Why does Microsoft enforce TPM for Windows 11?

Discussion in 'Windows 11' started by JBenal, May 26, 2022.

  1. JBenal

    JBenal MDL Senior Member

    Nov 2, 2009
    491
    193
    10
    Is it to encourage (force) people to buy new computers? As I and many others have found out, it's possible to install Windows 11 on older x64 systems. So what's so special about TPM?

    (TPM is supposed to be required to install bitlocker on USB sticks, but the hack to bypass that has been around for years.)
     
  2. Konde

    Konde MDL Junior Member

    Aug 1, 2009
    62
    17
    0
    TPM isn't just for USB sticks, it's for all drives, especially for the system drive so it auto-unlocks at boot. Also, a gpedit setting isn't a "hack", it's something you can easily find in the documentation, if you read it.
     
  3. JBenal

    JBenal MDL Senior Member

    Nov 2, 2009
    491
    193
    10
    I know that. I was just using it as another example. I'm asking why MS is enforcing TPM now in order to install Windows 11.
     
  4. nosirrahx

    nosirrahx MDL Expert

    Nov 7, 2017
    1,038
    493
    60
    It might matter for sophisticated attacks against corporate computers, but I don't expect to see a meaningful delineation between typical consumer malware on 10 vs. 11. Even if there was, they will just code around it.

    If TPM and Windows 11 was kicking malware ass, you would see Microsoft punching everyone in the face with demonstrations of this.
     
  5. nosirrahx

    nosirrahx MDL Expert

    Nov 7, 2017
    1,038
    493
    60
    "It's so new and advanced that Windows 11 requires new hardware." is an easier sell than "It's Windows 10, again, with a new GUI."
     
  6. SAM-R

    SAM-R MDL Guru

    Mar 21, 2015
    5,295
    4,949
    180
    There are 2 types of TPM: hardware & software. The hardware is a chip that plugs into a motherboard for security & the software is found in the BIOS of many PCs. The latest TPM is ver 2.
     
  7. kaljukass

    kaljukass MDL Guru

    Nov 26, 2012
    2,847
    1,094
    90
    Yes, you have understood absolutely correctly.
    Forcing people to buy new computers and throw old ones in the trash - that's the goal. On the one hand, they are right, because there is no way to further develop Windows if it has to run on a computer, a laptop, a tablet - all made today, and an iron pile made 20 years ago. It's just not possible.
    Another thing is that since Microsoft can't ask for money for a non-working OP system (then no one would start using it if they had to buy it), the only way to make money is to sell computers.
    Yes, you got it absolutely right - the reason, of course, is not someone's security, but the revenue from the sale. This has always been the case and will remain so for a very long time.
     
  8. Enthousiast

    Enthousiast MDL Tester

    Oct 30, 2009
    40,945
    73,235
    450
    Lovely how all the conspiracy crap reaches to all levels^
     
  9. ohenry

    ohenry MDL Member

    Aug 10, 2009
    213
    103
    10
    I remember reading an article, some time back, about the reason for Windows 11 and TPM. The author talked to people inside Microsoft who said the change was driven by their employees (Microsoft employees) all working from home as a result of the pandemic. TPM would help with security for those thousands and thousands of company owned PCs used to work from home.


    At that time (spring and summer of 2020), I was working for a major oil company, and like all of the other employees I was working strictly from home. And I can assure you that my employer was consumed with the need for security with remote access. So yes, I can easily believe that story.


    Are they also driven by a need to make money? Of course they are. This is America, we are a capitalistic society, if Microsoft doesn’t make money and pay dividends, they will be out of business very quickly.
     
  10. case-sensitive

    case-sensitive MDL Expert

    Nov 7, 2013
    1,292
    541
    60
    >Is it to encourage (force) people to buy new computers?

    >Yes, you have understood absolutely correctly.

    Yes ...... it's capitalism and that's how capitalism works. Safety was the excuse that they made.

    It has nothing to do with conspiracy theories ............ the claim is based on capitalist methods, Microsoft's past record and press reports about a meeting between Microsoft and big computer manufacturers where they decided to introduce the limitations .......... and force them onto people.

    The computer industry was stagnating because people have computers that work and didn't need to buy new ones ........... now they do. That means billions of $$ of profit for the industry .......... at nearly zero cost.
     
  11. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    1,402
    1,530
    60
    they need to make money somehow.
     
  12. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    8,455
    15,511
    270
    And it's disgusting to the point of vomit how some naive still think things just happen.
     
  13. oilernut

    oilernut MDL Senior Member

    Jul 8, 2007
    423
    334
    10
    No one is forcing you to use Windows 11...

    Windows 10 will be supported until June 2023, which could be extended.

    Everyone bemoans how insecure Windows is, yet everyone seems to be against every security feature Microsoft tries to implement.
     
  14. Enthousiast

    Enthousiast MDL Tester

    Oct 30, 2009
    40,945
    73,235
    450
    There are so many more important things going on in real life, try to wrap your fried brain around that.
     
  15. timis

    timis MDL Novice

    Jun 17, 2007
    17
    17
    0
    Some actual facts - TPM is an open standard developed by the Trusted Computing Group, which lists over 100 members who are either adopters, contributors or promoters. Microsoft is classified as a promoter. The official stated goal of TCG is 'The Trusted Computing Group (TCG) is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, global industry standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms'. The TPM 2 specification is classified as an official international standard by the International Standards Organization/International Electromechanical Commission. If you really want to understand the power of TPM 2, google ISO/IEC 11889:2015 for all the technical details; it is pretty amazing stuff actually. So whether you agree with the Windows 11 requirement or not, this is something that is much, much greater than Microsoft.
     
  16. JBenal

    JBenal MDL Senior Member

    Nov 2, 2009
    491
    193
    10
    Some really good info in this thread. Thanks!
     
  17. nosirrahx

    nosirrahx MDL Expert

    Nov 7, 2017
    1,038
    493
    60
    It is but there are lots of amazing computing technologies that simply do not benefit the average user.

    Had Microsoft delineated TPM requirements between Home and all higher builds, I don't think there would have been much in the way of complaints compared to what we are seeing.

    If it were my call, you would be able to install Windows 11 Home (without hacks or mods) on any system capable of running Windows 10 out of the box.
     
  18. ohenry

    ohenry MDL Member

    Aug 10, 2009
    213
    103
    10
    This would have been my call. There would have been downsides, as the product differentiation would have caused support nightmares.
     
  19. joshieecs

    joshieecs MDL Novice

    Oct 8, 2014
    11
    4
    0
    I would say that driving sales of newer hardware is a small part of the reason, or at least considered a nice bonus for Microsoft's partners. But I imagine Microsoft genuinely does want their enterprise users adopting TPM technology, because it does offer security benefits.

    Microsoft wants the OS to be more secure, they have implemented a number of low level hardware security features, and while Defender comes included with the Windows, they also sell Endpoint Security products which are probably quite lucrative, and a TPM really does provide unique functionality that is more applicable to secure enterprise environments than a home PC.

    For consumer laptops or tablets, having a TPM with BitLocker enabled out of the box on new devices is a real security measure for such portable devices that are commonly lost or stolen. It means whoever ends up with your device won't be able to access any of your data. That's a big deal.

    It reflects poorly on Windows and Microsoft when their OS has vulnerabilities, or has significant performance regressions to mitigate vulnerabilities, and it makes sense that as attacks become more sophisticated, hardware solutions become necessary, or at least preferred. It seems natural for Microsoft to eventually set them as a requirement, just like it has with other hardware features like SIMD instructions (SSE) or WDDM graphics hardware. Not to force DIY PC enthusiasts to throw out working systems as e-waste, but to force OEMs to implement the hardware features instead of doing whatever is bottom-of-the-barrel cheapest to manufacture. I imagine future versions of Windows will have even more hardware security requirements, like CET shadow stack support in the CPU, guarded hypervisor, secure launch/SMM, etc.

    Such features don't just require being present in the silicon, but also in the firmware and driver stack. They have to be well-supported by the manufacturers, integrators, and vendors. AMD and Intel might put TPM (or some other security feature) in the CPU or platform chipset, but will the motherboard offer good firmware support? What about driver updates?

    I have to say, the current state of Windows hardware security is not very good. If you buy the premium "secured-core" branded OEM systems that ship with all this tech baked-in and OEM supported, you can in theory call Lenovo, HP, Microsoft, etc. tech support if it's not doing what it's claimed to do in the product sheet, and get it functioning even if they have to escalate to the engineering team.

    But on consumer/enthusiast hardware, it's a nightmare. For example: Ryzen fTPM still to this day has a critical flaw that prevents it from getting an AIK certificate from Microsoft, which severely limits its functionality. (the dreaded "SCEP certificate" failure, event 86). This has been a problem since 2017 from what I can tell.

    There was also a recurring whole-system stuttering issue with Ryzen's fTPM that took years to have AMD recognize (from when it was first posted by users on forums) and many more months after that to get a fix in BIOS firmware updates, and some older (but still supported) motherboard models still don't have the firmware file available to download and flash.

    Surely part of Microsoft's thinking is that by requiring TPM now, they are "laying down the law" and forcing the OEMs and vendors to improve their sloppy and patchwork support (or lack of support) for such features that are, in theory, available in the hardware. If Microsoft wants to harden and secure its OS against vulnerabilities, so it can market Windows as a safe and secure product with good performance, it needs that hardware support to be present and working from the manufacturer and their partners.

    I think the TPM requirement is much more about what AMD, Intel, Dell, Acer, HP, etc. are doing in mass production than what DIY PC builders are doing. The DIY market is barely noise for the PC market, maybe 5% if you include small shops and boutiques. Besides that, we are the small percentage of users who can mostly figure out how to apply a workaround to the requirement.

    But for us tinkerers, we should look at Microsoft's TPM requirement as discipline on the manufacturers and board partners (not us!) to improve the poorly supported and barely documented features they claim to be selling, and make them conform to some kind of open standard. The TCG specs for TPM are complicated and pretty hairy, but they are well-defined, open, and auditable. Not secret, proprietary tech Intel or Dell might try to otherwise offer in its place. That aspect represents a positive change, in my opinion.

    To put it another way, without Windows 11's TPM requirement, the Ryzen users who needed their fTPM enabled would just have to live with the stuttering bug, with no fix in sight. It was only after the mass of people turned on fTPM to install Windows 11 that enough attention was put on the bug to get a fix prioritized by AMD. That's just one example. If you don't need or want to use the TPM, then you don't have to use it. But for users that did need it, the fact that Microsoft required it be present led to a better user experience.
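A practical way to check the three things the thread argues about on a given machine (whether a TPM 2.0 is present and ready, whether the system drive actually has a TPM-backed BitLocker protector so it auto-unlocks at boot as Konde describes, and whether the TPM-WMI event 86 attestation failure joshieecs mentions has been logged) is the PowerShell script below. It is an added example, not code from the thread or from Microsoft; it uses only in-box cmdlets (Get-Tpm, the Win32_Tpm CIM class, Get-BitLockerVolume, Get-WinEvent), the function names are my own, and the event ID 86 and provider name are taken from the post and from the System log's TPM-WMI source respectively. It must be run from an elevated PowerShell on Windows 10 or 11.

```powershell
# Added example (not from the thread): read-only health check of TPM state,
# BitLocker OS-volume protectors, and TPM attestation (event 86) failures.
# Requires an elevated session; nothing here changes any setting.
#Requires -RunAsAdministrator

function Get-TpmHealth {
    # Get-Tpm reports presence/readiness and manufacturer, but not the TCG spec
    # version; that comes from the Win32_Tpm CIM class (SpecVersion, e.g. "2.0, 0, 1.38").
    $tpm = Get-Tpm
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present      = $tpm.TpmPresent
        Ready        = $tpm.TpmReady
        Enabled      = $tpm.TpmEnabled
        SpecVersion  = if ($wmi) { $wmi.SpecVersion } else { 'unknown' }
        Manufacturer = $tpm.ManufacturerIdTxt
    }
}

function Get-SystemDriveProtection {
    # A Tpm* key protector is what lets the OS volume unlock at boot without user
    # input; a RecoveryPassword protector is what you fall back to when the boot
    # measurements change (firmware update, changed boot order) and the TPM refuses.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $tpmTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    [pscustomobject]@{
        MountPoint       = $os.MountPoint
        ProtectionStatus = "$($os.ProtectionStatus)"   # On / Off
        VolumeStatus     = "$($os.VolumeStatus)"       # FullyEncrypted, FullyDecrypted, ...
        Protectors       = ($types -join ', ')
        HasTpmProtector  = [bool]($types | Where-Object { $_ -in $tpmTypes })
        HasRecoveryKey   = [bool]($types | Where-Object { $_ -eq 'RecoveryPassword' })
    }
}

function Get-TpmAttestationFailures {
    param([int]$Days = 30)
    # Event 86 from the Microsoft-Windows-TPM-WMI provider is the "SCEP certificate"
    # attestation failure named in the post. Absence of the event does not prove
    # attestation succeeded; presence does prove it failed on that date.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = 86
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
}

# Report. A machine that meets the Windows 11 requirement and is configured the
# way the thread describes shows SpecVersion starting "2.0", Ready = True,
# HasTpmProtector = True, HasRecoveryKey = True and no event 86 entries.
Get-TpmHealth | Format-List
Get-SystemDriveProtection | Format-List
$failures = @(Get-TpmAttestationFailures)
if ($failures.Count -gt 0) {
    "TPM attestation failures (event 86) in the last 30 days: $($failures.Count)"
    $failures | Format-Table -AutoSize -Wrap
} else {
    'No TPM-WMI event 86 entries in the last 30 days.'
}
```

If HasTpmProtector is True but HasRecoveryKey is False, the drive will unlock at boot today but has no escape hatch when the TPM measurements change, which is the combination to fix first; a Ryzen fTPM system that shows event 86 entries but otherwise reports Ready = True is in the state joshieecs describes, where BitLocker works but attestation-based features that need an AIK certificate will not.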