
Microsoft’s “chip-to-cloud Zero Trust” security promise for Windows 11 has become instantly controversial thanks to some unpopular decisions. Key among them: Requiring a TPM 2.0 security chipset, which could prevent millions of PCs from upgrading.
For those unfamiliar, TPM 2.0, or Trusted Platform Module 2.0, is a chip on a PC motherboard or some software code integrated into a modern CPU. It is designed “to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data,” as Microsoft describes it. And we first heard about this technology when Microsoft announced Longhorn in 2003. Today, TPM underpins Windows security features like Windows Hello and BitLocker drive encryption.
But with Windows 11, TPM—well, TPM 2.0 specifically—is going to play an even bigger role. It will establish the Zero Trust environment in PCs that Microsoft has wanted for years, creating a so-called “PC of the future” that can protect users “from the chip to the cloud” against not just malware and spyware but also ransomware and other attacks that can occur before the PC is even running Windows, such as at boot time.
Windows 11 will ship many other unique security technologies, including out-of-the-box support for Azure-based Microsoft Azure Attestation (MAA), virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), Secure Boot, and hardware-enforced stack protection (on supported Intel and AMD hardware only). And Microsoft and some of its top PC maker partners will offer PCs with the even more advanced Microsoft Pluton security processor, which will be integrated into new processors from Intel, AMD, and Qualcomm starting this holiday season.
But it’s TPM 2.0 that’s gotten all the press.
“With Windows 11, we’re making it easier for customers to get protection from advanced [hardware and firmware] attacks out of the box,” Microsoft’s David Weston explains in a post that describes Windows 11’s security features. “All certified Windows 11 systems will come with a TPM 2.0 chip to help ensure customers benefit from security backed by a hardware root-of-trust.”
That wording is interesting.
Many users have spent a frustrating couple of days trying to find out whether their PC is compatible with Windows 11 using Microsoft’s PC Health Check utility, which has proven dodgy, despite a few big updates. Does this mean that only new PCs running Windows 11 require TPM 2.0?
Maybe. And there is certainly some evidence to support this view, as Microsoft’s hardware compatibility pages for Windows 11 system builders list multiple CPUs from Intel and AMD that predate TPM 2.0. And all of Qualcomm’s PC-based chipsets make the cut, too. I’ve yet to hear from anyone who failed the PC Health Check literally because of TPM, though I suppose lack of Secure Boot capabilities is close enough. It looks like the “real” requirement, at least on the Intel side, is 8th-generation Core processors. Those are not particularly old.
Also, it appears that TPM 2.0 is a “soft” requirement and that TPM 1.2 is required to successfully run Windows 11 Setup. Maybe this requirement is even less onerous than we thought.
But there’s a more important point to consider: Even if TPM 2.0 is an ironclad requirement for Windows 11, who does this restriction really hurt? After all, Microsoft has required that all PCs that ship with Windows include and enable TPM 2.0 since 2016.
Given that, the TPM 2.0 requirement mostly just impacts two audiences: the relatively tiny number of enthusiasts who built their own gaming PCs and don’t have TPM 2.0-compatible motherboards, and those with computers that are more than 5 years old. Since that latter audience is far bigger than the other, one has to assume that at least part of this decision was aimed at triggering new PC purchases, which will help the industry better adjust to what will otherwise be a post-pandemic sales shortfall.
That’s understandable, as are the hard feelings from Windows enthusiasts who have bypassed TPM 2.0 either purposefully (in building a gaming rig) or inadvertently. And since the act of enabling TPM 2.0 in BIOS/firmware varies from PC to PC, just describing to normal people how they can do this is daunting or even semi-impossible. There will be confusion. I guess there already is.
Many believe that Microsoft can overcome these problems easily enough by dropping the TPM 2.0 requirement on upgrades. I initially landed on that side of the debate myself, but the more I think about it, the more correct I feel that Microsoft is to stick by this decision. It’s time to move the PC forward again.
Requiring TPM 2.0 and delivering on that “chip-to-cloud Zero Trust” security promise literally requires zero trust, not “sort of zero trust,” and if Microsoft lets in any non-compliant PCs then the system breaks. With Windows 10, Microsoft explained that it wanted to get all users, or at least as many as possible, on the most recent version because that was the only way to keep the wider community truly secure. With Windows 11, it is replacing those words with concrete action.
And the more I think about this, the more I keep coming back to that question about the impacted audience size. People who read this site and similar blogs are, by definition, technical, and we will be outspoken on topics like this even when they don’t impact us. (And many more will cite their need to support less technical friends and family as a justification for their outrage.) Maybe we need to dial it back a bit.
And Microsoft’s desire to help the PC industry is certainly understandable and laudable. After several years of dropping sales, the PC market flattened just ahead of the pandemic and then experienced temporary explosive growth during the pandemic. But with COVID-19 finally slowing down in many countries, that sales growth is going to fall and then flatten again, inevitably. And Microsoft simply giving away Windows 11 for free to all 1.3 billion Windows 10 users isn’t going to help with that at all. Whatever you think about the new Windows 11 user interface, the new Store, and the ability to run Android apps, I think most would agree that these changes aren’t enough to trigger PC market growth on their own.
But requiring that users buy a new PC when they’re currently relying on an aging PC that is 6 or more years old just might. As will the security story, which in Windows 11 will be more real than fantasy.
I guess we’ll see what happens. Microsoft’s inability to say no to any customer group could trigger the same type of concession that it’s made in the past. And if so, some minority of mostly technical customers will cheer the decision. But Windows 11, as a whole, will be no safer than its predecessor. And I’m not sure that’s the right direction for the PC.