 2014.

https://en.wikipedia.org/wiki/Trusted_Platform_Module

The United States Department of Defense (DoD) specifies that "new computer assets (e.g., server, desktop, laptop, thin client, tablet, smartphone, personal digital assistant, mobile phone) procured to support DoD will include a TPM version 1.2 or higher where required by Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and where such technology is available." DoD anticipates that TPM is to be used for device identification, authentication, encryption, and device integrity verification
 

ginandbacon

Commendable
Aug 22, 2019
9
1
1,515
0
What!?
This is totally false. Drives can most definitely still be encrypted with ransomware - even if bitlockered and using TPM.

I've got to run into the city so can't comment on other aspects of your post just yet.
To clarify, the addition of TPM 2.0 and it being setup correctly requires physical access to a computer to bypass. After that, yes you can encrypt an already encrypted drive. Bit locker without TPM has been a poor solution since the start and can be encrypted by ransomware but with TPM 2.0 configured properly you need physical access (for now at least, I'm sure a flaw will be found at some point). Secure Boot prevents unauthorized OS's to boot, which is also a very common way ransomware attacks are done. So yes, you can encrypt an already encrypted hard drive with TPM 2.0 and Bit locker but you need physical access to the machine. Yes. they bypassed it in under 30 minutes but they had physical access to the Lenovo laptop.

https:///arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/

ignoring Fort Knox and focusing on the not-so-armored car coming out of it.

In order to sniff the data moving over the SPI bus, we must attach leads or probes to the pins (labeled above as MOSI, MISO, CS, and CLK) on the TPM. Normally that is simple but there is a practical problem in this case. This TPM is on a VQFN32 footprint, which is very tiny. The “pins” are actually only 0.25mm wide and spaced 0.5mm apart. And those “pins” aren’t actually pins, they are flat against the wall of the chip so it’s physically impossible to attach any sort of clip. You could solder “fly leads” to the solder pads but that’s a hassle and tends to be a very physically unstable connection. Alternatively a common tactic is to locate in-series resistors to solder to, but they were just as small, and even more fragile. This was not going to be easy.

But before we got started we figured there might be another way. Many times SPI chips share the same “bus” with other SPI chips. It’s a technique hardware designers use to make connections simpler, save on cost, and make troubleshooting/programming easier. We started looking throughout the board for any other chip that might be on the same bus as the TPM. Maybe their pins would be larger and easier to use. After some probing and consulting the schematics, it turned out that the TPM shared a SPI bus with a single other chip, the CMOS chip, which definitely had larger pins. In fact, the CMOS chip had just about the largest pin size you can find on standard motherboards, it was a SOP-8 (aka SOIC-8).

Short for complementary metal–oxide–semiconductor, a CMOS chip on a PC stores the BIOS settings, including the system time and date and hardware settings. The researchers connected a Saleae logic analyzer to the CMOS. In short order, they were able to extract every byte moving through the chip. The researchers then used the bitlocker-spi-toolkit written by Henri Numi to isolate the key inside the mass of data.

With the hard drive decrypted, the researchers combed through the data in search of something—encrypted or plaintext passwords, maybe exposed sensitive files or similar things—that might bring them closer to their goal of accessing the client’s network. They soon hit upon something: Palo Alto Networks’ Global Protect VPN client that had come pre-installed and preconfigured.
 
To clarify, the addition of TPM 2.0 and it being setup correctly requires physical access to a computer to bypass...
This...is also totally false.

The article specifically talks about 'hacking your network' BEFORE login. I am referring to people accidentially (or maliciously, or on purpose) running malware/ransomware on their computer FROM WITHIN THE OS - which is 99.99% of the 'home user' use case. Once you log into an OS, the system (and you) have full access to write, delete, change, AND encrypt data. By extension, any program you run (think ransomware) can also do all of these things.

Also, even in the Ars Technica example, there's absolutely NOTHING stopping me from taking that drive, hooking it up to some other computer system, and encrypting the already encrypted data AGAIN.

Thus, I repeat, The TPM requirement will help in absolutely ZERO of the home use cases where ransomware is run from within the Windows 11 operating system.
 
Last edited:
I will give you this -

If virtualization-based security (VBS) can actually defeat ransomware, malware, and viruses for good (not just until the better, smarter ransomwares come around) then the TPM pre-requisite may be worth it, but I definitely have my doubts.
 

ginandbacon

Commendable
Aug 22, 2019
9
1
1,515
0
I will give you this -

If virtualization-based security (VBS) can actually defeat ransomware, malware, and viruses for good (not just until the better, smarter ransomwares come around) then the TPM pre-requisite may be worth it, but I definitely have my doubts.
I agree time will tell. there is a lot of money involved in ransomware/malware, which is used to fund new ransomware/malware development so it could be all for nothing. Someone pointed out in another thread that OEM and hardware makers should of been shipping hardware with all the security features enabled by default, and I agree. MS did try to make secure boot required for Windows 8.1, but backed down. I don't think they can this time, all the security stuff really does require the CPU to support multiple things that are relatively new considering the time it takes from being a concept CPU (for lack of a better term) to being assembled in bulk, sold to OEM's, and made publicly available if you build your own machine.

Yes, you were 100% correct and I was wrong. You can encrypt an already encrypted filesystem. I have no issues admitting when I am wrong, so thanks for pointing that out. Honestly, I wish we could trust hard drive manufactures to support encryption at the hardware level. Hardware solutions are almost ALWAYS better then software solutions in my experience, both in performance and actual security gained, but based on some brief research, consumer level hard drive manufactures just can't be trusted to leave a potential back door. I am sure enterprise hard drives do support it as enterprise level hardware is more expensive and if they get caught, they lose a LOT of money compared to home users. There is a reason Lenovo and other only put backdoor software on consumer level laptops but not their business ones like ThinkPad's a few years back.

Bit Locker currently slows down my read speeds by 1GB/s. According to Crystal Disk Mark, I consistently get 4600MB/s read on sequential reads with Bit Locker disabled. I consistently get 3500/3600 MB/s read on sequential reads with Bit Locker enabled. Write speeds are closer, although still slower when BL is enabled. 4K random and sequential read/write speeds are pretty much the same. While I know software based encryption slows down drives, 1000MB/s is close to losing 1/5th the read speeds as I often transfer large files and right now, my internal nvme drive seems to be the bottleneck when transferring data to my external Samsung X5 nvme TB3 drive (no Bit Locker on external drives, fully decrypted).

Yes, that article was about compromising one computer with physical access to get access to business/ect.. network and compromising the company's VPN or LAN, among other things, not someone clicking on a link they obviously shouldn't be. Hopefully this is where VBS really helps, but we will have to wait and see. I came across another article that lists another security feature that works out of the box with Edge, but you have to install an optional feature, app from the MS store, and a Chrome/Firefox extension to get it working in other browsers. Sounds like MS tried to bury this feature to make Edge seem more secure. One article I read said it was useless in Windows 10 Pro and only worked on Enterprise while another said the opposite. Being able to sandbox Office is good, as malware attachments are often sent in an Office file format of some kind.

While Edge is better now that it is Chromium based, I rarely use it. I use the Chrometana Pro extension, along with EdgeDeflector (which can oddly be downloaded via winget). Essentially it redirects searches through Start/Cortona, anywhere so you can do internet searches without having to using Bing and Edge and use Chrome and Google every time. Pretty nice to just be able to hit WINKEY and type in "dogs are cool" and have Chrome open with the Google search results. I could live with Edge but I can't stand Bing, you can't change the search engine, and MS needs to quit trying to make Bing a thing.

VBS sounds promising, and if you have all the supported hardware that is needed for 11, you can turn on every one of these features in Windows 10 Pro, you just have to manually enable them in the BIOS and in the OS.

https://www.zdnet.com/article/windows-11-has-advanced-hardware-security-heres-how-to-get-it-in-windows-10-today/

The CPU must support Intel's VT-X and AMD-V, while neither are new, it also requires VT-X/AMD-V to support Second Level Address Translation (SLAT), which is newer hence the CPU compatibility list being what it is.

There's an additional HVCI requirement that any I/O devices capable of Direct Memory Access (DMA) sit behind an IOMMU (Input-Output Memory Management Unit). Those are implemented in processors that support Intel VT-D, or AMD-Vi instructions. (also required for 11, not talked about but relatively new)

Should the browser become infected by scripting or malware attacks, the Hyper-V container, which runs separately from the host operating system, is kept isolated from your critical systems processes and your enterprise data.
MDAG is combined with Network Isolation settings configured for your environment to define your private network boundaries as defined by your enterprise's Group Policy.


https://hitechglitz.com/windows-11-offers-advanced-hardware-security-heres-how-to-get-it-in-windows-10-today/

One particular feature that many Windows users are unfamiliar with is Microsoft Defender Application Guard or (MDAG). (***Based on group policy and appears to be geared towards businesses, but can be configured via local group policy also with scripts available to set local GPO options already out there)

This is another virtualization-based technology (also known as “Krypton” Hyper-V containers) that, when combined with the latest Microsoft Edge (and current versions of Chrome and Firefox with an extension), creates an isolated storage instance of your browser. Prevent your system and company data from being compromised by untrusted website
Should the browser be infected by scripting or malware attacks, the Hyper-V container, which runs separately from the host operating system, remains isolated from your critical system processes and your company data.

MDAG is combined with network isolation settings configured for your environment to define your private network boundaries according to your company’s group policy.

In addition to protecting your browser sessions, MDAG can also be used with Microsoft 365 and Office to prevent Word, PowerPoint, and Excel files from accessing trusted resources like corporate credentials and data. This feature was released in August 2020 as part of a public preview for Microsoft 365 E5 customers.

MDAG, which is part of Windows 10 Professional, Enterprise, and Educational SKUs, is activated through the Windows Features menu or a simple PowerShell command. It doesn’t require Hyper-V to be enabled.
 
Reactions: alceryes
Microsoft is using it so they can use their own encryption on everything. They will override all hardware based encryption making access to outside actors easier in many ways.

It will also be used as a unique fingerprint & tracking to assess whom you are and what software is registered to what system, what you do online, and what you are doing with it.

Trust me the next time you register with a Microsoft account for windows they will require a non VPN ip, a non burner email, and attached to that registration will be your tpm key 10:1. No doubt it will phone home using your regular IP on a regular basis.
 
Last edited:

Endre

Respectable
Apr 30, 2019
842
156
2,190
28
The requirements of Windows 11 are fine, by me (Secure boot; UEFI; TPM 2.0; new CPU generation; DirectX 12).
More secure platform = OK.

The thing that doesn’t sit well with me is that Windows 11 will be released in a few days, but it’s still not a 100% finished product!
Why Microsoft??
Why rushing in a product that doesn’t have all the features and bug fixes resolved from the get-go?
 

ASK THE COMMUNITY

TRENDING THREADS