TPM, Windows 11, and what it means for getting that upgrade this fall

Why is TPM a thing, and what does it mean for getting that Windows 11 upgrade later this year? Let's find out.

As we remarked a week ago, Windows 11 turned out to be much more than just a new Start menu. The new store, Android apps, Direct Storage, Auto HDR, new touch UX, and new forthcoming features, such as haptic pens, make Windows 11 a significant overhaul of the six-year-old Windows 10.

But one item we did not anticipate when it came to major Windows 11-related changes was the apparent cutoff for which PCs can get the free Windows 11 upgrade. That topic is causing a lot of confusion. Here is what we know and what we don't know about it.

Why have TPM requirements at all?

It is clear Microsoft is positioning Windows 11 as its next major OS for the upcoming decade. While it is not a clean break from Windows 10, some older PCs will not make the cut.

The big motivator here seems to be security, as Microsoft explained recently in a blog post.

TPM (Trusted Platform Module) is nothing new for PCs. It goes back to the mid-2000s as an international standard for a secure cryptoprocessor. Although there are firmware versions, too, like fTPM, TPM is usually a physical hardware chip used to store cryptographic keys and other secrets in a way that cannot be read back, while also helping ensure a secured boot environment.

In the real world, TPM allows for things like:

  • BitLocker Drive Encryption
  • Windows Hello PINs and biometrics
  • Windows Defender System Guard
  • Tamper detection of the PC's hardware
  • Virtual Smart card
  • Credential Guard
  • Secure Boot

With TPM, BitLocker gets to store the encryption key and your Windows Hello biometrics securely. This ability is why Windows Hello is so well protected. Your biometrics, like fingerprints or facial recognition data, do not go to the cloud; instead, they are hardware-encrypted on your PC so that the info cannot be retrieved or reverse-engineered to bypass your PC's login process.

Secure boot is becoming increasingly important, too. From Microsoft's documentation:

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.

TPM's role in Windows Hello and Microsoft Passport security.

Microsoft is drawing a line on security and saying that to use Windows 11 PCs going forward, you need to have this feature enabled.

The good news is TPM 1.2 (more on that below) goes back to 2005. TPM 2.0 goes back to 2015, and most PCs are supposed to ship with it, although that does not always seem to be the case, especially if you build your own.

I realize that this is all just techno mumbo jumbo for many consumers, but Windows PCs have had a long history of security issues. Microsoft has gone to great lengths since Windows 10 to secure its OS as much as possible, and Windows 11 takes a more rigid stance.

What is required for Windows 11?

Win + R and typing in 'tpm.msc' tells you about TPM on your PC.

Even the requirements for Windows 11 are a bit confusing as there are both "hard" and "soft" floors of cutoffs for the update. Many PC makers are also now giving guidance on which PCs will get it.

The hard floor is what most people who have older PCs should be looking at. If your PC does not meet these standards, you cannot get Windows 11. The hard floor requires TPM 1.2 or greater, a Secure Boot-capable system, 4GB of RAM, 64GB of storage, and at least a dual-core processor faster than 1GHz.

Those are hardly strict requirements for a forward-looking OS in 2021.

The soft floor requires TPM 2.0 (which started shipping in all PCs around 2016/2017) and needs specific processors. These are devices that are free to update with no caveats.

The soft floor seems to be what Microsoft's PC Health Check app is looking at and where a lot of confusion is happening.

Indeed, the more significant issue here may not be TPM requirements, but the fact that any Intel CPU older than 8th Gen does not make the cut for Windows 11. Unfortunately, that includes a lot of Surface devices, including Surface Studio 2 and Surface Pro 5. That caveat does not mean those computers can't run Windows 11; it just means Microsoft does not support them running Windows 11. It is an important distinction.

Gaming PCs and TPM: present (but not enabled)

One issue that will be hard to navigate for the entire upgrade process is that many gaming PCs have TPM on the motherboard (it is a physical chip, after all), but it is not enabled. For example, this was the case on my CLX gaming PC, which initially failed Microsoft's check for Windows 11 compatibility.

Enabling Secure Boot on a 2021 gaming PC.

The solution was to go into the BIOS and enable secure boot and Intel Platform Trust Technology (PTT). It took 30 seconds, and my PC is now Windows 11 compliant, which is reasonable considering it is a brand new 2021, $7,500 computer!

As you can see, the problem is some PCs have the hardware, but it is not enabled. Microsoft's Health Check app does not explain why your PC does not meet the requirements, although we have heard Microsoft will update the app soon to address that. It is also not clear that you can do a software check to see if your PC has TPM 2.0 in the event the module is present but disabled.
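To make the "present but disabled" caveat concrete, here is an added PowerShell script (not from the article or from Microsoft's PC Health Check app) that reports the hardware-dependent pieces of the hard floor listed above and the TPM spec level Windows can see. It uses only the built-in Win32_Tpm WMI class, Confirm-SecureBootUEFI and the standard CIM classes, and must be run from an elevated PowerShell prompt on Windows 10. The key point it demonstrates is the limit of a software check: when the TPM is switched off in firmware, Windows sees no TPM at all, so "not found" is not the same as "not fitted." The soft-floor supported-CPU list is not encoded because the article does not reproduce it.

```powershell
# Added example: Windows 11 hard-floor check from inside Windows 10 (run elevated).
# Thresholds are the ones the article quotes: TPM 1.2+, Secure Boot capable,
# 4 GB RAM, 64 GB storage, dual-core at 1 GHz or faster.

function Get-TpmStatus {
    # Win32_Tpm only exists when the firmware exposes a TPM to the OS. A chip or
    # fTPM/PTT that is disabled in BIOS/UEFI usually produces NO instance here,
    # so an empty result is not proof that the machine lacks a TPM.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present = $false; Enabled = $false; SpecVersion = $null
            Note = 'No TPM visible to Windows. It may still be on the board but disabled; look for PTT (Intel) or fTPM (AMD) in firmware setup.'
        }
    }
    # SpecVersion is a string such as "2.0, 0, 1.38" or "1.2, 2, 3"; first field is the spec level.
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()
    if ($spec -eq '2.0') { $note = 'TPM 2.0 seen: satisfies the TPM part of the soft floor' }
    else                 { $note = "TPM $spec seen: hard floor only, upgrade 'not advised'" }
    [pscustomobject]@{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled_InitialValue
        Activated   = [bool]$tpm.IsActivated_InitialValue
        SpecVersion = $spec
        Note        = $note
    }
}

function Get-SecureBootStatus {
    # Confirm-SecureBootUEFI needs elevation and throws on a legacy-BIOS boot,
    # so the firmware type is checked first via the firmware_type variable.
    if ($env:firmware_type -ne 'UEFI') {
        return [pscustomobject]@{ Uefi = $false; SecureBootEnabled = $false
                                  Note = 'Booted in legacy BIOS mode; Secure Boot requires UEFI boot.' }
    }
    try { $on = [bool](Confirm-SecureBootUEFI) } catch { $on = $false }
    if ($on) { $note = 'Secure Boot is on' }
    else     { $note = 'UEFI boot but Secure Boot is off: the PC is "capable", enable it in firmware setup' }
    [pscustomobject]@{ Uefi = $true; SecureBootEnabled = $on; Note = $note }
}

function Get-HardFloorReport {
    $cpu    = Get-CimInstance Win32_Processor | Select-Object -First 1
    $ramGB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $letter = $env:SystemDrive.TrimEnd(':')
    $diskGB = [math]::Round((Get-Volume -DriveLetter $letter).Size / 1GB, 1)
    $tpm    = Get-TpmStatus
    $sb     = Get-SecureBootStatus

    # MaxClockSpeed is reported in MHz, hence the 1000 comparison for 1 GHz.
    [pscustomobject]@{
        'CPU cores >= 2'         = ($cpu.NumberOfCores -ge 2)
        'CPU >= 1 GHz'           = ($cpu.MaxClockSpeed -ge 1000)
        'RAM >= 4 GB'            = ($ramGB -ge 4)
        'System disk >= 64 GB'   = ($diskGB -ge 64)
        'TPM 1.2+ visible to OS' = ($tpm.Present -and ($tpm.SpecVersion -in @('1.2', '2.0')))
        'Secure Boot capable'    = $sb.Uefi
        'TPM detail'             = $tpm.Note
        'Secure Boot detail'     = $sb.Note
    }
}

Get-HardFloorReport | Format-List
```

Read the two "detail" lines before drawing a conclusion from the TPM row: a gaming PC like the one described above, with PTT switched off, fails the TPM row here for the same reason it failed the Health Check app, and the fix is in firmware setup, not in Windows.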

Here's the more significant issue: Does Microsoft want to send thousands (millions?) of people into their PC BIOS to start fiddling with security features? Again, you can see how that leaves room for a lot of problems.

At least for new PCs that sell Windows 11 pre-installed, this won't be a concern.

What happens if your PC does not have TPM 2.0 or a modern processor?

Sorry, your CPU is no good. But, is it really?

We don't know. Microsoft says:

Devices that do not meet the hard floor cannot be upgraded to Windows 11, and devices that meet the soft floor will receive a notification that upgrade is not advised.

It sounds like if your computer has TPM 1.2 (which is incredibly old) and at least a 1GHz processor, you can still get Windows 11; it is just "not advised."

Gigabyte GC-TPM Trusted Platform Module.

But what that process looks like is not known at this time. We expect Windows 11 to start rolling out in October through early 2022, like previous Windows updates. So my hunch is users can still take the Windows 11 upgrade, but there may be some warnings about it not being recommended.

To be clear, Windows 11 runs well on older hardware. It is not like older Intel 6th Gen processors cannot handle the OS — far from it. This discussion is all about security.

For those who build their gaming PCs, if your motherboard does not have TPM 2.0 you can buy the module ($30) and install it yourself. Just make sure your motherboard does not already have it since many modern motherboards do, even if it's not enabled.

Will Microsoft stick with Windows 11 requirements?

If I had to guess, Microsoft might modify some of these requirements and even the wording around Windows 11 as we advance. Right now, the scope of the "TPM problem" is not known, when it comes to how many PCs are out there with TPM in a disabled state.

Microsoft has four months to figure out how to address the issue. It could either relax requirements or let affected users take Windows 11 even after advising them against it.

In some ways, this debacle is unfortunate but not uncommon. Apple and Google routinely cut off hardware for new operating systems. My late 2017 Google Pixel 2 will not get Android 12 even though it can absolutely run it. Microsoft doing the same in the name of security is necessary to push standards forward, especially in an age of ransomware, where TPM plays one part in a growing security infrastructure.

How to check if your PC has a trusted platform module (TPM)

I think the bigger looming issue is not even TPM, but processor compatibility. Microsoft has done this in the past, but these are known as "soft blocks." For example, Windows 10 21H1 does not officially support Intel 4th Gen "Haswell" chips, but you can still run Windows 10 on those processors without issue. Microsoft appears to be doing the same here. There will be soft blocks for non-compatible CPUs, but you can still install Windows 11 on a Surface Pro 5; it just won't be "supported."

Regardless, I think it is evident that Microsoft needs to get clearer messaging around this update as there will be a lot of confusion in the future.


Reviewed by admin on June 25, 2021
