Microsoft makes TPM issue worse: TPM 1.2 is actually NOT acceptable

gjsman
Just now, Tieox said:

Make it an option, make it one you have to read and agree to the risks you take not having a TPM 2.0 module installed, but gatekeeping the OS because of it is stupid.  

What, so more people can continue to make jokes about how Windows is still as secure as using a Cheeto as a deadbolt? Even though it's not being utilized to its fullest potential... still...

 

3 minutes ago, gjsman said:

I wish. But it appears BitLocker will remain a Pro-only feature. Microsoft Devs said the TPM requirement enables "future scenarios" apparently.

God dammit Microsoft... guys, you can make the OS as resistant to outside attacks as much as you like. But if I can literally gain access to one's bank statements or homemade porn films by just stealing their computer and transplanting their storage drive... that's a big problem. 

Intel® Core™ i7-12700 | GIGABYTE B660 AORUS MASTER DDR4 | Gigabyte Radeon™ RX 6650 XT Gaming OC | 32GB Corsair Vengeance® RGB Pro SL DDR4 | Samsung 990 Pro 1TB | WD Green 1.5TB | Windows 11 Pro | NZXT H510 Flow White
Sony MDR-V250 | GNT-500 | Logitech G610 Orion Brown | Logitech G402 | Samsung C27JG5 | ASUS ProArt PA238QR
iPhone 12 Mini (iOS 17.2.1) | iPhone XR (iOS 17.2.1) | iPad Mini (iOS 9.3.5) | KZ AZ09 Pro x KZ ZSN Pro X | Sennheiser HD450bt
Intel® Core™ i7-1265U | Kioxia KBG50ZNV512G | 16GB DDR4 | Windows 11 Enterprise | HP EliteBook 650 G9
Intel® Core™ i5-8520U | WD Blue M.2 250GB | 1TB Seagate FireCuda | 16GB DDR4 | Windows 11 Home | ASUS Vivobook 15 
Intel® Core™ i7-3520M | GT 630M | 16 GB Corsair Vengeance® DDR3 |
Samsung 850 EVO 250GB | macOS Catalina | Lenovo IdeaPad P580


4 minutes ago, BlueChinchillaEatingDorito said:

What, so more people can continue to make jokes about how Windows is still as secure as using a Cheeto as a deadbolt? Even though it's not being utilized to its fullest potential... still...

God dammit Microsoft... guys, you can make the OS as resistant to outside attacks as much as you like. But if I can literally gain access to one's bank statements or homemade porn films by just stealing their computer and transplanting their storage drive... that's a big problem. 

https://portswigger.net/daily-swig/bitcracker-password-cracking-software-designed-to-break-windows-nbsp-bitlocker

 

TPM is fucking pointless.  

PC - NZXT H510 Elite, Ryzen 5600, 16GB DDR3200 2x8GB, EVGA 3070 FTW3 Ultra, Asus VG278HQ 165hz,

 

Mac - 1.4ghz i5, 4GB DDR3 1600mhz, Intel HD 5000.  x2

 

Endlessly wishing for a BBQ in space.


6 minutes ago, Tieox said:

Oh of course... if it's possible to brute force something, then it's "fucking pointless". How stupid of me.

 

And don't mind this blurb. 

[attached image]


13 minutes ago, gjsman said:

And we'll once again have a proliferation of malware-infested ISOs. Fantastic.

YUP.

 

 


8 minutes ago, BlueChinchillaEatingDorito said:

What, so more people can continue to make jokes about how Windows is still as secure as using a Cheeto as a deadbolt? Even though it's not being utilized to its fullest potential... still...

God dammit Microsoft... guys, you can make the OS as resistant to outside attacks as much as you like. But if I can literally gain access to one's bank statements or homemade porn films by just stealing their computer and transplanting their storage drive... that's a big problem. 

If you like the idea of not being able to replace a storage drive, then maybe get an M1 Mac?

I still don't see how TPM is protecting the OS any more; it doesn't prevent someone from downloading a virus or getting hacked by a keylogger.


1 minute ago, BlueChinchillaEatingDorito said:

Oh of course... if it's possible to brute force something, then it's "fucking pointless". How stupid of me.

When you can just DL it this easily, it makes you wonder why it's forced. Just make it optional, because I am sure there are vastly superior options on the market for those interested in encryption.

https://github.com/e-ago/bitcracker

 

 


1 minute ago, Blademaster91 said:

If you like the idea of not being able to replace a storage drive, then maybe get a M1 Mac?

No one is saying that... here. No one is against removable storage. But in this day and age, the technology is here to secure said storage. Make it enforced. The hardware is present, and it's already integrated in the OS. 


42 minutes ago, gjsman said:

Microsoft Devs said the TPM requirement enables "future scenarios" apparently.

Hear me out…

 

"Bitlocker lite™"   😄 

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


I just enabled TPM on my build, which contains an i5-6500 with an MSI B150 PC-MATE motherboard. I dug in the settings and enabled it under "Trusted Computing." The first time I enabled it and exited the BIOS, Windows restarted after the initial boot, blue screened, then restarted again and reported there was no TPM. I then restarted again, and this time it didn't blue screen and actually enabled the TPM. 

 

Totally wouldn't have been confusing to a normal person. 


1 hour ago, DrMacintosh said:

Why the hell is this announcement so convoluted? The PC Health Check tool will tell you that you can't run Windows 11 without telling you why. In order to enable TPM, users have had to dig around in their BIOS to see if their CPU can do the TPM functionality or see if their motherboards have a TPM module/header. If their CPUs don't have that ability, people now have to buy scalped TPM modules or buy new computers just to run Windows 11. 

 

Microsoft claimed that the majority of computers will be able to run Windows 11, but with the ever changing TPM requirements.....not looking like that's going to be true. 

 

  

All PCs since 2015 almost certainly have TPM support, but it's likely DIY builds do not include the chip, even though it might be available in the BIOS. Like the ASUS Prime x590-V Prime I just bought doesn't have the TPM chip, but it does have the header, AND has an option in the BIOS to enable a TPM that is built into the firmware. That's a new board. The old board was a z87 and also had that header, but no firmware TPM.

 

All the Dell machines I worked on had factory TPMs starting with the Skylake hardware; these were machines that were shipped with Windows 7 (none were shipped with Win8 or 8.1), and only the ones released since 2019 come with TPM 2.0. The 1.2 TPMs can all be upgraded to 2.0 on Dells via an update, and it's a bit convoluted (you have to disable it, deprovision it, update the TPM, and reactivate it).

 

However, my opinion here is that most people should not enable the TPM at install time, as this will turn BitLocker on by default on Pro/Enterprise. BitLocker is how you lose your data if your machine dies.

 

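To take the guesswork out of the firmware poking described in the last two posts, here is an added example (my own, not from anyone in this thread and not Microsoft's) that asks Windows what it actually sees: whether a TPM is present and owned, which TCG spec level it reports (the 1.2 vs 2.0 distinction in the thread title), whether it is in dictionary-attack lockout, and whether Secure Boot is on. It uses only the built-in Get-Tpm cmdlet, the Win32_Tpm CIM class and Confirm-SecureBootUEFI, and must be run from an elevated PowerShell on Windows 10/11. The function name Get-TpmReadiness and the wording of the notes are mine.

```powershell
# Added example (not from the thread): report what Windows sees of the TPM and
# whether it meets the Windows 11 floor (TPM 2.0 plus Secure Boot-capable UEFI).
# Get-Tpm and the Win32_Tpm class both need administrator rights.
#Requires -RunAsAdministrator

function Get-TpmReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmPresent     = $false
        TpmReady       = $false
        SpecVersion    = $null    # raw string from firmware, e.g. "2.0, 0, 1.38" or "1.2, 2, 3"
        MeetsWindows11 = $false
        LockedOut      = $null
        SecureBootOn   = $null    # stays $null when the firmware is legacy BIOS
        Notes          = @()
    }

    # Get-Tpm reports presence, ownership ("ready") and lockout as the OS sees them.
    $tpm = Get-Tpm
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady
    $result.LockedOut  = [bool]$tpm.LockedOut

    if (-not $tpm.TpmPresent) {
        $result.Notes += 'No TPM visible to Windows: enable fTPM/PTT (often under "Trusted Computing") in firmware, or fit a module.'
    }
    else {
        # Win32_Tpm.SpecVersion carries the TCG spec level; the first comma-separated field is the version that matters.
        $cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
        $result.SpecVersion = $cim.SpecVersion

        if ([string]::IsNullOrWhiteSpace($cim.SpecVersion)) {
            $result.Notes += 'TPM present but reports no spec version; firmware may have it disabled or half-initialised.'
        }
        else {
            $major = ($cim.SpecVersion -split ',')[0].Trim()
            $result.MeetsWindows11 = ([version]$major -ge [version]'2.0')
            if (-not $result.MeetsWindows11) {
                $result.Notes += "TPM spec $major found; Windows 11 requires 2.0. Some OEMs ship a 1.2 -> 2.0 firmware update."
            }
        }

        if (-not $tpm.TpmReady) {
            $result.Notes += 'TPM present but not ready: Windows has not taken ownership yet (see tpm.msc or Initialize-Tpm).'
        }
        if ($tpm.LockedOut) {
            $result.Notes += 'TPM is in dictionary-attack lockout; wait it out or clear it per the OEM guidance.'
        }
    }

    # Secure Boot is a separate Windows 11 requirement; Confirm-SecureBootUEFI throws on legacy BIOS.
    try   { $result.SecureBootOn = Confirm-SecureBootUEFI }
    catch { $result.Notes += 'Firmware is legacy BIOS (or Secure Boot state could not be read).' }

    [pscustomobject]$result
}

Get-TpmReadiness | Format-List
```

A TPM that shows up as present but not ready is the state the earlier post hit after the first firmware toggle: Windows has not yet done the automatic ownership step quoted later in the thread, and one more reboot usually clears it. A version string starting with 1.2 is the case the thread title is about; only a vendor firmware update, not a Windows setting, changes it.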

So if I got a TPM 2.0 module for my GF's H170 Pro Gaming motherboard would it still refuse to install Windows 11 due to the CPU? is that still a soft limit or now a hard limit?


1 hour ago, BlueChinchillaEatingDorito said:

No one is saying that... here. No one is against removable storage. But in this day and age, the technology is here to secure said storage. Make it enforced. The hardware is present, and it's already integrated in the OS. 

The issue is that the hardware is only present in recent hardware, even then some cheaper motherboards don't have the option in bios, and everything older than Intel 8th gen or Ryzen 1st gen is going to be e-waste.

And forcing TPM 2.0 is pointless for Windows 11 home because it doesn't have bitlocker, forcing TPM is just marketing fluff and a blatant cashgrab from Microsoft.


2 minutes ago, Blademaster91 said:

The issue is that the hardware is only present in recent hardware, even then some cheaper motherboards don't have the option in bios, and everything older than Intel 8th gen or Ryzen 1st gen is going to be e-waste.

And forcing TPM 2.0 is pointless for Windows 11 home because it doesn't have bitlocker, forcing TPM is just marketing fluff and a blatant cashgrab from Microsoft.

They are deep mouth to Intel right now.  It's funny how many generations Intel are cutting off compared to AMD, and then guess who was promoted during the 11 presentation. 


38 minutes ago, Tieox said:

So if I got a TPM 2.0 module for my GF's H170 Pro Gaming motherboard would it still refuse to install Windows 11 due to the CPU? is that still a soft limit or now a hard limit?

https://docs.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-intel-processors

 

 

The list shows 8th gen and later parts. 

 

So the question is what feature is Microsoft looking for. Is it just looking for quad core, yet the minimum is dual core? Or maybe the iGPU capability?

 

Like I can't really figure out why an 8th gen would be required when no new instructions were introduced over the 7th. Unless maybe it's not a hard list but rather an optimization level that is actually about parity with AMD.

 

https://docs.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-amd-processors

 

 

Ryzen is all 2xxx parts or better. So that's a very VERY recent part still.

 

 


1 minute ago, Kisai said:

https://docs.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-intel-processors

 

 

The list shows 8th gen and later parts. 

 

So the question is what feature is Microsoft looking for. Is it just looking for quad core, yet the minimum is dual core? Or maybe the iGPU capability?

 

Like I can't really figure out why an 8th gen would be required when no new instructions were introduced over the 7th. Unless maybe it's not a hard list but rather an optimization level that is actually about parity with AMD.

 

https://docs.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-amd-processors

 

 

Ryzen is all 2xxx parts or better. So that's a very VERY recent part still.

 

 

Yup, I can't help but think Intel is paying for this to be a thing, and the AMD drop of 1x series is simply to avoid legal implications should they get called out on it. 

 

But I will hold final judgement until their blog; they need to explain this DAMN well before I decide I need to save and drop several hundred quid on a new mobo/cpu/ram for my gf's perfectly good Skylake system post 2025!

 

 


2 minutes ago, Tieox said:

Yup, I can't help but think Intel is paying for this to be a thing, and the AMD drop of 1x series is simply to avoid legal implications should they get called out on it. 

Legal implications?


17 minutes ago, Nowak said:

Legal implications?

I think he's saying Intel paid MS to drop older Intel CPUs to boost sales, so they also dropped Ryzen 1st gen to look less suspicious.

 

brb running out of tinfoil


So they are effectively killing off older computers to prevent people from simply updating the OS without also buying a new PC.

Is this because the HP and Dell of the world asked Microsoft to do this? We'll probably never know...

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


3 minutes ago, TetraSky said:

So they are effectively killing off older computers to prevent people from simply updating the OS without also buying a new PC.

Is this because the HP and Dell of the world asked Microsoft to do this? We'll probably never know...

I suspect Intel.  I mean they have been losing relevance in recent years.  And they did sponsor the reveal it seems, with the push on 11th Gen Intel being mentioned.


56 minutes ago, Tieox said:

They are deep mouth to Intel right now.  It's funny how many generations Intel are cutting off compared to AMD, and then guess who was promoted during the 11 presentation. 

I wouldn't be surprised if Intel paid Microsoft to get people to buy new PCs, and OEMs like HP and Dell. I think Microsoft needs to have a really good reason for not supporting anything older than Intel 8th gen or Ryzen 1st gen.


10 minutes ago, Tieox said:

I suspect Intel.  I mean they have been loosing relevance in recent years.  And they did sponsor the reveal it seems with the push on 11th Gen Intel being mentioned.

Conspiracy Theory Time: Remember how Panos said out of the blue that "Intel is doing great things with their 11th gen CPUs!" Over on Reddit they were wondering how much Intel paid him to say that for no reason...


3 hours ago, Radium_Angel said:

Take this for what it's worth, but the leaked dev version ran (in a VM) perfectly fine on my system, a twin Ivy Bridge Xeon E5-2643 v2 workstation

Microsoft explicitly mentioned that Insider Preview builds would be exempt from needing to meet all the system requirements (this also applies to hypervisors), and users will be required to return to Windows 10 once 11 hits General Availability. In effect this new hard floor is only for the RTM version.

 

[attached image: HardwareChannels6_24-final.png]


Intel? This was already pushed through a while ago....

Here's some interesting reading then? 

This only applies to those that have a module installed. I do not have one installed, and it is not enabled automatically on my current systems (Maximus X hero version 1.2)

 

 

Quote

 

Automatic initialization of the TPM with Windows 10

Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, TPM.msc. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see Clear all the keys from the TPM. We're no longer actively developing the TPM management console beginning with Windows Server 2019 and Windows 10, version 1809.

In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects.

 

https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview


Some people might wonder in all of this what a TPM does at the end of the day. In a nutshell, it's very much like what Apple calls the "Secure Enclave" inside their chips. It can serve many security-related functions like random number generation, which (if you don't have true randomness) can weaken your security and make keys more easily guessable by an attacker or the NSA.

Another thing TPMs can do, for example, is generate an SSH key you can log into remote servers and devices with, but the private key never leaves the TPM, being securely generated and stored inside it. So if you are logging into a remote server with a TPM SSH key, the company running the server can be 100% sure that it was that specific device authenticating and that your SSH key wasn't copied by an attacker.

Or for BitLocker, you can generate a ridiculously long key that is stored on the TPM, and encrypt your SSD with it, and then use a human-readable password to encrypt the ridiculously long key that is kept in the TPM. Then you can change the human-readable password very quickly without re-encrypting the SSD, and brute-forcing the SSD is ineffective without the matching TPM. This is because you need to brute-force against the TPM to get the key from the TPM - and if you don't have the TPM or the TPM restricts brute-force attacks, you can't get the original key the data was encrypted with, at least in theory. 

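As an added example (mine, not from the post above and not Microsoft's), here is a PowerShell audit of the protector arrangement that post describes, run against the real BitLocker cmdlets: for every volume it lists which key protectors can release the volume key and flags the three cases a practitioner cares about, a password protector with no TPM in the path (the kind of offline guessing the BitCracker link earlier in the thread refers to), a TPM-only protector with no PIN in front of it, and the absence of a recovery password (the data-loss scenario raised earlier). It needs an elevated prompt on an edition that ships BitLocker (Pro/Enterprise/Education; Get-BitLockerVolume is absent on Home, as the thread notes). The function name Get-BitLockerProtectorAudit and the wording of the findings are mine.

```powershell
# Added example (not from the thread): audit how each BitLocker volume's key is protected.
# The volume key itself is never the weak link; what matters is which "protectors" can release it.
# Get-BitLockerVolume needs administrator rights and the BitLocker feature (Pro/Enterprise/Education).
#Requires -RunAsAdministrator

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values seen in practice: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # Password, RecoveryPassword, ExternalKey.
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $tpmTypes = @($types -match '^Tpm')
        $findings = @()

        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'Protection is off: the volume key is stored in the clear (suspended or never enabled).'
        }
        elseif ($types.Count -eq 0) {
            $findings += 'Encrypted with no key protectors: only a recovery key you already exported can open it.'
        }
        else {
            # A Password protector is released by something a human types, with nothing rate-limiting the
            # guesses, so an offline tool can run through candidates at full speed against the disk image.
            if (($types -contains 'Password') -and ($tpmTypes.Count -eq 0)) {
                $findings += 'Password protector without a TPM: the key is released by the password alone, so it can be brute-forced offline.'
            }
            # TPM-only releases the key silently whenever the boot measurements match; a PIN puts the
            # TPM''s anti-hammering counter in front of every guess, which is the design the post describes.
            if (($types -contains 'Tpm') -and -not (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey'))) {
                $findings += 'TPM-only protector: unlocks without user input on a matching boot; add a PIN so the TPM lockout gates each guess.'
            }
            # Without a recovery password, a dead board or a cleared TPM takes the data with it.
            if (-not ($types -contains 'RecoveryPassword')) {
                $findings += 'No RecoveryPassword protector: a dead board or cleared TPM means the data is gone. Add one and back it up.'
            }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ', ')
            Findings         = if ($findings.Count -gt 0) { $findings -join ' ' } else { 'OK' }
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize -Wrap
```

The point of the audit is the one the post makes in prose: the strength of the SSD encryption is fixed by the random volume key, and what an attacker with a transplanted drive actually attacks is whichever protector is cheapest to guess. A TPM plus PIN puts the TPM's lockout in that path; a bare password does not, and a missing recovery password turns the same design into the data-loss case raised earlier in the thread.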
