If you were secretly hoping Microsoft would lower the system requirements for Windows 11 so you could upgrade your or your family’s Windows 10 machines to Windows 11, you’re going to be in for some bad news. In a blog post, Microsoft detailed that its most stringent Windows 11 requirement – the Trusted Platform Module (TPM) 2.0 – is here to stay and crucial to the future of Windows.
By instituting TPM 2.0 as a non-negotiable standard for the future of Windows, we elevate the security benchmark. It allows you and us to better align with the growing need for formidable data protection in the modern digital sphere.
[…] In conclusion, TPM 2.0 is not just a recommendation—it’s a necessity for maintaining a secure and future-proof IT environment with Windows 11. And it’s an important part of the larger Zero Trust strategy, alongside Secure Boot, Credential Guard, and Windows Hello for Business.
↫ Steven Hosking at the Windows IT Pro Blog
So no, if you had the hope Microsoft would lower Windows 11’s system requirements in the face of the oncoming end of support deadline for the 60% of Windows users still using Windows 10, your hope has just been dashed. A more likely outcome here is that as the deadline grows closer, Microsoft will extend the deadline by another year, and if needed another, because leaving 60% of users without security updates and little to no path to upgrade is not going to be a good look for the marketing and legal departments.
If you really do want to upgrade to Windows 11, there are a few options. There’s the enterprise-focused Windows 11 LTSC 2024 release, which does not require a TPM 2.0, treating it as an optional feature instead. On top of that, LTSC is much more bare-bones, shipping without much of the stuff many of us more nerdy users aren’t interested in anyway. The big downside is that getting your hands on a legal copy of LTSC will be difficult, as it’s only available to volume licensing customers, which you most likely are not. Of course, you shouldn’t give a shit about Microsoft’s rules, so you can always use unapproved methods of getting a license.
Another option is the one I took for my parts-bin Windows 11 PC which I only use for League of Legends: I bought a cheap TPM 2.0 module from eBay, slotted it into my motherboard, and was on my merry way. Due to League of Legends’ required rootkit, a TPM 2.0 module is needed, so a few euros and days waiting later, I was ready to go. Do make sure you get the right type of TPM 2.0 module for your motherboard, as they’re not universally compatible.
The final option is to use one of the few remaining ways to circumvent Windows 11’s system requirements, which are sadly dwindling with every major update. Right now that means using a tool like Flyby11, which uses the Windows Server installer to bypass Windows 11’s system requirements. We’ll have to wait and see for how long that trick remains possible.
TPM 2.0 is not the real problem with Windows 11: every laptop that has one of the “supported” CPUs that Windows 11 requires also has TPM 2.0 (since it was an OEM requirement for laptops shipping with Windows 10), and every desktop that shipped with Windows 10 has TPM emulation in the UEFI (which is something Windows 11 considers legit). AMD calls their UEFI-emulated TPM “fTPM” and Intel calls it “PPT”, so even that hardware TPM module was probably useless, Thom.
The real problem with Windows 11 is the CPU list. The fact my old laptop’s i7-4930MX doesn’t qualify while random Celeron and i3 garbage does is insane. It’s not even that old, it’s not like we are asking them to support Core 2 Duos or something.
Also, the really infuriating thing is that Microsoft will offer 3 years of ESU for Windows 10, but non-corporate users will only be able to buy one year of ESU.
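Before buying a header module, it is worth checking what the machine already exposes. The following is an added example (not from the article or any commenter) that reads the TPM spec version, firmware boot mode and Secure Boot state from the Windows 10 machine itself, using the built-in `Win32_Tpm` CIM class and the `Confirm-SecureBootUEFI` cmdlet; run it from an elevated PowerShell prompt. The function name and output fields are my own.

```powershell
# Added example, not from the article or any commenter. Reports the TPM
# spec version, firmware boot mode and Secure Boot state that Windows 11
# setup gates on, plus the CPU model, so you can tell whether a machine
# needs a header TPM module or merely has fTPM/PTT switched off in firmware.
# Run in an elevated PowerShell prompt on the Windows 10 machine itself.

function Test-Win11Readiness {
    # Win32_Tpm is only populated when a TPM (discrete or firmware) is enabled.
    $tpm = Get-CimInstance -Namespace root/cimv2/security/microsofttpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        # SpecVersion reads like "2.0, 0, 1.59"; the first field is the TPM family.
        $tpmSpec   = ($tpm.SpecVersion -split ',')[0].Trim()
        $tpmVendor = $tpm.ManufacturerIdTxt
    } else {
        $tpmSpec   = 'none visible'
        $tpmVendor = 'n/a'
    }

    # Confirm-SecureBootUEFI throws on a legacy-BIOS boot; treat that as unsupported.
    try   { $secureBoot = if (Confirm-SecureBootUEFI) { 'enabled' } else { 'disabled (supported)' } }
    catch { $secureBoot = 'unsupported' }

    $firmware = $env:firmware_type   # 'UEFI' or 'Legacy', set by the OS loader
    if ($tpmSpec -eq 'none visible' -and $firmware -eq 'UEFI') {
        $hint = 'No TPM exposed; check UEFI setup for fTPM (AMD) or PTT (Intel) before buying a module'
    } elseif ($tpmSpec -ne '2.0') {
        $hint = 'TPM present but not 2.0; a firmware TPM or header module is required'
    } else {
        $hint = 'TPM requirement met; compare the CPU against Microsoft''s supported-processor list'
    }

    [pscustomobject]@{
        Firmware      = $firmware
        TpmSpec       = $tpmSpec
        TpmVendor     = $tpmVendor
        TpmMeetsWin11 = ($tpmSpec -eq '2.0')
        SecureBoot    = $secureBoot
        Cpu           = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
        Hint          = $hint
    }
}

Test-Win11Readiness | Format-List
```

A machine that reports `Firmware = Legacy` needs its disk converted to GPT and UEFI boot enabled before Secure Boot can be turned on at all; a UEFI machine with no TPM visible usually just has the firmware TPM disabled in setup, which is the cheaper fix the comment above is pointing at.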
Neither of the two big blockers are ACTUAL requirements.
BitLocker, secure boot, etc. can work fine without having TPM at all, though yes there are obvious benefits to more secure key storage. Granted, that was (as acknowledged many places) very much secondary to platform lockdown that manufacturers still haven’t properly bought in on.
Core Isolation / Virtualization-Based Security can work with CPUs older than the 8th-gen Core series, but with greater performance penalty.
All in all, if Microsoft actually gave a single damn about the customers below the enterprise level (except as crash-test dummies for their enterprise customers) this would be pushed as “You could use new hardware to get these benefits” instead of “get it or go away.”
So Microsoft wants the Year of Linux Desktop that bad, huh?
Apparently so. Their unmitigated arrogance hasn’t hurt them too much so far.
The 4930MX is a 11.5 year old CPU… “not that old” … what are you talking about? Also have you paid attention to new CPUs? Heck even cheap 10th gen i3s have 4C8T, and massive IPC improvements etc and that’s already a FIVE year old CPU! And celeron has been killed off for years. It’s time to move on.
Microsoft Windows 11 is going to create a MOUNTAIN of e-waste! #RANT : https://www.youtube.com/watch?v=1g6IiVUQsI4
Microsoft will support Windows 10 IoT Enterprise LTSC 2021. So if they are producing fixes at least for the next 10 years, why not make them available to all users of Win10? That is the real issue here.
They want to push Windows 11 then Windows 12, not wanting to support different kernels in the long run.
But they will be supporting W10 IoT till 2035.
That gives them time to correct all the shit that Win11 is, and launch a nice Win12.
So again the good-bad-good-bad-good release scheme? I was quite satisfied with XP (classic look) and 7, never understood why they took the 8 route. Come on, their core business is sure to make profit, not to care about customers, but why make things that work obsolete?
Correct, Microsoft has done good, bad, good, bad releases since Win95 IIRC.
Yes, I was also under the impression it is mainly a CPU generation thing. The TPM requirement could be worked around fully in software by running inside a virtual machine and enabling its software TPM.
Z_God,
I’m curious how it works. Have you tried this?
I’ve found a few docs that include steps for enabling TPM2 under QEMU and vmware…
https://tpm2-software.github.io/2020/10/19/TPM2-Device-Emulation-With-QEMU.html
https://www.prajwaldesai.com/enable-tpm-on-a-virtual-machine-encrypt-a-vm/
Apparently vmware forces you to encrypt the VM and set a password before it allows a virtual TPM device to be added…does this mean TPM + win11 cannot be used in unattended boot scenarios under VMware?
Regardless of this caveat though, does windows ever validate TPM implementations or does it just accept any TPM provider without question?
Edit: Had another question about vmware’s encryption. When the guest is encrypted on the host, doesn’t that lead to bitlocker encryption being redundant on the guest? Seems like pointless overhead but maybe I’m just fuzzy on the details.
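The two links above cover QEMU and VMware; for completeness, here is the Hyper-V counterpart as an added example (not from any commenter or from the linked docs): a Generation 2 VM with a virtual TPM 2.0 and Secure Boot, which is the configuration a Windows 11 guest expects. The VM name, disk size and ISO path are placeholders. The cmdlets (`New-VM`, `Set-VMFirmware`, `Set-VMKeyProtector`, `Enable-VMTPM`, `Get-VMSecurity`) are the stock Hyper-V module; run this in an elevated prompt on the host.

```powershell
# Added example, not from any commenter or the linked docs: the Hyper-V
# counterpart of the QEMU/VMware steps, creating a Generation 2 VM with a
# virtual TPM 2.0 and Secure Boot for a Windows 11 guest. Names, sizes and
# the ISO path are placeholders. Run in an elevated prompt on a Hyper-V host.

$VmName  = 'win11-lab'               # placeholder
$VhdPath = "C:\VMs\$VmName.vhdx"     # placeholder
$IsoPath = 'C:\ISOs\Win11.iso'       # placeholder; supply your own installer image

# Generation 2 gives UEFI firmware, which Secure Boot and the vTPM hang off.
New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 64GB | Out-Null
Set-VMProcessor -VMName $VmName -Count 2    # Windows 11 setup wants at least two cores

# 'MicrosoftWindows' is the Secure Boot template that trusts the Windows
# production CA; 'MicrosoftUEFICertificateAuthority' is the one Linux guests use.
Set-VMFirmware -VMName $VmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

# The vTPM's state is stored encrypted by the host, so Hyper-V refuses
# Enable-VMTPM until the VM has a key protector. A local key protector is the
# single-host case; the VMware "encrypt the VM first" behaviour noted above is
# the same idea.
Set-VMKeyProtector -VMName $VmName -NewLocalKeyProtector
Enable-VMTPM -VMName $VmName

# Attach the installer image and boot from it for the installation run.
Add-VMDvdDrive -VMName $VmName -Path $IsoPath
$dvd = Get-VMDvdDrive -VMName $VmName
Set-VMFirmware -VMName $VmName -FirstBootDevice $dvd

# Verify what the guest will see before starting it.
Get-VMSecurity -VMName $VmName | Select-Object VMName, TpmEnabled
Get-VMFirmware -VMName $VmName | Select-Object SecureBoot, SecureBootTemplate
Start-VM -Name $VmName
```

The local key protector answers the unattended-boot question for the Hyper-V case at least: the host holds the key that wraps the vTPM state, so the VM starts without a password prompt, and the protection boundary is the host itself rather than the guest.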
I’m not sure I understand your question and I didn’t try this myself.
A TPM is simply a piece of hardware and if you want it to be really about security, you’d need to add something to make it tamper resistant. An emulated/virtual one is not that 🙂
Some mainboards have a connector that simply allows adding a separate TPM chip, but apparently it’s not too hard to just hook up the bus lines and see all the data going in and out.
There’s no way for software to check these (physical) aspects.
Z_God,
I’m just not sure if windows 11’s TPM requirements make any attempt to validate TPM providers or if anyone can write one and windows will use it without caring. For example, it might work under VMWare, but not QEMU (I don’t know this to be true, just as a hypothetical).
The problem with hardware TPM is that processing crypto on the chip is a bottleneck, it just doesn’t have the flexibility, capacity, and multithreading of a CPU. So I believe that in practice things like bitlocker end up implementing a handshake that asks TPM (hardware or software) for the encryption keys and performing the crypto in the kernel. This is why cryptographic material ends up transferring over the bus in the clear.
IMHO building it into the CPU would be far more secure than an external TPM chip, but in order to protect it from software exploits it would have to run in a separate privilege domain that not even the kernel has access to. Historically CPU side effects like caching and TLB can leak secret information even across privilege domains (i.e. meltdown/spectre), so a lot of hardening is required around any facilities that are shared. So while doing it in the CPU might theoretically be more secure, its complexity leads to a larger attack surface that needs to be considered too.
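The bus-exposure point above only applies when the TPM is the sole protector, because then it unseals the volume master key with no user secret mixed in. The following is an added example (not from any commenter) that lists each BitLocker volume's key protectors via the built-in `Get-BitLockerVolume` cmdlet and flags TPM-only protection; the function name and report fields are my own. Requires the BitLocker module (Pro/Enterprise) and an elevated prompt.

```powershell
# Added example, not from any commenter. Lists each BitLocker volume's key
# protectors and flags TPM-only protection, the configuration in which the
# TPM unseals the volume master key without any user secret and hands it
# back at boot. Requires the BitLocker module (Pro/Enterprise) and an
# elevated prompt.

function Get-BitLockerProtectorReport {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum: Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, Password, ExternalKey, ...
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Any protector that needs something besides the TPM at boot.
        $hasPreBootSecret = ($types -contains 'TpmPin') -or
                            ($types -contains 'TpmStartupKey') -or
                            ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPreBootSecret

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            ProtectionStatus    = $vol.ProtectionStatus
            Protectors          = ($types -join ', ')
            TpmOnly             = $tpmOnly
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            Note                = if ($tpmOnly) {
                                      'VMK released by TPM alone at boot; consider adding a PIN'
                                  } elseif ($types.Count -eq 0) {
                                      'no protectors (volume not protected)'
                                  } else {
                                      'boot requires a secret beyond the TPM'
                                  }
        }
    }
}

Get-BitLockerProtectorReport | Format-Table -AutoSize
```

To move a TPM-only volume to TPM+PIN, allow the PIN under the "Require additional authentication at startup" BitLocker policy and then run `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString)`. With a PIN in the mix, recording the bus traffic between TPM and CPU is no longer enough on its own, which is the mitigation for the sniffing scenario described above; the same cmdlet with a `-PasswordProtector` is how BitLocker runs on a machine with no TPM at all, as mentioned earlier in the thread.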
Honestly, I don’t expect Microsoft to extend the deadline, just issue some security updates for the worst problems, like they’ve done with SMB2 for Windows XP.
Upgrade to Linux is what some people are choosing, even gamers these days.
I saw Wine (thus Proton at some point and Steam) now has experimental Wayland support as well.
Unfortunately, some of us have very Windows-specific needs. For example, I have some Nvidia 3D Vision laptops (all of them on Intel 4th gen like the 4930MX that I mentioned above) and Nvidia 3D Vision only works with Windows. Then there is various software with anti-cheat and HASP that requires Windows kernel drivers.
So, for those systems, it’s either pirate 3-year ESU or some LTSC version of Windows 10.
nVidia murdered 3d Vision support years ago at this point. Are you running ancient drivers?
I miss my 3d Vision – so many of the current crop of games would be GORGEOUS in 3d Vision.
Short answer: Yes
Long answer: Yes, the 770M and 880M my Nvidia 3D Vision laptops have don’t support any newer driver versions anyway, and I bought an Area-51m from eBay with an RTX 2080 precisely because it’s the last GPU that supports the magic 425.31 driver version (the RTX 2080 SUPER was released after). The Area-51m doesn’t support it on the internal LCD like the older ones obviously, but can do it via HDMI and DP.
There is also a “3D Fix Manager” app from the HelixMods guy that allows you to have more recent drivers, but it didn’t work for me because the Area-51m needs DCH drivers (not the Standard non-DCH).
TPM should be renamed to not-trusted spying platform.
Not really, hardware-level encryption is a nice thing to have. I don’t want to know how many people out there have set a BIOS-level password on their laptops thinking they’ve secured their private data in case their laptop gets lost, not knowing that all a thief has to do is unplug the hard drive (per the manufacturer’s repair manual), use one of the readily-available hard drive enclosures, and have a bootable drive with all the private data intact and accessible.
But there is a difference between Microsoft making it a requirement for new systems (as they did for Windows 10) and blocking systems from upgrades. I bought my laptop without TPM, which means I have accepted the risk or I have set up a software encryption system. If Windows 11 only complained instead of blocking installation, I would be ok with that, but now that Microsoft gives upgrades “for free” like their envy Apple does, they gotta trigger a “refresh cycle” somehow.
TPM is not a requirement for disk level encryption, it is mostly a convenience aid in implementation systems.
Also, literally nobody sets BIOS passwords or would even know what that is, except for nerds like us, who should know better anyway. But I think the scenario you describe would apply well to the Windows login password instead, with equally no security there, and most users being misled in their assumptions of its protection.
I have no problems with TPM.
The real problem in my mind is Secure Boot for which the root is controlled by Microsoft. Which is basically equivalent to DRM.
If I have full control of my secure boot system (for example with Coreboot), both things are great.
Lennie,
Ah yes, it’s become normalized by now, but secure boot is deceptively not as vendor neutral as it appears. The built in keys are microsoft’s and having several major linux distros signed under microsoft’s keys can leave even experienced linux users unaware of this relationship / dependency. A future version of windows need only make secure boot mandatory on x86 “the vast majority of linux users already had secure boot on anyway so it’s really no big deal you guys”, then microsoft will be left holding the keys for a feature that can’t be disabled by end users. It is a conspiracy, and it would require a business-safe political environment to finish the takeover, but it could credibly have been microsoft’s plan for secure boot since the beginning. Owner control is notably completely absent in the spec. Going by the spec there’s no way to control secure boot or to change the keys unless you control an existing key. This omission of owner control is either an extremely glaring oversight by stupid architects, or more likely a calculated plan with microsoft knowing exactly what they were doing knowing that their keys were going to be the x86 defaults.
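Whose keys actually gate boot on a given machine is something the firmware will tell you directly. The following is an added example (not from any commenter) that reads the PK, KEK, db and dbx variables with the built-in `Get-SecureBootUEFI` cmdlet, walks the `EFI_SIGNATURE_LIST` structures they contain, and prints the subject of every X.509 certificate found, so the vendor relationship described above becomes concrete for the box in front of you. The parsing function is my own; the two GUIDs are the UEFI specification's `EFI_CERT_X509_GUID` and `EFI_CERT_SHA256_GUID`. Run from an elevated prompt on a UEFI system.

```powershell
# Added example, not from any commenter: list the certificates the firmware's
# Secure Boot databases currently trust. Run from an elevated PowerShell on a
# UEFI system; Get-SecureBootUEFI is the built-in SecureBoot module cmdlet.

$X509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$Sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

# Walk a byte blob made of consecutive EFI_SIGNATURE_LIST structures:
#   GUID SignatureType; UINT32 SignatureListSize, SignatureHeaderSize,
#   SignatureSize; header bytes; then entries of (GUID SignatureOwner + data).
function Read-EfiSignatureLists {
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list rather than reading past the buffer.
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }
        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $headerSize
        while ($sigSize -gt 16 -and $sigOffset + $sigSize -le $listEnd) {
            [pscustomobject]@{
                Type  = $type
                Owner = [guid]::new([byte[]]$Bytes[$sigOffset..($sigOffset + 15)])
                Data  = [byte[]]$Bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
            }
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

foreach ($var in 'PK', 'KEK', 'db', 'dbx') {
    try   { $raw = (Get-SecureBootUEFI -Name $var).Bytes }
    catch { Write-Warning "$var not readable: $_"; continue }

    $entries = @(Read-EfiSignatureLists -Bytes $raw)
    $certs   = @($entries | Where-Object Type -eq $X509Guid | ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Data)
    })
    $hashes  = @($entries | Where-Object Type -eq $Sha256Guid).Count

    '{0}: {1} certificate(s), {2} SHA-256 hash entries' -f $var, $certs.Count, $hashes
    $certs | ForEach-Object { '    {0}  (expires {1:yyyy-MM-dd})' -f $_.Subject, $_.NotAfter }
}
```

On a typical OEM machine the PK names the board vendor, the KEK carries a Microsoft KEK CA, and db holds the Microsoft Windows Production CA plus the Microsoft UEFI CA that shim-based Linux distributions chain to; dbx is mostly hash entries. A machine where you have enrolled your own PK (the Coreboot case mentioned above) will show your certificate at the top of that chain instead.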
So what’s the bad news here? Part of my own Zero Trust strategy involves not using products by companies I can’t trust, and this decision not only reaffirms my decision but also makes the choice simple.
My laptop has an i7-4700 MQ with a maximum clock rate of 3.4 GHz so that’s sure as hell not the problem, but it only has TPM 1.0 or 1.1. Windows 11 doesn’t seem to like that, but literally no operating system seems to care as long as Secure Boot remains off like it should be.
I used rufus to make a usb install stick with the over-rides.
Then just copied the patched files off onto a win10 system and was able to do an in-place upgrade on a 6th gen i5.
Actually have 50+ systems I need to upgrade remotely.
Most businesses are not going to override the installer. Then again, by the time this hits, most businesses will have replaced hardware old enough to fail the Windows 11 requirements. I suspect circumventing the install constraints will be quite popular with regular folk. I doubt that Microsoft cares much about that. One more reason not to relax the requirements.
my daily driver workstation is a 4th gen i5. it works perfectly fine for my needs. plus I can’t bear to simply toss what I consider to be perfectly good hardware, just because MS deems it so. I have given away many perfectly good old machines to those who need it with win11 so they can be current.
I think it’s perfectly reasonable to perhaps have some sort of reduced features if the CPU or TPM can’t support those features but it has certainly been proven that these imposed limitations are poppycock and hogwash.
Whether they actually stick to their guns or not will depend on what users do. If MS fails to get a majority of customers upgraded to win11 in a timely manner, they will backtrack on this threat to deny those customers an upgrade option. This is microsoft’s poker face, part of the game is not telling your bluffs. But at this point in time internally microsoft knows it’s a bluff. If enough users collectively refuse to buy new hardware just to run win11 then microsoft’s bluff will be called out. Of course it’s possible enough users will buy new computers and so the need for MS to provide an upgrade path goes away. But the outcome will clearly be contingent on the reality on the ground at that time and not whatever microsoft are saying today.
I tend to believe them, that they will not lower Windows 11 requirements and by doing that will prevent a wide range of hardware from running the latest Windows version. This will naturally have at least one big side effect, and that is fragmentation. On the other hand they IMHO will support Windows 10 until it has substantial market share. For free. So they can in a way be stubborn, but that means they will need to continue to support two versions of Windows for years to come. Just like the AI infesting Windows, I feel that this strategy is also damaging Windows’ reputation. They created an artificial problem and are now burning their reputation by not rethinking what they are doing, where it’s rather clear they are acting stupid.
UPD: Windows 11 LTSC IoT has requirements very close to Windows 10:
https://x.com/TheBobPony/status/1864366955689295977
No TPM or Secure Boot requirement, all x86-64 dual-core processors with at least SSE 4.2 supported.