TPMpocalypse; Microsoft singlehandedly destroys the TPM market

[leadeater]

2 minutes ago, LAwLz said:

I haven't looked into how it can be used for App Tokens and browser cookies so I'll take your word for that being true (although I really doubt it, doesn't make sense to me), but I don't see how that would help home users in any way.

https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

[leadeater]

8 minutes ago, LAwLz said:

That's an assumption you're making.

No it's literally how you read table data like that 

 

But don't worry we don't need to continue past this. I only replied to it fyi because you said no Microsoft documents showed this incorrectness where it does.

Edited June 28, 2021 by leadeater

[StDragon]

5 hours ago, LAwLz said:

I guess that disproves my theory that MBEC support was the reason for the cutoff.

 

I wouldn't be surprised if it has something to do with some VBS feature though. I just wish Microsoft would tell us instead of having us guessing why things are the way they are.

Security should be done in complete transparency. If Microsoft want to make Windows more secure then they should tell us exactly how, not just go "because we say so and we know best".

 

No, I don't think it does. I'm 100% in your camp that thinks it has everything to do with MBEC. I think your original assessment here was spot on. And if I'm wrong, I'm going down on that same ship.
 

5 hours ago, LAwLz said:

Here I was thinking that I was super clever for discovering the technical reason for Microsoft's weird system requirements but nope, apparently there is no technical reason for it. Microsoft just didn't feel like supporting anything below Ryzen 2000 and Intel 8th gen

 

Microsoft has also confirmed now that this is not some "soft requirement" that will be bypassable. If you don't have one of the CPUs on their support list, then you will not be able to run Windows 11.

 

Silly me for trying to find logical explanations to Microsoft's illogical behavior...

 

I think DWIZZLE is providing PR cover here. His response felt like some 'Yes MSFT, I will forward the message along and not be a part of the controversy', kind of thing.

 

So, at this point it's a giant shit-show with the lack of transparency with regards to their rationale. My issue isn't the cut-off at 8th gen, but WHY? I don't think this has anything to do with Microsoft sandbagging via some security-through-obscurity thing. I do believe they're just trying to smooth over the fact of how discombobulated they are in terms of all departments staying on the same page; hence the boiler plate talking points by MSFT staff and associates. But that's pure conjecture on my part.

So the way I see it one of several things is going on.

• MBEC was introduced to Intel 7th gen, but perhaps not all CPUs of that generation supports it whereas all 8th gen and above do? So for the sake of brevity MS has only officially announced support for 8th gen and newer with perhaps a future update that includes some 7th gen too.
• Microsoft identified a performance issue or undisclosed Intel bug with the 7th gen implementation of MBEC and thus decided a clean cut to 8th just removes the headache all around.
• Or, maybe there's other factors beyond MBEC and it just so happens other features are available and more inline with 8th gen platforms and newer.

Regardless, aside from a potential 7th gen bug, I think many 7th gen CPUs can and should be able to run Windows 11 just fine. But if Microsoft allows for it, at minimum it would be unofficial support because it's not on the marketing material. 

[StDragon]

If this is the rationale for setting the floor at 8th and newer (Firmware TPM / fTPM), and not MBEC support, then this is extremely shallow of MS.  Because I know of plenty of 7th gen Intel systems with a dedicated TPM chip on the MB.

 

 

Edited June 28, 2021 by StDragon

[StDragon]

LOL, this shit-show gets better and better. @LAwLz

 

"If Microsoft nerfs this box, they get to tell my wife why we need two new desktops and why the 7700k and 7900X are trash CPUs"

 

 

[Tristerin]

Someone will debloat this requirement Im sure

[RejZoR]

41 minutes ago, StDragon said:

If this is the rationale for setting the floor at 8th and newer (Firmware TPM / fTPM), and not MBEC support, then this is extremely shallow of MS.  Because I know of plenty of 7th gen Intel systems with a dedicated TPM chip on the MB.

 

 

Ryzen 5 2500U has TPM 2.0. I checked 3 times now. Yet it's not on the list.

[Kisai]

I think HVCI and MBEC might actually be the keyword.

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure

Quote

Microsoft works closely with OEM partners to help ensure that all certified Windows systems deliver a secure operating environment. Windows integrates closely with the hardware to deliver protections that take advantage of available hardware capabilities:

• Baseline Windows security – recommended baseline for all individual systems that provides foundational system integrity protections. Leverages TPM 2.0 for a hardware root of trust, secure boot and BitLocker drive encryption.
• Virtualization-based security enabled – leverages virtualization capabilities from hardware and the hypervisor to provide additional protection for critical subsystems and data.
• Secured-core – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.

Which I found linked from https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3997

 

This is where the mention of MBEC and HVCI show up. This aligns with 8th gen and 2xxx Ryzen parts.

 

Likewise;

https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity

Quote

Because it makes use of Mode Based Execution Control, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called Restricted User Mode, which has a bigger impact on performance.

 

 

[StDragon]

12 minutes ago, Kisai said:

I think HVCI and MBEC might actually be the keyword.

Yes, that seems to be the consensus at this point among some of us. 

 

Though trying to find specific information on what SKUs that AMD GMET (their version of Intel's MBEC) includes is nearly impossible. Other than wording of "next generation Ryzen" which means 2nd gen Ryzen (Zen+).

@RejZoR. Can you run the following from a PowerShell command? 

 

$Win32_DeviceGuard = Get-CimInstance -Namespace ROOT\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$Win32_DeviceGuard.AvailableSecurityProperties

 

If your CPU supports GMET, it should have a number 7 in the output.

[SpikeSpiegel]

On 6/25/2021 at 4:12 PM, wkdpaul said:

Not sure I understand the craze ; Windows 11 isn't necessary for the moment and if you really need Windows 11, wait until it's out, by that time you might get an upgrade that make your computer compatible, and if not, just wait it out and see if it's really worth it or not since Windows 10 is still supported until 2025 !!!

 

This is similar to the TP or fuel hoarding ... panic buying is dumb.

And GPU hoarders too....RTX 3000 GPUs....

[RejZoR]

This is becoming an even bigger shitshow. Now users need to know about absolutely retarded nonsensical in-depth details of processors (because 3/4 of them are not eligible and of course everyone will fucking wonder why) and their whatever the fuck security extensions they have. Oh my god, Windows 11 is a fucking trainwreck even before it's officially launched. Something not even Windows Me and Vista managed to do. They were just sort of meh when launched. Windows 11 is a monumental failure and it's just been announced with all of its retarded requirements. My freaking god.

[Donut417]

2 hours ago, Tristerin said:

Someone will debloat this requirement Im sure

That might be fine for techie users but what about non techie users? 

[Donut417]

Between the shit show PC hardware has been in and now the TPM chips. The market keeps sinking deeper and deeper in to despair. 

[chebsy]

9 hours ago, LAwLz said:

Edit:

Holy crap I am not sure if you have seen this but I now know the reason for why only second gen Ryzen and 8th gen Intel processors are supported. Tagging everyone I tagged before just in case. Here I was thinking that I was super clever for discovering the technical reason for Microsoft's weird system requirements but nope, apparently there is no technical reason for it. Microsoft just didn't feel like supporting anything below Ryzen 2000 and Intel 8th gen.

@StDragon@Brooksie359@chebsy @Sauron @Murasaki

 

No I actually think you might be right with the MBEC thing.

 

The only thing that doesn't make sense is 7th gen intel, it supports MBEC and TPM.

 

HOWEVER, Microsoft fought with Intel extensively over 7th gen.  I don't know the exact details, but you can search for "surfacegate".  Basically MS disagreed with how Intel supported 7th gen.  So it is cut off from Windows 11 as a middle finger to Intel, despite having the technical requirements. 

 

All these factors combined, MBEC requirements and MS not wanting to deal with 7th gen Intel, means I think we might have a full answer for the supported CPU list.

 

And of course MS will not admit publicly to blocking 7th gen for this reason.  They will just say as you quoted, "to ensure a great experience".

[LAwLz]

38 minutes ago, RejZoR said:

This is becoming an even bigger shitshow. Now users need to know about absolutely retarded nonsensical in-depth details of processors (because 3/4 of them are not eligible and of course everyone will fucking wonder why) and their whatever the fuck security extensions they have. Oh my god, Windows 11 is a fucking trainwreck even before it's officially launched. Something not even Windows Me and Vista managed to do. They were just sort of meh when launched. Windows 11 is a monumental failure and it's just been announced with all of its retarded requirements. My freaking god.

To be fair, people don't actually need to know the reasons for why some processors aren't supported. 

If it's not 8th gen or newer, or zen+ or newer then it won't run, plain and simple. 

 

It's if you're like me (and lots of other people on the forum) and you want to know WHY it's not supported that you need to read about security extensions some processors supports. 

 

I mean, we could have gotten this answered without needing to dig though blog post and github pages if Microsoft had just told us, but it's tradition for Microsoft to not tell us jack shit. 

[StDragon]

@LAwLz@RejZoR@leadeater@chebsy@Kisai

Ryzen 5 2500U = 1, 2, 3, 4, 6

 

Care to guess what's missing?
 

Spoiler

No AMD GMET (MBEC) support

Now we just need someone to confirm with a Ryzen 5 2500X as a sanity check.

 

I'm throwing all chips on the table and assume it's going to throw a 7 for support

[Tieox]

What I can see happening is less techie people getting annoyed that their computer won't get Windows 11 while running 10 just fine, contact peeps like ourselves, who will have found Win 11 restriction bypassed .iso images in the wild and found the clean ones through testing, and pay us to come and install that for them.

 

Ah takes me back to days of Windows XP Gold Edition etc.

 

 

[leadeater]

41 minutes ago, StDragon said:

@LAwLz@RejZoR@leadeater@chebsy@Kisai

Ryzen 5 2500U = 1, 2, 3, 4, 6

 

Care to guess what's missing?
 

  Hide contents

No AMD GMET (MBEC) support

Now we just need someone to confirm with a Ryzen 5 2500X as a sanity check.

 

I'm throwing all chips on the table and assume it's going to throw a 7 for support

Well I still find it confusing that my Zen2 EPYC 7272 system did not support 7 

 

Problem is I can't go in to BIOS and look for any reason why if it's actually supposed to and something isn't enabled, it drives the tape library and it never seems to find a time where it isn't writing tapes lol.

 

Edit:

EPYC3 Milan does have it, wikichip shows GMET support. Problem is wikichips information on EPYC1/2 is much more sparse than EPYC3

 

Quote

Security extensions: CET_SS, GMET, NX, SEV, SEV-ES, SEV-SNP, SMAP, SME/TSME, SMEP, UMIP
Speculation control: IBPB, IBRS, PSFD, SSBD, STIBP

https://en.wikichip.org/wiki/amd/cores/milan

https://en.wikichip.org/wiki/amd/cores/rome

https://en.wikichip.org/wiki/amd/cores/naples

 

Intel ARK is so much better than what AMD has i.e. barely anything.

[NumLock21]

On 6/27/2021 at 11:46 AM, StDragon said:

Run tpm.msc , the version will be listed where it says "Specification Version:"

Ran the command, says I've got TPM version 2.0. Also ran the Win11 checker and it says my system is ready for the new OS.

[StDragon]

28 minutes ago, leadeater said:

Well I still find it confusing that my Zen2 EPYC 7272 system did not support 7 

 

Problem is I can't go in to BIOS and look for any reason why if it's actually supposed to and something isn't enabled, it drives the tape library and it never seems to find a time where it isn't writing tapes lol.

 And yet that CPU supports SEV (Secure Encrypted Virtualization). Maybe Windows 11 will leverage that instead for your CPU as part of HVCI HW compliance? . That or you have GMET disabled in BIOS. I really don't know as I've never worked on an EPYC based system.

[DildorTheDecent]

1 hour ago, leadeater said:

Well I still find it confusing that my Zen2 EPYC 7272 system did not support 7 

Yet my Zen 2 3950X does.

 

Strange.

[RejZoR]

11 hours ago, StDragon said:

@LAwLz@RejZoR@leadeater@chebsy@Kisai

Ryzen 5 2500U = 1, 2, 3, 4, 6

 

Care to guess what's missing?
 

  Reveal hidden contents

No AMD GMET (MBEC) support

Now we just need someone to confirm with a Ryzen 5 2500X as a sanity check.

 

I'm throwing all chips on the table and assume it's going to throw a 7 for support

Because some bullshit CPU extension is enough to have eligibility blocked. Besides, I've made a decision to migrate all my non eligible systems to Kubuntu. And I'll be doing now, not when Win10 life runs out. Fuck you Microsoft.

[RejZoR]

12 hours ago, LAwLz said:

To be fair, people don't actually need to know the reasons for why some processors aren't supported. 

If it's not 8th gen or newer, or zen+ or newer then it won't run, plain and simple. 

 

It's if you're like me (and lots of other people on the forum) and you want to know WHY it's not supported that you need to read about security extensions some processors supports. 

 

I mean, we could have gotten this answered without needing to dig though blog post and github pages if Microsoft had just told us, but it's tradition for Microsoft to not tell us jack shit. 

You don't need to when trying to install on ancient hardware. When the fuck has 3-4 years old hardware become "ancient"? I sure as fuck want to know why I can't use latest OS on such modern hardware.

[Tristerin]

17 hours ago, Donut417 said:

That might be fine for techie users but what about non techie users? 

My real feels?  Anyone can learn anything if they want to.  Be it a debloated Windows 10 (doing it yourself), or any other "hack" out there with a walkthrough or download.  What stops most people is insecurity in messing it up. 

 

Do not get me wrong, this planned obsolescence for much older systems being able to run this OS is unacceptable.  My tinfoil hat says this is on purpose.  More people will just buy new systems that support the tech circle jerk that is available to the world. 

[Donut417]

13 minutes ago, Tristerin said:

Anyone can learn anything if they want to. 

Yeah but a lot of people don't want to learn. You have to take in to account the lowest common denominator and thats the amount of people who dont want to learn. My dad is one. My mom while she can use a computer, doesnt want to learn the technical stuff.