Microsoft explains why you’ll need a TPM for Windows 11
Microsoft is prioritizing security over the PC's tradition of lifelong hardware support.
By Mark Hachman
PCWorld, Jun 30, 2021 9:50 am PDT
Image: Gordon Mah Ung / IDG
Microsoft’s hardware requirements for Windows 11 have been undoubtedly confusing, with users questioning why they need both an 8th-gen Intel Core CPU and TPM functionality to upgrade to Windows 11. Microsoft has attempted to answer the question.
In a blog post, David Weston, director of enterprise and OS security for Microsoft, explained that TPMs (Trusted Platform Modules) are part and parcel of Microsoft’s response to a growing level of cybercrime, including phishing and ransomware. PCs with TPMs inside offer a greater level of protection from those attacks, Weston wrote.
Weston explained that Microsoft has helped push the PC platform forward from 2019’s secured-core PCs, which began combining hardware and firmware protections with virtualization. But Microsoft needs a more solid foundation for the future, and TPMs enable that, Weston wrote. All new Windows 11 PCs will ship with a TPM 2.0 inside, he said.
“PCs of the future need this modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states,” Weston wrote. “Requiring the TPM 2.0 elevates the standard for hardware security by requiring that built-in root-of-trust.”
In the future, Weston added, you’ll see PCs with the Pluton technology, which Microsoft co-developed with AMD, integrated into AMD, Intel, and Qualcomm CPUs for the PC. Pluton further integrates the TPM into the PC’s microprocessor, establishing a secured channel to Microsoft’s Azure cloud for secured Windows updates and firmware updates, too.
Making sense of the TPM and Windows 11
The Trusted Platform Module (TPM) is a chip that is either integrated into your PC’s motherboard or added separately into the CPU, Weston explained. Its purpose is to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data. TPMs can be discrete chips on a PC’s motherboard, but more recently they’ve been directly integrated into the CPU itself as a logic block.
Knowing the differences between a TPM 1.0 chip and a TPM 2.0 chip isn’t really necessary for the enthusiast PC owner, but Microsoft points out several differences: TPM 2.0 supports more sophisticated cryptographic algorithms, provides a more standardized experience, and, most importantly, can be integrated into a CPU.
In a Twitter post on Thursday, Weston pointed out that almost every CPU in the last five years includes a TPM, either called the Intel PTT, or the AMD PSP fTPM. Microsoft has required such a TPM to certify PCs since at least 2015. However, you may need to go into your BIOS and enable that functionality. Robert Hallock, director of technical marketing at AMD, also noted that most PCs already support a first-gen TPM.
Microsoft’s upgrade process for Windows 11 has been confusing on several fronts. First, the requirements for upgrading haven’t been made clear. As ZDNet noted, there are actually two tiers of Windows 11 compatibility: a “soft floor” where a user’s PC includes a TPM 2.0, and a “hard floor” where the PC only has a TPM 1.0, a dual-core CPU, and 4GB of RAM.
The “hard floor” is the minimum configuration mentioned earlier: If your PC doesn’t meet those specifications, you won’t receive Windows 11. Devices that meet the “soft floor” will receive a notification that a Windows 11 upgrade is not advised. But Microsoft also leaves the definition of a “soft floor” PC exceptionally vague, and leaves open the possibility that even a PC with TPM 2.0 functionality inside of it might not receive Microsoft’s recommendation to upgrade to Windows 11.
Editor’s Note: Microsoft removed the “soft floor” mentioned earlier in this article. This means that the TPM 1.0 has been removed from the minimum requirements, and only TPM 2.0 PCs will be eligible for Windows 11.
That’s the second area where Microsoft could improve: the PC Health Check app. If you’ve tried to run the app to check whether your PC is eligible to upgrade to Windows 11, and Health Check has told you that it’s not, it’s not clear whether your device doesn’t meet the “hard floor” minimum requirements, or Microsoft is simply telling you that the upgrade is not advised. Microsoft is promising revisions to the Health Check app to clear up the confusion.
Clearly, security is becoming more tightly integrated into PCs, with more sophisticated methods of combating malware. What we’re seeing is a clash between the ideology of the PC—that, essentially, it will run forever—and Microsoft’s contention that older hardware needs to be jettisoned for security’s sake. Microsoft certainly could have done a better job of preparing us for this shift, but at least those who can’t be upgraded to Windows 11 will be able to run Windows 10 until 2025.
Updated at 9:49 AM on June 30 to add an explainer video on what a TPM is.