Question tpm module question

[corvairbob]

i have 4 probook laptops the 6470b,6570b,6460b and the 6465b they all tell me theya re not ready for win11 but on the 6470b laptop when i do the win+r key and then tpmmsc and i get the tpm app to show up it looks like i have the tpm 1.2 it tells me i have the IFX module and mfg ver 3.19 and spec ver 1.2 and if i click the command management tab i get tons of blocked items. i can click them and i see they can be changed but i avoid that for messing the tpm up and making the pc a big brick.

anyway is there any driver updates to make this tpm usable for win11?
does anyone know if ther is a physical tpm chip on these pc? i looked and i could not find anything that looks like a tpm chip
if the board does not have the tpm module, then can the ExpressCard slot or smart card be used for the tpm module?
i have the win11 iso but i do not think windows will do security updates on a pc that is running win11 if it is not really able to run it normally.

thanks

 

[drea.drechsler]

I believe Win 11 requires TPM ver 2.0. It must be a hardware (or firmware) TPM built to ver. 2.0 and no driver or driver/software can change it.

But there are more criteria than just TPM version that make a system compatible, in particular Microsoft has also determined many older CPU's aren't compatible for other technical reasons. Microsoft has the oddly named PCHealth Tool you can use to see everything that makes your system non-compliant. It is possible to force it to install on non-compliant hardware, I'm not sure it's a good idea though. Windows 10 is still an equally good alternative but the main reason is MS is constantly updating Win11. You never know if, in the future, an update won't play nicely with your non-compliant hardware.

 

[corvairbob]

thanks i did find that pchealth app on the microsoft site and ran it and it turns out my processor is not up to the win11 standards either. and now i see tons of win11 pcs on ebay and i believe they are bypassing the win11 tpm and processor requirements and selling them and they may not be able to get the security updates. so now window may have to filter those pcs out i have a pc with that bootloaded win11 and it tells me i have no security updates on it. so i guess i will wait until win10 is about to run out and see what is available new and just get a new pc. or i may get lucky and winows will do a work around that will allow updates to the pcu and tpm and maybe even do drivers for them.

 

[drea.drechsler]

.... wait until win10 is about to run out ...

Win 10 will continue support until 2025...at least that's the plan we've been told since Win11's hardware requirements became known. But even then, it really only means they'll stop "developing" it...meaning adding new features. I'm pretty sure security updates will continue after that, at least for so long as a sufficiently large base is still using it.

I can also imagine it means they'll stop support for new hardware. That's doesn't seem such a big deal to me if running it on pretty pretty old hardware that's not likely to be compatible with the newer stuff. That would be mostly a problem for people who insist on running Win10 on the latest hardware at that time, like they do Windows 7 now.

 

[corvairbob]

ok thanks that may be how it turns out. i plan on waiting until i'm forced to get a new pc as like your saying they may just keep security going and not much else, i guess by then anti virus program will make a big return again.

 

[drea.drechsler]

...i guess by then anti virus program will make a big return again.

Based on the things I've been reading I'm pretty sure Microsoft will continue to provide security updates so Defender will continue to function as it does now. It's not such a bad AV app but a good 2nd party AV app is a good idea since an exploit missed by one the other will quite likely catch. I use MalwareBytes right now although only Defender is providing real-time protection along with Microsoft's firewall.

And you'll still have other security features Windows 10 offers. You should be able to use your rev 1.2 TPM, except for Credential Guard which will require TPM 2.0 going forward. You could enable UEFI and secure Boot...but only if your motherboard vendor provides a UEFI firmware with Secure Boot. To do that you'll have to convert your system disk to GPT partitioning scheme if it's not already.

 

[corvairbob]

yes i run mwb also along with windows defender they both run auto and i also do now and then the anti rootkit as well. i was thinking of getting a cheap pc off ebay with win11 but i see they are now coming out of the wood work so i'm thinking peopel are just putting win11 on old pcs and they do not have the proper security on them, so i will just wait and the worst case is that in a few years i will jst have to get a new pc that has the correct OS on it for the security. thanks

 

[drea.drechsler]

yes i run mwb also along with windows defender they both run auto and i also do now and then the anti rootkit as well....

I'm not sure a TPM will do much to help with preventing a root-kit infection. As I understand it, what helps most with that is UEFI mode operation with Secure Boot. I was able to enable that on a 2012 era computer, with an FX 6300 processor that lacks any sort of TPM. What it required was the latest BIOS and a little perseverance (mainly because Gigabyte makes it so hard to disable CSM/enable UEFI on their boards). Now Windows 10 is running on it with Secure Boot and I have pretty good protection.

As far as I can tell, a TPM's major benefit to security is provide a place to safely encrypt and store credentials for logging on certain services. Microsoft uses it for the PIN when you also use your Microsoft account for logon credentials, for instance. It also stores the key there for a BitLocker protected drive. And finally...some games require use of it for hardware/software attestation as anti-cheat protection so you won't be able to play them without one.

In a business environment, or any other place where people have physical access to your computer, these things may be more important. But locked up in your home it seems much less so.

 

[corvairbob]

that makes sense. i run the bit defender now and then and the root kit if i install a new download just in case for my pc i have fingerprint turned on but some say that is about useless but it is easier that entering a password or pin as i just swipe the finger and it turns on. i do not do games on my pcs only my phone and i do not do any money stuff on my phone i do not trust the apps thanks

 

[drea.drechsler]

that makes sense. i run the bit defender now and then and the root kit if i install a new download...

IMO, the best strategy to prevent that is download only from known reliable and reputable sources.

But if for some reason you have to use sketch download sites, or just like the extra protection, the best tactic is dedicate one computer to do it on. Pick up a cheap used one just to give it that task if you have to. Then run all your security measures on that computer against the file before decompressing/copying it off to a USB stick to take to other computers. And, of course, run security scans against it there too just to be safe.

That dedicated computer you can easily enough re-image, even after every download if necessary, so you don't have to worry about picking up rootkits or anything else. Just make sure you have a good process for scanning the file before opening it up on any other computer.

 

[corvairbob]

i run ublock and also chrome and if happen on a iffy site and one of those pops up i never go further. i figure it the ublock site does not like the site or chrome does not like it then it most likely is a bad virus infected site. but now and then when i'm doing a search from an email and i know the site should be good i have to bypass the warning then i run the rootkit app and now and then if i get multiple warnings i will run defender in its full scan. thanks

 

[sajid_ali]

Based on the information you provided, it appears that the TPM version on your ProBook laptops is TPM 1.2, which is not compatible with Windows 11. TPM 1.2 is an older version of the TPM standard and is not supported by the latest version of Windows. To use Windows 11, you will need a TPM 2.0, which is the latest version of the TPM standard.

Regarding the driver updates, it's possible that HP may release updated TPM drivers for your ProBook laptops that are compatible with Windows 11. You can check the HP website for any available updates.

Regarding the physical TPM chip on the laptops, it's possible that it is embedded on the motherboard and not visible as a separate chip. Also, there is no support for the ExpressCard slot or Smart card as a TPM module replacement.