Why Windows 11 is forcing everyone to use TPM chips

Microsoft announced yesterday that Windows 11 will require TPM (Trusted Platform Module) chips on existing and new devices. It’s a significant hardware change that has been years in the making, but Microsoft’s messy way of communicating it has left many people confused about whether their hardware is compatible. What is a TPM, and why do you need one for Windows 11 anyway?

“The Trusted Platform Module (TPM) is a chip that’s either built into your PC’s motherboard or added separately into the CPU,” explains David Weston, director of enterprise and OS security at Microsoft. “Its purpose is to safeguard encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.”

So it’s about security. TPMs work by offering hardware-level protection rather than software-only protection: keys stay inside the chip, so software running on the PC can use them but cannot read them out. They can be used to encrypt disks with Windows features like BitLocker, or to prevent dictionary attacks against passwords. TPM 1.2 chips have existed since 2011, but they’ve typically only been used widely in IT-managed business laptops and desktops. Microsoft wants to bring that same level of protection to everyone using Windows, even if it’s not always perfect.

Microsoft has been warning for months that firmware attacks are increasing. “Our very own Security Signals report discovered that 83 percent of businesses experienced a firmware attack, and only 29 percent are allocating resources to safeguard this critical layer,” says Weston.

That 83 percent figure sounds huge, but when you take into account the many phishing, ransomware, supply chain, and IoT vulnerabilities that exist, the broad range of attacks becomes a lot clearer. Ransomware attacks hit the news weekly, and ransomware funds more ransomware, so it’s a hard problem to solve. TPMs will certainly help against certain attacks, but Microsoft is banking on a combination of modern CPUs, Secure Boot, and its own set of virtualization-based protections to really make a dent in ransomware.

Microsoft is trying to play its part, particularly as Windows is the platform that’s most often affected by these attacks. It’s widely used by businesses worldwide, and there are more than 1.3 billion Windows 10 machines in use today. Microsoft software has been at the core of devastating attacks that made global headlines, like the Russia-linked SolarWinds hack and the Hafnium hacks on Microsoft Exchange Server. While the company isn’t responsible for forcing its customers to keep its software patched, it’s trying to be more proactive about protection.

Microsoft has a habit of struggling to move Windows into the future in both hardware and software, and this particular change hasn’t been explained well. While Microsoft has required OEMs to ship devices with support for TPM chips since Windows 10, the company hasn’t forced users or its many device partners to turn them on for Windows to work. That’s what’s really changing with Windows 11, and coupled with Microsoft’s Windows 11 upgrade checker, it has resulted in a lot of understandable confusion.

Microsoft’s Windows 11 website lists the minimum system requirements, with a link to compatible CPUs and a clear mention that TPM 2.0 is required at a minimum. The PC Health Check app that Microsoft asks people to download and run to see if Windows 11 will work will flag systems that don’t have Secure Boot or TPM support enabled, as well as devices whose CPUs aren’t officially supported (anything older than 8th Gen Intel chips).

That’s left many people trying to figure out whether their device supports TPM or not, confused by BIOS settings, and even rushing to buy separate TPM modules they don’t need. Some are even scalping TPM 2.0 modules on eBay!

It also didn’t help that Microsoft originally had a second webpage with contradictory information, one that it changed a couple of hours after we published this story. According to the original version of the page, the real minimum requirements were TPM 1.2 and a 64-bit dual-core CPU of 1GHz or faster, but the new page now clarifies that it needs TPM 2.0 and a processor that Microsoft has explicitly certified as compatible, which could mean everything before an 8th Gen Intel Core and AMD Ryzen 2000 won’t work.

We’re still waiting for explicit confirmation from Microsoft on the CPU requirement, but a rep confirms that TPM 2.0 will be mandatory, and that the original information on that page was wrong. “The referenced docs page was a blunder which has since been corrected,” a Microsoft rep tells The Verge.

Microsoft is promoting TPM 2.0 and checking for 8th Gen or newer Intel chips because these are the requirements for certified OEM hardware, the machines you’ll be able to buy with an inevitable Windows 11 sticker. But it’s still not clear whether the Windows 11 update will work on older machines, and Microsoft is telling us that it won’t. We understand Microsoft is currently putting together a blog post that will describe the minimum requirements in greater detail.

But that doesn’t mean your existing PC is out of luck just because you’re having problems with Microsoft’s compatibility tool. Unless your CPU is very old, it probably already has baked-in TPM 2.0 support.

If you’re having issues with the PC Health Check app for Windows 11, make sure “PTT” is enabled in the BIOS on Intel systems, or “PSP fTPM” on AMD devices. The company’s system checker should also be less confusing now: shortly after we published this story, Weston tweeted that the tool will now be more specific about why your PC isn’t passing muster.
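Before digging through BIOS menus, it helps to know what Windows itself sees. The script below is an added example, not from The Verge or from Microsoft’s PC Health Check app; it reads the TPM spec version and enabled state that Windows exposes through the Win32_Tpm WMI class and checks Secure Boot with Confirm-SecureBootUEFI, then points at the PTT/fTPM firmware setting the article mentions when no TPM is reported. The function name Get-Windows11ReadinessReport is this example’s own; run it from an elevated PowerShell prompt, since both queries need administrator rights.

```powershell
# Added example (not part of the original article): report whether this PC
# exposes an enabled TPM 2.0 and has Secure Boot on, the two checks the
# article describes. Run from an elevated PowerShell prompt.

function Get-Windows11ReadinessReport {
    # Win32_Tpm reports the spec version as a string such as "2.0, 0, 1.38"
    # (or "1.2, 2, 3" for an older chip). No instance means no TPM is exposed,
    # which usually means PTT/fTPM is switched off in firmware.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmPresent  = $null -ne $tpm
    $specVersion = if ($tpmPresent) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $tpmEnabled  = $tpmPresent -and [bool]$tpm.IsEnabled_InitialValue
    $tpmActive   = $tpmPresent -and [bool]$tpm.IsActivated_InitialValue

    # Confirm-SecureBootUEFI throws on machines booted in legacy BIOS mode,
    # so treat that failure as "Secure Boot not enabled".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    [pscustomobject]@{
        TpmPresent     = $tpmPresent
        TpmSpecVersion = $specVersion
        TpmEnabled     = $tpmEnabled
        TpmActivated   = $tpmActive
        SecureBoot     = $secureBoot
        MeetsTpm20     = ($tpmEnabled -and $tpmActive -and $specVersion -eq '2.0')
    }
}

$report = Get-Windows11ReadinessReport
$report | Format-List

if (-not $report.TpmPresent) {
    Write-Host "No TPM reported to Windows. On Intel systems enable 'PTT' in firmware setup; on AMD enable 'PSP fTPM'."
} elseif (-not $report.MeetsTpm20) {
    Write-Host "A TPM is present but it is not an enabled, activated TPM 2.0 (reported version: $($report.TpmSpecVersion))."
}
if (-not $report.SecureBoot) {
    Write-Host "Secure Boot is not enabled, or the system booted in legacy BIOS mode."
}
```

A machine that prints MeetsTpm20 and SecureBoot as True already satisfies the two settings the checker complains about most; if TpmPresent is False on a recent Intel or AMD CPU, the firmware TPM is almost certainly just disabled rather than missing.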

What Microsoft is trying to achieve here will benefit the Windows ecosystem in the long run, alongside its new efforts to bring Xbox-like security to Windows. Microsoft just totally dropped the ball on explaining that to everyone on day one.

Update, 2:26PM ET: Added that Microsoft updated its PC Health Check app, shortly after we published this story, to be more specific about why your PC isn’t meeting Windows 11 system requirements.

Update, 3:53PM ET: Added that Microsoft has changed its compatibility page to list TPM 2.0 as a requirement rather than TPM 1.2, and that specific CPUs may be a requirement. We’re getting to the bottom of this now.

Correction, 8:06PM ET: This story previously stated that Windows 11 might still install on PCs with TPM 1.2 and older CPUs, because that’s what we read in Microsoft’s documentation. Microsoft has corrected those documents to specify that TPM 2.0 is a minimum requirement for Windows 11.
Source: https://www.theverge.com