Windows 11 Won’t Work Without a TPM – What You Need to Know

Windows 11 requires a TPM 2.0 security processor to install or upgrade to Windows 11. Unfortunately, mistakes in support documents have causes conflicting information on what type of TPM you need and why you need it in the first place.

Yesterday, Microsoft announced the system requirements to upgrade or install Windows 11 and included a new PC Health Check tool that you can use to check if your hardware is compatible with Windows 11.

However, after many people ran the tool, they discovered it was reporting that “This PC can’t run Windows 11,” even on devices that run Windows 10 flawlessly as they do not have a TPM 2.0 installed.

For those with hardware purchased over the past couple of years, the likely reason you see this message is that you do not have specific settings enabled in your BIOS, or you do not have a Trusted Platform Module (TPM) installed.

Also Read: How to Choose a Penetration Testing Vendor

Why you need a TPM

A TPM is a dedicated processor used to perform hardware-based cryptographic operations to secure encryption keys and defend against malicious tampering of your hardware and the boot process.

An example of a TPM that you can purchase and add to an Asrock motherboard is shown below.

TPM processors come in two versions – an older and less secure 1.2 version and a more secure 2.0 version, which is a requirement for Windows 11.

Since 2013, Intel and AMD added firmware TPM technology to many of their CPUs that perform the same functionality as a TPM 2.0 processor without the need of a dedicated module.

For Intel Process, this technology is called Intel Platform Trust Technology (Intel PTT), and for AMD, it is called AMD Platform Security Processor.

“Almost every CPU in the last 5-7 years has a TPM. For Intel its called the “Intel PTT” which you set to enabled. For AMD it would be “AMD PSP fTPM”. TPMs have been required for OEM certification since at least 2015 and was announced in 2013,” said David Weston, Director of Enterprise and OS Security at Microsoft.

With Windows 11, Microsoft has brought security to the forefront by requiring a TPM 2.0 or compatible technology (Intel PTT or AMD PSP fTPM) to be available.

When a TPM 2.0 is installed in Windows, the operating system can use more robust encryption to secure your Windows Hello PINs, encrypts passwords, and enables more advanced security features, such as Windows Defender System Guard.

“The following Windows features require TPM 2.0: Measured Boot, Device Encryption, WD System Guard, Device Health Attestation, Windows Hello/Hello for Business, TPM Platform Crypto Provider Key Storage, SecureBIO, DRTM, vTPM in Hyper-V,” Microsoft told BleepingComputer.

“It is also a foundational security component to Windows in addition to Virtualization Based Security and the enablement of Android Apps on Windows delivered in a secure way.”

Unfortunately, this week, there was a bit of confusion as one Microsoft support document stated TPM 1.2 was the minimum requirement for Windows 11. In contrast, another hardware requirements page said it was TPM 2.0.

This conflicting information has since been fixed by Microsoft, who clarified to BleepingComputer that Windows 11 requires TPM 2.0.

What you should do

Most modern motherboards released over the past few years support dedicated TPM 1.2 or 2.0 processors.

While they support TPM, it is usually required that you purchase and install the appropriate dedicated TPM that is compatible with your motherboard and then enable it in the BIOS.

However, since Windows 11 considers TPM 2.0 and the Intel PTT and AMD PSP fTPM CPU features to be equivalent, most people who have purchased a CPU over the last 5-7 years do not need to buy a dedicated TPM for their motherboard.

Instead, to achieve Windows 11 hardware compatibility, you just need to enable Intel PTT or AMD PSP fTPM support in your BIOS.

Also Read: This Educator Aims to Make Good Cyber Hygiene a Household Practice

Once you enable Intel PTT or AMD PSP fTPM support in the BIOS, even if you do not have a dedicated TPM 2.0 module, the PC Health Check tool will still consider your hardware compatible with Windows 11.

To enable Intel PTT or AMD PSP fTPM support is different on every motherboard but is usually found in the BIOS’s advanced settings under security.

Microsoft has released a list of Windows 11 compatible Intel, AMD, and Qualcomm CPUs.

Update 6/25/21: Added into about Intel PTT, AMD PSP, and Microsoft’s changes to support documents