
TPMpocalypse; Microsoft singlehandedly destroys the TPM market

Just now, leadeater said:

6700 or 6700K, there are actually some features Intel removed from the K's.

Sacrifices have to be made for more speed.

Our Grace. The Feathered One. He shows us the way. His bob is majestic and shows us the path. Follow unto his guidance and His example. He knows the one true path. Our Saviour. Our Grace. Our Father Birb has taught us with His humble heart and gentle wing the way of the bob. Let us show Him our reverence and follow in His example. The True Path of the Feathered One. ~ Dimboble-dubabob III


5 minutes ago, leadeater said:

Yes I understand that to be the case for the simple PIN, I thought it was TPM supported in Standard if you were using a Microsoft Account. Microsoft Account is a supported identity provider and can use TPM 2.0. I thought that was the case for Hello and Hello for Business, not just Business.

That is not the case. Again, the TPM is only used when you use Windows Hello for Business.

I am not sure how many times I've told you this but it is true. If you really don't believe them then I urge you to do the tests both me and other people have done.

Install Windows 10. Initialize your TPM. Configure Windows Hello (you can use a Microsoft Account if you want, it doesn't matter). Restart your computer. Clear the TPM. Restart the computer again. You will be able to login with Windows Hello despite all the info in the TPM being wiped.

 

If Windows Hello (non-business) used the TPM for ANYTHING, then you would not be able to login using Windows Hello, but you can.

 

If Microsoft's documentation says anything else (which you have yet to show, because everything you have linked has to do with Windows Hello for Business) then that documentation is wrong. It really is as simple as that.


57 minutes ago, LAwLz said:

That is not the case. Again, the TPM is only used when you use Windows Hello for Business.

I am not sure how many times I've told you this but it is true.

Yes, and that's not the issue, I just edited my post but TL;DR I don't care about opinions. Documentation in multiple places says yes it could. The capability is there, if using an identity provider. There is literally nothing that prevents Hello non Business from using it.

 

57 minutes ago, LAwLz said:

If Microsoft's documentation says anything else (which you have yet to show, because everything you have linked has to do with Windows Hello for Business) then that documentation is wrong. It really is as simple as that.

Oh come on now, I've linked at least two official Microsoft documentation pages that show Hello/Hello for Business together with TPM support.

 

57 minutes ago, LAwLz said:

Configure Windows Hello (you can use a Microsoft Account if you want, it doesn't matter). Restart your computer. Clear the TPM. Restart the computer again. You will be able to login with Windows Hello despite all the info in the TPM being wiped.

With Microsoft Account (because that does matter) is the only test I care about. When you say you've tried it or others have, for all I know you are using local accounts which I know for a fact wouldn't do diddly squat. I do not have a Hello capable device, I cannot personally test it. But if you can show me evidence (as you did here), using a Microsoft Account, then that would be great.

 

You've been giving me the equivalent of "trust me bro". When I'm reading official Microsoft documentation that says otherwise then no I will not. That github link is the only convincing evidence you've actually given that TPM isn't used in any way for any configuration.

 

What I will have to say is you did actually give this earlier however I missed it as the quote below it was quite irrelevant so I guess I assumed the contained information in that link was too.


1 hour ago, leadeater said:

What's up with this one, would have expected more?😕

 

1 hour ago, leadeater said:

6700 or 6700K, there are actually some features Intel removed from the K's.

 

You can compare the two in the link below, but basically the i7-6700 has the feature Trusted Execution Technology (TXT) whereas the i7-6700K does not.

 

https://ark.intel.com/content/www/us/en/ark/compare.html?productIds=88195,88196


As for what the values mean in the AvailableSecurityProperties, they are numbered as follows.

 

0. If present, no relevant properties exist on the device.

1. If present, hypervisor support is available.

2. If present, Secure Boot is available.

3. If present, DMA protection is available.

4. If present, Secure Memory Overwrite is available.

5. If present, NX protections are available.

6. If present, SMM mitigations are available.

7. If present, Mode Based Execution Control is available.

8. If present, APIC virtualization is available.
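As an added example (not code from any post in this thread): a PowerShell script that reads AvailableSecurityProperties from the Win32_DeviceGuard class the numbers above come from, decodes them with the list above, and checks TPM presence/spec version and Secure Boot state alongside. The same decoder works on a pasted list, so it also covers the per-CPU results posted later in the thread (an `i7-6700K = 1, 2` style line, for instance, which lacks value 7, MBEC). It assumes an elevated Windows PowerShell 5.1 session on Windows 10/11; Win32_DeviceGuard, Win32_Tpm, Get-Tpm and Confirm-SecureBootUEFI are standard Windows classes/cmdlets, while the function name and the choice of "VBS-relevant" values are my own.

```powershell
# Added example, not code from any post in this thread.
# Assumes an elevated Windows PowerShell 5.1 session on Windows 10/11.
# Win32_DeviceGuard (namespace root\Microsoft\Windows\DeviceGuard) is the
# class whose AvailableSecurityProperties values are listed above.

# Meaning of each numeric value, taken from the list above.
$SecurityPropertyNames = @{
    0 = 'No relevant properties exist on the device'
    1 = 'Hypervisor support is available'
    2 = 'Secure Boot is available'
    3 = 'DMA protection is available'
    4 = 'Secure Memory Overwrite is available'
    5 = 'NX protections are available'
    6 = 'SMM mitigations are available'
    7 = 'Mode Based Execution Control (MBEC) is available'
    8 = 'APIC virtualization is available'
}

# Values that virtualization-based security (VBS) and HVCI lean on most.
# This selection is my assumption for the summary row, not a Microsoft list.
$VbsRelevant = 1, 2, 5, 7

function ConvertTo-SecurityPropertyReport {
    <# Turns raw AvailableSecurityProperties integers into readable rows.
       Unknown values are flagged rather than dropped, since newer builds
       may add entries beyond 8. Works on live output or on a pasted list. #>
    param([Parameter(Mandatory)][int[]]$Values)

    $present = @($Values | Sort-Object -Unique)
    foreach ($v in $present) {
        [pscustomobject]@{
            Value   = $v
            Meaning = if ($SecurityPropertyNames.ContainsKey($v)) { $SecurityPropertyNames[$v] } else { 'Unknown value' }
        }
    }

    # Final summary row: which VBS-relevant values are absent on this list
    $missing = @($VbsRelevant | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        Value   = '-'
        Meaning = if ($missing.Count -eq 0) { 'All VBS-relevant properties present' }
                  else { 'Missing VBS-relevant values: ' + ($missing -join ', ') }
    }
}

# 1. Decode a pasted list. Constructed sample in the style of the
#    "i7-6700K = 1, 2" results reported in this thread.
'Sample decode for values 1, 2:'
ConvertTo-SecurityPropertyReport -Values 1, 2 | Format-Table -AutoSize

# 2. Live query of this machine
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"This machine, raw AvailableSecurityProperties: $($dg.AvailableSecurityProperties -join ', ')"
ConvertTo-SecurityPropertyReport -Values ([int[]]$dg.AvailableSecurityProperties) | Format-Table -AutoSize

# 3. TPM presence and spec version (the same facts the Device Security page shows)
$tpm    = Get-Tpm   # requires elevation
$tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
"TPM present: $($tpm.TpmPresent); ready: $($tpm.TpmReady); spec version: $($tpmCim.SpecVersion)"

# 4. Secure Boot state. Confirm-SecureBootUEFI throws on a legacy BIOS boot,
#    so treat the exception as "cannot determine" instead of a crash.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot: cannot determine ($($_.Exception.Message))" }
```

If the Win32_DeviceGuard query fails outright, the OS build predates the class, which is itself an answer about VBS readiness; a `SpecVersion` of `2.0, 0, 1.16` or similar is what a TPM 2.0 (discrete or firmware) reports, while a missing Win32_Tpm instance means the TPM is absent or disabled in firmware.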


20 minutes ago, StDragon said:

 

 

You can compare the two in the link below, but basically the i7-6700 has the feature Trusted Execution Technology (TXT) whereas the i7-6700K does not.

 

https://ark.intel.com/content/www/us/en/ark/compare.html?productIds=88195,88196


As for what the values mean in the AvailableSecurityProperties, they are numbered as follows.

 

0. If present, no relevant properties exist on the device.

1. If present, hypervisor support is available.

2. If present, Secure Boot is available.

3. If present, DMA protection is available.

4. If present, Secure Memory Overwrite is available.

5. If present, NX protections are available.

6. If present, SMM mitigations are available.

7. If present, Mode Based Execution Control is available.

8. If present, APIC virtualization is available.

Was that comparison possibly affected by these recent stealthy changes to 6th and 7th generation processor listings?

 


1 hour ago, Quartz11 said:

Was that comparison possibly affected by these recent stealthy changes to 6th and 7th generation processor listings?

There weren't any stealthy changes though.

 

Unlocked processors from Nehalem to Kaby Lake never supported Intel TXT.


2 hours ago, DildorTheDecent said:

There weren't any stealthy changes though.

 

Unlocked processors from Nehalem to Kaby Lake never supported Intel TXT.

Yep that was just part of Intel being annoying and not allowing things like vPro on Unlocked parts as well.


13 hours ago, leadeater said:

Yes I understand that to be the case for the convenience PIN, I thought it was TPM supported in Standard if you were using a Microsoft Account.

I am not sure why you thought that though, because nowhere in the documentation does it state it works that way.

The only thing you could potentially misinterpret that way is on the Windows Hello for Business page, where it says a Microsoft Account can be used, but that's specifically for the business version and not the consumer version (hence why it is only mentioned on the business version page).

 

13 hours ago, leadeater said:

Microsoft's own documentation says TPM can be used with Hello (Standard), in many places.

I have so far not found anywhere where it says that, if we take into consideration that Microsoft did not use to make a distinction between Windows Hello and Windows Hello for Business (so any old documentation that refers to "Windows Hello" might be talking about Windows Hello for Business). The table that says:

Quote

Windows Hello/Windows Hello for Business

TPM Required: No

Supports TPM 1.2: Yes

Supports TPM 2.0: Yes

That / might be an inclusive or. It does not necessarily mean "and". This is one of the many things I have referred to when I have said you are not reading the documentation correctly and are making assumptions.

 

"Windows Hello/Windows Hello for Business" does not necessarily mean "both of these supports it". It is very likely that it means "one of these supports it but not necessarily the other". Judging by pretty much all other documentation Microsoft has regarding TPM use and Windows Hello, it is most likely an inclusive or statement, not an "and" statement.

 

 

13 hours ago, leadeater said:

I don't see any reason if using a Microsoft Account you shouldn't be able to utilize TPM, if that is the case that sucks. Although many here would argue having to use a Microsoft Account to sign in to your computer sucks more (tbh I wouldn't want to)🤷‍♂️

But why should it? Home users do not gain anything from having it work that way. The entire reason why the business version of Windows Hello uses public/private keys is to be able to reliably and securely provide authentication tokens to computers so that those tokens can be used for authentication for things like let's say internal resources.

If your goal is just to authenticate a user for access to their computer, symmetrical encryption is far less complex and provides better security.

This is also why I asked you before if you really understood why Windows Hello and Windows Hello for Business work differently and what implications using symmetrical vs asymmetrical encryption has.

Microsoft aren't dumb. They have designed their login processes in certain ways because it makes sense, and using PKI in consumer products just to login to their computers doesn't make a whole lot of sense. At least not in my mind, and it seems like Microsoft agrees since they have designed Windows Hello (and for Business) in this way.

 

 

 

13 hours ago, leadeater said:

No I understand it perfectly fine.

But you clearly didn't... There have been multiple times in this thread where you have just said flat out incorrect things like how Windows Hello saves biometric data in the TPM, or how Windows Hello uses the TPM (I hope we both agree that it doesn't now).

A lot of your statements are based on you incorrectly reading the documentation and making assumptions. That's why I have on multiple occasions told you "just try it for yourself if you don't believe me" and then posted instructions on how to test it.

That's why I have linked you to the standard specifications and said "try and find where it says what you think it does" and even done searches for you and quoted the documentation such as the UEFI spec.

 

Details matter greatly when we're talking about these things, and doing something as simple as assuming a / sign means one thing when it might mean another can give you a completely incorrect assumption of how something works.


14 hours ago, StDragon said:

@LAwLz @leadeater

So, I've managed to run the PS command from other machines. I found it interesting that, in theory, 7th gen should be supported.

 

i3-6100U = 1, 3, 6
i7-6700K = 1, 2
i7-7700 = 1, 2, 3, 4, 5, 7
i5-7500 = 1, 2, 3, 4, 5, 7
i5-7500T = 1, 2, 3, 4, 5, 7
i3-7100 = 1, 2, 3, 4, 5, 6, 7
i5-7300U = 1, 2, 3, 4, 5, 6, 7
i5-8259U = 1, 2, 3, 4, 5, 7
i5-8400 = 1, 2, 3, 4, 5, 7
i7-9700T = 1, 2, 3, 4, 5, 6, 7
i5-1145G7 = 1, 2, 3, 4, 5, 6, 7, 8

Thanks a lot!

I guess that disproves my theory that MBEC support was the reason for the cutoff.

 

I wouldn't be surprised if it has something to do with some VBS feature though. I just wish Microsoft would tell us instead of having us guessing why things are the way they are.

Security should be done in complete transparency. If Microsoft want to make Windows more secure then they should tell us exactly how, not just go "because we say so and we know best".

 

 

 

Edit:

Holy crap I am not sure if you have seen this but I now know the reason for why only second gen Ryzen and 8th gen Intel processors are supported. Tagging everyone I tagged before just in case. Here I was thinking that I was super clever for discovering the technical reason for Microsoft's weird system requirements but nope, apparently there is no technical reason for it. Microsoft just didn't feel like supporting anything below Ryzen 2000 and Intel 8th gen.

@StDragon@Brooksie359@chebsy @Sauron @Murasaki

 
 

Microsoft has also confirmed now that this is not some "soft requirement" that will be bypassable. If you don't have one of the CPUs on their support list, then you will not be able to run Windows 11. Not even if you dismiss some warnings.

According to Microsoft, the Surface Pro 4 from 2017 is apparently not good enough to run Windows 11.

 

Silly me for trying to find logical explanations to Microsoft's illogical behavior...

 

 

13 hours ago, Hakemon said:

I'm just waking up and haven't fully caught up yet.  But regarding Windows Hello, Microsoft Accounts and TPM, At least for me on the leaked build (which I admit is not a finished product, it's missing quite a bit actually), I'm using Windows Hello PIN, with a Microsoft account, on a platform that very much lacks TPM of any kind, and yet here I am.

 

If this wasn't what you guys were talking about, please forgive me, I need more coffee probably.

Thanks for chipping in!

It is kind of what we're talking about, but the disagreement Leadeater and I have had is whether or not Windows Hello (non business) can use a TPM. We already know that it can be used without a TPM (like in your case).

So your post proves that it does not require it, but what we wanted info on (and I hope I have now convinced leadeater of) is that Windows Hello (non business) is unable to use the TPM. That it always functions the way it functions on your computer, and there is no way to make it use a TPM.


This whole thing stinks hard. Imagine if Apple released M1 and dropped support for everything before it in that moment. You'd still be getting basic support (aka security fixes) for a few more years and that would be it. That's the level of absurdity here. Ryzen 1800X is still considered a modern powerhouse yet it's dropped like a corpse. Or my Ryzen 5 2500U that runs circles around newer Ryzen 3, yet it's just not supported. And it has TPM 2.0 as I checked in Device Security. Only device I can use Win11 on is my system with 5800X bought last year. And I had to manually enable Firmware TPM in BIOS. Can't wait to see all the newbs crawling through BIOS for this...


38 minutes ago, RejZoR said:

This whole thing stinks hard. Imagine if Apple released M1 and dropped support for everything before it in that moment. You'd still be getting basic support (aka security fixes) for a few more years and that would be it. That's the level of absurdity here. Ryzen 1800X is still considered a modern powerhouse yet it's dropped like a corpse. Or my Ryzen 5 2500U that runs circles around newer Ryzen 3, yet it's just not supported. And it has TPM 2.0 as I checked in Device Security. Only device I can use Win11 on is my system with 5800X bought last year. And I had to manually enable Firmware TPM in BIOS. Can't wait to see all the newbs crawling through BIOS for this...

Apparently one of my laptops the app says is supported despite not meeting the criteria.

 

The App says the ROG Zephyrus, is supported? Maybe it has a TPM and is not listed? So what about the camera support? Only for "new" laptops then?

 

 


Lol, what a shitshow

 

I still don't understand in any capacity why my 3770K and Z77 platform wouldn't be able to run Windows 11. Forget TPM requirement, now there's a processor label requirement as well, even though 8th gen U/Y series is still slower than my overclocked 3770k

 

So why in the world did Microsoft put "Dual core 64 bit processor" on their website? Like are they still having internal debates about how to artificially make Windows 11 not run on most computers. Especially given the worldwide PC component shortage, this seems so far out of touch with reality.

 

Panos Panay sure wasted my time talking about how Windows is some sort of gateway to heaven when it bloody isn't going to run in most of my machines


1 hour ago, LAwLz said:

Holy crap I am not sure if you have seen this but I now know the reason for why only second gen Ryzen and 8th gen Intel processors are supported. Tagging everyone I tagged before just in case. Here I was thinking that I was super clever for discovering the technical reason for Microsoft's weird system requirements but nope, apparently there is no technical reason for it. Microsoft just didn't feel like supporting anything below Ryzen 2000 and Intel 8th gen.

 

Microsoft has also confirmed now that this is not some "soft requirement" that will be bypassable. If you don't have one of the CPUs on their support list, then you will not be able to run Windows 11. Not even if you dismiss some warnings.

According to Microsoft, the Surface Pro 4 from 2017 is apparently not good enough to run Windows 11.

 

Silly me for trying to find logical explanations to Microsoft's illogical behavior...

Yep, that's exactly the tweet I mentioned to you about.

 

If it's really simply a case of Microsoft just not wanting to support old stuff, then I fully expect them to change their tune eventually.

 

Just to dig in the point, this would mean that a Mac from 2013 would officially be supported for longer (with the 2-3 extra years of extended security patches) than a Windows machine on a 7th-gen Intel processor from 2017. Even with the 2025 support cutoff date for Windows 10, it would mean the system is officially supported for 8 years, compared with 10-11 years for that Mac with the extended security patch window. Granted, I don't think too many people out there are going to keep using the exact same computer for 8 years, let alone 10, but it's nonetheless interesting.

The Workhorse (AMD-powered custom desktop)

CPU: AMD Ryzen 7 3700X | GPU: MSI X Trio GeForce RTX 2070S | RAM: XPG Spectrix D60G 32GB DDR4-3200 | Storage: 512GB XPG SX8200P + 2TB 7200RPM Seagate Barracuda Compute | OS: Microsoft Windows 10 Pro

 

The Portable Workstation (Apple MacBook Pro 16" 2021)

SoC: Apple M1 Max (8+2 core CPU w/ 32-core GPU) | RAM: 32GB unified LPDDR5 | Storage: 1TB PCIe Gen4 SSD | OS: macOS Monterey

 

The Communicator (Apple iPhone 13 Pro)

SoC: Apple A15 Bionic | RAM: 6GB LPDDR4X | Storage: 128GB internal w/ NVMe controller | Display: 6.1" 2532x1170 "Super Retina XDR" OLED with VRR at up to 120Hz | OS: iOS 15.1


3 hours ago, LAwLz said:

That / might be an inclusive or. It does not necessarily mean "and". This is one of the many things I have referred to when I have said you are not reading the documentation correctly and are making assumptions.

If something is different like that then it would (here should) not be in the same row. If Hello (standard) cannot ever at all in any configuration use TPM then to include it in the row is entirely wrong. No it isn't wrong to read it like that because that is exactly how you should read a table like that.

 

If it is that different it belongs on its own row so all three can be No, No, No. At a minimum if they want it on the same row then No/No, No/Yes, No/Yes to show that there is a difference between item 1 and item 2.

 

Being on the same row explicitly does mean that it is saying yes it does, that's how tables are read. It's incorrect to put them on the same row like that when it is not the case. What you did was just not believe what the table said, that's not actually reading it correctly.

 

3 hours ago, LAwLz said:

That's why I have on multiple occasions told you "just try it for yourself if you don't believe me" and then posted instructions on how to test it.

And I also told you I cannot do that, I can't do the impossible. I went away from laptop last device refresh and none of my personal devices have a fingerprint reader or Hello camera.

 

3 hours ago, LAwLz said:

But why should it? Home users do not gain anything from having it work that way. The entire reason why the business version of Windows Hello uses public/private keys is to be able to reliably and secure provide authentication tokens to computers so that those tokens can be used for authentication for things like let's say internal resources.

So you don't think having a Microsoft Account Identity provider which is used for all the Microsoft Cloud services and also for other Microsoft Account login integration doesn't have any similar value? That's an odd position to take.

 

At least with AzureAD when you bind the computer to it the generated private key can be stored in TPM and then session keys can be created and can be used to secure App Tokens and Browser Cookies.

 

I just would have expected Microsoft to build similar capability into a Microsoft account as it also registers your computer with your Microsoft account. Seems like if Microsoft is trying to Microsoft account all the things and offer you email services, cloud storage etc that a way to secure your sessions like you can with AzureAD & SSO would be something you'd actually do. Microsoft account can and is used for more than just sign-in to the PC.

 

If Hello for Business can use a Microsoft Account and utilize TPM then Hello with a Microsoft Account and cannot utilize TPM is just well, purposeful exclusion on Microsoft's part. Or it's just the difference between "Work or School Microsoft Account" and "Personal Microsoft Account'.


3 hours ago, LAwLz said:

But you clearly didn't... There have been multiple times in this thread where you have just said flat out incorrect things like how Windows Hello saves biometric data in the TPM, or how Windows Hello uses the TPM (I hope we both agree that it doesn't now).

Excuse me but while I may not have worded that correctly, I don't even remember exactly how I said it, fingerprint readers can and do use TPM. If you buy the FIPS compliant fingerprint reader option on HP/Dell/Lenovo laptops then they do use the TPM, they warn you about unlocking any encrypted disks with keys stored in the TPM before you set them up as that clears the TPM. But I guess I'm wrong in that those readers use Hello at all, probably even for Hello for Business. We get that reader with our laptops. Thing is I chose a desktop rather than a laptop for my work provided device last device refresh.

 

Far as I know the data is secured in the reader firmware and a key pairing between the reader and the TPM is the actual TPM utilization part of that.

 

I didn't bother addressing this part before as there was already enough other things being talked about, not that you didn't like to keep bringing it up over and over. Covering less better is more effective, you'll get your point across both more quickly and more clearly.


49 minutes ago, D13H4RD said:

I don't think too many people out there are going to keep using the exact same computer for 8 years

Up until AMD came out with Ryzen there was negligible performance uplift in terms of CPU so ppl held onto it and only upgraded the GPU. It's not rare to find ppl still running 3rd or 4th gen Intel these days.


TPM scalping shows one thing again: 2nd hand market needs some sort of regulation when it comes to scalping. It shouldn't be allowed that scalpers are just able to destroy one market after the other just because of one single announcement talking about OS requirements... 

 

Yeah, yeah i know. Supply and demand, free market and so on... It's just ridiculous that nowadays everything is being scalped. If you want to make a living out of buying and selling, then fucking start a business and don't just be a short-term pain in the ass for people.

If someone did not use reason to reach their conclusion in the first place, you cannot use reason to convince them otherwise.


4 minutes ago, jagdtigger said:

Up until AMD came out with Ryzen there was negligible performance uplift in terms of CPU so ppl held onto it and only upgraded the GPU. It's not rare to find ppl still running 3rd or 4th gen Intel these days.

I'm still using my 4930K today, it is at the point I want to upgrade it though.


5 minutes ago, leadeater said:

I'm still using my 4930K today, it is at the point I want to upgrade it though.

Mine still does what I need it to (gaming), I'll consider upgrading when it can't keep up with the GPU (Vega 64, 1440p ultrawide monitor, ain't going to happen anytime soon)....


So basically MS managed to create something that will have a smaller marketshare than Windows 8

 

pretty much how MS is being run

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


3 hours ago, LAwLz said:

Thanks a lot!

I guess that disproves my theory that MBEC support was the reason for the cutoff.

Possibly not? Like the 6700K any 7th Gen K models I believe would also only be 1,2 (or at least lack 7). 8th Gen added back vPro and TXT to K models. Maybe Microsoft had to cut off at 8th Gen because of this even though 7th could have if it weren't for all the K's not being able to.

 

Edit:

Never mind, not even that 8550U has TXT or vPro, but the 7660U does, what?


33 minutes ago, jagdtigger said:

Up until AMD came out with Ryzen there was negligible performance uplift in terms of CPU so ppl held onto it and only upgraded the GPU. It's not rare to find ppl still running 3rd or 4th gen Intel these days.

I still have a laptop that has a second-gen Core i3 inside it. For web browsing, it holds up perfectly fine.


1 hour ago, leadeater said:

If something is different like that then it would (here should) not be in the same row. If Hello (standard) cannot ever at all in any configuration use TPM then to include it in the row is entirely wrong. No it isn't wrong to read it like that because that is exactly how you should read a table like that.

 

If it is that different it belongs on its own row so all three can be No, No, No. At a minimum if they want it on the same row then No/No, No/Yes, No/Yes to show that there is a difference between item 1 and item 2.

 

Being on the same row explicitly does mean that it is saying yes it does, that's how tables are read. It's incorrect to put them on the same row like that when it is not the case. What you did was just not believe what the table said, that's not actually reading it correctly.

That's an assumption you're making.

Does it say what you're saying anywhere on the page? No. Then it's an assumption.

Do you think it would make sense if it was the way you described? Yes, but that does not mean Microsoft thinks that way.

 

Not sure why we are even having this conversation. You have been convinced that Windows Hello (non-business) does not use the TPM, correct?

So either you have misread Microsoft's documentation (either because it is poorly written or because you made assumptions) or Microsoft's documentation is wrong.

It's either one of those two.

 

 

1 hour ago, leadeater said:

And I also told you I cannot do that, I can't do the impossible. I went away from laptop last device refresh and none of my personal devices have a fingerprint reader or Hello camera.

Windows Hello is defined as a PIN, fingerprint or face. So you can test it with a PIN if you want. It works the same way as a fingerprint or face.

 

1 hour ago, leadeater said:

So you don't think having a Microsoft Account Identity provider which is used for all the Microsoft Cloud services and also for other Microsoft Account login integration doesn't have any similar value? That's an odd position to take.

I don't see how using asymmetrical encryption for their device login would benefit a home user, no.

I am not entirely sure what you are trying to describe here but I fail to see how it would need a system similar to Windows Hello for Business.

 

 

1 hour ago, leadeater said:

At least with AzureAD when you bind the computer to it the generated private key can be stored in TPM and then session keys can be created and can be used to secure App Tokens and Browser Cookies.

I haven't looked into how it can be used for App Tokens and browser cookies so I'll take your word for that being true (although I really doubt it, doesn't make sense to me), but I don't see how that would help home users in any way.

 

1 hour ago, leadeater said:

I just would have expected Microsoft to build in similar capability in to a Microsoft account as it also registers your computer with your Microsoft account. Seems like if Microsoft is trying to Microsoft account all the things and offer you email services, cloud storage etc that a way to secure your sessions like you can with AzureAD & SSO would be something you'd actually do. Microsoft account can and is used for more than just sign-in to the PC.

That's possible even without a certificate. There is nothing preventing the standard Windows Hello login process from also being used for SSO into other Microsoft services. In fact, that's how it works today, even without a TPM and only using symmetrical encryption (except for the secure tunnel that is configured when contacting Microsoft's server, but that's a one time tunnel for the HTTPS session, not something that needs to be stored).

 

1 hour ago, leadeater said:

If Hello for Business can use a Microsoft Account and utilize TPM then Hello with a Microsoft Account and cannot utilize TPM is just well, purposeful exclusion on Microsoft's part. Or it's just the difference between "Work or School Microsoft Account" and "Personal Microsoft Account'.

They could make it so that Hello (non business) with a Microsoft Account could generate public and private keys and store the private key in a TPM, but the thing is that there is no point in doing that for a home user because none of the reasons why you want that in a business do not apply to home users. 

You don't complicate things if they serve no purpose. The symmetrical encryption system used by regular Windows Hello is stronger (against brute force attacks), faster (in terms of compute performance), less complex (doesn't rely on having to store keys and certs which expire, and need to be stored securely) and has no drawbacks.

Windows Hello for Business was developed to serve a purpose, a very enterprise specific purpose (have machines identify themselves so that you can apply policies to them) that is simply not used in home setups.
