TPMpocalypse; Microsoft singlehandedly destroys the TPM market

[chebsy]

5 hours ago, LAwLz said:

I don't think you understand what a TPM is or how it works.

Just having it does not "guarantee a certain security floor". TPM does absolutely nothing for an enthusiast or gamer if it isn't being used.

 

Like I've said all throughout this thread, TPMs aren't magic. It literally does not do ANYTHING unless the OS uses it in some particular way, such as for storing crypto keys. If the OS isn't set up to do that, then it is a waste of silicon. 

If your PC doesn't use one of these features, then the TPM is just sitting there doing nothing.

 

Please really need to understand that just having a TPM does not magically make their PC more secure. 

 

 

  

A TPM does not magically make your machine more secure.

Just having a TPM does not increase the "security threshold" unless it is actually used for something.

 

 

Unless you can explain to me exactly how the TPM requirement for Windows 11 increases security I'd greatly appreciate it if you could stop saying it raises the "security threshold", because it doesn't.

 

I appreciate the patronization. 

 

I suppose the only difference between our opinions is that I do not pretend to know exactly how W11 with implement and integrate TPM.

 

You are clearly convinced that it will do absolutely nothing if it isn't "used", whatever that means. 

 

I am merely suggesting that W11 might not give the option to "not use" TPM, therefor rendering your opinion moot. 

 

And again, whether TPM is actually secure or not is an entirely different discussion. 

 

Also I'm not even trying to shill or anything.  Personally I disable Microsoft Defender in group policy, and don't even have a password on my PC.  I'm a terrible advocate for computer security, I will turn it off if given the chance.  I am only playing devil's advocate because a lot of you are completely incapable of considering different perspectives. 

[LAwLz]

6 hours ago, leadeater said:

I agree that there are bad aspects of Microsoft's communication, what I disagree with your statement is that Microsoft does not tell you what features use TPM or how they work as they certainly do both. I don't know if they have changed in Windows 11, I don't think they have as of yet but they very well could in later builds before RTM or post RTM.

You're talking out of both sides of your mouth right now.

You can't say Microsoft have been clear with what features use the TPM, and then in literally the next sentence say you don't know what Windows 11 features will use the TPM.

Microsoft has released info about what Windows 10 might use a TPM for, but not what Windows 11 will use the TPM for. That's a big difference and the reason why I am saying Microsoft's communication has been so bad. 

 

This is essentially how our conversation has gone:

Me: I want Microsoft to tell us why a TPM is required for Windows 11. What has changed between 10 and 11 that makes it require a TPM.

You: Microsoft are clear in their communications! Stop saying they aren't. Here is a link to optional features in Windows 10 that uses the TPM.

Me: Yes but I asked for what was different about Windows 11 and why it requires a TPM. I already know what Windows 10 uses it for but in Windows 10 it was optional. I wonder why it isn't optional anymore. Microsoft hasn't said why yet.

You: Stop saying they aren't telling you. They told you what it was used for in Windows 10.

Me: But I'm asking about Windows 11! Why is it required in Windows 11?

You: In Windows 10 it is used for things like Windows Hello.

 

See why I am getting frustrated? Can you link me to documentation which explains why Windows 11 requires a TPM. What features that relies on a TPM will be enabled by default and why it is so important that even the home version has it? Because that's the questions I want answered, and why I am frustrated that Microsoft won't tell us.

I do not give two shits about what features in Windows 10 can take advantage of a TPM because:

1) I already know that.

2) A TPM wasn't required for Windows 10 so something should have changed, and we don't know what yet. I want to know what has changed and why on a technical level. Not some marketing fluff like "it helps bring security to the chip and the cloud" or whatever BS Microsoft published after the keynote.

 

 

6 hours ago, leadeater said:

If every device running Windows 11 has TPM and it's actually enabled Microsoft could, or may have already, removed the existing capability for features that don't currently require TPM but can use it if present and enabled to work without TPM. Some features do require TPM, some do not, however the ones that do not but can use TPM 1.2 or 2.0 are actually considered more secure than utilized without, and that's not even Microsoft saying that.

Can you link me to some of those features that will be enabled by default in Windows 11?

Mandatory hardware requirement for optional software features that aren't even enabled by default sounds like a really stupid limitation. What's next, Windows 12 Home will only work on ECC RAM because some people running Windows 12 on a server might benefit from it?

 

 

6 hours ago, leadeater said:

Biometric data (finger print, picture etc) should not be stored within Windows, Windows Hello (not just business version) can store this in TPM. Windows Hello without TPM does not attain any of the security standards accreditations and certain levels cannot be attained if it's capable of disabling TPM and it falls back to just within the OS.

But Windows Hello is an optional feature that a lot of people don't use. 

Also, the reason why a TPM is useful for Windows Hello for Business is because Hello for Business uses asymmetric encryption and that the private key is stored in the TPM. The non-business Windows Hello version uses symmetric encryption so there is no key to store.

Also, the biometric data is NOT stored in the TPM. A TPM can not store things like fingerprint data or facial recognition data. It's not in the spec. If you don't believe me you can try it for yourself. Enable Windows Hello (non-business) and set it up. Then clear your TPM. You will still be able to login with Windows Hello.

 

6 hours ago, leadeater said:

In bold. fall back to Windows 10 information, it's that or better. So my point was and is they have told you i.e. go and read it.

But the Windows 10 information clearly doesn't apply to Windows 11 because in Windows 11 it is now mandatory and in Windows 10 it was optional. Something has changed (or should have changed) if they suddenly say "Windows won't work without a TPM".

Did they just make it mandatory for shits and giggles or is there any actual, technical reason for why it is mandatory? We don't know because Microsoft aren't telling us.

[RejZoR]

I ran that PC health Tool that's suppose to tell me if system will run Windows 11. Well, the stupid app doesn't even launch. It just seems like it runs the installer again when you run it and then nothing happens. LOL?

[LAwLz]

6 hours ago, leadeater said:

And that's where you've gotten lost, technical reason are not the only good reason. You can technically store passwords in plain text, there is no technical reason this cannot be done. There is a non technical reason why you shouldn't do this, and no don't try and justify it with technical reason as to why not doing so is better. That is a technical solution to a non technical issue. Big difference.

Yes, technical reasons are the only good reasons to make something mandatory.

There are technical reasons for not storing passwords in clear text.

"Storing passwords as hashes instead of clear text increases security by not making passwords extractable". That is a technical reason.

 

Don't confuse "technical reason" for "technical requirement".

 

 

6 hours ago, leadeater said:

Don't cripple your software or security to support legacy hardware that doesn't support modern security implementations. Why have Secure Boot without TPM when you can have Secure Boot with TPM. And if I go down your line of must having technical reasons then there you have one, the technical aspects of Secure Booth with TPM over without it.

Not having a TPM is not "legacy", nor does supporting machines without TPMs "cripple software".

For example GNU/Linux which is arguably far superior to Windows in terms of security can use TPMs more often than Windows and also supports machines without TPMs.

 

Also, Secure Boot does not use a TPM.

You might be confused because features like Credential Guard states that they use a TPM, and Credential Guard is involved in the Secure Boot process. But that's not the same as Secure Boot using a TPM. Secure Boot relies on the public keys of firmware and EFI modules being present in the UEFI firmware, not in a TPM. A lot of the secure boot process takes place before hardware (such as the TPM) has even been initialized. So it would not make any sense if Secure Boot used the TPM.

[Brooksie359]

21 hours ago, Radium_Angel said:

Ok, so let me ask you this, my system is locked down via TPM and HelloFace or whatever other crap is "required" by MS.

I get careless and download a keylogger, or worse, an encryption virus. How does the TPM protect me from this?

 

In other words, I'm having a hard time visualizing how the TPM improves security for me...

That is an absolute terrible example and conclusion. That's like saying why get the flu shot when it can't protect against cancer. Just like the flu shot TMP isn't meant to protect against everything. 

[Zodiark1593]

3 hours ago, StDragon said:

Never followed him myself; and with such a snarky ass comment as that, I don't think I will.

BTW, next time link to the source  

 

https://twitter.com/thurrott/status/1408116438460682242

 

I thought I made early morning hot takes at times. This hot take is pretty brutal. 

[LAwLz]

6 hours ago, leadeater said:

That as far as I'm aware until there is counter factual information devices without the required TPM support can buy a TPM module and then be able to install Windows 11. It's not a dead end like you've said it is. I could be wrong, you could also be wrong. That information is not clear yet. All I know for sure is Windows 11 check for TPM presence and it's enabled and near as much any computer is possible of passing that check it's just that it might require $30-$50.

 

Otherwise continue to run Windows 10, you don't have to or need to run Windows 11 yet.

I have the fTPM enabled on my Ryzen desktop, and my laptop has a TPM module in it. So I won't be affected by the TPM requirement. But just because I am not affected doesn't mean I am curious WHY it is a requirement.

 

 

7 hours ago, leadeater said:

If you think DIY represents 10% or more of the PC sales market then I think you might have you head a little too far in to the clouds. Honestly did not expect this to be contested, unless you're confusing shipping with existing.

What I am saying is that I do not think 90% of all PCs in the world has a TPM module. If we look at the best selling computers on Amazon then I think you'll find that 90% is probably a high estimate as well for the amount sold with TPMs.

If you're wondering, the Mac Mini M1 with 8GB of RAM is the best selling desktop on Amazon.

The second best selling is a HP Elite Desktop with what seems to be a Broadwell processor.

 

Not everyone who buys a new PC buys the latest model released. In fact, most of the computers on Amazon's best selling list are not using the latest hardware. Some of them are old models released years ago. 

That's also if we don't count all the computers sold without a TPM before Microsoft made it mandatory (but not a requirement to run) Windows 10.

 

 

7 hours ago, leadeater said:

Rubbish, I challenge you to prove that the T2 was demanded by customers. And I mean specifically T2 and how it's implemented, not just "better security". Apple did this of their own will through their design process and focus on making secure devices.

 

Windows is now requiring TPM through their own design process and focus on improving security standards.

 

The double standards here is neck breaking.

I think you misunderstood what I meant. I wasn't saying "Apple did it better than Microsoft". I made a comparison with Apple because I think both of them are doing the same thing. There is double standard here because I am not defending Apple.

 

I'm trying to illustrate that saying "if 90% of computers sold with it already has it then you might as well make it mandatory" is a bad argument when Microsoft were the ones reason why 90% of computers sold allegedly has it.

I am questioning Microsoft's decision to make it mandatory for Windows 10 certification to begin with, and I am heavily questioning the chose to not let Windows 11 run on a computer without it.

 

It's circular logic to point to "90% of computers has it" as an argument for why it should be okay to make it mandatory, because the reason why "90% of computers has it" is because it was made mandatory.

 

 

7 hours ago, leadeater said:

Yes they do, cut that out you're spreading false information.

No I am not. You're the one who is spreading misinformation by saying some features use it when they don't, as I have pointed out above.

[LAwLz]

6 hours ago, leadeater said:

Windows Hello is supported on Home edition.

Device Encryption is supported on Home edition (standard Bitlocker is not and isn't the same actual feature).

Secure Boot is supported on Home edition.

 

It's not 9/10 and that's not even including Windows Pro which is sold on consumer devices, which supports a lot more of the features that utilized TPM.

Windows Hello (non business) does not use the TPM.

Biometric data is not stored in the TPM as I said earlier (not supported by the standard) and the encryption key is not stored in the TPM either because Windows Hello (non business) uses symmetric encryption so there is no key to store.

 

Device encryption does use the TPM, I'll give you that.

 

Secure Boot does not use the TPM. Secure Boot's public keys are stored in the UEFI firmware because they are needed before other hardware (such as the TPM) is even initialized. Storing the public keys for the EFI and firmware on a TPM would not make any sense because the secure boot process would not be able to access the keys when necessary.

 

 

I am not the one who is spreading misinformation about what TPMs are used for. You are.

[LAwLz]

5 hours ago, StDragon said:

It's either because of fTPM support, or specific Spectre mitigations that can only be coded with certain generations of CPUs. Just a wild guess.

5 hours ago, D13H4RD said:

The latter seems more plausible. fTPM was already a thing in those generations of CPUs, iirc. I know my ASUS GL502 that has a 7700H has a TPM inside.

Yep, it's not because of fTPM support. Because:

1) Windows 11 doesn't require an fTPM. Any TPM (2.0) will do, including a hardware module which exists for processors before Zen 1 and 8th gen Intel.

2) Zen 1 processors like my 1700X (not supported according to Microsoft) has a fTPM.

 

If I had to guess then I'd say the cut-off for processors are either, as you said, something to do with Spectre, or it might just be an easy way for Microsoft to cut off older computers they think might not be powerful enough.

It's easier to say "no Ryzen 1000 series supported" than to say "some Ryzen 1000 processors are supported but not some Ryzen 2000 processors".

It's easier to just say "nothing before X" and draw a clear cut line, than to try and figure out which individual processor should or shouldn't be supported.

 

Another guess would be that Windows 11 uses some instructions that are not present on those older processors, but I haven't looked into which instructions were new with Zen+ and 8th gen Intel that weren't present on the older generations. Also, I think it would be a hard requirement and not just give you a warning if that was the case, since your OS would constantly crash because of it.

[D13H4RD]

2 minutes ago, LAwLz said:

If I had to guess then I'd say the cut-off for processors are either, as you said, something to do with Spectre, or it might just be an easy way for Microsoft to cut off older computers they think might not be powerful enough.

It's easier to say "no Ryzen 1000 series supported" than to say "some Ryzen 1000 processors are supported but not some Ryzen 2000 processors".

It's easier to just say "nothing before X" and draw a clear cut line, than to try and figure out which individual processor should or shouldn't be supported.

Apparently, according to some Microsoft department heads on Twitter, it's got nothing to do with security. 

 

It's about the "experience". 

 

Yeah, this will not go down well at all. 

[LAwLz]

5 hours ago, gjsman said:

I used to follow this Windows pundit who was talking about Windows development, but with recent events he has shown himself to be a Microsoft shill to unbelievable proportions. This tweet is unbelievable.

 

-Snip-

This is not photoshopped. It's on his feed right now.

 

I listen to Paul on Windows Weekly and I still like him, even if I think that tweet was idiotic.

I don't listen to him because I think he is an all-knowing deity regarding Microsoft and always gets things right, but because I think he sometimes have interesting ideas and thoughts, on top of some good tips.

Same with Mary Jo. Her finding job listings from Microsoft referencing unreleased products? Interesting and educational. Her ideas of what those unreleased products might be and how they will work? Also interesting although I often find that I don't agree with her and think she might be wrong.

 

For example Mary Jo said that she thought Windows 11 would not replace Windows 10. I thought that was a silly idea but it's not like I completely stop listening to her thoughts and findings just because she sometimes says things I don't think are true.

 

 

4 hours ago, StDragon said:

Never followed him myself; and with such a snarky ass comment as that, I don't think I will.

I think he is pretty good on Windows Weekly. I don't think he is a Microsoft shill either. He often ruthlessly criticize Microsoft, especially when it comes to things like UWP and their horrible communication skills.

I think he has a bad take on the TPM requirement but it's also easy to understand why someone who doesn't build his own computers, and constantly get sent brand new computers for free would think this way.

 

"What? People don't replace their laptops every 3 months with the new one HP/Dell/Lenovo/Microsoft sent them for free?"

-Paul, probably.

 

 

3 hours ago, Mark Kaine said:

And we dont even know the implications of this all, as in what if your hardware breaks leaving you with tons of "secured" aka encrypted data, etc*. Also we dont know if this'll actually be a final requirement and not just for the "leaked" (*nudge nudge wink wink*) version  (or do we?)

It doesn't seem like BitLocker or device encryption will be mandatory, or even turned on by default, so it should be fine.

I don't think your conspiracy theory is true.

 

 

3 hours ago, Brooksie359 said:

I was actually reading an article about this and I remembered Microsoft did sorts say how it would help. Obviously TMP won't magically make windows immune to virus and malware but they did say it made memory based attacks much more difficult from my understanding. Granted I would have to look up the article again to remembered the exact wording so hopefully I didn't misinterpret what they said. Regardless I doubt they would be pushing this so far for no reason entirely. 

Interesting. I'll have to look into that.

TPM is used for some memory protection but I am not aware of any that would be useful for the Home edition, or that would be enabled by default.

[StDragon]

9 minutes ago, D13H4RD said:

Apparently, according to some Microsoft department heads on Twitter, it's got nothing to do with security. 

 

It's about the "experience". 

 

Yeah, this will not go down well at all. 

If that's the case, then MS can experience my 

[Radium_Angel]

39 minutes ago, Brooksie359 said:

That is an absolute terrible example and conclusion. That's like saying why get the flu shot when it can't protect against cancer. Just like the flu shot TMP isn't meant to protect against everything. 

The last line about having a hard time visualizing how TPM improves security for me?

That's the key. 

 

MS is making it mandatory...what I"m asking is why? What does having the TPM enabled offer me?

[LAwLz]

2 hours ago, chebsy said:

I appreciate the patronization. 

 

I suppose the only difference between our opinions is that I do not pretend to know exactly how W11 with implement and integrate TPM.

 

You are clearly convinced that it will do absolutely nothing if it isn't "used", whatever that means. 

 

I am merely suggesting that W11 might not give the option to "not use" TPM, therefor rendering your opinion moot. 

 

And again, whether TPM is actually secure or not is an entirely different discussion. 

 

Also I'm not even trying to shill or anything.  Personally I disable Microsoft Defender in group policy, and don't even have a password on my PC.  I'm a terrible advocate for computer security, I will turn it off if given the chance.  I am only playing devil's advocate because a lot of you are completely incapable of considering different perspectives. 

I don't pretend that I know how Windows 11 will use the TPM either. That's actually why I am upset at Microsoft, because I don't know and Microsoft aren't telling us.

 

I am convinced that it does absolutely nothing if it isn't used. I am convinced because that is the truth. If you want an analogy, a TPM is basically a safe. Like one of these that you can have at home:

 

Just having a safe in your home doesn't protect you from burglars. You have to actually put something in the safe for it to be effective.

If we keep with the safe analogy, this is what has happened.

Microsoft: Okay, everyone needs to get a safe for their homes now.

Me: Okay, but why?

Microsoft: Because it's a security feature. Having a safe at home makes you safer.

Me: Okay I get that, but what do you want us to put in the safe? Having an empty safe at home doesn't really protect me.

Microsoft: A safe protects you from burglars.

Me: Yes but it doesn't provide protection unless there is something inside it. So what do you want us to put inside it?

Microsoft: So yeah, everyone needs a safe now because we say so. 

 

 

2 hours ago, chebsy said:

I am merely suggesting that W11 might not give the option to "not use" TPM, therefor rendering your opinion moot. 

Yes and I am thinking it might not give us the option to not use a TPM as well. That's what I find frustrating. That we aren't sure what Microsoft are planning and they aren't telling us.

 

 

I'm sorry if I was patronizing but it feels like a lot of people who do not know the first thing about TPMs are suddenly waving their hands telling everybody that it will make them more secure and whenever I ask "how" or "why" I get a bunch of incorrect info (like from leadeater) or non-answers like "because TPMs make you more safe".

[LAwLz]

38 minutes ago, D13H4RD said:

Apparently, according to some Microsoft department heads on Twitter, it's got nothing to do with security. 

 

It's about the "experience". 

 

Yeah, this will not go down well at all. 

Is that serious? Because that's what I was worried about. 

Can you find the tweet? I am looking for it right now, but there are a lot of Microsoft employees on Twitter.

 

I don't understanding how it will improve the "experience" either.

 

 

Edit:
I think I found the tweet you're referring to, although it doesn't really align with what you said.

It's from David Weston which is the "director of enterprise and OS security in Azure Edge and Platform".

 

He says that the CPU requirement is for "experience reasons" but the TPM requirement is for other reasons (that he hasn't disclosed in any of his tweets).

This is the type of fluff Microsoft answers with when pressed why a TPM is required:

Quote

The new set of hardware security requirements that comes with this new release of Windows is designed to build a foundation that is even stronger and more resistant to attacks on certified devices

None of that actually means anything. It doesn't give us any info about why or how it will be used which is so frustrating.

 

 

Edit 2:

I found this blog post from Microsoft which seems to suggest that TPM 2.0 is not a requirement for the dev build of Windows 11. It says that it will be possible to install the dev and beta channel for Windows 11 even if you do not meet the hardware requirements for Windows 11.

[Forbidden Wafer]

1 minute ago, LAwLz said:

Is that serious? Because that's what I was worried about. 

Can you find the tweet? I am looking for it right now, but there are a lot of Microsoft employees on Twitter.

 

I don't understanding how it will improve the "experience" either.

Microsoft is repeating EA's "Pride and accomplishment" moment.

[chebsy]

4 minutes ago, LAwLz said:

people who do not know the first thing about TPMs are suddenly waving their hands telling everybody that it will make them more secure

But you are doing the same thing in reverse, telling people that TPM won't inherently make anything more secure. 

 

Nobody knows the extent to which W11 will force TPM and utilize it.  Maybe people's worst fears that it will be used for DRM are true.  I don't know, you don't know, so stop telling people that it is "useless".  Just because you might not like TC-DRM, doesn't mean it isn't "useful" in the strictest definition of the word.  It just happens to be "useful" to copyright holders and not consumers.

[Forbidden Wafer]

TPM isn't even that important. Seems like the 8th Gen Intel and 2nd Gen Ryzen are really required. They're throwing most PCs under the bus.

[StDragon]

3 hours ago, Brooksie359 said:

Obviously TMP won't magically make windows immune to virus and malware but they did say it made memory based attacks much more difficult from my understanding. Granted I would have to look up the article again to remembered the exact wording so hopefully I didn't misinterpret what they said. Regardless I doubt they would be pushing this so far for no reason entirely. 

Memory Integrity? It's a subset feature of Core Isolation.

 

https://www.howtogeek.com/357757/what-are-core-isolation-and-memory-integrity-in-windows-10/

 

It's been stated in that article that Memory Integrity will be disabled by default on PCs that upgraded to build 1803. But going forward all newer installations of Windows 10 will have it enabled. Well, when I built my new AMD PC with build 2004 (clean install) it never enabled that feature. In addition, it's still disabled by default within a Windows 11 VM... 

 

That said, if it's enabled and turns itself off, it could be because of an incompatible device driver. So going back to my example of Windows 11 VM, go figure; it's confounding. Maybe it's because I install VMWare tools on it???  I'll have to revisit this later.

 

 

[LAwLz]

6 minutes ago, chebsy said:

But you are doing the same thing in reverse, telling people that TPM won't inherently make anything more secure. 

But it won't, unless it is actually used for something which we don't know yet.

Just having a TPM does not inherently make your PC more secure just like having a safe in your house doesn't make your house more secure. You need to actually use it (like putting something in it) in order for it to do anything. 

 

People like you are saying: TPMs make you more secure!

I am saying: A TPM doesn't magically make your PC more secure. It will make it more secure if Microsoft uses it for something but so far they have not told us if it will even be used for anything. If it isn't, then it won't improve security.

 

8 minutes ago, chebsy said:

Nobody knows the extent to which W11 will force TPM and utilize it. 

Yes and that's the problem I am having with the requirement. They say they require it but won't tell us why. That is the entire reason why I am so frustrated with Microsoft.

Their attitude of "because we say so" is not how you do security. Security is about transparency and understanding, and right now Microsoft are essentially giving anyone who asks them why TPM is required a big middle finger.

 

 

10 minutes ago, chebsy said:

I don't know, you don't know, so stop telling people that it is "useless".

I will keep telling people that TPMs are useless IF they are not used by some feature. Because that is the truth.

Just like an empty safe doesn't provide you any protection from burglars, a TPM that is not used by some function provides 0 additional protection. This is very important to understand so I will keep repeating it until people stop acting like just having a TPM make your computer more safe. It doesn't. 

 

 

12 minutes ago, chebsy said:

Just because you might not like TC-DRM, doesn't mean it isn't "useful" in the strictest definition of the word.  It just happens to be "useful" to copyright holders and not consumers.

What? Why are you bringing up TC-DRM? Nobody in this thread has mentioned that.

Is that what you think the TPM will be used for? I understand how a TPM could be used to enforce DRM but I am not too worried about that. There are other ways Microsoft could force DRM into Windows if they wanted, that wouldn't have to rely on a TPM.

[Mark Kaine]

50 minutes ago, D13H4RD said:

Yeah, this will not go down well at all. 

as i already said, no it wont. kinda reminds me of dx12 which was an utter failure and embarrassment for ms initially, but they did stick to "make it happen" and still not many games support it, with varying success.

 

This is the same thing i feel, since 2015 they want "secure chip" to happen and now theyre just trying to force it.

 

They know its a risk, but theyre also in a position they can take that risk, and Im also not convinced they arent going to do a 180 on these "requirements".

 

[D13H4RD]

21 minutes ago, LAwLz said:

 

Snip 

 

Honestly, I'm just as baffled as you are. This is confusing, as if it needs to be even more so.. 

[LAwLz]

18 minutes ago, StDragon said:

Memory Integrity? It's a subset feature of Core Isolation.

 

https://www.howtogeek.com/357757/what-are-core-isolation-and-memory-integrity-in-windows-10/

 

It's been stated in that article that Memory Integrity will be disabled by default on PCs that upgraded to build 1803. But going forward all newer installations of Windows 10 will have it enabled. Well, when I built my new AMD PC with build 2004 (clean install) it never enabled that feature. In addition, it's still disabled by default within a Windows 11 VM... 

 

That said, if it's enabled and turns itself off, it could be because of an incompatible device driver. So going back to my example of Windows 11 VM, go figure; it's confounding. Maybe it's because I install VMWare tools on it???  I'll have to revisit this later.

 

 

Memory integrity might be a reason why Windows 11 requires TPM 2.0.

Maybe they will make memory integrity mandatory? It doesn't require a TPM but becomes more secure with it. If they make that mandatory in Windows 11 then I can kind of see why they would want TPM 2.0 to be a requirement. Although I think that's very ham-fisted. I also don't think making it a requirement is a good idea since, as the how-to-geek article says, it breaks some drivers. Microsoft are so aware of this they even made the feature silently turn off if it runs into errors. Making it mandatory might cause a lot of issues for people.

Also, does it even work in the Home version of Windows? Windows 10 Home doesn't have Hyper-V support and Memory Integrity relies on Hyper-V. 

 

Also, it solve the reason why I am upset with Microsoft. We shouldn't have to sit here on an Internet forum and guess why they are pushing the requirements they are pushing. Why not just tell us?

 

Great finding by you and @Brooksie359 though.

[StDragon]

26 minutes ago, LAwLz said:

Memory integrity might be a reason why Windows 11 requires TPM 2.0.

Maybe they will make memory integrity mandatory? It doesn't require a TPM but becomes more secure with it. If they make that mandatory in Windows 11 then I can kind of see why they would want TPM 2.0 to be a requirement. Although I think that's very ham-fisted.

 

Also, it solve the reason why I am upset with Microsoft. We shouldn't have to sit here on an Internet forum and guess why they are pushing the requirements they are pushing. Why not just tell us?

 

Great finding by you and @Brooksie359 though.

I'm still unclear though how TPM involves kernel isolation via virtualization .

That said, I tried enabling it on my WIndows 11 VM, and it remained "off" after a required reboot. However, when I enabled it on my physical AMD PC, it shows now as being on.

 

I've since dropped BitDefender AV on this one computer and I'm rolling with Windows Defender. It's not that I had any issues with BitDefender; quite the contrary, it's very effective. I was just worried that Windows Defender wasn't providing enough protection via URL interception and definition updates. Though at a system OS level, Windows Defender is more tightly integrated, so there's that aspect of it.

Hopefully I don't run into performance or reliability issues with Memory Integrity. If I do, I'm turning it back off. Consider this me dipping my toes in these waters in preparation for Windows 11 usage.

 

EDIT: For those wondering, I'm running Windows 10 Pro (21H1)
EDIT2: The Windows 11 VM couldn't have Memory Isolation enabled because the Virtualization Engine wasn't passing through AMD-V/RVI.

Note: Once you enable Memory Integrity on the host machine, it prevents being able to pass through the CPU via Virtualization engine in VMWare Player. Ditto for any other Type 2 hypervisors. Not a bug, just a nature of the functionality. If you need these advanced virtualization features, you must turn off Memory Integrity on the host.

Edited June 26, 2021 by StDragon

[NumLock21]

29 minutes ago, LAwLz said:

TPM does not inherently make your PC more secure

No it doesn't, it just adds more hassle down the road, which is also the reason TPM never took off as must have Security feature.