Windows 11 Now Enforces the Same System Requirements in Virtual Machines - Including TPM

[LAwLz]

14 minutes ago, StDragon said:

So the question I have is this: Does Windows 10 use the TPM for Windows Hello? Because clearly it's used for Windows Hello Business. As a follow up to that question, does Windows 11 now incorporate the spec of Windows Hello Business? If so, that stands to reason for using TPM 2.0 along side it.

It does not.

You can test this yourself if you want (I already have but if you want to double check feel free).

 

Configure Windows Hello on your PC. Fingerprint, face recognition, PIN, whatever you want.

Try logging in and out a few times to make sure it works.

Clear your TPM. You can do this from Windows Defender.

Restart your PC when asked.

Try logging in with Windows Hello. It will work.

 

If anything relating to Windows Hello was stored in the TPM, you would not be able to login. However, you will find that it is still very much possible.

 

Here is a Github issue about it, as well as an answer from a Microsoft employee (Imran Habib).

 

 

 

  

4 minutes ago, GoodBytes said:

Yes, I know nothing... really spreading miss information all days with these Microsoft doc pages all day long....

https://support.microsoft.com/en-us/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c

Yes, you are ill informed and are spreading misinformation.

When Microsoft says "Windows Hello" in that context, they refer to Windows Hello for Business. Microsoft often uses "Windows Hello" to refer to both Windows Hello for Business and the consumer version of Windows Hello.

Only the business version uses the TPM, and it uses it for storing the asymmetric encryption keys (or certificates) needed for client/server authentication. It is not used in the consumer version because the consumer version uses symmetric encryption and therefore doesn't need to store any key. There is no point in using certs or asymmetric encryption unless you are going to transfer the data over an unsecure channel like a network (which you need when you do client/server auth). For local logins, the data does not need to leave the device and because of that symmetric encryption is not only more secure, but also faster.

[leadeater]

10 minutes ago, StDragon said:

I think this was discussed prior with @leadeater and yourself at one point, but apparently there's a difference with Windows Hello and Windows Hello Business.

There's a difference because Hello for Business uses an external authentication provider and the TPM is used to ensure the trust between those. For biometrics the encrypted user representation is stored in a TEE (AMD PSP or Intel TXT/SGX) and the TPM is used to develop a trust between the biometric device and the system. How and if all these things are used differ based on the implementation, you can use Windows Hello (with or without Business) or use different method (often these ones are FIPS certified)

[leadeater]

@StDragonAlso Microsoft's documentation on Hello is terrible, all links to how it works even from standard Hello take you to Hello for Business documentation with foot notes saying what isn't supported for standard Hello.

 

Take about 1 or 2 links off your original stating point to be reading not quite applicable information.

[Giganthrax]

Windows 10 is going to be supported until 2025. A lot can happen in that time, including Valve making Linux gaming as good as it is on Windows, so I'm not especially concerned even if MS becomes like Apple.

[GoodBytes]

47 minutes ago, LAwLz said:

It does not.

You can test this yourself if you want (I already have but if you want to double check feel free).

 

Configure Windows Hello on your PC. Fingerprint, face recognition, PIN, whatever you want.

Try logging in and out a few times to make sure it works.

Clear your TPM. You can do this from Windows Defender.

Restart your PC when asked.

Try logging in with Windows Hello. It will work.

 

If anything relating to Windows Hello was stored in the TPM, you would not be able to login. However, you will find that it is still very much possible.

We will see once Windows 11 is released. Windows 11 is still in development.

All I can do know, is follow Microsoft documentation. I don't know their roadmap, I don't know their plans.

[pythonmegapixel]

12 hours ago, CalintzJerevinan said:

At this rate who wants to even use Windows? 

The truth is that nobody does. If someone came out with a Linux distribution which was entirely seamless to switch to, trivially easy to learn, and came preconfigured with a 'perfect Wine' (i.e. a hypothetical version of Wine which flawlessly ran everything), I would be extremely surprised to see many people not looking to switch to it once it became stable.

 

It's just unfortunate that the operative word in that  'hypothetical'. This doesn't exist. I really hope it will someday - but for now, it's sadly the case that most people are stuck with Windows.

 

1 hour ago, HelpfulTechWizard said:

And everyone has hours tweaking wine or whatever to play games perfectly.....

Yes, that's precisely the problem. While that is still the case, Microsoft will be able to do pretty much whatever the hell they like, and people will just swallow it.

[Pc6777]

I'm planned on running this garbage in a VM and ignoring the requirements, this sucks.

[Pc6777]

1 hour ago, LAwLz said:

Nope, Windows Hello does not leverage the TPM. @GoodBytesdoesn't know what he is talking about.

The TPM doesn't even support storing biometric data. It's just flat out not in the spec and can therefore not be used for that purpose.

 

If I sound cranky it's because I am getting really tired of so much misinformation being spread about TPMs. There are so many people saying they increase security without even knowing how they work, or people making shit up about what they are capable of.

 

 

  

No, it's not that clear cut. On one hand, you can do more robust FDE if you got a TPM (more specifically, you can control what hardware can attempt to decrypt it), which I guess you could say is good for privacy.

But on the other hand, there is already one Chinese company (Riot) that have publicly said they will use it to track players and ban cheaters. So we already have conformation that companies will use the TPM to track users. I don't like that developers will have access to an unchangeable and spoof-proof ID that they can read and do whatever they want with. That's very bad for privacy.

Tpm is a Trojan horse for more drm and locking down systems and making PCs concoles and spying on you even more. Hopefully the valve Linux os thing takes off. I doubt tpm will just be used for anti cheat, also locking down single player games.

[Forbidden Wafer]

Well, at least for me, seems like this finally is the year of Linux on the desktop. 

[GoodBytes]

54 minutes ago, Pc6777 said:

Tpm is a Trojan horse for more drm and locking down systems and making PCs concoles and spying on you even more. Hopefully the valve Linux os thing takes off. I doubt tpm will just be used for anti cheat, also locking down single player games.

I don't think you know what TPM does:

Quote

• A hardware random number generator^[4][5]
• Facilities for the secure generation of cryptographic keys for limited uses.
• Remote attestation: Creates a nearly unforgeable hash key summary of the hardware and software configuration. The software in charge of hashing the configuration data determines the extent of the summary. This allows a third party to verify that the software has not been changed.
• Binding: Encrypts data using the TPM bind key, a unique RSA key descended from a storage key^{[clarification needed]}.^[6]
• Sealing: Similar to binding, but in addition, specifies the TPM state^[7] for the data to be decrypted (unsealed).^[8]
• Other Trusted Computing functions for the data to be decrypted (unsealed).^[9]

https://en.wikipedia.org/wiki/Trusted_Platform_Module

 

How is any of it DRM? or malware?

 

Linux won't take off until they start address basic issues that the Linux community refuses to fix or has no interest in fixing:

https://itvision.altervista.org/why.linux.is.not.ready.for.the.desktop.current.html

Many of these issues have been ongoing since the 90's, where every year it was "the year of Linux on PCs".. never happened. Even Netbooks didn't help get users onboard, and might have made things worse. OEMs have tried Linux based systems. Dell made a pretty nice XPS system where it would come shipped with Ubuntu out of the box, and everything hardware wise selected was 100% compatible and supported despite Ubuntu being installed. XPS Developer edition, it was called. It flopped. Lenovo offers Linux based PCs, typically RedHat, and those come and goes on select models, as it is also not doing well either.

[Alby Tastic]

Well I've been installing Win 11 on various legacy machines, Z800, Z600, Optiflex etc with no problems at all - and in VMs, again no problems and ATM I'm posting this from inside a VM with all updates installed and fully activated. And I really like it. Since this VM had Win 7 installed as my normal OS I had to update to Win 10 and then update again to Win 11 to make sure I got activated.

But so far so good.

[pythonmegapixel]

5 minutes ago, GoodBytes said:

Linux won't take off until they start address basic issues that the Linux community refuses to fix or has no interest in fixing:

Or until the alternative becomes so awful that working around those issues is the better solution. For many people, Windows is almost at that point, and for some it already is.

 

(Some of the listed issues can't be blamed on the Linux community, particularly the ones to do with peripheral hardware, but that's a discussion for another thread)

[StDragon]

4 minutes ago, Alby Tastic said:

Well I've been installing Win 11 on various legacy machines, Z800, Z600, Optiflex etc with no problems at all - and in VMs, again no problems and ATM I'm posting this from inside a VM with all updates installed and fully activated. And I really like it. Since this VM had Win 7 installed as my normal OS I had to update to Win 10 and then update again to Win 11 to make sure I got activated.

But so far so good.

HW requirements have been relaxed in the Windows 11 beta. When it goes final release, the requirements will be enforced.

Don't plan on being able to keep running those machines with a final version of Windows 11 and maintain patching them. But with that full understanding, there's no harm in taking the OS for a spin just for the look and feel of it.

[StDragon]

6 minutes ago, pythonmegapixel said:

Or until the alternative becomes so awful that working around those issues is the better solution. For many people, Windows is almost at that point, and for some it already is.

 

(Some of the listed issues can't be blamed on the Linux community, particularly the ones to do with peripheral hardware, but that's a discussion for another thread)

In many ways from a market share perspective, Linux on the desktop was abandoned in favor of the mobile market if you're running an Android phone or tablet.

[Forbidden Wafer]

13 minutes ago, GoodBytes said:

Linux won't take off until they start address basic issues that the Linux community refuses to fix or has no interest in fixing:

https://itvision.altervista.org/why.linux.is.not.ready.for.the.desktop.current.html

 

I've been using Ubuntu 21.04 for a while and it has been great. Fixed a ton of stuff for me.

 

No problems with displays.

 

Din't need to edit random config files to get my printer working, network shares are working normally (20.04 had no problem with samba).

 

Native NTFS drivers should land in the next release.

 

Drivers are being worked on and approaching Windows performance.

 

Wine, DXVK  and Mesa are progressing well with Codeweavers+Valve+Collabora.

[kanyewestlover911]

14 hours ago, TempestCatto said:

Linux is free...

I Use Arch BTW

[Zando_]

16 hours ago, Craftyawesome said:

Outside of Windows, Parallels and QEMU support TPM 2.0.

VMware Fusion also supports it. It throws a fit about my CPU, but it does run TPM 2.0: 

[Kisai]

25 minutes ago, Forbidden Wafer said:

I've been using Ubuntu 21.04 for a while and it has been great. Fixed a ton of stuff for me.

 

No problems with displays.

 

Din't need to edit random config files to get my printer working, network shares are working normally (20.04 had no problem with samba).

 

Native NTFS drivers should land in the next release.

 

Drivers are being worked on and approaching Windows performance.

 

Wine, DXVK  and Mesa are progressing well with Codeweavers+Valve+Collabora.

Your experience is not the kind of experience a "desktop switcher" would get. You're basically going "I have no problems with it, so everyone will have no problems with it."

 

The fact is, if you have an nVidia GPU, or any USB game controllers, you're going to have problems you won't know how to fix, or even if it's fixable. Historically, Linux has never supported any hardware newer than 4 years unless it was hardware that Dell, IBM (Lenovo) or Intel/AMD explicitly made open source drivers for. 

 

Not every use case is going to work. A lot of Linux problems are political around the GPL license, which creates a lot of Not-Invented-Here-and-isn't-GPL problems. So if you have a microphone, headset, webcam, game controller, or an accessibility device, good luck ever getting it to work, and even if you get it to work, chances are it only works with the universal basic profile. You won't have access to any of the tunables, so gaming mice stay at 800dpi, keyboards have no n-key-rollover, no RGB controls, webcams get stuck at their USB 2.0 settings, and so forth.

 

I can tell you from experience, that if you expose a Windows user to Linux, they will drop Linux and go back to Windows once they can't play the latest game that comes out.  Proton is a bandaid, and honestly I don't see how Valve expects to market the Steam Deck without being able to claim 100% of windows games work on it. Valve is not Nintendo. 

 

Honestly, sometimes I wonder why Nintendo doesn't just market their Switch as a computer.

[GoodBytes]

17 minutes ago, Forbidden Wafer said:

I've been using Ubuntu 21.04 for a while and it has been great. Fixed a ton of stuff for me.

 

No problems with displays.

Get yourself a 27inch 4K monitor, and set the Display Scaling to 125% or 150% (these are recommended DPI values), and come back to me.

Be sure to also get that monitor with AMD FreeSync support, and turn off V-Sync to really enjoy it.. I mean you would do that under Windows, normally. Nothing special here.

And this is AMD we are talking about, they provide the better Linux support. Tell how video playback is with it enabled as well. I mean, under Windows you don't enable it disable it, you just enable it and forget it. Throw in a second monitor in the mix too with such display. Maybe your current display, I mean why throw it out the bin, I mean.

 

If you don't have anything special, your system is very mediocre, and better yet, age old, Linux will run fine.

 

17 minutes ago, Forbidden Wafer said:

Wine, DXVK  and Mesa are progressing well with Codeweavers+Valve+Collabora.

https://www.protondb.com/

What you are looking for is the % of games under Platinum group. This means that the game will run perfectly. No graphical issues anywhere, no game issues anywhere (broken collision detection system at some place, for example, or strange behavior), no tweaks (apparently) needed.

These are based on Valve own numbers (so, take it as it is, keep in mind that they have a bias to show how great their platform is), that is, by their definition, only 21% of games, in the top 1000 games picked. Considering that it drop quickly to 15% for the top 100 games, this is very poor experience.

 

Progressing well, maybe... but has a very long way to go.

[Forbidden Wafer]

12 minutes ago, GoodBytes said:

Get yourself a 27inch 4K monitor, and set the Display Scaling to 125% or 150% (these are recommended DPI values), and come back to me.

Yup, that didn't work on 20.04 but works on 21.04. 

 

13 minutes ago, GoodBytes said:

Be sure to also get that monitor with AMD FreeSync support, and turn off V-Sync to really enjoy it..

Never tried that.

 

15 minutes ago, GoodBytes said:

Throw in a second monitor in the mix too with such display. Maybe your current display, I mean why throw it out the bin, I mean.

I do use two monitors, a vertical 1440p (24") and an horizontal 4k (43"). They have worked normally since 19.10.

 

17 minutes ago, GoodBytes said:

Progressing well, maybe... but has a very long way to go.

Considering the number of applications, some of which are abusing bugs that needs to be reproduced... Yeah, I'd say they're progressing well.

 

What really surprises me is how Google managed to screw up Stadia so badly instead of partnering (not necessarily publicly) with Valve to push game development/porting to Linux.

[GoodBytes]

13 minutes ago, Forbidden Wafer said:

Yup, that didn't work on 20.04 but works on 21.04. 

I'll give it a go. But to my knowledge Hi-DPI aware applications under Linux is very poor. (200% scaling, effectively quad each pixel, isn't scaling. Me too I can do the same with Windows and go "Look! 100% of applications are high-DPI aware, even this legacy Win3.1 panel!.. yea, no....)

Mind you, the font is already a blurry mess under Linux, so maybe double blurry makes sharp?

 

Quote

I do use two monitors, a vertical 1440p (24") and an horizontal 4k (43"). They have worked normally since 19.10.

I meant with FreeSync enabled on one of the panels.

 

Quote

What really surprises me is how Google managed to screw up Stadia so badly instead of partnering (not necessarily publicly) with Valve to push game development/porting to Linux.

Considering that Amazon has infinite moneys (all of them), they could have made a deal with Microsoft and get bulk volume licenses of Windows, and call it a day. In fact, it would have been a better "show of force" of AWS vs Azure (Xbox Cloud Gaming), and their streaming technologies knowhow.

[StDragon]

46 minutes ago, Kisai said:

Honestly, sometimes I wonder why Nintendo doesn't just market their Switch as a computer.

That would be the Nintendo Trans.

 

/ducks
 

[KaitouX]

4 hours ago, GoodBytes said:

Get yourself a 27inch 4K monitor, and set the Display Scaling to 125% or 150% (these are recommended DPI values), and come back to me.

Be sure to also get that monitor with AMD FreeSync support, and turn off V-Sync to really enjoy it.. I mean you would do that under Windows, normally. Nothing special here.

And this is AMD we are talking about, they provide the better Linux support. Tell how video playback is with it enabled as well. I mean, under Windows you don't enable it disable it, you just enable it and forget it. Throw in a second monitor in the mix too with such display. Maybe your current display, I mean why throw it out the bin, I mean.

 

If you don't have anything special, your system is very mediocre, and better yet, age old, Linux will run fine.

 

https://www.protondb.com/

What you are looking for is the % of games under Platinum group. This means that the game will run perfectly. No graphical issues anywhere, no game issues anywhere (broken collision detection system at some place, for example, or strange behavior), no tweaks (apparently) needed.

These are based on Valve own numbers (so, take it as it is, keep in mind that they have a bias to show how great their platform is), that is, by their definition, only 21% of games, in the top 1000 games picked. Considering that it drop quickly to 15% for the top 100 games, this is very poor experience.

 

Progressing well, maybe... but has a very long way to go.

I have no issues with scaling at my TV(225%) or my monitor (125%), neither have issues with Freesync that aren't present on Windows. Video playback is the same as Windows for me, multiple monitors with different scaling isn't that great, Windows is better there, but it's not like you can't make it work, issues with blurry things are common on Windows, while Linux the more common is to not scale the window at all, but both happen to either once in a while. No issues with Vsync after I set it up.

 

ProtonDB you should consider that not everyone will have issues, one person might have to tweak their VSync settings or something else while the other doesn't have to do any tweak. Also important to note a lot of games at the "Top" lists have issues due to DRMs and Anti-cheats.

And:

Quote

Rating Definitions

Platinum:Runs perfectly out of the box

Gold:Runs perfectly after tweaks

Silver:Runs with minor issues, but generally is playable

Bronze:Runs, but often crashes or has issues preventing from playing comfortably

Borked:Either won't start or is crucially unplayable

Gold means no issues after tweaks for the majority of users, for many it works OOTB without issues.

[LAwLz]

3 hours ago, GoodBytes said:

We will see once Windows 11 is released. Windows 11 is still in development.

Depends on what you mean. Windows 10 is still in development too.

Windows 11 is probably past the "release to manufacturer" stage as this point, since Microsoft has already started developing the next version of Windows 11, from what I can tell in the insider program.

What I do know however is that TPM is pretty much useless in its current iteration, and personally I can't see any technical reason why they are enforcing their really idiotic CPU requirements, or the TPM requirements. Even if it will be used for features in the future, I am really having a hard time figuring out what it will be used for. Full disk encryption is something I really like the idea of and I have praised Apple for it in the past, but that's about it. 

 

For Enterprise? Sure, it's great. A lot of security features relies on it (specifically Enterprise security features, not features consumer want or even can use). But for consumers, especially those on Windows 11 Home? It's rather pointless to have a TPM.

The CPU requirements especially grinds my gears because Microsoft has time and time again tried to justify it with absolute bullshit. It is very obvious to anyone who has followed them closely, watched their partner videos, watched their developer videos, read their PR messages etc, that they are trying to come up with reasons to justify their decision. It's like how they said the hardware requirements results in a 99,8% crash free experience so therefore they are needed, but then when you do a little bit more digging you realize unsupported hardware has a 99,7% crash free experience.

Or how they in one article says it's for VBS, but in another they say the CPUs they chose to support were not chosen because of any particular hardware feature.

 

They are just making shit up to try and appease angry consumers. There is a real reason for why they have these requirements but they don't want to tell us straight what it is.

 

 

3 hours ago, GoodBytes said:

All I can do know, is follow Microsoft documentation. I don't know their roadmap, I don't know their plans.

You really shouldn't follow their documentation. It's shit. 

 

 

2 hours ago, GoodBytes said:

How is any of it DRM? or malware?

TPM can absolutely be used for DRM purposes.

Like I said earlier, Riothas already announced that it is going to use it for DRM purposes. Their software will check your TPM and they can use that to ban your computer, just like a console. It's no longer just your account that can get banned, it's your PC too. A chain of trust all the way from the boot to the application layer is the foundation that a lot of DRM on for example the iPhone and gaming consoles is based on. 

Here is a quote from a research paper back in 2004 when TPM was being researched (back when it was just called "trusted compete"):

Quote

A common misconception is that TC and DRM goes hand in hand, this is not true. DRM is an independent technology but is strengthening by TC. The TC encryption, secure booting and the ability to detect unauthorized changes put DRM on a higher level of security. Microsoft and other TC companies state that TC was not intended for DRM, but few people have any doubts that they will be combined. Without TC behind DRM, DRM is not secure. The weaknesses in DRM without TC are that there are no secure ways to handle the keys and store the keys on the hard drive, and the applications do not run isolated from each other. “Screen sniffers” and “keystroke sniffers” could compromise secret information as well as other kinds of attacks. TC prevents this by handling and stores the keys in a secure way, applications are running isolated from each other and secure I/O channels are used

 

If you start saving decryption keys in the TPM the users will not be able to extract those keys, and if things like content were to require that key, you could not only have a hardened DRM system, but you could even make it so that each stream from Netflix was tied to a specific device.

Bought a movie from iTunes? The iTunes application could create a secure channel that the rest of the PC could not sniff (using a public/private key pair stored in the TPM), and over that secure channel, transfer and store a specific decryption key for the specific movie that got sent out by the Apple server. Now Apple just has to create an encrypted video file that can only be decoded using the secure key stored in the TPM. Voilà, iTunes now has a way to make sure a video file can not be copied between the device that bought the video, and some other device that might not have bought said video.

 

 

If you prefer another source, here is what Ross J Anderson, professor in security engineering at Cambridge university had to say in 2003 (please note that TC stands for Trusted Computing, which is what evolved into the TPM):

Quote

TC provides a computing platform on which you can't tamper with the application software, and where these applications can communicate securely with their authors and with each other. The original motivation was digital rights management (DRM): Disney will be able to sell you DVDs that will decrypt and run on a TC platform, but which you won't be able to copy. The music industry will be able to sell you music downloads that you won't be able to swap. They will be able to sell you CDs that you'll only be able to play three times, or only on your birthday. All sorts of new marketing possibilities will open up.

 

TC will also make it much harder for you to run unlicensed software. In the first version of TC, pirate software could be detected and deleted remotely. Since then, Microsoft has sometimes denied that it intended TC to do this, but at WEIS 2003 a senior Microsoft manager refused to deny that fighting piracy was a goal: `Helping people to run stolen software just isn't our aim in life', he said. The mechanisms now proposed are more subtle, though. TC will protect application software registration mechanisms, so that unlicensed software will be locked out of the new ecology. Furthermore, TC apps will work better with other TC apps, so people will get less value from old non-TC apps (including pirate apps). Also, some TC apps may reject data from old apps whose serial numbers have been blacklisted. If Microsoft believes that your copy of Office is a pirate copy, and your local government moves to TC, then the documents you file with them may be unreadable. TC will also make it easier for people to rent software rather than buy it; and if you stop paying the rent, then not only does the software stop working but so may the files it created. So if you stop paying for upgrades to Media Player, you may lose access to all the songs you bought using it.

 

[Dracarris]

56 minutes ago, LAwLz said:

Their software will check your TPM and they can use that to ban your computer, just like a console.

Does that mean that with a modular /add-in TPM (like many older MBs offer) you could evade such bans?