Why does Windows 11 require TPM 2.0? Microsoft responds

When Microsoft announced Windows 11, there was quite a bit of excitement. DirectStorage, Auto HDR, Android app support—these all sounded like great features to have in your daily computer. However, once people started using their PC Health Check tool to see if their hardware could support Windows 11, it seemed as though many failed due to a pesky TPM 2.0 requirement.

David Weston, the Director of Enterprise and OS Security at Microsoft, explains what’s going on in a new post on Microsoft’s security blog. Essentially, a Trusted Platform Module (TPM) is a chip that is either already integrated into your motherboard, or added separately to your system. It helps protect encryption keys, user credentials and other various sensitive data behind a hardware barrier, preventing malware and hackers from accessing that data. If you use a laptop with Windows Hello for example, there’s a good chance a TPM 2.0 module is there to secure your identity and data.

While TPM has been around for quite some time now, it’s typically found on business laptops and enterprise machines only. For most regular folk with a desktop PC built themselves or bought pre-assembled, the motherboard will have a slot for it, but without the actual TPM chip itself. This has led to many people confused regarding the Windows 11 requirements, and could also explain why many are seeing the PC Health Check app reporting that their system can’t handle Windows 11.

According to Weston, the reason Microsoft decided that needing a TPM 2.0 chip is because of the rising number of cybersecurity threats. The security features that TPM 2.0 brings to the table means that Windows 11 will be safe and secure for the user.

“PCs of the future need this modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states.

Requiring the TPM 2.0 elevates the standard for hardware security by requiring that built-in root-of-trust,” – David Weston, Director of Enterprise and OS Security, Microsoft

So does this mean that, for desktop PC users at least, we’ll have to buy one of these TPM 2.0 modules to attach onto our systems?

Well, not exactly. I personally tried out Microsoft’s PC Health App tool and it told me that my desktop wouldn’t be able to run Windows 11—despite my CPU being an AMD Ryzen 5 3600, one that Microsoft themselves list as compatible.

Indeed, after going through my BIOS settings, it turns out that the culprit is Secure Boot and TPM 2.0 not being turned on by default. Switching those on meant that I was able to pass PC Health App’s Windows 11 test. Here’s the thing though: I don’t have a TPM 2.0 module. In fact, most people who have custom built PCs won’t have a physical TPM module attached to their motherboards.

Instead, what most people will have is a firmware TPM (fTPM). All of Intel’s CPUs from the 6th Generation Intel Core series have firmware TPM onboard, while non-K Intel CPUs from the 4th and 5th generation have it too. You won’t find it called fTPM though as Intel brands it as Platform Trust Technology, or PTT for short. AMD meanwhile has fTPM baked into its CPUs from Ryzen 2500 onwards. It’s not as secure as using an actual TPM 2.0 module, but it will meet Windows 11’s TPM criteria – as long as it’s part of or newer than the 8th Gen Intel Core series and 2nd generation AMD Ryzen.

So if you do have a system that’s compatible with Microsoft’s Windows 11 requirements but failed their PC Health Check app, you might need to enter your BIOS to tweak those settings. The steps will vary based on your motherboard manufacturer though, so it’s best to look up the manual for your motherboard on the vendor’s website.

However, there are those who meet its requirements but have a CPU that’s not on Microsoft’s list of supported CPUs for Windows 11. Weston says that their decision isn’t purely due to security, but to ensure there’s enough performance to handle the new OS too. And yet, it seems highly unlikely that a high-end 7th Gen Intel Core i7 is unable to run Windows 11, but somehow it’s not on Microsoft’s list.

Nevertheless, we’ll have to wait for the Windows Insider Program to release Windows 11 to the public to truly know just how Windows 11 will interact with not just fTPM solutions, but CPUs not officially on their supported list too.

[ SOURCE 2 3 ]