Microsoft Considers Tweaking Windows 11 TPM Requirement to Include Zen 1 and 7th Gen Core

99% of people out there don't use BitLocker full disk encryption and couldn't care less about TPM.

This whole saga is a fantastic load of crap.

It'll probably cause a lot of businesses to upgrade computers. It's time for my company to upgrade our 5th gen Core i5 laptops...
 
Rather than force people out of win11, they just lock the features that require those new security features.
 
And this is why it is now mandatory, because users can't be trusted to do security.

No, BitLocker still has a chance of locking your drive unrecoverably when you do something as simple as a Windows Update.


There are also cases of the system randomly turning the feature on (and nobody offering a recovery option, except nuke-from-orbit and start over)


This is a pointless feature push for clunky software that only corporations with proper backups should bother with (because there is no undo for a lost / never-set-up encryption key).

So why not make the TPM requirement Enterprise-only?
 
Aside from TPM, could it be MS doesn't want to support processors that have less hardware mitigation for the spectre and meltdown family of vulnerabilities?

Hard no and I'm tired of people repeating this falsehood:


Coffee Lake is fully supported yet it contains the most egregious vulnerabilities in all of x86 CPUs including Meltdown.

Again this TPM "requirement" will either not be a hard requirement at the time of release or it will have easy workarounds (like running regedit during installation and changing a few values).
 
I would like to know what the motherboard manufacturers are going to do. When are they going to start supplying the TPM chips for the motherboards already sold? Even the motherboards that are on sale today only have the connector.
 
Would be nice if our blessed Microsoft removed artificial limits preventing W11 from working on my old 2700K system (see specs) which is still perfectly capable after a decade. I wanna upgrade it on my schedule, not on theirs.
 
I hope they learn to support external 2.0 TPMs it’s my understanding they currently don’t.
I think they do? But I suppose almost nobody outside of enterprise has a discrete TPM, so it's more a matter of adoption.

remove the TPM requirement ......... my FX-8350 is still damn strong
I'm gonna say no. Why support a nearly 9 years old CPU (which had some questionable design choices leading to reduced performance) for another five to ten years? That's silly. Hell, Windows 10 LTSC will be supported until 2029, so that's fifteen years of support. Supposing they do the same with Windows 11, why would Microsoft have to support a CPU that by the end of LTSC would be 25 years old?!
My motherboard has a TPM header and it's not a 7th gen, WTF!
TPM headers are included at the behest of the motherboard designer. And TPM is a long known thing, with the TPM 2.0 spec going back to 2013 or so. It was required for Connected Standby as far back as Windows 10 original RTM release.

99% of people out there don't use BitLocker full disk encryption and couldn't care less about TPM.

This whole saga is a fantastic load of crap.
Yeah. I imagine that Microsoft is pushing for this to use the TPM for whatever things need encryption (say, Windows logins, for example), not just for Bitlocker. How and when, or even if it will be done, I don't know, but it's a possibility they've probably thought about.
I get it for companies and OEM's .... but for general home-user-public TPM2.0 should not be a fixed requirement....

I mean, there are so many good systems that don't need an upgrade (xeon v1-v3's still have enough power for general usage..... ) that would still work absolutely fine with windows 11..... if it wouldn't be for the TPM requirement


and that it's not on the list of supported CPUs ...... which states a 1 GHz minimum .... but Gen 8+ .... slight oxymoron .....
Considering that Microsoft probably plans to support Windows 11 for at least six if not ten years, I can understand why they want to cut off a lot of somewhat "old but not that old" hardware. Add LTSC releases which have even longer support, and they could find themselves supporting a processor that is nearly 20 years old by the time the OS goes out of support. A massive pain.

The 1 GHz minimum is there because of mobile CPUs with their very low base clocks.
It'll probably cause a lot of businesses to upgrade computers. It's time for my company to upgrade our 5th gen Core i5 laptops...
Don't know about that, but for sure at work we'll have to replace them all, since they're all Ivy Bridge or Haswell, but we have four more years and absolutely no hurry to replace Windows 10, since Windows 11 has basically no improvements we're interested in.
I would like to know what the motherboard manufacturers are going to do. When are they going to start supplying the TPM chips for the motherboards already sold? Even the motherboards that are on sale today only have the connector.
No need, TPM is built in the CPUs, you can use that.

Coffee Lake is fully supported yet it contains the most egregious vulnerabilities in all of x86 CPUs including Meltdown.
According to MS themselves, it's because of this:
Reliability. Devices upgraded to Windows 11 will be in a supported and reliable state. By choosing CPUs that have adopted the new Windows Driver model and are supported by our OEM and silicon partners who are achieving a 99.8% crash free experience.
Sourced from https://blogs.windows.com/windows-i...te-on-windows-11-minimum-system-requirements/
 
I think they do? But I suppose almost nobody outside of enterprise has a discrete TPM, so it's more a matter of adoption.

Just got home and ran the test tool (the version before it was removed) on my system (in specs) and surprisingly it passed. Even with a 7980XE. I do have an added physical TPM (2.0).
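Since the thread's test tool has been pulled, here is an added example (my own script, not a Microsoft tool and not from this thread) that checks the same things from an elevated PowerShell prompt: TPM presence and spec version, Secure Boot state, and BitLocker on the OS volume. It also covers the failure mode raised earlier in the thread, an encrypted OS drive with no recovery password escrowed anywhere: if protection is on and no RecoveryPassword protector exists, it adds one and, on a domain-joined machine, backs it up to AD DS. It assumes Windows 10/11 Pro or Enterprise, where the BitLocker and TrustedPlatformModule modules exist; the readiness logic and report layout are my own.

```powershell
# Added example, not from the thread: Windows 11 TPM / Secure Boot / BitLocker readiness report.
# Assumes an elevated session on Windows 10/11 Pro/Enterprise (BitLocker module present).
#Requires -RunAsAdministrator

$report = [ordered]@{}

# 1. TPM: present, initialised, and reporting spec version 2.0. Get-Tpm gives readiness; the
#    spec version string (e.g. "2.0, 0, 1.38") comes from the Win32_Tpm WMI class.
$tpm    = Get-Tpm
$tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$report.TpmPresent = [bool]$tpm.TpmPresent
$report.TpmReady   = [bool]$tpm.TpmReady
$report.TpmSpec    = $tpmWmi.SpecVersion
$report.Tpm20      = ($tpmWmi.SpecVersion -like '2.0*')

# 2. Secure Boot: Confirm-SecureBootUEFI throws on a legacy BIOS boot, which counts as "no".
try   { $report.SecureBoot = [bool](Confirm-SecureBootUEFI) }
catch { $report.SecureBoot = $false }

# 3. BitLocker on the OS volume, and whether a RecoveryPassword protector exists at all.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.BitLocker = $os.ProtectionStatus
$recovery = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$report.HasRecoveryPassword = ($recovery.Count -gt 0)

# 4. Protection on but no recovery password: the "no undo" situation. Add one now.
if ($os.ProtectionStatus -eq 'On' -and $recovery.Count -eq 0) {
    $os = Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
    $recovery = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 5. Escrow. Domain-joined: back the protector up to AD DS. Otherwise the password is put in
#    the report so it can be printed or stored off this device (never only on the drive it unlocks).
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
foreach ($p in $recovery) {
    $report["RecoveryPassword $($p.KeyProtectorId)"] = $p.RecoveryPassword
    if ($domainJoined) {
        Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

# 6. The PCR validation profile the TPM protector is bound to; a change in any of those
#    measurements (firmware, boot manager, Secure Boot policy) is what forces a recovery prompt.
$report.ProtectorDetail = (manage-bde -protectors -get $env:SystemDrive | Out-String)

[pscustomobject]$report | Format-List
```

On an Entra-joined (Azure AD) machine use BackupToAAD-BitLockerKeyProtector in step 5 instead of the AD DS cmdlet; for a home PC, the recovery password printed in the report is the only way back in if the TPM later refuses to unseal, so keep a copy somewhere other than that disk.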
 
Don't get it really, they encouraged people to upgrade for free from Windows 7 to 10 to get more people on the same version of Windows and improve security. All this will do is force a huge amount of people to stay with windows 10 undoing any work Microsoft did in the past. I have 2 windows PCs and a windows laptop that run fine for what I want but I don't think windows 11 will work on any of them.
 
This all comes down to Microsoft completely lying. TPM 2.0 and the generation of processor are not linked. I have a computer running a 6th Gen intel processor with an H110 chipset that has a firmware TPM 2.0 module. The generation of processor and TPM 2.0 are independent of each other. Especially since it is possible with a lot of even older generation hardware to add a TPM 2.0 module. Microsoft arbitrarily picked a processor generation and decided to cut off support for anything older as a method to force people to upgrade their computers.

Of course, forcing upgrading computers means all those people with OEM copies of Windows 10 suddenly have to buy new copies of Windows 11 with their new computers. Coincidence?:rolleyes:

All this will do is force a huge amount of people to stay with windows 10 undoing any work Microsoft did in the past.

I think the idea there was that Win 7 was a pretty significant code base difference from Windows 10. Windows 11 on the other hand is just Windows 10.1. So it is considerably less work to keep both going side by side.
 
TPM 2.0 and the generation of processor are not linked
They're not linked, true.

However, it seems the driver model changed, according to them, and they have decided to support only this newer driver model when it comes to CPUs. Why? I do not know.
By choosing CPUs that have adopted the new Windows Driver model and are supported by our OEM and silicon partners who are achieving a 99.8% crash free experience.
As far as I know, they're not truly trying to enforce it yet with these Insider builds. But they might actually drop the support for those once the time comes for them to make the RTM or GA release.
 
Intel arbitrarily picked a processor generation and decided to cut off support for anything older as a method to force people to upgrade their computers.
Sounds like a good reason to go AMD for my next upgrade.

Agree with the rest of your post, too.
 
They're not linked, true.

However, it seems the driver model changed, according to them, and they have decided to support only this newer driver model when it comes to CPUs. Why? I do not know.

If Microsoft wants to cut off CPU support and only go so far back, they should just say it. I'm not even totally against that if they didn't lie about it. That's my problem with it, they lied about the reason. They are trying to use TPM 2.0 as a scape goat to cover their unpopular artificial limits.

Sounds like a good reason to go AMD for my next upgrade.
Actually I didn't mean to put Intel picked it, I meant Microsoft picked an arbitrary generation. They did the same thing on AMD's side.
 
Yeah, a safe with the key glued/soldered to it, brilliant idea.

such secure
much encrypt
very safe
wowe

By design it is incredibly difficult to get a private key out of a TPM. You could snoop the trace on the physical motherboard to maybe get some data, but with the CPU based versions that becomes obviously much more difficult. But hey, if you have a better idea where to keep private keys in a somewhat secure fashion there's a few million to make, chop chop.

This has nothing to do with the user side of things though. TPM doesn't mean full system encryption or anything like that, it's just a standard used for some hardware security features inside the processor.

In other words a system may support TPM but still be completely open to any kind of attack.

Not sure where I said that a TPM magically secures an OS, but can help form part of ensuring trust, or at least better protecting private keys if the machine gets breached.

No, Bitlocker still has a chance of locking your drive unrecoverably when you do something as simple a Windows Update.

If I can run an Enterprise on n-state, 1-day Windows Update preflighting, fully BitLockered, with no issues, it's pretty safe to say this has become a non-issue.
 
I had a think about Microsoft's security requirements, and they aren't arbitrary.

Secure Boot requires UEFI, that comes in at 5th Gen in a patchy way I'm pretty sure, and was only default by 7th gen, and wasn't available on Piledriver or Bristol.

TPM 2 was only supported from 8th Gen and Zen+ and up.

Makes sense when looked at from a 50 foot view I guess, although time to include TPM 1.2 and anything that supports Secure Boot, which should extend down to some 5th gen parts.
Wrong. My laptop with an i7 7700HQ has TPM 2.0, Secure Boot and UEFI from the factory.
 
Wrong. My laptop with an i7 7700HQ has TPM 2.0, Secure Boot and UEFI from the factory.

Since I wrote that, I realised that there is also a new driver model, of which it seems Intel isn't supporting anything older than 8th gen.
 
Wrong. My laptop with an i7 7700HQ has TPM 2.0, Secure Boot and UEFI from the factory.
Also has the ability to encrypt the drive, via hardware and logically, software through bitlocker if the problem is data at rest... Anyway, why not 7th gen? 8th gen+ includes extra built-in security features? Which ones? More RAM speed? Better known corrections for meltdown and spectre?
 
By design it is incredibly difficult to get a private key out of a TPM. You could snoop the trace on the physical motherboard to maybe get some data, but with the CPU based versions that becomes obviously much more difficult. But hey, if you have a better idea where to keep private keys in a somewhat secure fashion there's a few million to make, chop chop.
[ ... ]
It is very hard, if not impossible to get a key that's been soldered to the lock of a safe either ...
The problem you see is, you can just lift the entire safe with the key and open it at your leisure.
The same can be said about encryption via TPM - if your computer gets stolen, chances are the thief will take the TPM along with it, and you've managed to accomplish exactly nil.
 
Also has the ability to encrypt the drive, via hardware and logically, software through bitlocker if the problem is data at rest... Anyway, why not 7th gen? 8th gen+ includes extra built-in security features? Which ones? More RAM speed? Better known corrections for meltdown and spectre?
Driver model is the reason offered by Microsoft.

They might review their position on this and allow 7th gen devices, but that's subject to change until Windows 11 goes gold. For now, there are no hard blocks for it.
 
It is very hard, if not impossible to get a key that's been soldered to the lock of a safe either ...
The problem you see is, you can just lift the entire safe with the key and open it at your leisure.
The same can be said about encryption via TPM - if your computer gets stolen, chances are the thief will take the TPM along with it, and you've managed to accomplish exactly nil.

If you've lost physical security of the device, well I hope your other mechanisms of securing the device are top notch. Its also entirely outside of scope of expectation as to what you expect a TPM to be achieving.
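The "safe with the key soldered to it" exchange above, and the earlier reports of BitLocker demanding a recovery key after an update, are both explained by how the TPM releases a key. Below is an added example, a toy model I wrote rather than code from the thread or from Microsoft, of the mechanism BitLocker's TPM protector relies on: the volume master key (VMK) is sealed to platform configuration register (PCR) values, and the TPM only unseals it when the measured boot chain reproduces those values. PCR extend and the PCR policy digest follow the TPM 2.0 shape (SHA-256 chaining); the "storage root key" held in a script variable, the HMAC-derived wrapping key and the XOR sealing are simplifications I chose, not the spec's wire format.

```powershell
# Added example (my own toy model, not from the thread): sealing a key to boot measurements.

function Get-Sha256([byte[]]$Bytes) {
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($Bytes)
}
function ConvertTo-Hex([byte[]]$Bytes) { [System.BitConverter]::ToString($Bytes) -replace '-', '' }

# TPM-internal state: the storage root key never leaves the "TPM"; PCRs reset to zero at power-on.
$script:Srk = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($script:Srk)
$script:Pcrs = @{}
function Reset-Tpm { foreach ($i in 0..7) { $script:Pcrs[$i] = [byte[]]::new(32) } }

# TPM2_PCR_Extend: PCR[i] = SHA256(PCR[i] || SHA256(measurement)). There is no "set", only
# extend, so software cannot rewind a PCR to the value it had before that software ran.
function Invoke-PcrExtend([int]$Index, [string]$Measurement) {
    $digest = Get-Sha256 ([System.Text.Encoding]::UTF8.GetBytes($Measurement))
    $script:Pcrs[$Index] = Get-Sha256 ([byte[]]($script:Pcrs[$Index] + $digest))
}

# Policy digest over the selected PCRs, in index order (the idea behind TPM2_PolicyPCR).
function Get-PcrPolicyDigest([int[]]$Selection) {
    $concat = [byte[]]@()
    foreach ($i in ($Selection | Sort-Object)) { $concat = [byte[]]($concat + $script:Pcrs[$i]) }
    Get-Sha256 $concat
}

# Wrapping key = HMAC(SRK, policy digest): a different boot state derives a different key.
function New-WrapKey([byte[]]$Policy) {
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($script:Srk)
    $hmac.ComputeHash($Policy)
}

# Seal: encrypt the VMK under the wrapping key for the *current* PCR state. The blob can sit in
# plaintext in the volume metadata; without this TPM in this boot state it is just noise.
function Protect-Vmk([byte[]]$Vmk, [int[]]$Selection) {
    $policy = Get-PcrPolicyDigest $Selection
    $wrap   = New-WrapKey $policy
    $ct = [byte[]]::new($Vmk.Length)
    for ($i = 0; $i -lt $Vmk.Length; $i++) { $ct[$i] = $Vmk[$i] -bxor $wrap[$i] }
    [pscustomobject]@{ Selection = $Selection; Policy = $policy; Ciphertext = $ct }
}

# Unseal: succeeds only if the PCRs now match the sealed policy. On mismatch BitLocker falls
# back to the recovery password, which is the "locked after an update" experience.
function Unprotect-Vmk($Blob) {
    $current = Get-PcrPolicyDigest $Blob.Selection
    if ((ConvertTo-Hex $current) -ne (ConvertTo-Hex $Blob.Policy)) { return $null }
    $wrap = New-WrapKey $current
    $vmk = [byte[]]::new($Blob.Ciphertext.Length)
    for ($i = 0; $i -lt $vmk.Length; $i++) { $vmk[$i] = $Blob.Ciphertext[$i] -bxor $wrap[$i] }
    $vmk
}

# Simulated boot chain: firmware -> PCR0, boot manager -> PCR4, Secure Boot policy -> PCR7.
# The measurement strings are constructed sample values, not real firmware identifiers.
function Invoke-Boot([string]$Firmware, [string]$BootManager, [string]$SecureBootPolicy) {
    Reset-Tpm
    Invoke-PcrExtend 0 $Firmware
    Invoke-PcrExtend 4 $BootManager
    Invoke-PcrExtend 7 $SecureBootPolicy
}

$vmk = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($vmk)

Invoke-Boot 'UEFI 1.10' 'bootmgfw.efi build 19041' 'SecureBoot=on, MS UEFI CA'
$sealed = Protect-Vmk $vmk -Selection 0, 4, 7      # sealed at the known-good state

Invoke-Boot 'UEFI 1.10' 'bootmgfw.efi build 19041' 'SecureBoot=on, MS UEFI CA'
"Same machine, same boot chain : " + $(if (Unprotect-Vmk $sealed) { 'unsealed, no prompt' } else { 'FAILED' })

Invoke-Boot 'UEFI 1.11' 'bootmgfw.efi build 19041' 'SecureBoot=on, MS UEFI CA'
"After a firmware update       : " + $(if (Unprotect-Vmk $sealed) { 'unsealed' } else { 'FAILED -> recovery password' })

Invoke-Boot 'UEFI 1.10' 'attacker-bootloader.efi' 'SecureBoot=off'
"Stolen, booted from USB       : " + $(if (Unprotect-Vmk $sealed) { 'unsealed' } else { 'FAILED -> recovery password' })
```

The three runs are the whole argument in the thread. Same chain: the TPM hands the VMK to the legitimately booted Windows with no user interaction, so a thief who powers on the untouched laptop reaches the sign-in screen, which is why the reply above says the rest of your controls (OS login, or a pre-boot PIN via TPM+PIN) have to carry the load. Changed firmware or a replaced bootloader: the policy digest differs, the wrapping key cannot be re-derived, and the only way in is the recovery password, which is exactly the "locked after an update" report if that password was never escrowed. Real BitLocker binds to PCR 7 and 11 by default on a UEFI Secure Boot machine (0, 2, 4, 11 on legacy BIOS), and extends PCR 11 itself immediately after reading the VMK so the same blob cannot be unsealed again later in that boot.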
 
Since I wrote that, I realised that there is also a new driver model, of which it seems Intel isn't supporting anything older than 8th gen.
Nah, it has nothing to do with Intel or AMD or drivers, otherwise Microsoft wouldn't be able to just suddenly include 7th gen Intel and 1st Gen Ryzen a day after they said they weren't supported. Microsoft is just cutting out support artificially.

And if it was Intel/AMD we'd have statements from them announcing they are going to have drivers for their processors that work with the new driver model and will work with Windows 11. Instead we got Microsoft saying they are re-evaluating their decision to exclude support for older processors.
 
I had a think about Microsoft's security requirements, and they aren't arbitrary.

Secure Boot requires UEFI, that comes in at 5th Gen in a patchy way I'm pretty sure, and was only default by 7th gen, and wasn't available on Piledriver or Bristol.

TPM 2 was only supported from 8th Gen and Zen+ and up.

Makes sense when looked at from a 50 foot view I guess, although time to include TPM 1.2 and anything that supports Secure Boot, which should extend down to some 5th gen parts.
Not correct.

Surface Pro 4 (with Core i5 6300U) has TPM 2.0, Secure Boot, UEFI mode, and a WDM 2.1 driver. BitLocker is in a ready state out of the box.

HP Envy x360 with Ryzen 5 2500U has fTPM (TPM 2.0), Secure Boot, UEFI mode, and a WDM 2.7 driver. The 14 nm Ryzen 5 2500U is very similar to the 12 nm Ryzen 5 3500U.

The attached screenshots show R5 2500U's and R9 3900X's TPM 2.0 via APU's fTPM.
 
Attachments: Ryzen 5 2500U.png, Ryzen 9 3900X.png
Nah, it has nothing to do with Intel or AMD or drivers, otherwise Microsoft wouldn't be able to just suddenly include 7th gen Intel and 1st Gen Ryzen a day after they said they weren't supported. Microsoft is just cutting out support artificially.

From Microsoft
Devices upgraded to Windows 11 will be in a supported and reliable state. By choosing CPUs that have adopted the new Windows Driver model and are supported by our OEM and silicon partners who are achieving a 99.8% crash free experience.

Yes, Microsoft IS cutting out support artificially and is currently letting CPUs that don't subscribe to the DCH standard run. It's almost like Microsoft is really good at this backward compatibility thing, but wants to ensure a certain security standard going forward. We technically saw the same thing with XP SP3 to Vista: XP SP3 brought in WDM 2.0, but it wasn't enforced until Vista. That change still broke tonnes of shit, as we all remember.

Surface Pro 4 (with Core i5 6300U) has TPM 2.0, Secure Boot, and UEFI mode.

HP Envy x360 with Ryzen 5 2500U has fTPM (TPM 2.0), Secure Boot, and UEFI mode.

The attached screenshots show R5 2500U's and R9 3900X's TPM 2.0 via fTPM.

Pretty certain that the SP4 has an offboard TPM not part of the CPU.
And didn't say anything about Ryzen 2nd gen, only first gen.

I think after all this back and forth however we can agree on one thing, Microsoft's messaging around this is fucking idiotic when we are still all sitting around trying to figure out what the actual reasons are behind min requirements.

I do think it boils down to three things now.

A: TPM 2.0
B: Secure Boot
C: DCH drivers.

The more I think about it though, Microsoft shouldn't have launched Windows 11, and instead set a final feature pack version for unsupported hardware with say a two year security update before EOL.
 