Non-Negotiable (Premium)

Negotiation complete

When Microsoft announced Windows 11 in 2021, it angered customers by raising the hardware requirements for the first time in several years. The change was seen as artificial, an overt attempt to goose PC sales. And when it shipped the first incomplete version of Windows 11 later that year, Microsoft was further criticized because there were no inherent advantages to the new platform, security or otherwise. Indeed, Windows 11 was full of functional regressions that ironically made Windows 10 more attractive to users and Windows 11 less desirable to those who had complained about the new system requirements.

But there is an alternative reality in which Microsoft’s decision to raise the system requirements was brave, not foolhardy. Or even long overdue. And it is this reality that the company is retroactively now touting–even bragging about–in its recent missives about the so-called Windows Resiliency Initiative (WRI), part of a company-wide effort called the Secure Future Initiative (SFI). To be clear, there’s an overt marketing angle to WRI and SFI: Microsoft is trying to overcome the bad publicity triggered by the back-to-back disasters of its embarrassing state-sponsored hack and the CrowdStrike incident. But it’s more than marketing.

Windows today is a mixed bag of good and bad. This isn’t a recent thing, but it’s been amplified in recent years. As I wrote previously, there have long been two Windows, or two Windows teams, one that focuses on the foundational underpinnings and one that supplies the front-end user interfaces, features, and capabilities that customers interact with each day. This has always been the case, dating back to NT and Windows 3.x. And while responsibility for the underpinnings has shifted over time–it’s with the adults in the Azure group now–there’s been a more horrible downward shift with the front-end, or what we think of–because they call themselves this–as the Windows team. I am of course referring to the steady enshittification of the product in recent years that undermines the user experience and, I think, the platform itself.

Some seem to struggle with this duality. But there’s no paradox here, just competing needs within the company expressing themselves simultaneously. Microsoft as a whole needs to correct its security problems, and so CEO Satya Nadella has directed each product team to focus first on security. But Microsoft as a whole is also strategically focused on AI and cloud computing. And where Windows was once the core product at the company, and then a core product, today it receives less attention from the senior leadership team than it perhaps deserves, given the several billion dollars in revenues it still generates each quarter. We all understand the chaos that’s resulted, with superfluous features added randomly and often with no testing, the net result being that the latest release, 24H2, is the least reliable, lowest quality version of Windows in the modern era.

But there is this duality. And when Microsoft revealed the Windows 11 system requirements three years ago, we saw it through the lens of the clown car that is the Windows client team. We pushed back. Because we saw it as negative.

But was it?

In the good old days of early 2015, Microsoft revealed that Windows 10 would have basically the same hardware requirements as its predecessor. But there is an interesting requirement in there that I–and, I suspect, many others–forgot about. For the initial release, a Trusted Platform Module (TPM) security chip was optional, and it could have been of the TPM 1.2 or 2.0 variety. But one year after Windows 10 RTMed–was “released to manufacturing”–this would change. At that point, in mid-2016, TPM 2.0 was to become a requirement.

Microsoft never made good on that requirement. Throughout the Windows 10 life cycle, one was able to install the product on any PC that met the minimum hardware requirements without issue. TPM was required for certain features–like BitLocker and BitLocker to Go in the Pro and higher SKUs–but it wasn’t needed to install Windows 10. And it’s not difficult to guess why. Microsoft’s goals for Windows 10 were many, but key among those goals was giving the user base–most of which ignored or hated Windows 8–an incentive to upgrade to a more modern version that didn’t suck. So the Windows 10 upgrade was free, and broadly so. In a world in which most customers had stuck with Windows 7, an OS that was first released in 2009, it just didn’t make sense to block upgrades.

By 2021 and Windows 11, however, things had changed. Windows 7 support had ended in early 2020. Windows 11, finally, would be 64-bit only. And the TPM 2.0 requirement that Microsoft originally intended to put in place five years earlier was now far more feasible. The International Organization for Standardization (ISO) standardized the TPM 1.1 specification in 2011, and then 2.0 in 2014. Indeed, TPM 2.0 is still the standard: This spec hasn’t been updated at all since 2019. Support for TPM 2.0 was officially added to Windows 7 via a hot-fix, and it was natively supported in Windows 8 from its initial release.

As important, TPM 2.0 has been a standard feature in PCs for years. PC makers had to include a TPM 2.0 chip in their systems in order to be certified for Windows 8.1 starting in late 2014 in part because it was required for Connected Standby. Outrage over this requirement in Windows 11, over six years later, feels misguided today. And yet complain we did. Within days of the Windows 11 reveal in mid-2021, Microsoft said that it would re-evaluate the minimum requirements of the platform in response to complaints. And then it said two months later that it would not make any meaningful changes.

The issue wasn’t really about TPM per se, at least from the perspective of Microsoft’s customers. It was about the vague cut-off line between supported and unsupported PCs. Put simply, PCs with an 8th-generation or newer Intel Core processor (or AMD Zen 2 processor) made the cut, while those with a 7th-generation or older Intel Core (or AMD Zen 1) processor did not. Put even more simply, the cut-off line was basically 2017-era processors. A time by which TPM 2.0 chips were standard on all mainstream PCs.

To placate enthusiasts–a vocal minority of technical users–Microsoft said it would allow them to install Windows 11 on unsupported hardware, a situation that continues to this day. As I wrote at the time, this was clearly the right decision: It protects the mainstream user base while silencing the critics. And this requirement didn’t impact most businesses. They weren’t upgrading to Windows 11 anyway.

But it’s almost 2025 and things are changing yet again. Windows 10 exits support next October, and so Microsoft this week decided it was time to “revisit” its decision to require TPM 2.0 as a “key minimum system requirement for Windows 11.” It is troublesome to me that we even need to have this conversation. But it’s also more defensible now than it was in 2021. Since then, Microsoft has upgraded Windows 11 three times, and the most recent version, 24H2, isn’t just a buggy mess thanks to the clown car that is the Windows team, it’s also a major architectural change. As important, Windows 11 now supports far more advanced security features, like Windows Hello Enhanced Sign-In Security (ESS), that collectively raise the bar and point to a far more secure platform going forward. Where the requirements of Windows 11 felt artificial and invented, they are today real.

Oddly, the Microsoft post revisiting this issue focuses almost entirely on the same points that Microsoft made back in 2021: TPM 2.0 enables Secure Boot, provides a broader range of cryptographic algorithms, encryption keys, and certificates than its predecessor, isolates its activities from the CPU, and enables BitLocker disk encryption. But I suspect this is because the post targets businesses, many of which will try to move forward on existing PCs.
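For readers who want to verify the points above on their own machines, here is an added example (not code from the article or from Microsoft) that reports the TPM, Secure Boot and BitLocker state Windows 11 depends on, using only built-in Windows cmdlets: `Get-Tpm`, the `Win32_Tpm` CIM class, `Confirm-SecureBootUEFI` and `Get-BitLockerVolume`. The function name `Get-Win11SecurityBaseline` is my own; the rest are real cmdlets and class names. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the article: summarize the platform security state
# behind the Windows 11 TPM 2.0 requirement. Requires an elevated prompt.

function Get-Win11SecurityBaseline {
    $state = [ordered]@{}

    # --- TPM: present, enabled, and speaking the 2.0 spec? ---------------
    # Get-Tpm (TrustedPlatformModule module) reports presence and enablement.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $state.TpmPresent = [bool]$tpm.TpmPresent
        $state.TpmEnabled = [bool]$tpm.TpmEnabled
        $state.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        # Cmdlet missing or no TPM device exposed to the OS at all.
        $state.TpmPresent = $false
        $state.TpmEnabled = $false
        $state.TpmReady   = $false
    }

    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.59" (spec, errata, revision).
    $cim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $state.TpmSpecVersion = if ($cim) { $cim.SpecVersion } else { $null }
    $state.Tpm20 = [bool]($state.TpmSpecVersion -like '2.0*')

    # --- Secure Boot: only meaningful on UEFI firmware -------------------
    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat an
    # exception as "not UEFI / not available" rather than as a hard error.
    try {
        $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $state.Uefi = $true
    } catch {
        $state.SecureBootEnabled = $false
        $state.Uefi = $false
    }

    # --- BitLocker on the system drive (Pro and higher SKUs) -------------
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $state.BitLockerProtection = [string]$vol.ProtectionStatus   # On / Off
        $state.BitLockerVolumeStatus = [string]$vol.VolumeStatus
    } catch {
        # Home SKUs lack the BitLocker module entirely.
        $state.BitLockerProtection = 'Unavailable'
        $state.BitLockerVolumeStatus = 'Unavailable'
    }

    # --- Verdict against the Windows 11 baseline -------------------------
    $state.MeetsTpm20Requirement = $state.TpmPresent -and $state.TpmEnabled -and $state.Tpm20

    # A modern board that reports no TPM usually has the firmware TPM
    # (Intel PTT or AMD fTPM) switched off in UEFI setup rather than no TPM.
    $state.Hint = if (-not $state.TpmPresent) {
        'No TPM exposed: check UEFI setup for Intel PTT / AMD fTPM / discrete TPM and enable it.'
    } elseif (-not $state.Tpm20) {
        'TPM found but not spec 2.0: firmware update or a 2.0-capable module is needed.'
    } elseif (-not $state.SecureBootEnabled) {
        'TPM 2.0 is fine; Secure Boot is off or the system is booting in legacy BIOS mode.'
    } else {
        'TPM 2.0 and Secure Boot are both active.'
    }

    return [pscustomobject]$state
}

# Usage: print the report as a property list.
Get-Win11SecurityBaseline | Format-List
```

The function deliberately swallows the "not supported on this platform" exceptions from `Confirm-SecureBootUEFI` and the missing-module error from `Get-BitLockerVolume`, because those failures are themselves the information an administrator wants: a legacy-BIOS boot or a Home SKU. The `Hint` field maps the most common outcome, a present-but-disabled firmware TPM, to the firmware setting Weston's video describes turning on.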

“TPM 2.0 is a non-negotiable standard for the future of Windows,” Steven Hosking argues in the money quote. “It helps future-proof Windows 11 … TPM 2.0 is not just a recommendation—it’s a necessity for maintaining a secure and future-proof IT environment with Windows 11.”

He’s right. Just as Microsoft was right as long ago as 2016 in trying to require this very necessary–but also very common–component in all PCs, a need that only becomes more pressing as Microsoft and others jam more and more AI capabilities into these devices. It’s astonishing to me that we’re still having this discussion. But we are.

“With Windows 11, we’re requiring TPM 2.0 on new installs by default,” Microsoft director David Weston adds in a related video. “Most computers built over the past five years come with this, sometimes the TPM chip has been turned off in the firmware, and we need you to enable it in the firmware to get the protections from it, and install Windows 11.”

If anything, he’s underplaying it. But I can’t wait to see what happens when Microsoft declares that today’s Copilot+ PC requirements become the new baseline for Windows moving forward. It’s only a matter of time. And then we can debate the same tired nonsense all over again.
