
Microsoft explains Windows 11 requirement of TPM 2.0

Windows 11 Start menu on a Surface Pro (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • Microsoft explains in a new blog post how Windows 11 "enables security by design from the chip to the cloud."
  • The company explains that requirements such as TPM 2.0 chips help ensure hardware-based security.
  • TPM 2.0 is a "critical building block" of Windows Hello and BitLocker, according to Microsoft.

The minimum requirements of Windows 11 have brought TPM 2.0 into the spotlight. TPM stands for Trusted Platform Module. Even though TPM 2.0 has shipped in new PCs for years, it's a technology that many hadn't heard of until this week. A new security blog post from Microsoft's director of enterprise and OS security, David Weston, explains the importance of TPM 2.0. The post also runs through some of the other security benefits of the new operating system.

Before diving into Windows 11, Weston runs through some of Microsoft's previous security efforts, including secured-core PCs and spending $1 billion per year on security. He then provides insight into some of the security aspects of Microsoft's new operating system.

"All certified Windows 11 systems will come with a TPM 2.0 chip to help ensure customers benefit from security backed by a hardware root-of-trust," explains Weston.

A TPM is a chip that's integrated into a PC's motherboard or built into the CPU itself. It helps protect sensitive data, user credentials, and encryption keys, and it helps protect PCs from malware and ransomware attacks, which are becoming more common.

Specifically, TPM 2.0 is a "critical building block for providing security with Windows Hello and BitLocker to help customers better protect their identities and data," as explained by Weston.

HP ENVY 32 AIO with Windows Hello (Image credit: Windows Central)

Weston also highlights that Windows 11 has out-of-the-box support for Microsoft Azure Attestation, which lets organizations enforce Zero Trust policies with supported mobile device management (MDM) solutions.

Windows 11 also supports virtualization-based security, hypervisor-protected code integrity, built-in Secure Boot, and hardware-enforced stack protection on supported hardware from Intel and AMD.

The blog post is an interesting read for security professionals and those worried about device security, but for many people, the main takeaway is that TPM 2.0 isn't a Windows 11 requirement for an arbitrary reason.

With Windows 11, some PCs may be left behind because of TPM, and it's causing a lot of confusion

It's worth noting that the soft floor and hard floor minimum requirements are different for Windows 11. There's a chance that people will be able to get Windows 11 to run on devices with older TPM 1.2 chips, though we're waiting for more clarity on the situation.
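To see where a given machine stands on the prerequisites the article lists (TPM 2.0, Secure Boot, virtualization-based security, BitLocker), the following PowerShell script reports each one read-only. It is an added example, not code from the article or from Microsoft's post; it assumes the built-in TrustedPlatformModule, SecureBoot and BitLocker modules and the Win32_Tpm and Win32_DeviceGuard WMI classes, and it is meant to be run in an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added example: read-only report of the Windows 11 hardware-security prerequisites.
# Changes nothing; run elevated so Get-Tpm and Get-BitLockerVolume can read their state.
$report = [ordered]@{}

# TPM: present, enabled and ready? Win32_Tpm.SpecVersion starts with "2.0" for TPM 2.0
# (a TPM 1.2 part reports "1.2"), which is the distinction the article is about.
$tpm    = Get-Tpm
$tpmWmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                          -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$specVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
$report['TPM present'] = $tpm.TpmPresent
$report['TPM enabled'] = $tpm.TpmEnabled   # false usually means fTPM/PTT is off in firmware
$report['TPM ready']   = $tpm.TpmReady
$report['TPM spec']    = $specVersion
$report['TPM 2.0 OK']  = ($tpm.TpmPresent -and $tpm.TpmEnabled -and $specVersion -eq '2.0')

# Secure Boot: Confirm-SecureBootUEFI throws when the machine booted in legacy BIOS mode.
try   { $report['Secure Boot'] = Confirm-SecureBootUEFI }
catch { $report['Secure Boot'] = 'not available (legacy BIOS boot?)' }

# Virtualization-based security: VirtualizationBasedSecurityStatus is 0 = off,
# 1 = enabled but not running, 2 = running. SecurityServicesRunning contains 2 when
# HVCI (hypervisor-protected code integrity) is running.
$dg = Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    $report['VBS status']   = @('off', 'enabled, not running', 'running')[$dg.VirtualizationBasedSecurityStatus]
    $report['HVCI running'] = ($dg.SecurityServicesRunning -contains 2)
} else {
    $report['VBS status']   = 'unknown'
}

# BitLocker on the OS volume; ProtectionStatus is On/Off (requires elevation).
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($osVol) { $report['BitLocker (OS drive)'] = $osVol.ProtectionStatus }

[pscustomobject]$report | Format-List
```

A machine that shows TPM present but not enabled, or Secure Boot unavailable, is the "it's there but switched off in firmware" case that several commenters below ran into.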

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

35 Comments
  • Someone at MS must've read my comment on the TPM 2.0 module scalpers story.
  • I think we're going to find out that the requirements for new hardware with Windows 11 pre-installed are not the same as requirements to upgrade to Windows 11.
  • It looks like this is built into all Intel Core CPUs since 4th gen and all Ryzen CPUs, so there are far fewer people affected by this than some of us originally thought. Intel's built-in version is called PTT and AMD's is called fTPM. These are not exactly the same as a physical TPM module, but they serve the same purpose as far as Windows is concerned and should satisfy the system requirements.
  • It is, I managed to partially activate it in mine (attestation is still not ready for some reason).
    The problem is how you get the Regular Joe user to dive deep into the OS and BIOS to enable it.
  • I'll honestly be surprised if MS doesn't have this step as part of their upgrade process. Most UEFI settings (TPM included) can be managed from the OS, so you don't necessarily have to go into the BIOS to turn them on.
  • Excellent point. I jumped into the BIOS of both of my Ryzen rigs which failed the initial check due to TPM, enabled fTPM, activated BitLocker on my boot drives and both machines now pass the Windows 11 upgrade check. Thanks for the heads up GraniteStateColin. That was easy.
  • I enabled fTPM but disabled Secure Boot and haven't used BitLocker; my PC still passes the validation check.
  • 4th Gen kind of interests me as my last custom build currently runs 8.1 & 10, and is a 4th gen build. It's not in the same county as I am so I can't take a look around the BIOS for a while, but the manual for my Z87 board shows a TPM slot. Great, but the pinout of header based TPM chips is different for v1.2 and v2.0. That motherboard has a header that supports TPM 1.2 only. I read elsewhere that K CPUs prior to 6th gen don't have TPM of any kind so my options would be to either swap the CPU out for a non-K 4th gen CPU or to find a TPM 1.2 chip and hope that Microsoft allow devices with TPM 1.2 to take Win 11. On the balance, I'll probably stick with Win 10 on that build. Guess I'm lucky that my build of 10 weeks just needed the PTT to be enabled in the BIOS.
  • Yeah, all is this is very good on paper, and I'm sure that follows their view. But in practice? People aren't going to buy a new device, or know how to enable this in their device, or simply not care about it to begin with. The result will be few adopting Windows 11 other than those who get it preinstalled in a new device. Seriously, I'm a knowledgeable user, I've been building and troubleshooting PCs for decades, and I've never had to wrestle with this TPM thing.
  • Yeah, this issue is more on average PC users that will be confused why their PC can't get this Windows 11 thing, then move on and forget about it. Thus slowing the adoption of W11 for a while and we will have additional fragmentation. Well, not much difference as long as users can use their own PC and its apps as they are used to. I hope after this, TPM requirements and Secure Boot will be fully standardized even for custom built PCs. The more pressing issue at the moment is the CPU requirements.
  • What concerns me the most is the list of supported processors. There's no reason a 6th or 7th gen Intel CPU is not capable of running Windows 11. If Microsoft really keeps that many people from upgrading, they might create another Windows Vista situation where only a minority will be using the OS (especially in many 3rd world countries where technology is still catching up - Dell still sells 8th gen laptops as their flagship devices in Brazil, for God's sake, so you can imagine that 4th, 5th, and 6th gen Intel processors are a majority here). It's quite a miserable list if you ask me. They want developers to develop for the platform, bring their Android apps to the system, but then, they won't have users using it, so developers won't feel the need to make an effort. At the same time, Windows 10 will basically remain as the most used OS, and 5 years from now, when support ends, many people will simply move over to Mac, which has been gaining great traction recently. If Big Sur can be used on MacBook Air and Pro models from 2011, I don't see a reason why Microsoft is turning devices from 5/6 years ago obsolete.
  • "There's no reason a 6th or 7th gen Intel CPU is not capable of running Windows 11. "
    Let's be careful of wording. Those chips ARE capable of running Windows 11. Absolutely. But it sounds like they are unsupported. That is, Microsoft does not endorse running Windows 11 on them. That's true even of Windows 10 where 4th Gen Intel chips are not supported on 21H1. But this is a soft block, you can still install Windows 10 on those PCs. I believe the same thing is true here, but it would be nice for Microsoft to clarify.
  • Yes, I understand. And I hope they are not creating another Vista situation with this new release. I guess we will need to wait and see.
  • @Daniel Rubino - The clarification is key. I do find it quite disappointing that as things stand, my less than 3 year old Surface Go isn't supported (despite TPM support being the main difference between the 4415Y and 4425Y). And I'll be very annoyed if Win 11 is completely blocked from it. @Gabriel Paiva - the Vista situation was mainly caused by Microsoft caving to OEMs and allowing them to install Vista on lower end hardware that couldn't really support the OS. I rarely had an issue with Vista but that's likely due to buying high end parts around a year after Vista was released
  • Well, in the worst case you would still get a total of ~8 years of security updates and ~3 years of OS updates, which is not too bad for an edge case. You could also sell your Go 1 and upgrade to a Go 2; there are plenty of people who probably do not mind having W10 on it.
  • That's the issue at the moment, the lack of clarity in their communication, which anyone who follows Microsoft would not be surprised by, as they tend to give mixed messaging at times for no reason. It makes things more confusing with their own system check app. I believe that is just a soft block and PCs older than 8th gen Intel may be upgradable. Basically upgrade at your own risk. Still though, 8th gen Intel for example is still too recent to be a minimum, considering you may have far higher tier chips like i7s and i9s but on an older generation. At least on the AMD side, support for the 2000 series is there, considering how old they are by now. Though it would be nice if 1st gen was also officially supported. Those chips are plenty capable.
  • "That's true even of Windows 10 where 4th Gen Intel chips are not supported on 21H1. But this is a soft block, you can still install Windows 10 on those PCs." @Daniel Rubino This surprised me that Microsoft would drop support of a CPU gen through the lifecycle of Win 10 so I took a look at older documentation for CPU support for Windows 10. Turns out that 4th Gen Intel CPUs were NEVER supported, even on the original 1507 build. When Win 10 launched those CPUs were less than 3 years old, so I'm surprised that Microsoft never officially supported 4th Gen CPUs on Win 10. Where it gets confusing is that Asus provide the same range of drivers for my Z87 motherboard for both Win 10 and Win 8. And most of those downloads aren't shared drivers that work on either OS, so how can Asus support the CPU/OS combination when Microsoft apparently can not? That there was no official support for 4th Gen CPUs is pretty worrying - and while Microsoft may actually change their mind or make clear that more CPUs are supported than they state, the poor messaging just seems like the bad classic Microsoft that existed under Steve Ballmer.
  • What I totally don't understand is why people focus on TPM while ignoring the CPU. The TPM standard is something generally available since 6 years ago while the supported CPUs were only introduced in the last 3 years. That means, if your CPU is supported, there would be no issue with TPM; while if your hardware doesn't have TPM, even if you somehow bought and installed one, your CPU is still not supported (at least for now by the definition of hard floor).
  • Some gaming PCs do not ship with TPM enabled, including this CLX rig which costs $7,500 and is from 2021 with an 11th Gen Intel processor. Sure, TPM/ Secure Boot is there, but it was disabled. That's quite common. That could be an issue if you need to send thousands/millions of users to their UEFI/BIOS to start fiddling.
  • Yeah, this TPM requirement is going to make tons of users call support, or small businesses who don't have IT/MSPs supporting them. From this on, custom built PCs may have to enable TPM and use Secure Boot as part of the build process.
  • TPM 2.0 shouldn't be enforced on existing PCs that are already in use. TPM 2.0 should only be enforced on new PCs.
  • It already is. It's been a requirement of Windows going back and all laptops/PC since 2016 should have it already. What was optional was enabling it. That is going to change for new Windows 11 hardware, obviously. A bigger concern is not TPM, but the processors, which seems more arbitrary.
  • Microsoft, I get it: you want money. Please stop with this charade and make Windows 11 a paid upgrade.
  • Why? It's free. You just need a reasonably modern PC.
  • If TPM is a requirement for Windows 11, then why has Microsoft themselves added a regedit key to bypass it? You can add these to the registry while booting from the ISO (Shift+F10), no changing .dlls or .wims required.
    [HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig]
    "BypassTPMCheck"=dword:00000001
    "BypassSecureBootCheck"=dword:00000001
    Credit: github.com/St1ckys
  • Seems like he has NT OS kernel trickery on that page as well. So it might not be as simple as it seems.
  • And when these requirements backfire into abysmal adoption of Windows 11, watch Microsoft backtrack on this.
    'cause between those of us who won't update to Windows 11 thanks to the horrible UI options, and those who won't update to Windows 11 because Microsoft says "they can't", I foresee a very low adoption rate for the OS. On the other hand, all of this makes perfect sense as soon as you remember Windows 11 is the garbage version of Windows that always follows the good version. So I'm sure this will all be ironed out and fixed once Windows 11 flops, on Windows 12.
  • So what happens if the user decides to disable TPM once Windows 11 is installed? Sorry, but the reasons MS gives are bull, total and complete bull. BitLocker for a start is not on Windows Home edition unless they are going to put it in Windows 11 Home. While I can understand BitLocker being useful for laptops, certainly if they are taken away from the property, BitLocker is not normally required for desktops in the home.
    My machine has TPM 2.0, but it is not enabled as I have no need for it. I do not need or require my drives to be encrypted and if I did, I would not use BitLocker; I prefer to use something that is not linked to MS. I can understand the requirement of TPM if people want to use those features, but in my opinion this is just about selling more machines, the same with Windows Hello; there are a fair few people who will not use it. I have no password on my machine, because again I have no need for it.
  • Security. And biometrics are the future. Most Apple devices work this way.
    It's the same argument for needing a Microsoft account. People are whining like babies.
    When they use an iPhone or Android phone that does _exactly_ the same thing.
    Devices are becoming consumerised. Secure. TPM is part of that future. People need to just get over it.
  • People who can use regedit or other software tricks can enable PCs that cannot run Windows 11 to run on PCs that are rejected to use it, but most people won't do that since Windows 10 is good to use until 2025. This gives folks time to save money to get a new PC/laptop etc. I think Microsoft should modify Windows 11 Home edition to not require "TPM" modules because it does not use "BitLocker" anyhow, and give Windows Defender the power to warn & stop hacker attempts to modify Windows 11. This way everyone can use Windows 11 no matter if they have an old or more modern PC/tablet. In this case Microsoft would warn those who use Windows Home they won't have as much security as regular Windows 11 but they can use it. They could call this Windows 11 version Windows 11 "Legacy" and have it on the list of versions you get to choose from when you INSTALL Windows 11. When Microsoft upgrades a computer & detects it won't load standard Windows 11, Microsoft will automatically upgrade it to Windows 11 "Legacy". Microsoft should have this set up BEFORE Windows 11 is installed on their auto upgrade servers. This way Microsoft will make Windows 11 a success instead of a headache.
  • Microsoft BE WARNED: COPIES OF MODIFIED WINDOWS 11 WILL APPEAR ON WEBSITES THAT INSTALL ON OLD COMPUTERS, SO CREATE YOUR IN-HOUSE VERSION OF WINDOWS 11 THAT CAN INSTALL ON COMPUTERS THAT DO NOT MEET THE TPM REQUIREMENTS, SUCH AS SOME OF YOUR OWN SURFACE DEVICES THAT COST FOLKS LOTS OF MONEY. DO THIS AHEAD OF TIME TO HELP YOUR CUSTOMERS.
  • I don't want Windows Hello or Bitlocker. My PC can't do TPM 2.0. This is an arbitrary and unnecessary requirement. It's a good thing that Linux offers a satisfactory alternative to Windows 11.
  • I agree. This requirement needs to go away.
  • Lack of TPM is a poor excuse for not allowing us to upgrade to Windows 11. His explanation makes no sense. Most people don't care about BitLocker or Windows Hello anyway. I think MS needs to abandon this ludicrous requirement.
  • No, they need to keep it. It's about time Windows was as secure as iOS. This helps make that at least feasible.