News Windows 11's TPM Requirement Surprised PC Builders, but You Can Enable It in BIOS

[Admin]

Microsoft requires TPM to be enabled to upgrade to Windows 11. For many PC builders, you can enable that in your BIOS.

Windows 11's TPM Requirement Surprised PC Builders, but You Can Enable It in BIOS : Read more

 

[saudor]

Interesting how lowly ATOM processors can get the update but an i5 6600k with 32 GB RAM cannot, despite also having TPM 2.0 support.

Looks like they took a page out of Apple on this one!

 

[hotaru.hino]

Firmware based TPM implementations require the CPU to have something called a Trusted Execution Environment.

If you just want the tl;dr of what has this:

Hardware support
The following hardware technologies can be used to support TEE implementations:

• AMD:
  • Platform Security Processor (PSP)[21][22][23]
  • AMD Secure Encrypted Virtualization[24] and the Secure Nested Paging extension[25]
• ARM:
  • TrustZone[26]
• IBM:
  • IBM Secure Service Container,[27] formerly zACI, first introduced in IBM z13 generation machines (including all LinuxONE machines) in driver level 27.[28]
  • IBM Secure Execution,[29] introduced in IBM z15 and LinuxONE III generation machines on April 14, 2020.
• Intel:
  • Trusted Execution Technology
  • SGX Software Guard Extensions[30]
  • "Silent Lake" (available on Atom processors)[31][32][33]
• RISC-V:
  • MultiZone™ Security Trusted Execution Environment[34]
  • Keystone Customizable TEE Framework[35]
  • Penglai Scalable TEE for RISC-V [36]

 

[Colif]

I think ftpm is just AMD systems, Intel ones call it Intel Trusted Platform Module.

I went from not able to get it to being eligible by changing it in BIOS. So it works.

 

[USAFRet]

I seriously think that 'requirement' will be pulled out of the final release.
Far far too many systems that are currently running Win 10 just fine are not capable of that.

 

[Colif]

Do MS have shares in Hardware companies?

On 1 hand win 10 support ends 2025
On other hand, win 11 needs TPM which many PC don't have.

Lots of unforced upgrades in coming years?

the changes needed to make it work on anything are minimal.

 

[Reclusive Eagle]

Ok so I have a i5 9600k (Microsoft lists intel 8th gen and up as compatible) and an MSI Gaming Plus Z390 motherbaord.
Motherboard does not have TPM (has socket for external one) but the 9600k has a dTPM.

The health app is garbage and says I am not compatible (TPM disabled). My question is am I compatible? Do you specifically NEED PTT TPM 2.0 or does dTPM 2.0 work as well??? I have Secure boot with UEFI+Legacy support

 

[Colif]

7 hours after reveal, these are questions we will discover answers to in coming days I guess.

If win 10 runs on PC, no reason win 11 won't. I seen people run it on really old dell laptops.

 

[Reclusive Eagle]

7 hours after reveal, these are questions we will discover answers to in coming days I guess.

If win 10 runs on PC, no reason win 11 won't. I seen people run it on really old dell laptops.

That's because there is a work around to disable TPM requirements on the leaked build by hacking the iso builder. These requirements will be hard coded on official release

 

[velocityg4]

I seriously think that 'requirement' will be pulled out of the final release.
Far far too many systems that are currently running Win 10 just fine are not capable of that.

They better if they don't want this to be one of the slowest roll outs in Windows history. Loads of computers which may have TPM support may have Secure Boot disabled. Meaning a lot of those people won't upgrade either. As they won't think their computers can run it.

Also, what about computers which don't pass the compatibility check. Is Windows 11 going to keep haunting them with an upgrade offer which won't work? Just like Windows 10 did.

One nice thing is MS is not Apple. They're a bit more responsive to user push back. This sounds like a decision which looked great on paper. In a room full of tech geeks with the latest hardware. Waiting for reality to take a dump on it.

 

[Reclusive Eagle]

They better if they don't want this to be one of the slowest roll outs in Windows history. Loads of computers which may have TPM support may have Secure Boot disabled. Meaning a lot of those people won't upgrade either. As they won't think their computers can run it.

Also, what about computers which don't pass the compatibility check. Is Windows 11 going to keep haunting them with an upgrade offer which won't work? Just like Windows 10 did.

One nice thing is MS is not Apple. They're a bit more responsive to user push back. This sounds like a decision which looked great on paper. In a room full of tech geeks with the latest hardware. Waiting for reality to take a dump on it.

I honestly think this is may end up being the deal breaker for Windows 11's success. Like do you know how many people are running 7th gen and down? (MS lists Windows 11 compatibility with Intel 8th Gen +) Like I don't even think gen 1 ryzen is compatible with TPM 2.0.

 

[mikewinddale]

I wonder if one reason for this requirement is to incentivize motherboard makers to finally enable fTPM / PTT by default? There's really no reason for most motherboards to disable it by default. By requiring TPM, Windows 11 will incentivize motherboard makers to enable it by default, so that Windows 11 will work without having to modify BIOS settings.

 

[gtarthur]

There is also the requirement for UEFI boot AND secure boot must be enabled.

MBR2GPT /convert /allowfullOS

Then boot into BIOS/UEFI mode and change setting to force boot to UEFI mode and turn on secure boot.

Rerun the PC Health Check to see if that passes the Windows 11 compatibility test.

 

[Reclusive Eagle]

I wonder if one reason for this requirement is to incentivize motherboard makers to finally enable fTPM / PTT by default? There's really no reason for most motherboards to disable it by default. By requiring TPM, Windows 11 will incentivize motherboard makers to enable it by default, so that Windows 11 will work without having to modify BIOS settings.

When they said "most secure" version they meant "we haven't actually updated security but we require you to enable hardware locks like TPM and secure boot"

 

[Reclusive Eagle]

Does anyone know if dTPM 2.0 works? My motherboard doesn't have PTT TPM 2.0 but my 9600k has discrete tpm 2.0 as a setting in BIOS

 

[hotaru.hino]

On other hand, win 11 needs TPM which many PC don't have.

While a lot of PCs don't have the capability, quite a few motherboards do provide a TPM port. So you may not need to upgrade your system entirely. You just need to add a TPM 2.0 compliant module.

I wonder if one reason for this requirement is to incentivize motherboard makers to finally enable fTPM / PTT by default? There's really no reason for most motherboards to disable it by default. By requiring TPM, Windows 11 will incentivize motherboard makers to enable it by default, so that Windows 11 will work without having to modify BIOS settings.

Honestly there's a lot of things about x86 based systems that should just no longer be the default. Like every processor starting in Real Mode.

When they said "most secure" version they meant "we haven't actually updated security but we require you to enable hardware locks like TPM and secure boot"

View: https://www.youtube.com/watch?v=3byNNUReyvE

There's a lot of attacks that can still happen before the OS gets a chance to boot. Requiring a secure environment before boot will help with that.

 

[Reclusive Eagle]

While a lot of PCs don't have the capability, quite a few motherboards do provide a TPM port. So you may not need to upgrade your system entirely. You just need to add a TPM 2.0 compliant module.

The issue is yes it might be easy to get a manufacture specific TPM module in the US, in every other country its an issue. In South Africa we only have Gigabyte TPM modules (I have MSI) So imagine if I import and its broken? That's if it even makes it through customs and if it does I pay 30% on the entire shipment.. Which would require a 3rd party courier with a min price of $50

 

[hotaru.hino]

The issue is yes it might be easy to get a manufacture specific TPM module in the US, in every other country its an issue. In South Africa we only have Gigabyte TPM modules (I have MSI) So imagine if I import and its broken? That's if it even makes it through customs and if it does I pay 30% on the entire shipment.. Which would require a 3rd party courier with a min price of $50

But is it still cheaper than buying a new system outright?

 

[punkncat]

I really feel like if they don't change their mind on this that a whole lot of users will have no choice but to consider open source OS after EOS on W10.

This also means that all these office refurbs of older generation Dell, HP, etc. are basically going to be worthless as an old Mac after EOS.
This could seriously change the landscape of the computer buying world.

 

[Johnpombrio]

I too thought that MS went way out on a limb by requiring TPM2, but MS gives some reasons why they may require it. From MS:

"Is there any importance for TPM for consumers?

For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business, and in the future, will be a component of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage."

I finally found the way to enable TPM on my ASUS Z390-E mobo in the BIOS. Advanced-PCH-FW Configuration-change Discrete(dongle needed) to Firmware. BTW, MS treats the dongle and Intel's PTT exactly the same so no reason to buy a dongle if you can enable firmware.

 

[Sleepy_Hollowed]

This opens up a huge issue: unless you have an external TPM chip (only some mainboards have this, and are version limited for the most part), the firmware, CPU based TPM has to be turned off every time there’s a uefi update. Will that not affect windows 11?
I few this wasn’t well thought of.

I do have an AMD system that I use the external TPM chip so firmware updates don’t affect the system, but the immense majority of people won’t have systems like these.

 

[ex_bubblehead]

Even if one does find a compatible TPM module there are a great many systems (eg. some HP Elitebook laptops) that don't have fully compatible UEFI BIOS and therefore will not work. This was not well thought out by Microsoft.

 

[Colif]

Passport works perfectly fine without TPM enabled. I have been using a PIN for the last 8 months and only today enabled TPM in bios. So it might help passport but passport is able to create unique keys without needing tpm.

 

[Johnpombrio]

This opens up a huge issue: unless you have an external TPM chip (only some mainboards have this, and are version limited for the most part), the firmware, CPU based TPM has to be turned off every time there’s a uefi update. Will that not affect windows 11?
I few this wasn’t well thought of.

I do have an AMD system that I use the external TPM chip so firmware updates don’t affect the system, but the immense majority of people won’t have systems like these.

Nope. Just did an ASUS Z390-E mobo UEFI BIOS update with Intel's PTT firmware TPM turned on. It only warns about making sure I have my BitLocker key saved (I don't use Bitlocker). The BIOS update went ahead as usual and the only thing I had to do was to reenable TPM under Advanced-PCH-FW Configuration- firmware again. Normal boot and all is well. The only thing that will mess you up is losing that TPM chip/dongle or the BIOS ROM/CPU which will brick your boot and the encrypted drives.

 

[anonymousdude]

I can't imagine they keep this requirement when they officially release. What are you gonna do for all the people that have a newish PC and all of a sudden you're told by Microsoft that you can't upgrade to or run windows 11 even though they could by changing a setting? It's gonna be a headache for everyone involved.