Windows 11 is just a matter of months away, and system requirements are a concern. While this is not a problem for anyone buying a new computer with the operating system preinstalled, it is a major consideration for anyone upgrading to Windows 11 from Windows 10.
In the Windows documentation, there is a topic that lists the minimum hardware requirements for the operating system editions that are still supported. For Windows 11, the editor has made an update to indicate that it is imperative to have a TPM 2.0 to be able to install Windows 11.
The requirement of TPM 2.0 is something that has attracted special attention. While Microsoft has made it clear that for OEM customers with special requirements, the need for TPM can be eliminated with a custom Windows 11 image, the same cannot be said for the average user. While there is currently a registry hack that works around the need for TPM 2.0, Microsoft has pointed out that it will not be possible to use group policy to bypass hardware requirements (which may mean that the registry hack will also not work after Windows 11 is released).
The news came in a recent Ask Me Anything (AMA) session published for the Microsoft Tech community. During the session, Microsoft program manager Aria Carley shares the news while talking about the deployment of Windows 11. She answers a question about devices that are not fully compatible with Windows 11. The user asks him:
If we consider that a device is not fully compatible with Windows 11, will it be offered the upgrade via Windows Update?
Carley rpond :
So we are talking about this new hardware floor of which devices are eligible and which are not. And we know that has been concerned that some may not be eligible for Windows 11. But the reason we do this is to keep devices more productive, to have a better experience and most of all to have better security than before so that they can stay protected.
There is then a request to turn off backups that can block upgrades, and Carley says group policy can be used, although not recommended, to bypass those blocks. However, she adds:
This group policy will not allow you to bypass the Windows 11 hardware application. We will always prevent you from upgrading your device to an unsupported state, as we really want to make sure that your devices remain supported and security
AMA videos are available on YouTube, and if you make it past the sixth minute, you can hear the relevant questions and answers *:
The TPM 2.0 specification has been standardized (ISO / IEC 11889) since 2015. It succeeded TPM 1.2, which was standardized in 2009.
In 2016, Microsoft announced a change in the minimum hardware requirements for mobile devices and PCs that would run on Windows 10, hoping to see manufacturers adopt them soon for more secure devices.
Also, since July 28, 2016, all new device models must have version 2.0 of the TPM (Trusted Platform Module) which must be enabled by default. The Trusted Platform Module (which can also take the form of a chip and bear the name TPM chip or Fritz chip) is a hardware cryptographic component, on which the hardware-level implementation of the Next-generation secure computing base system is based. (NGSCB). It is expected to be integrated on the motherboards of computers and other electronic and IT equipment that meet the specifications of the Trusted Computing Group.
Although this chip is a passive electronic component (which cannot order the computer such as blocking the system, or monitoring the execution of an application), it allows easy storage of secrets (such as keys encryption), securely. Also, it will benefit users by offering them better protection of their sensitive information on PC for example.
TPM 2.0 could also help improve the security of the Windows Hello biometric authentication feature through which users can log into their PCs after being identified by their fingerprints, face or a kidney scan. In this case, the TPM 2.0 will be able to generate and save the authentication keys in a secure area.
To check what a machine has available, you can go to the device manager (“Devmgmt.msc” command in execute), category Security devices. And, for more details, open the Secure Platform Module Management tool on the local computer.
If your TPM is used correctly, as is the case on our machine, the utility will give you the version of the specification used. In our case, this is version 2.0. If TPM is not enabled on your machine, the utility will display the message Compatible Secure Platform Module not found.
Microsoft’s explanation for Windows 11
The editor’s recommendation appears to be the same. In a blog post, David Weston, Director of Enterprise and OS Security at Microsoft, said:
In 2019, we announced Secure Core PCs that apply security best practices to the firmware layer, or device core, that underpins Windows. These devices combine hardware, software and operating system protections to provide end-to-end protections against sophisticated and emerging threats such as those against hardware and firmware which are on the increase according to the National Institute of Standards and Technology as well. than the Department of Homeland Security. Our Security Signals report found that 83% of organizations have experienced a firmware attack and only 29% allocate resources to protect this critical layer.
With Windows 11, we’re making it easier for customers to get protection against these advanced attacks out of the box. All Windows 11 certified systems will ship with a TPM 2.0 chip to ensure that customers have security backed by a hardware root of trust.
The Trusted Platform Module (TPM) is a chip that is either integrated into your PC motherboard or added separately to the CPU. Its purpose is to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers cannot access or tamper with that data.
The PCs of the future need this modern hardware root of trust to protect against common and sophisticated attacks such as ransomware and more sophisticated nation-state attacks. Requiring TPM 2.0 raises the standard for hardware security by requiring this built-in root of trust.
TPM 2.0 is a critical part of providing security with Windows Hello and bitLocker to help customers better protect their identities and data. Additionally, for many corporate customers, TPMs help facilitate zero trust security by providing a secure element to attest to the health of devices.
Source: question session and answer (in text)