Why Windows 11 is forcing everyone to use TPM chips

Reading Time: 4 minutes

Windows 11 will require TPM (Trusted Platform Module) chips on both existing and future devices, according to Microsoft. It’s a big hardware update that’s been years in the making, but Microsoft’s clumsy communication has left a lot of people wondering if their gear is compatible. What is a Trusted Platform Module (TPM), and why do you need one for Windows 11?

According to David Weston, director of enterprise and OS security at Microsoft, “The Trusted Platform Modules (TPM) is a chip that is either embedded into your PC’s motherboard or installed separately into the CPU.” “Its goal is to keep encryption keys, user credentials, and other sensitive data safe behind a hardware barrier, preventing viruses and criminals from accessing or tampering with it.”

As a result, it’s all about safety. TPMs work by providing hardware-level protection rather than just software-level protection. It can be used to encrypt disks using Windows technologies such as BitLocker, or to protect passwords against dictionary attacks. TPM 1.2 chips have been around since 2011, although they’ve mostly been seen in IT-managed corporate laptops and PCs. Microsoft aims to ensure that everyone who uses Windows has the same level of security, even if it isn’t always perfect.

For months, Microsoft has warned that firmware attacks are on the rise. “According to our own Security Signals research, 83 percent of businesses have encountered a firmware attack, yet only 29% are investing resources to secure this key layer,” Weston said.

READ ALSO: Apple releases iOS 14.7 just as MagSafe Battery Pack appears on shelves

The wide breadth of assaults becomes evident when you consider the different phishing, ransomware, supply chain, and IoT vulnerabilities that exist. Ransomware attacks make the news on a weekly basis, and ransomware funds even more ransomware, making it a challenging challenge to overcome. TPMs will likely assist with some attacks, but Microsoft is betting that a combination of contemporary CPUs, Secure Boot, and its virtualization defenses will be enough to defeat ransomware.

Microsoft is doing its part, especially as Windows is the platform that is most frequently targeted by these attacks. It’s widely utilized by organizations all over the world, with over 1.3 billion Windows 10 machines in operation right now. Microsoft software has been at the heart of severe attacks that have made international news, such as the SolarWinds hack connected to Russia and the Hafnium hacks on Microsoft Exchange Server. While the company isn’t responsible for requiring its clients to maintain their software up to date, it is attempting to be more proactive in terms of security.

Microsoft has a history of failing to bring Windows into the future, both in terms of hardware and software, and this change hasn’t been effectively articulated. Since Windows 10, Microsoft has required OEMs to ship devices with TPM chip support, but it hasn’t needed consumers or its various device partners to switch them on in order for Windows to run. That’s what’s truly new with Windows 11, and it’s caused a lot of understandable confusion when combined with Microsoft’s Windows 11 upgrade checker.

The minimal system requirements are listed on Microsoft’s Windows 11 website, along with a link to compatible CPUs and an explicit note that a TPM 2.0 is necessary at a minimum. The PC Health Check program, which Microsoft encourages consumers to download and run to test if Windows 11 is installed, will highlight systems that lack Secure Boot or TPM compatibility, as well as devices with CPUs that aren’t officially supported (anything older than 8th Gen Intel chips).

As a result, many consumers are trying to figure out if their device supports TPM, are confused about BIOS settings, and are even rushing to buy TPM modules they don’t require. TPM 2.0 modules are even being scalped on eBay!

It didn’t help matters that Microsoft had a second homepage with contradicting information, which it later removed a few hours after we published this report. The true minimum requirements, according to the original version of the page, were TPM 1.2 and a 64-bit dual-core CPU with a clock speed of 1GHz or higher, but the new page now specifies TPM 2.0 and a processor that Microsoft has explicitly certified as compatible — which could mean anything before an 8th Gen Intel Core and AMD Ryzen 2000 won’t work.

We’re currently waiting for Microsoft to confirm the CPU requirement, however a representative confirmed that TPM 2.0 will be required and that the information on that website was incorrect. An MS representative tells The Verge, “The cited docs page was a mistake that has since been fixed.”

Because these are the requirements for approved OEM hardware — the computers you’ll find in stores with an eventual Windows 11 badge — Microsoft is promoting TPM 2.0 and completing checks for 8th Gen or newer Intel CPUs. However, it’s no longer clear whether the Windows 11 update will operate on older devices, and Microsoft has told us it won’t. Microsoft is reportedly working on a blog post that will go over the minimal criteria in greater detail.

However, just because you’re having trouble with Microsoft’s compatibility tool doesn’t imply your current PC is toast. Unless your CPU is quite ancient, it is likely that TPM 2.0 capability is already built-in.

If you’re having trouble using the PC Health App checker in Windows 11, make sure your BIOS has “PTT” activated on Intel systems or “PSP fTPM” enabled on AMD devices. The company’s system checker should also be less confused now: Weston tweeted shortly after we published this story that the tool will now be more precise about why your PC is failing to pass inspection.

What Microsoft is attempting to accomplish here, together with its new efforts for Xbox-like security on Windows, will benefit the Windows ecosystem for years to come. On the first day, Microsoft completely failed to communicate this to everyone.