A look at TPM and Windows 11 hardware requirements

Last week, Microsoft held a special online event to announce the next version of Windows: Windows 11. It looks nice in the sizzle video:

Of course, one has to look beyond the fancy covers also. The first preview bits for Windows 11 will land this week for Windows Insiders, and the final version is promised for the holiday season of 2021 (thus, the end of the year). It will be a free upgrade for existing Windows 10 PCs.

I’ve been mostly happy with Windows 10 since it initially became available in mid-2015. There are some quirks that I wouldn’t say I like each day, but I guess those are the same quirks we’ve had since Windows 95. I’m not expecting Windows 11 to fix each problem somehow, but perhaps the new release will abandon some legacy cruft and make it easier to fix things in the future? Similarly to how Windows Terminal is a fresh take on the Windows shell engine.

I wanted to take a deeper look at the hardware requirements, and specifically the surprising hard requirement for a TPM chip.

What are the hardware requirements for Windows 11?

The full list of Windows 11 hardware requirements is here. On paper, they are very moderate – 1 GHz CPU, although it has to be a 64-bit one, and just 4 GB of RAM are the bare minimum. My current CPU is an AMD Ryzen 3900X, with a base clock of 3.8 GHz, and it’s been at least 20 years since I last resorted to using a CPU with a base clock of 1 GHz (and that was a Pentium III).

Beyond the CPU, a graphics card (GPU) that is compatible with DirectX 12 is required. I’m not a gamer, so I haven’t paid much attention to DirectX recently. Even an old GPU such as the GeForce 600 (from 2012!) seems to support DX12, so I don’t feel this is a blocker for anyone wanting to upgrade to Windows 11. Then again, if your GPU is older than 10 years, perhaps Windows 11 gives you very little in return. Keep in mind that Windows 10 is still fully supported until at least late 2025. By then, your hardware is presumably at least 14 years old, and you might want to upgrade that first before moving to Windows 11.

The display requirement is relaxed, at 720p (9″ or larger in size).

There are also additional requirements for specific features – Auto HDR requires an HDR monitor, for example.

However, the last one is a complex beast – a TPM chip, version 2.0, is required. Let’s pause here and look into what TPM actually is.

What is TPM?

TPM, or the Trusted Platform Module, is a hardware solution. Mostly. TPM is described here and to paraphrase, it’s a crypto-processor in charge of providing cryptographic operations. Many features in Windows 10 rely on this, such as BitLocker, Windows Hello, SecureBoot, and such.

TPM has two main versions – 1.2 and 2.0. The latter is required for Windows 11. Version 2.0 requires UEFI firmware, which means that older hardware with an older BIOS cannot be upgraded to TPM 2.0. And herein is the problem: You might have older hardware that is still within the boundaries of hardware requirements for Windows 11, but you lack TPM 2.0, UEFI-based firmware, or both. And this would block you from moving on to Windows 11 – even if your hardware is competent on paper.

Options for TPM 2.0

How do you know if your hardware is supported for Windows 11? First, there is the PC Health Check tool from Microsoft that checks for this. You can download it here. I ran the tool on my high-end PC, which I put together just a year ago, in mid-2020:

TPM 2.0 is missing. My CPU (the AMD Ryzen 9 3900X) is listed in the supported CPUs, so one would assume that TPM 2.0 is supported also, right? My motherboard is the Asus PRIME X570-Pro, and checking within Windows 10 security settings it seems something is not enabled:

This is an easy fix for AMD – assuming the hardware supports fTPM, the TPM implementation for AMD architecture. I rebooted my workstation, went into BIOS (with F2 or DEL during the boot logo), and found the setting:

By default, discrete TPM is enabled, but what’s this then? The options are “Enable Discrete TPM” and “Enable Firmware TPM.” The former is hardware-based, and the latter is software-based. I had the hardware-based option enabled, but I haven’t purchased that specific hardware! It’s an additional buy from my motherboard vendor and costs about $50. Windows 11 doesn’t see a difference – as long as TPM 2.0 is implemented, either one is fine. The options thus are:

  1. Buy a separate hardware chip, and enable discrete TPM in BIOS
  2. Don’t buy anything, and enable firmware-based TPM in BIOS

Obviously, it warms a geek’s heart to buy something to fix a problem – but I guess the whole world figured the same approach is the best one. The ASUS-based chips for TPM are sold out, everywhere – such as the ASUS TPM-M R2.0:

Now that I’ve simply enabled a software-based TPM in my BIOS, will Windows 11 work? Let’s try by running the PC Health Check again. And no complaints now:

Checking in Windows 10 security settings again reveals the same result:

Not only did I save some money, but I also saved a lot of time and some effort simply by enabling a feature in my BIOS that was there all along. But would it be better to use a hardware-based chip instead of relying on a firmware-based chip? Let’s see what Microsoft has to say about this, as I guess they are the authority on TPM chips. From this article, I quote:

“Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.”
Source: Microsoft Docs

I guess hardware vendors opt for a physical chip, but it doesn’t really matter for the regular consumer. If your BIOS supports it, enable TPM 2.0 and carry on with your life.

TPM 2.0 is referred to as PTT (for discrete TPM 2.0) in BIOS for Intel-based systems. For AMD-based systems, TPM 2.0 is referred to as fTPM in BIOS. For AMD systems, once you enable fTPM (TPM 2.0), it will implement the necessary functions via AMD AGESA, which is in charge of the initialization of the CPU cores, memories, and the HyperTransport controller. The AMD AGESA is then expanded with credential storage and key management.

You can also use a command-line tool in an elevated command prompt to check for details. This tool is called tpmtool, and you run it with tpmtool getdeviceinformation:
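The same check can be scripted. This is an added PowerShell example, not part of the original post: it combines the TPM state, the TPM version and the UEFI dependency described earlier into one result. The function name Test-TpmUefiState and the MeetsTpmUefiCheck field are hypothetical, and the script assumes an elevated session on Windows 10 or later.

```powershell
#Requires -RunAsAdministrator
# Added example; Test-TpmUefiState is a hypothetical helper name.
function Test-TpmUefiState {
    $r = [ordered]@{
        TpmPresent = $false; TpmEnabled = $false; TpmReady = $false
        Manufacturer = $null; SpecVersion = $null; IsTpm20 = $false
        Firmware = 'Unknown'; SecureBoot = $null; MeetsTpmUefiCheck = $false
    }

    # Get-Tpm (TrustedPlatformModule module) reports the TPM state flags.
    $tpm = Get-Tpm
    $r.TpmPresent = [bool]$tpm.TpmPresent
    if ($r.TpmPresent) {
        $r.TpmEnabled   = [bool]$tpm.TpmEnabled
        $r.TpmReady     = [bool]$tpm.TpmReady
        $r.Manufacturer = $tpm.ManufacturerIdTxt

        # Win32_Tpm.SpecVersion is a comma-separated string such as
        # "2.0, 0, 1.38"; the first field is the TPM version.
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm
        if ($wmi -and $wmi.SpecVersion) {
            $r.SpecVersion = $wmi.SpecVersion
            $first = ($wmi.SpecVersion -split ',')[0].Trim()
            if ($first -match '^\d+\.\d+$') {
                $r.IsTpm20 = [version]$first -ge [version]'2.0'
            }
        }
    }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # "Cmdlet not supported on this platform" on legacy BIOS systems.
    try {
        $r.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
        $r.Firmware   = 'UEFI'
    } catch [System.PlatformNotSupportedException] {
        $r.Firmware   = 'Legacy BIOS or no Secure Boot support'
    } catch {
        $r.Firmware   = 'Unknown'   # any other failure: leave undetermined
    }

    $r.MeetsTpmUefiCheck = $r.TpmPresent -and $r.TpmEnabled -and
                           $r.IsTpm20 -and ($r.Firmware -eq 'UEFI')
    [pscustomobject]$r
}

Test-TpmUefiState | Format-List
```

With firmware TPM disabled in BIOS, TpmPresent comes back False and the remaining TPM fields stay at their defaults; after enabling it, SpecVersion should begin with 2.0.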

In conclusion

Once Windows 11 arrives in late 2021, it will be around for probably a decade. Perhaps we’ll get Windows 12 in 2030, then. The hardware requirements are quite relaxed, but due to the new strict requirement on a separate TPM 2.0 capability, much older hardware will not work with Windows 11. For any recent hardware (2016 and newer), TPM 2.0 is implemented but might be disabled. Or it’s enabled but requires a small hardware chip to be purchased and installed.

I could rely on the firmware-based TPM 2.0 feature; enabling that via BIOS took 30 seconds. If you need to opt for a hardware-based solution, you will obviously need to source and install one first. I can foresee that in corporate environments, new workstations will be purchased with a hardware-based solution as it usually feels more secure than a firmware-based one. And I guess this makes sense, as the overall cost is negligible.