Skip to main content
  1. Home
  2. Computing

Microsoft won’t budge on Windows 11 TPM requirement, but offers clarification

Jacob Roach
By

Microsoft has updated its minimum system requirements for Windows 11, which doesn’t make a difference for the vast majority of people. The requirements are less strict now, technically, though nowhere near on the level I hoped for or expected. That includes the TPM requirement, which Microsoft is holding firm on.

When Microsoft announced Windows 11, PC enthusiasts were forced to become cybersecurity experts, trying to figure out what a TPM is and why it’s important. Microsoft is offering a solution to that problem for people with recent hardware. Still, it hasn’t addressed the main issue with the TPM and Windows 11. Here’s why.

Related Videos

The enthusiast dilemma

Someone placing a processor in a motherboard.

Let’s get some housekeeping out of the way first. The main issue with TPM is that a lot of DIY motherboards don’t come with a chip on board. Microsoft has required PC makers to include a TPM for years, so this conversation doesn’t really apply to prebuilt machines or laptops from the last few years. It’s focused on PC builders that have recent hardware, but not a dedicated TPM chip.

Related

You don’t need a dedicated TPM chip for Windows 11, but Microsoft did a bad job of explaining that. Microsoft’s old PC Health Check app said my gaming PC with a 10th-gen Core i9 couldn’t run Windows 11. It could, but Microsoft didn’t explain that I would need to enable the TPM through firmware.

Needless to say, a media frenzy followed as PC builders were told they couldn’t run Windows 11. Recent motherboards support TPM through firmware, which is less secure than a hardware solution, but still enough to run Windows 11. Now, Microsoft is addressing the issue with an updated PC Heath Check app.

It will now tell users what component isn’t compatible with Windows 11 and link to a support article, including articles about enabling firmware TPM. Microsoft is standing its ground on this requirement, which has been around for PC manufacturers for a few years. There’s a good reason why, but that doesn’t address the problem TPM presented in the first place.

TPM or no TPM

asus tpm chip in motherboard.

A TPM is simple. It’s a small chip that stores keys to decrypt data and other authentication information. The TPM is notable because it’s set away from the CPU and other components. Even during a catastrophic event when your PC is compromised, no one will be able to crack into the TPM. It’s a vault for secure data, as Jorge Myszne, co-founder and CEO of Kameleon Security, calls it.

The applications of a TPM for most people are Windows Hello and Bitlocker, which aren’t strictly necessary. A strong password still works in place of biometric authentication for Windows Hello, and Bitlocker is only necessary if you want to encrypt your hard drive — and a lot of people don’t. They offer increased security, assuming you use them.

Secure Boot is a different matter. In short, Secure Boot is tied to firmware stored on your motherboard, and checks everything that executes before the operating system loads. To make sure there aren’t any unauthorized programs running, it gains deep access to the software running on your PC. It doesn’t require a TPM.

Windows gives applications access to the TPM, which makes it much more practical. According to Myszne, however, most developers don’t take advantage of it because messing with the TPM has the chance to brick components. “Anything that has to do with VPNs or storing, you know, all the password managers, all those things. It’s exactly the application [that] should be using the TPM, but they don’t use it, right? Just because they don’t want to deal with that.”

Instead, vendors store things like certificates and authentication keys in software, where it’s more vulnerable. That doesn’t mean all software bypasses the TPM, however. Outlook and Thunderbird, for example, use the TPM to handle encrypted email. Still, a lot of software opts to use software instead, rendering the TPM pointless for them.

I don’t want to mince words: Having TPM is better than not having it — it’s just a matter of how much security you need. Once you move from a dedicated TPM module to software TPM, you’re already giving up some security. Windows 11 works with both, but that doesn’t address the problem for people who either have an older version of TPM or not at all.

The TPM problem

AMD Ryzen 5 2400G & Ryzen 3 2200G Review fingers
Bill Roberson/Digital Trends

There’s a reason DIY motherboards don’t come with firmware TPM enabled: It’s not as secure. Firmware TPM uses the CPU instead of a separate, smaller processor on the motherboard. As the Spectre and Meltdown vulnerabilities show, the CPU isn’t immune to security compromises, which brings into question why firmware TPM works with Windows 11.

If both hardware and less-secure firmware TPMs work with Windows 11, why have the requirement at all? Microsoft wants increased security, which is something I can get behind, but it doesn’t make sense to meddle in a middle ground. Going hardware only would alienate some of Microsoft’s customers, but the hard requirement on TPM is already doing that.

You need a recent motherboard to use the TPM version Microsoft requires. Most motherboards produced after 2016 fall into that category. Every motherboard vendor is a little different, however, so some started supporting TPM 2.0 shortly after it released in 2014 while others waited until later. Unfortunately, most motherboard makers waited.

That means if you built your PC between 2014 and 2016, the answer to if your PC supports Windows 11 is a depressing “maybe.” If you built your PC before 2014, it’s a hard “no.” Instead, Microsoft has told users with older hardware to just keep using Windows 10, which is an OS that will almost certainly play second fiddle to Windows 11 once it launches.

Unfortunately, the conversation around TPM and Windows 11 is largely irrelevant. Microsoft updated its list of supported processors, but failed to add support for many of the CPUs customers were asking for. That includes first-gen Ryzen processors, which released in 2017. If you have a PC you built before 2016, there’s a decent chance it doesn’t support Windows 11 — TPM or not.

The good news is that Microsoft is offering a workaround. If you don’t have a supported CPU, you can still download the Windows 11 ISO and install the OS. Going this route will put the OS in an unsupported state, so it could be subject to more bugs and crashes. For the ISO, all you need is a 1GHz dual-core processor, 4GB of RAM, and 64GB of storage.

Microsoft’s firm stance on TPM sends a message. It’s that Windows is moving in a direction of enhanced security, but at the cost of the “bring-your-own-hardware” mentality the OS has long held. Holding onto Windows 10 or using Windows 11 in an unsupported state are fine solutions for now, but they will run their course before Microsoft ends support for Windows 10 in 2025.

Editors' Recommendations

Topics
Ranking all 12 versions of Windows, from worst to best
Windows 7 desktop.

You can tell a person's age by which version of Windows is their favorite. I have fond memories of XP and Windows 98 SE, so you can take a guess at mine, but I have colleagues who are much more enamored with Windows 7, or Windows 95. We all have something disparaging to say about Windows 8 though, and the less said about Windows Vista the better.

Ranking the different versions of Windows is about more than what era of computing you grew up in, though. There are some very serious duds in Microsoft's back catalog, just as there are a few wins too. But whether you can look back on some of Microsoft's disastrous releases with rose-tinted glasses, or have some genuine love for Microsoft's missteps, here's every version of Windows ranked from best to worst.
12. Windows ME

Read more
Microsoft will launch ChatGPT 4 with AI videos next week
ChatGPT AI bot running a phone.

ChatGPT has been inescapable in recent months, and it looks like Microsoft is about to upgrade the AI tool with an update that could thrust it into the spotlight once again. That’s because the company is set to launch GPT-4 as early as next week, and it will potentially let you create AI-generated videos from simple text prompts.

The news was revealed by Andreas Braun, Chief Technology Officer at Microsoft Germany, at a recent event titled “AI in Focus -- Digital Kickoff” (via Heise). According to Braun, “We will introduce GPT-4 next week … we will have multimodal models that will offer completely different possibilities -- for example videos.”

Read more
Grammarly’s new ChatGPT-like AI generator can do a lot more than proofread your writing
GrammarlyGO's Rewrite for Length feature is shown.

Grammarly, one of the biggest names in writing tools, is adding AI-generated text to its repertoire on the heels of the wild popularity of ChatGPT. Known as GrammarlyGO, this new tool is focused on improving writing rather than replacing the writer.

GrammarlyGO will roll out in beta form to existing users in April. All tiers, including developers, business, education, and premium users, will have access. You can even use GrammarlyGO with a free account.

Read more