Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys ~ Wikipedia
You may have read my recent rant regarding Microsoft’s ridiculous requirements for running Windows 11: Windows 11 Forces Hardware Upgrades. If you did, then you will know that I am not a happy camper. The mandatory requirements for running Windows 11 are, in my opinion, ridiculous in the extreme… and that includes enforcing the TPM security protocol. TPM can be included either as part of the motherboard (hardware TPM) or as a feature of the CPU (firmware TPM).
Hardware TPM
I have been researching motherboard specs and discovered that, while most modern motherboards include a TPM “header” very few, if any, come with the required TPM chip (or module):
If you look up the specs for a specific motherboard and see the following:
It means that the motherboard only includes provision for a TPM chip and not that a chip is actually fitted. Not only are these TPM chips as scarce as rocking horse manure but they are also not a universal fit, meaning you need to track down a TPM chip that is compatible with the specific motherboard brand and model. As I have discovered, not an easy chore. On a side note, such has been the demand for TPM chips that scammers are now selling fake chips on eBay at inflated prices.
Firmware TPM
According to many reports, all CPUs manufactured post-2016 include TPM as part of the firmware. However, to confirm this claim I started randomly checking the specs for 8th gen and 9th gen Intel CPUs and of six I checked none supported TPM- or TXT (Trusted Execution Technology) as Intel refers to it. For example, here is the relevant spec for the popular Intel i5 9400 CPU:
So, apparently, just because an Intel chip has been manufactured post-2016 does not necessarily mean it supports TXT/TPM. I tried the same exercise with modern AMD CPUs but none of the specs I checked even mention TPM. Here are the specs for the popular Ryzen 5 5600X taken directly from the official AMD website:
And, if a CPU does support TPM, the setting to enable/disable TPM in BIOS is disabled by default. This begs the question: if TPM is such an important security measure that it is now mandatory for Windows 11, why on earth has it not always been ENABLED by default?
While most security experts are in favor of the adoption of TPM, especially in corporate environments, the security protocol has not been without its critics. The following is from Wikipedia:
TCG (Trusted Computing Group) has faced resistance to the deployment of this technology in some areas, where some authors see possible uses not specifically related to Trusted Computing, which may raise privacy concerns. The concerns include the abuse of remote validation of software (where the manufacturer—and not the user who owns the computer system—decides what software is allowed to run) and possible ways to follow actions taken by the user being recorded in a database, in a manner that is completely undetectable to the user ~ source
Windows 11 And TPM
At the moment, users are reporting that enabling the CPU’s firmware TPM in BIOS is sufficient to meet the Windows 11 requirement. However, bearing in mind that firmware TPM is generally regarded as less effective than hardware TPM, I wonder if that will always be the case:
- When manufacturers start producing certified Windows 11 motherboards will a TPM chip/module then be fitted as standard?
- And, if hardware TPM does become the standard, will firmware TPM still meet the Windows 11 TPM requirement — or will Microsoft move the goalposts yet again?
When Microsoft first announced its requirements for Windows 11, the older version of TPM (v1.2) was given the green light. However, Microsoft has since backflipped on that and announced that the latest TPM v2.0 is the minimum requirement.
No wonder users are confused!
BOTTOM LINE
TPM is a security measure specifically designed to help safeguard against firmware attacks, including Ransomware. While many in the security industry see this as a positive move, there is no doubt that Microsoft’s decision to enforce TPM for Windows 11 has been ill-conceived and ill-timed. Considering it’s highly doubtful that this has been a spur-of-the-moment decision by Microsoft, why on earth wasn’t this impending requirement announced much earlier so that manufacturers could make the necessary adjustments and users were not taken completely by surprise?
I’ve been researching this matter because I was seriously considering purchasing a new PC that meets Windows 11 requirements so I could write articles to help you good folk get started with the new operating system and keep you informed of any new innovations and/or peculiarities. However, after discovering this confusing mess regarding TPM, I am now resolved to waiting until the release of Windows 11 officially certified PCs and components so I know for certain that when I outlay $$$$ for a new machine it will definitely meet all of Windows 11’s requirements.
In the meantime, I have four perfectly healthy machines all with specs that are more than adequate to run Windows 11 but can’t because of Microsoft’s ridiculous requirements.
—
Gee, what if MS issued an upgrade and nobody downloaded it.
Couldn’t agree with you more about holding off until the official certifications. Not only are the TPM and hardware requirements ridiculously confusing, but the Health Check app to check for upgradability was also a complete disaster. I’m certainly in no hurry to install it at this point, especially since Windows 10 is being supported until 2025.