
TPMpocalypse; Microsoft singlehandedly destroys the TPM market

41 minutes ago, Radium_Angel said:

I get careless and download a keylogger, or worse, an encryption virus. How does the TPM protect me from this?

 

In other words, I'm having a hard time visualizing how the TPM improves security for me...

It won't protect from malware unless you're only running trusted code (S-Mode) from the store. Even then AV is not its function.

 

What this does is prevent someone scraping the cache or cloning the drive and the attempt to access secure websites. The TPM hardware won't match.

 

Even better, just use Bitlocker and no one can access the data without the TPM or recovery key if the PC or laptop is stolen.
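Added example, not part of the original post: a toy Python model (not a real TPM API, and not how BitLocker is implemented) of the sealing behaviour described above, where a disk key is bound to one chip and to the boot measurements. The class, the boot-stage strings and the PCR choices are constructed for illustration.

```python
import hashlib
import hmac
import os

PCR_COUNT = 24  # PC-client TPMs expose PCRs 0-23


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class ToyTPM:
    """Toy model only: a per-chip secret plus extend-only PCRs."""

    def __init__(self):
        self._seed = os.urandom(32)  # unique per chip, never exported
        self.reset()

    def reset(self):
        self.pcrs = [bytes(32)] * PCR_COUNT  # a power cycle zeroes every PCR

    def extend(self, index, image):
        # PCRs cannot be written, only extended: new = H(old || H(image))
        digest = hashlib.sha256(image).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def _wrap_key(self, indexes):
        # The wrapping key depends on this chip AND the selected PCR values.
        state = b"".join(self.pcrs[i] for i in indexes)
        return _mac(self._seed, bytes(indexes) + state)

    def seal(self, secret, indexes):
        if len(secret) > 32:
            raise ValueError("toy model seals at most 32 bytes")
        key = self._wrap_key(indexes)
        ct = bytes(a ^ b for a, b in zip(secret, _mac(key, b"enc")))
        return {"pcrs": list(indexes), "ct": ct, "tag": _mac(key, b"mac" + ct)}

    def unseal(self, blob):
        key = self._wrap_key(blob["pcrs"])
        if not hmac.compare_digest(_mac(key, b"mac" + blob["ct"]), blob["tag"]):
            return None  # different chip, or different boot measurements
        return bytes(a ^ b for a, b in zip(blob["ct"], _mac(key, b"enc")))


def boot(tpm, stages):
    tpm.reset()
    for index, image in stages:
        tpm.extend(index, image)


# Constructed boot chains: (PCR index, measured component)
GOOD_BOOT = [(0, b"firmware v1"), (4, b"bootmgr v1"), (7, b"secure boot policy")]
TAMPERED_BOOT = [(0, b"firmware v1"), (4, b"bootmgr PATCHED"), (7, b"secure boot policy")]


def demo():
    laptop = ToyTPM()
    boot(laptop, GOOD_BOOT)
    volume_key = os.urandom(32)
    blob = laptop.seal(volume_key, [0, 4, 7])  # the sealed blob lives on the disk
    boot(laptop, GOOD_BOOT)
    # Normal boot: key is released, and anything running afterwards can use it.
    same = laptop.unseal(blob) == volume_key
    other = ToyTPM()  # cloned drive attached to a different machine
    boot(other, GOOD_BOOT)
    cloned = other.unseal(blob) is not None
    boot(laptop, TAMPERED_BOOT)
    tampered = laptop.unseal(blob) is not None
    return {"same_machine": same, "cloned_drive": cloned, "tampered_boot": tampered}


if __name__ == "__main__":
    print(demo())
```

The first case is also why the chip is not antivirus: after a normal boot the measurements match, the key is released, and software that runs later in that session works with the unlocked volume.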


What I find funny is everyone (general public for sure) hates 10, but when a new version gets announced that's probably even more restrictive and privacy invading, everybody can't get it fast enough??

 

The craze for anything "new" is really astonishing and quite bizarre.

 

I get it, people aren't content, but apparently they also never learn lol.

 

 


9 hours ago, LAwLz said:

The thing is that just having a TPM doesn't make anything more secure. It has to actually be used for something to increase security.

So far Microsoft haven't really said HOW they are making Windows more secure or why TPM is required.

I don't think what and how Microsoft uses TPM has changed at all with Windows 11, and FYI hardware-level TPM 2.0 support has been a Windows certification requirement since 2016; this isn't actually new, other than Microsoft only allowing TPM enabled status to actually install.

 

Quote

Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the Minimum hardware requirements page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see TPM and Windows Features.

https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations

 

Quote
| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
| --- | --- | --- | --- | --- |
| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot |
| BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. Automatic Device Encryption requires Modern Standby including TPM 2.0 support |
| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
| Windows Defender Application Control (Device Guard) | No | Yes | Yes | |
| Windows Defender System Guard | Yes | No | Yes | |
| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. |
| Device Health Attestation | Yes | Yes | Yes | |
| Windows Hello/Windows Hello for Business | No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. |
| UEFI Secure Boot | No | Yes | Yes | |
| TPM Platform Crypto Provider Key Storage Provider | Yes | Yes | Yes | |
| Virtual Smart Card | Yes | Yes | Yes | |
| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
| Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. |
| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |

 

 

Also remember TPM itself is a standard defined by Trusted Computing Group (TCG) so it's largely up to them how TPM works and how to actually use it.

 

A lot of entities now mandate that TPM must be enabled now: NIST, PCI DSS. It's likely gotten to the point, with so many requiring it to be on and TPM integrated into all modern CPUs/chipsets, that it is just easier to only support TPM on now.


43 minutes ago, Vishera said:

Windows 11 is just a reskin of 10,

It's not, there seem to be some pretty major changes under the hood, like ARM support and Android app support (man, the latter will be great on a touchscreen laptop or 2-in-1).


4 minutes ago, Spindel said:

Hey just wait a minute. Is this really a problem?

 

Doesn't basically all hardware that isn't ancient have TPM already?

 

 

What do you mean by "ancient", and no?


11 minutes ago, Spindel said:

Hey just wait a minute. Is this really a problem?

 

Doesn't basically all hardware that isn't ancient have TPM already?

My Asus Rampage IV BE and 4930K does not, it's my current gaming computer and it works perfectly fine. Sure it's pretty old so I'm not actually annoyed it will not be supported and I should upgrade but other than TPM my system could have run Windows 11 perfectly fine.


I'm sorry to say this, but people like this are freaking retards and they are the reason we can't have nice things. Just because MS "thinks" all PCs should have TPM doesn't mean it's true; rather than holding out for a bit, which will make MS automatically drop this stupid thing, they go out in droves like mindless zombies buying this stuff... to the brink of extinction. Just how can they be so impulsively stupid?


10 hours ago, sof006 said:

I'd imagine it's an effort to make Windows more secure, adds a layer of encryption

I think they have literally said basically this. MS I guess doesn't want Windows to be able to get hacked as easily, so they are basically trying to force the market into adopting it so it becomes standard in any new device going forward and likely enabled by default. I think the last part is the thing they were striving for the most, as it's great that most new systems already have the ability to enable it, but I think Microsoft really wants it enabled by default. I mean, it does make one wonder why it isn't already?


Funny thing is that a lot of the people buying them probably don't even need one in the first place.

 

Many modern systems have a firmware-level TPM that's usually disabled by default in the BIOS for custom-built machines. It's a simple toggle assuming you're on GPT and in UEFI mode.

 

As for laptops, many of them should have it enabled. My Lenovo Yoga Slim 7i has everything enabled from the factory, from the TPM to the secure boot feature.


8 hours ago, leadeater said:

I don't think what and how Microsoft uses TPM has changed at all with Windows 11, and FYI hardware-level TPM 2.0 support has been a Windows certification requirement since 2016; this is actually new, other than Microsoft only allowing TPM enabled status to actually install.

If Microsoft aren't changing how the TPM is used then I think the new requirements are incredibly stupid. 

Barely anything in Windows requires a TPM, and the few things that does like Bitlocker and System Guard. 

 

I don't think Microsoft is raising the minimum requirements just so that some PCs will be able to turn on Bitlocker if they want, since it's a pretty niche feature to begin with (one that the home version doesn't even support). 

 

I am not sure why you bring up it being a requirement for the Windows 10 certified program since 2016. So what? That's a really short time (potentially cut off support for PCs older than 5 years) and that only applies to pre-built PCs and not self built or non-certified PCs. 

 

 

8 hours ago, leadeater said:

Also remember TPM itself is a standard defined by Trusted Computing Group (TCG) so it's largely up to them how TPM works and how to actually use it.

What do you mean? Don't try and shift the blame to the TCG like "Ohh yeah Windows doesn't use the TPM for much but that's not Microsoft's fault because it's a limitation of the TPM spec". If it's not used for much then why are Microsoft making it mandatory?

The TCG are not at fault here at all. They just made the spec. It's Microsoft that seems to be making it mandatory for lackluster reasons. I found a blog post about it from Microsoft and 90% of it is just fluff and buzzwords like how it "increases security from chip to the cloud".

 

What I would like to know from Microsoft is why it's now mandatory on a technical level. Not "it increases security" because that's just fluff that doesn't mean anything. 


The requirements for Windows 11 are absolutely ridiculous. Beginning with the TPM module requirement, then the 4GB RAM requirement (the netbook I have is 2GB only but runs Win10 just fine), and further, if it's a laptop it absolutely requires a "precision touchpad" and a bunch of other stupid things. How the frigging hell do I know if a touchpad is "precision" or not?! Like, surprise! when I want to install it? Or be left out for such a stupid reason?


1 hour ago, Brooksie359 said:

I think they have literally said basically this. MS I guess doesn't want Windows to be able to get hacked as easily, so they are basically trying to force the market into adopting it so it becomes standard in any new device going forward and likely enabled by default. I think the last part is the thing they were striving for the most, as it's great that most new systems already have the ability to enable it, but I think Microsoft really wants it enabled by default. I mean, it does make one wonder why it isn't already?

The problem I have is that Microsoft aren't telling us how it increases security.

A TPM doesn't magically make viruses and other malware infections less likely. Code has to be written to take advantage of the TPM in some particular way to increase security, and nothing Microsoft has announced talks about how they are doing things differently now. 

 

Apple were very upfront about exactly how the T2 was used. They wanted FDE on by default and if you want that to be properly implemented you need hardware based key storage. Microsoft on the other hand just seems to wave their hands and go "it's for security" when asked to explain their requirements. 

 

What I want to know is what piece of code or what function in Windows is now enabled by default that relies on a TPM being present. Microsoft has yet to answer that and until they do, they have not adequately explained why a TPM is suddenly a requirement for Windows 11.


25 minutes ago, LAwLz said:

If Microsoft aren't changing how the TPM is used then I think the new requirements are incredibly stupid. 

Well it's not actually new for OEM/ODM devices, the requirement actually only affects DIY. Since 2016 it's been a requirement that all devices pre-installed with Windows 10 have TPM 2.0 and it must be enabled.

 

"Omg this is new" is not correct. This is new for DIY.

 

25 minutes ago, LAwLz said:

So what? That's a really short time (potentially cut off support for PCs older than 5 years)

5 years is short? Really? Not at all, show me all the systems being sold today that are using 5 year old designs. In fact show me 3 year old designs with 3 year old chipsets and CPUs.

 

DIY is not the standard for what Windows should support or allow. Literally everything from Skylake onward can install Windows 11, anything older you can buy a TPM module. Support is not being cut, you are being very selective here. If you want to run Windows 11 on an older device you can buy a 3rd party TPM module and then you can install Windows 11.

 

TPM module is far, far, less cost than a new computer.

 

25 minutes ago, LAwLz said:

What do you mean?

You asked what Microsoft does with TPM; well, what they can do is as much as the features and functions TCG put into the specification, which then allows further feature design usage, like Credential Guard. Without TPM such a feature would have to be done and stored within the OS and its data structure; with TPM, credentials can be saved within an out-of-band security module.

 

25 minutes ago, LAwLz said:

What I would like to know from Microsoft is why it's now mandatory on a technical level.

Things do not require a technical reason to be mandatory. If 90% of shipping Windows devices must have TPM 2.0 enabled because of requirements outside of Microsoft then it follows rather simplistic logic that you may as well only support TPM 2.0 being enabled and cut out all code paths that allow it to be off.

 

Like people complain about all the legacy bloat in Windows yet never allow them to remove such things or optimize.

 

Is it easier to support two device models/mode or one?


4 minutes ago, LAwLz said:

Apple were very upfront about exactly how the T2 was used. They wanted FDE on by default and if you want that to be properly implemented you need hardware based key storage. Microsoft on the other hand just seems to wave their hands and go "it's for security" when asked to explain their requirements. 

So you didn't read the part at all where it lays out what each feature does then and which TPM version is required. You can go through the docs for every single feature, they have their own docs, and read how they work.

 

Microsoft isn't at all closed about this and not saying how things work, just go read the documentation.


People are so dumb, it's not even close to release, let alone even shown much. Also people how I see it everywhere tend to avoid stuff like OS upgrades especially early on, so yeah quite surprised about this nonsense. 


The real problem here is Microsoft's flip-flops and poor communication over it.

 

Previously, it was said that even CPUs older than Kaby Lake/Zen 1 and TPMs that are version 1.2, while not officially supported, would work. Now, it's changed so that only TPMs version 2.0 or newer and CPUs that are Intel 8th-gen and Zen+ or newer would explicitly work, and anything older just wouldn't without messing about with the setup.

 

Problem is that there's no explanation as to why all of these requirements exist, especially the CPU requirement. What's the explicit reason that support for Intel 7th-gen and Ryzen 1st-gen are being cut? The poor level of communication surrounding all of this is baffling, and honestly doesn't bode well for the OS when it launches, if they can't actually decide on requirements at this stage.


Still not sure why TPM should be required anyway... surely if someone has been doing without it up until now they don't particularly care about having it, and why should Microsoft be interested in changing that by force?


1 minute ago, Sauron said:

Still not sure why TPM should be required anyway... surely if someone has been doing without it up until now they don't particularly care about having it, and why should Microsoft be interested in changing that by force?

A more user-friendly approach would have been TPM to be required only on certain editions like Pro/Enterprise. But hey dreams are dreams.


1 minute ago, Murasaki said:

A more user-friendly approach would have been TPM to be required only on certain editions like Pro/Enterprise. But hey dreams are dreams.

I mean even then, that should be a problem for the company's IT department to manage. If they need TPM they should have it regardless of whether Windows requires it or not, and if they don't need it then I don't see why Windows should care.


42 minutes ago, D13H4RD said:

Problem is that there's no explanation as to why all of these requirements exist, especially the CPU requirement. What's the explicit reason that support for Intel 7th-gen and Ryzen 1st-gen are being cut? The poor level of communication surrounding all of this is baffling

Is it really though?  If you look at it from their perspective, there is no good answer to give.

 

Either the cutoff is arbitrary, or it's because the TEE logic on those chips isn't compatible with the latest TPM implementations.

 

So on 1 hand they would be admitting to a conspiracy to sell new computers.  On the other hand they would be admitting that anything up to and including 7th gen Intel and 1st gen Ryzen are too insecure to run W11, in which case Intel and AMD would probably appreciate their discretion.  Why do you think AMD hasn't come out themselves and clarified their position on Ryzen and W11?  Probably because they helped craft the W11 minimum cpu requirements in the first place........


20 minutes ago, Sauron said:

Still not sure why TPM should be required anyway... surely if someone has been doing without it up until now they don't particularly care about having it, and why should Microsoft be interested in changing that by force?

Security through ubiquity.  If every W11 machine is guaranteed to have TPM forced-on, it basically zeros the chances of a non-TPM system being deployed in an area it shouldn't be.  Yes if you are DoD or NSA or whoever, you should probably verify that your systems are running the security protocols you require.  But we are all human and stuff slips through the cracks.  W11 requiring TPM to function under all circumstances, even for enthusiast/gamers, guarantees a certain security floor for everyone.

 

Now maybe I should use the word "security" in quotes because it's certainly debatable whether all this crap is more secure than open source firmware/OS.  But the U.S. govt seems to think it is, so here we are. 


2 minutes ago, chebsy said:

Yes if you are DoD or NSA or whoever, you should probably verify that your systems are running the security protocols you require

Even that whoever list is probably much bigger than some may expect. Where I work which is just some university in some country both of which most realistically do not care about are mandated by our government laws and security standards as well as through our insurance company that certain standards and practices are put in place, like data and device encryption.

 

On the insurance side we get an audit every year by an independent audit company and this directly affects our insurance premiums, these requirements come from the international insurance underwriters.

 

Then we also have just our general security team's security policies they come up with.

 

In any case a lot more require and use TPM, and like I've pointed out already, anyone buying pre-built systems since 2016 has TPM enabled and on devices, though not necessarily TPM 2.0.

 

If all this really does come down to "Well most have it on now so we are requiring it for everything from now on", that's just as good of a reason as anything else. Bar has been raised, things will already meet it or be brought up to it, this is not automatically a bad thing.

 

Computer enthusiasts opinion on Windows:

25  Best Recent Memes of hate - AhSeeit


12 minutes ago, chebsy said:

Security through ubiquity.  If every W11 machine is guaranteed to have TPM forced-on, it basically zeros the chances of a non-TPM system being deployed in an area it shouldn't be.  Yes if you are DoD or NSA or whoever, you should probably verify that your systems are running the security protocols you require.  But we are all human and stuff slips through the cracks.  W11 requiring TPM to function under all circumstances, even for enthusiast/gamers, guarantees a certain security floor for everyone.

I guess... then again it could just issue a warning. And it doesn't really guarantee anything if someone's hardware just doesn't support it and they stick with 10 for another 5 years. It could just require it to be on if it detects that the system supports it and it's just disabled in the BIOS.


3 minutes ago, leadeater said:

Computer enthusiasts opinion on Windows:

25  Best Recent Memes of hate - AhSeeit

That's my secret Cap, I always hate Windows 😎
