Does Windows 11 really need TPM? Perhaps not...
While there was undoubted excitement at the announcement of Windows 11's impending launch, there was also a great deal of confusion about system requirements. Concern built up around not only Microsoft setting the bar fairly high in terms of CPU generations, making many processors that are far from old essentially obsolete, but also TPM requirements.
Communication about Windows 11's reliance on the Trusted Platform Module (TPM) has been poor. Is it TPM 1.2 that's needed, or TPM 2.0? It depends on who you listen to and which documentation you read, even official Microsoft documentation. But it turns out that TPM may not be required at all, though only in certain circumstances.
The buzz around TPM has resulted in endless online searches as people try to find out what a Trusted Platform Module actually is, and also in a global shortage and price hikes as demand skyrocketed.
But the confusion is what's most apparent. Having initially suggested that TPM 1.2 was what Windows 11 needed, Microsoft then revised this so that TPM 2.0 was the minimum requirement. TPM 2.0 is what you will now see listed in Microsoft's Windows 11 requirements documentation.
This has upset many people who have discovered that computers bought relatively recently do not meet this requirement. But this is not necessarily going to be a stumbling block. As noted by Tom's Hardware, Microsoft sets out different possible scenarios in a PDF entitled "Minimum Hardware Requirements for Windows 11".
Head to section 3.6.1 of this document and you'll read the following:
All device models, lines or series must implement and be in compliance with the International Standard ISO/IEC 11889:2015 or the Trusted Computing Group TPM 2.0 Library and a component which implements the TPM 2.0 must be present and enabled by default.
The following requirements must be met:
• All TPM configurations must comply with local laws and regulations.
• Firmware-based components that implement TPM capabilities must implement version 2.0 of the TPM specification.
• An EK certificate must either be pre-provisioned to the TPM by the hardware vendor or be capable of being retrieved by the device during the first boot experience.
• It must ship with SHA-256 PCR banks and implement PCRs 0 through 23 for SHA-256. Note that it is acceptable to ship TPMs with a single switchable PCR bank that can be utilized for SHA-256 measurements.
• It must support TPM2_HMAC command.
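If you want to see how your own machine measures up against the items above, the following PowerShell script is an added example (it is not from the article or from Microsoft's document). It reads the TPM spec version and enabled/activated state from the Win32_Tpm WMI class, the readiness summary from Get-Tpm, and the endorsement key certificate status from Get-TpmEndorsementKeyInfo; all three are built into Windows 10 and 11 and need an elevated session. The SHA-256 PCR bank and TPM2_HMAC items are not exposed by these cmdlets, so the script does not check them.

```powershell
# Added example (not from the article): report whether this Windows machine meets the
# TPM-related items from section 3.6.1 quoted above. Run from an elevated PowerShell session.
# Assumes the built-in TrustedPlatformModule cmdlets (Get-Tpm, Get-TpmEndorsementKeyInfo)
# and the Win32_Tpm WMI class are available, as they are on Windows 10 and 11.

$report = [ordered]@{}

# Win32_Tpm reports the spec version the TPM implements, e.g. "2.0, 0, 1.38" or "1.2, 2, 3".
# No instance at all usually means there is no TPM, or it is disabled in the UEFI firmware.
$wmi = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
        -ErrorAction SilentlyContinue
if (-not $wmi) {
    Write-Host 'No TPM reported by Win32_Tpm (absent, or disabled in UEFI firmware).'
    return
}

$specMajor = ($wmi.SpecVersion -split ',')[0].Trim()
$report['Spec version']  = $wmi.SpecVersion
$report['TPM 2.0']       = ($specMajor -eq '2.0')        # the Windows 11 minimum
$report['Enabled']       = [bool]$wmi.IsEnabled_InitialValue
$report['Activated']     = [bool]$wmi.IsActivated_InitialValue

# Get-Tpm summarises readiness as Windows sees it (provisioned, self-test passed, not locked out).
$tpm = Get-Tpm
$report['Present (Get-Tpm)'] = $tpm.TpmPresent
$report['Ready (Get-Tpm)']   = $tpm.TpmReady

# Section 3.6.1 requires an EK certificate to be pre-provisioned by the vendor or retrievable
# at first boot. ManufacturerCertificates holds the vendor-provisioned chain; an empty
# collection means Windows would have to fetch it online during attestation setup.
$ek = Get-TpmEndorsementKeyInfo -ErrorAction SilentlyContinue
$report['EK present']          = [bool]$ek.IsPresent
$report['EK cert provisioned'] = ([int]$ek.ManufacturerCertificates.Count -gt 0)

# Print one line per check; $true/$false columns make the failing item obvious.
$report.GetEnumerator() | ForEach-Object { '{0,-22}: {1}' -f $_.Key, $_.Value }

# Not checked here: the SHA-256 PCR bank (PCRs 0-23) and TPM2_HMAC support, which these
# cmdlets do not expose; those need a TPM command-level tool rather than the WMI surface.
```

A machine that shows `TPM 2.0: False` but `Present (Get-Tpm): True` is the TPM 1.2 case the article describes, which the current requirements document rules out; `Enabled: False` with a 2.0 spec version points at a firmware setting rather than missing hardware.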
So far, nothing unusual. But the document then goes on to say:
A UEFI firmware option to turn off the TPM is not required. Upon approval from Microsoft, OEM systems for special purpose commercial systems, custom order, and customer systems with a custom image are not required to ship with a TPM support enabled.
In short, this means that it will be possible to install Windows 11 on systems that do not meet the normal minimum requirement specs, and lack TPM 2.0. The question is how this will be made possible -- and, indeed, why?
While the document says such installations will require "approval from Microsoft", it is hard to imagine that whatever method is involved in enabling Windows 11 to be installed on systems without TPM 2.0 will not leak. Whether there is a registry hack, a hidden setting, or some sort of patch, this will almost certainly be leaked or hacked. And this may, just may, force Microsoft to rethink its minimum requirements.
After all, if TPM 2.0 is not needed in all circumstances, is it really needed in any?