So you have probably heard that Microsoft has announced that a TPM (Trusted Platform Module) chip will be required to run Windows 11. The news comes with some confusion, especially with regard to older existing devices.

On the surface, it sounds like a significant hardware upgrade for anyone who wants to move on from Windows 10. The plans have been in the works for quite some time, but the communication of the facts has been a little blurry. Not all devices will be compatible with the hardware requirement even if their owners want to switch. Some are left at the first hurdle, wondering what a TPM even is and why Windows 11 needs it.

“The Trusted Platform Module (TPM) is a chip that is either integrated into your PC’s motherboard or added separately into the CPU,” explains David Weston, director of enterprise and OS security at Microsoft. “Its purpose is to protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.”

Typically, a computer’s security protections live only in software. The key difference with a TPM is that it protects keys and credentials at the hardware level. Users will be able to benefit from Windows’ BitLocker feature and encrypt their own disks. The TPM also hardens stored credentials against password guessing, shutting down dictionary attacks against the secrets it protects.

A dedicated TPM chip you probably don’t actually need for Windows 11. Image credit: theverge.com

TPM is not a new technology. TPM 1.2 chips have been around since 2011, but until now they have generally been reserved for devices used by IT-managed businesses. Basically, with Windows 11 Microsoft is looking to bring the same level of protection to the average consumer. Some of the features in question haven’t exactly had the smoothest history; the aforementioned BitLocker was found to have a serious flaw that the company has since put right.

Since its hasty and confusing initial announcement, the company has clarified that TPM 2.0 is the requirement, not TPM 1.2. Specific CPUs are also likely to be required alongside the TPM.

Unfortunately, in our increasingly computer-driven world, firmware attacks have become far more frequent. We have had warnings from Microsoft for months. Inevitably, as the creator of one of the most popular operating systems, the company felt the need to tackle the issue head-on. “Our own Security Signals report found that 83 percent of businesses experienced a firmware attack, and only 29 percent are allocating resources to protect this critical layer,” says Weston.

Microsoft is pushing modern Windows 11 PCs. Image credit: theverge.com

83 percent may sound alarmingly high, but the reality is that there are many different types of cyber attack. Phishing, ransomware, supply chain, and IoT vulnerabilities make for a broad range of threats. Ransomware attacks are very frequent, and ransomware profits only continue to fund further ransomware production. That makes it a tricky problem to solve, but the TPM is a step in the right direction and will help against some forms of attack. To cover its bases, Microsoft is proposing a combination of modern CPUs and Secure Boot alongside its set of virtualization-based protections to tackle future ransomware issues.

The Windows platform is more often than not at the center of these cyber attacks. As one of the most widely used platforms for worldwide business operations, it has seen more than its fair share of devastation. With over 1.3 billion Windows 10 machines currently in use today, the software has certainly borne the brunt and made global headlines on many occasions. You may remember that the Russia-linked SolarWinds hack and the Hafnium hacks were both aimed at a Microsoft Exchange Server. Although Microsoft isn’t responsible for whether or not a client keeps its software patched, it has concerns and is trying to get one step ahead.

OEMs have been shipping devices with TPM support since Windows 10. Until now, no one has had to turn the TPM on in order to get Windows working. Tom Warren put it plainly in his article at The Verge: Microsoft has been slow to “move Windows into the future in both hardware and software”. Unfortunately, it has taken a while to get all the details of this overhaul, or at least some have felt that way. Microsoft’s Windows 11 upgrade checker was not easy to interpret, so there was understandable confusion. But basically, the real Windows 11 change is that devices will now have to activate the TPM chip that they already support.

The minimum system requirements are listed together on the Microsoft Windows 11 website alongside a link to the list of compatible CPUs. Microsoft has also launched a PC Health Check app and has asked users to download it to check whether or not Windows 11 will run. The app will flag systems that do not have Secure Boot. It will also alert users whose devices have TPM support enabled but lack the required supporting CPU. From what we can gather, that means chips older than the officially supported 8th Gen Intel parts and beyond.

However, even with the upgrade checker, many are still lost trying to figure out whether their device supports TPM or not, confused by their BIOS settings. Some have even gone as far as ordering and purchasing TPM modules that they have zero need for. There is obviously a sudden rise in demand, because we are already seeing scalpers appear on eBay.

Add to that the fact that Microsoft originally had an entirely different webpage full of information that contradicts its latest announcement. Conveniently, it changed the details. The original version of the page stated the true minimum requirements as a TPM 1.2 and a 64-bit dual-core CPU at 1GHz or faster, but it now says TPM 2.0 with an ‘explicitly certified’ compatible processor from the linked list. This, unfortunately, means that anything earlier than an 8th Gen Intel Core may not work, and neither will an AMD Ryzen 2000.

The CPU requirement is still up in the air; for now, we only have confirmation via a rep that spoke to The Verge that TPM 2.0 will be the mandatory minimum. They also clarified that the original website information was incorrect and that the mistakes have since been corrected.

New vs Old. Image credit: theverge.com

Certified OEM hardware that sports a Windows 11 sticker still needs checking. Microsoft is promoting TPM 2.0 and performing checks for 8th Gen or newer Intel chips as well. Microsoft’s suggestions make it seem as though older machines will probably be incompatible with a Windows 11 update. As yet, we still don’t know for sure, but it seems like we are headed that way. Microsoft is planning to share a more detailed blog post with a better explanation of the minimum requirements as we speak.

Unless you have a seriously old CPU in your PC, it probably has TPM 2.0 support. So don’t go throwing it out just yet.

If you find yourself flagged, make sure “PTT” is enabled in your BIOS on Intel systems, or “PSP fTPM” on AMD devices, before re-running the PC Health Check app for Windows 11. The company’s system checker has been updated and tweaked a little; it is now much more specific about why your PC isn’t passing.
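As an added example, not taken from the article or from Microsoft’s PC Health Check app, the following PowerShell script reads the same two things the checker looks at: whether Windows can see a TPM, which spec version it reports and whether it is enabled and activated, and whether Secure Boot is on. It uses the standard Win32_Tpm WMI class and the Confirm-SecureBootUEFI cmdlet; the function name Get-Win11ReadinessReport is an assumption of this example. Run it from an elevated PowerShell prompt on Windows 10. The CPU-list check cannot be automated here, so the script only prints the processor name for you to compare against Microsoft’s published list.

```powershell
# Added example (not from the article or Microsoft). Summarise the TPM and
# Secure Boot state that the Windows 11 PC Health Check app evaluates.
# Run elevated: Win32_Tpm and Confirm-SecureBootUEFI need administrator rights.

function Get-Win11ReadinessReport {
    # Win32_Tpm lives in its own WMI namespace. It is absent entirely when the
    # firmware has PTT/fTPM switched off, which is the common "no TPM" case.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    $tpmPresent = $null -ne $tpm
    # SpecVersion reads like "2.0, 0, 1.59"; the first field is the TPM family.
    $specVersion = if ($tpmPresent) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $tpmEnabled   = $tpmPresent -and [bool]$tpm.IsEnabled_InitialValue
    $tpmActivated = $tpmPresent -and [bool]$tpm.IsActivated_InitialValue

    # Confirm-SecureBootUEFI throws on legacy BIOS machines (no UEFI), which
    # also fail the Windows 11 check, so treat an exception as "off".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $cpu = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Name

    [pscustomobject]@{
        TpmPresent     = $tpmPresent
        TpmSpecVersion = $specVersion
        TpmEnabled     = $tpmEnabled
        TpmActivated   = $tpmActivated
        Tpm20Ready     = $tpmPresent -and ($specVersion -eq '2.0') -and $tpmEnabled -and $tpmActivated
        SecureBoot     = $secureBoot
        Processor      = $cpu   # compare manually against Microsoft's compatible-CPU list
    }
}

$report = Get-Win11ReadinessReport
$report | Format-List

# Plain-language hints matching the article's advice.
if (-not $report.TpmPresent) {
    Write-Host 'No TPM visible to Windows. Enable Intel PTT or AMD fTPM in the firmware setup, then re-run.'
} elseif ($report.TpmSpecVersion -ne '2.0') {
    Write-Host "TPM reports spec $($report.TpmSpecVersion); Windows 11 requires TPM 2.0."
} elseif (-not ($report.TpmEnabled -and $report.TpmActivated)) {
    Write-Host 'TPM 2.0 is present but not enabled/activated; check the firmware TPM state.'
}
if (-not $report.SecureBoot) {
    Write-Host 'Secure Boot is off or the system is booting in legacy BIOS mode.'
}
```

A report showing TpmPresent false on a machine from the last few years almost always means the firmware TPM is simply switched off, which is exactly the case where buying a discrete TPM module would be wasted money.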

We will all benefit from a more secure platform. Windows could evolve into a safe ecosystem following the efforts of Xbox. Microsoft has good intentions and is clearly making an effort; they just didn’t give it to us clearly from the get-go.