TPM Outrage (Premium)

Microsoft’s “chip-to-cloud Zero Trust” security promise for Windows 11 has become instantly controversial thanks to some unpopular decisions. Key among them: Requiring a TPM 2.0 security chipset, which could prevent millions of PCs from upgrading.

For those unfamiliar, TPM 2.0, or Trusted Platform Module 2.0, is either a discrete chip on the PC motherboard or a firmware TPM (Intel PTT, AMD fTPM) that runs inside the security coprocessor of a modern CPU. It is designed “to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data,” as Microsoft describes it. And we first heard about this technology when Microsoft announced Longhorn in 2003. Today, TPM underpins Windows security features like Windows Hello and BitLocker drive encryption.

But with Windows 11, TPM (TPM 2.0 specifically) is going to play an even bigger role. It is the hardware root of trust for the Zero Trust environment Microsoft has wanted in PCs for years, the so-called “PC of the future” that can protect users “from the chip to the cloud” against not just malware and spyware but also ransomware and other attacks that can occur before Windows is even running, such as at boot time.

Windows 11 also builds on several other security technologies, including out-of-the-box support for Microsoft Azure Attestation (MAA), virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), Secure Boot, and hardware-enforced stack protection (on supported Intel and AMD hardware only, since it relies on CPU shadow stacks). And Microsoft and some of its top PC maker partners will offer PCs with the even more advanced Microsoft Pluton security processor, which will be integrated into new processors from Intel, AMD, and Qualcomm starting this holiday season.

But it’s TPM 2.0 that’s gotten all the press.

“With Windows 11, we’re making it easier for customers to get protection from advanced [hardware and firmware] attacks out of the box,” Microsoft’s David Weston explains in a post that describes Windows 11’s security features. “All certified Windows 11 systems will come with a TPM 2.0 chip to help ensure customers benefit from security backed by a hardware root-of-trust.”

That wording is interesting.

Many users have spent a frustrating couple of days trying to find out whether their PC is compatible with Windows 11 using Microsoft’s PC Health Check utility, which has proven dodgy, despite a few big updates. Does this mean that only new PCs running Windows 11 require TPM 2.0?

Maybe. And there is certainly some evidence to support this view, as Microsoft’s hardware compatibility pages for Windows 11 system builders list multiple CPUs from Intel and AMD that predate TPM 2.0. And all of Qualcomm’s PC-based chipsets make the cut, too. I’ve yet to hear from anyone who failed the PC Health Check literally because of TPM, though I suppose lack of Secure Boot capabilities is close en...
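Rather than trusting the PC Health Check verdict, a practitioner can read the same hardware facts directly. The following PowerShell is an added example (not from the article, and not Microsoft's tool); the function name `Test-Windows11HardwareBaseline` and its output fields are my own choices. It reports firmware type, TPM presence and spec family, Secure Boot state, and whether VBS/HVCI are running, using only built-in cmdlets and WMI classes. Run it from an elevated session, because `Get-Tpm` and `Confirm-SecureBootUEFI` require administrator rights.

```powershell
# Added example (not from the article): report the hardware-backed features
# Windows 11 checks for, without relying on the PC Health Check utility.
# Run from an elevated PowerShell session. The function name and output
# field names are assumptions of this example, not Microsoft's.

function Test-Windows11HardwareBaseline {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        FirmwareType   = 'Unknown'
        TpmPresent     = $false
        TpmEnabled     = $false
        TpmSpecVersion = 'n/a'   # Win32_Tpm.SpecVersion, e.g. "2.0, 0, 1.38" or "1.2, 2, 3"
        TpmIs20        = $false
        SecureBoot     = $false
        VbsRunning     = $false
        HvciRunning    = $false
        Failures       = @()
    }

    # 1. Firmware type. Secure Boot only exists on UEFI; a legacy-BIOS install
    #    fails the Windows 11 check even if the board could be switched to UEFI.
    try {
        $result.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType.ToString()
    } catch {
        $result.Failures += "Could not read firmware type: $($_.Exception.Message)"
    }

    # 2. TPM presence and spec version. Get-Tpm reports presence and enabled
    #    state; the WMI class Win32_Tpm carries the spec version string.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmEnabled = [bool]$tpm.TpmEnabled
    } catch {
        $result.Failures += "Get-Tpm failed: $($_.Exception.Message)"
    }

    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmiTpm -and $wmiTpm.SpecVersion) {
        $result.TpmSpecVersion = $wmiTpm.SpecVersion
        # SpecVersion is comma-separated; the first field is the spec family.
        # Only "2.0" satisfies the Windows 11 requirement.
        $family = ($wmiTpm.SpecVersion -split ',')[0].Trim()
        $result.TpmIs20 = ($family -eq '2.0')
    }

    if (-not $result.TpmPresent) {
        # A firmware TPM (Intel PTT / AMD fTPM) that is switched off in UEFI
        # setup shows up here as "not present", not as "disabled".
        $result.Failures += 'No TPM visible to Windows (discrete TPM missing, or fTPM disabled in firmware setup)'
    } elseif (-not $result.TpmIs20) {
        $result.Failures += "TPM is present but reports spec '$($result.TpmSpecVersion)', not 2.0"
    }

    # 3. Secure Boot. The cmdlet throws on legacy BIOS ("not supported on this
    #    platform"), which is itself a failing answer.
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.SecureBoot = $false
    }
    if (-not $result.SecureBoot) { $result.Failures += 'Secure Boot is off or unavailable' }

    # 4. VBS / HVCI. VirtualizationBasedSecurityStatus: 0 = not enabled,
    #    1 = enabled but not running, 2 = running. SecurityServicesRunning
    #    contains 1 for Credential Guard and 2 for HVCI. These are reported
    #    but not counted as failures: they are not a hard upgrade requirement.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        $result.VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }

    $result.Failures = @($result.Failures)  # keep an array even when empty
    return [pscustomobject]$result
}

# Usage: print the report, then exit non-zero if any hard requirement failed,
# so the same function can drive a fleet inventory script.
$report = Test-Windows11HardwareBaseline
$report | Format-List
if ($report.Failures.Count -gt 0) { exit 1 }
```

The one caveat worth knowing before blaming the hardware: on boards with a firmware TPM, the module is often disabled by default in UEFI setup, and in that state Windows reports no TPM at all rather than a disabled one, so a "TpmPresent = False" result on a recent Intel or AMD system usually means a firmware toggle, not a missing chip.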
