(TPM) Trusted Platform Module for Windows 11
Why Windows 11 is forcing everyone to use TPM (Trusted Platform Module) chips
Microsoft announced yesterday that Windows 11 will require TPM (Trusted Platform Module) chips on existing and new devices.
It’s a significant hardware change that has been years in the making, but Microsoft’s messy way of communicating this has left many confused about whether their hardware is compatible. What is a TPM, and why do you need one for Windows 11 anyway?
“The Trusted Platform Module (TPM) is a chip that is either integrated into your PC’s motherboard or added separately into the CPU,” explains David Weston, director of enterprise and OS security at Microsoft.
“Its purpose is to protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.”
So it’s all about security. TPMs work by offering hardware-level protection instead of software-only protection. A TPM can be used to encrypt disks using Windows features like BitLocker or to prevent dictionary attacks against passwords.
TPM 1.2 chips have existed since 2011, but they’ve typically only been used widely in IT-managed business laptops and desktops. Microsoft wants to bring that same level of protection to everyone using Windows, even if it’s not always perfect.
A dedicated TPM chip you probably don’t actually need for Windows 11.
Microsoft has been warning for months that firmware attacks are on the rise.
“Our own Security Signals report found that 83 percent of businesses experienced a firmware attack, and only 29 percent are allocating resources to protect this critical layer,” says Weston.
That 83 percent figure seems huge, but when you consider the various phishing, ransomware, supply chain, and IoT vulnerabilities that exist, the broad range of attacks becomes a lot clearer.
Ransomware attacks hit the headlines weekly, and ransomware funds more ransomware so it’s a difficult problem to solve.
TPMs will certainly help with certain attacks, but Microsoft is banking on a combination of modern CPUs, Secure Boot, and its set of virtualization protections to really make a dent in ransomware.
Microsoft is trying to play its part, particularly as Windows is the platform that’s often most affected by these attacks. It’s widely used by businesses worldwide, and there are more than 1.3 billion Windows 10 machines in use today.
Microsoft software has been at the core of devastating attacks that made global headlines, like the Russia-linked SolarWinds hack and the Hafnium hacks on the Microsoft Exchange Server.
And while the company isn’t responsible for forcing its clients to keep its software patched, it’s trying to be more proactive about protection.
Microsoft is pushing modern Windows 11 PCs.
Microsoft has a habit of struggling to move Windows into the future in both hardware and software, and this particular change hasn’t been explained well.
While Microsoft has required OEMs to ship devices with support for TPM chips since Windows 10, the company hasn’t forced users or its many device partners to turn these on for Windows to work.
That’s what’s really changing with Windows 11, and combined with Microsoft’s Windows 11 upgrade checker, it has resulted in a lot of understandable confusion.
Microsoft’s Windows 11 website lists the minimum system requirements, with a link to compatible CPUs and a clear mention that a TPM 2.0 is required at a minimum. (It’s not.)
The PC Health Check app that Microsoft asks people to download and check to see if Windows 11 runs will flag systems that do not have Secure Boot or TPM support enabled or devices that have CPUs that aren’t officially supported (anything older than 8th Gen Intel chips).
That’s left many trying to figure out if their device supports TPM or not, confused with BIOS settings, and even people rushing to buy separate TPM modules they don’t need. Some are even scalping TPM 2.0 modules on eBay!
Thanks to Windows 11, people are scalping TPM2.0 modules as well now.
$24.90 ➡ $99.90 in just 12 hours
Hidden away on Microsoft’s site is what’s really happening here. The true minimum requirements are TPM 1.2 and a dual-core CPU that’s 1GHz or greater.
TPM support can be enabled on practically any modern CPU through the BIOS settings of a machine. You shouldn’t need a separate module unless your CPU is very old.
Microsoft is promoting TPM 2.0 and performing checks for 8th Gen or newer Intel chips because these are the requirements for certified OEM hardware — the machines you’ll find in stores with an inevitable Windows 11 sticker.
The reality is that Windows 11 will install on devices with TPM 1.2 enabled, and practically any CPU that meets the dual-core 1GHz or above standard — you’ll just have to navigate a notification telling you the “upgrade is not advised.”
Microsoft doesn’t even mention this true TPM 1.2 minimum in its blog post outlining this new security effort today, nor does the company offer any details on the CPU support that many seem to be stumbling into.
If you’re having issues with the PC Health Check app for Windows 11, make sure you have “PTT” on Intel systems enabled in the BIOS, or “PSP fTPM” on AMD devices. Otherwise, wait for Microsoft to improve this system checker over the next couple of weeks.
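To see which of the tiers described above a machine actually falls into, the following PowerShell check can be run from an elevated prompt; it is an added example, not part of the original article or a Microsoft tool. The function name Get-TpmTier and the output field names are made up for illustration, and the thresholds are the ones the article states (TPM 1.2 floor, TPM 2.0 for certified hardware, dual-core CPU at 1GHz or greater); CPU generation is not checked.

```powershell
# Added example: classify the local PC against the TPM/CPU thresholds named in the article.
# Run elevated; Win32_Tpm and Confirm-SecureBootUEFI both need administrator rights.

function Get-TpmTier {
    # Hypothetical helper. $SpecVersion is the Win32_Tpm string, e.g. "2.0, 0, 1.38".
    param([string]$SpecVersion)
    if ($SpecVersion -notmatch '^\s*(\d+)\.(\d+)') { return 'none' }   # empty or "Not Supported"
    $v = [version]"$($Matches[1]).$($Matches[2])"
    if ($v -ge [version]'2.0') { return 'tpm2.0' }
    if ($v -ge [version]'1.2') { return 'tpm1.2' }
    return 'below-1.2'
}

# No instance is returned when the firmware TPM is switched off or no TPM exists.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

# Confirm-SecureBootUEFI throws on legacy BIOS boot or when not elevated.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
catch { $secureBoot = $false }

$tier    = Get-TpmTier -SpecVersion $tpm.SpecVersion
$cpuOk   = ($cpu.NumberOfCores -ge 2) -and ($cpu.MaxClockSpeed -ge 1000)   # MaxClockSpeed is in MHz
$tpmOk   = $tier -in @('tpm1.2', 'tpm2.0')

if ($tier -eq 'none') {
    Write-Warning 'No TPM is exposed to Windows. Check that "PTT" (Intel) or "PSP fTPM" (AMD) is enabled in firmware setup.'
}

[pscustomobject]@{
    TpmTier           = $tier
    TpmEnabled        = [bool]$tpm.IsEnabled_InitialValue
    SecureBoot        = $secureBoot
    CpuCores          = $cpu.NumberOfCores
    CpuMaxMHz         = $cpu.MaxClockSpeed
    MeetsStatedFloor  = $tpmOk -and $cpuOk                        # TPM 1.2+ and dual-core 1GHz+
    Tpm2AndSecureBoot = ($tier -eq 'tpm2.0') -and $secureBoot     # what PC Health Check flags, minus CPU generation
}
```

A result of `TpmTier = none` on a recent machine usually means the firmware TPM is disabled rather than absent, which is the case the PTT and PSP fTPM settings above address.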
What Microsoft is trying to achieve here will benefit the Windows ecosystem in years to come, alongside its new efforts for Xbox-like security on Windows. Microsoft just totally dropped the ball on explaining that to everyone on day one.