With Windows 11, some PCs may be left behind because of TPM, and it's causing a lot of confusion

As we remarked a week ago, Windows 11 turned out to be much more than just a new Start menu. The new store, Android apps, Direct Storage, Auto HDR, new touch UX, and new forthcoming features, such as haptic pens, make Windows 11 a significant overhaul of the six-year-old Windows 10.

But one item we did not anticipate when it came to major Windows 11-related changes was the apparent cutoff for which PCs can get the free Windows 11 upgrade. That topic is causing a lot of confusion. Here is what we know and what we don't know about it.

Why have TPM requirements at all?

It is clear Microsoft is positioning Windows 11 as its next major OS for the upcoming decade. While it is not a clean break from Windows 10, some older PCs will not make the cut.

The big motivator here seems to be security, as Microsoft explained recently in a blog post.

TPM (Trusted Platform Module) is nothing new for PCs. It goes back to the mid-2000s as an international standard for a secure cryptoprocessor. Although there are software versions, too, like fTPM, TPM is a physical hardware chip used to store encrypted information while also ensuring a secured boot environment.

In the real world, TPM allows for things like:

  • BitLocker Drive Encryption
  • Windows Hello PINs and biometrics
  • Windows Defender System Guard
  • Tamper detection of the PC's hardware
  • Virtual Smart card
  • Credential Guard
  • Secure Boot

With TPM, BitLocker gets to store the encryption key and your Windows Hello biometrics securely. This ability is why Windows Hello is so protected. Your biometrics, like fingerprints or facial recognition data, do not go to the cloud; instead, they get hardware encrypted on your PC so that info cannot be retrieved or reverse engineered to bypass your PC's login process.

Secure boot is becoming increasingly important, too. From Microsoft's documentation:

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.

Microsoft is drawing a line on security and saying that to use Windows 11 PCs going forward, you need to have this feature enabled.

The good news is TPM 1.2 (more on that below) goes back to 2005. TPM 2.0 goes back to 2015, and most PCs are supposed to ship with it, although that does not always seem to be the case, especially if you build your own.

I realize that this is all just techno mumbo jumbo for many consumers, but Windows PCs have had a long history of security issues. Microsoft has gone to great lengths since Windows 10 to secure its OS as much as possible, and Windows 11 takes a more rigid stance.

What is required for Windows 11?

Even the requirements for Windows 11 are a bit confusing as there are both "hard" and "soft" floors of cutoffs for the update. Many PC makers are also now giving guidance on which PCs will get it.

Update: Soon after this article was published, Microsoft removed the hard/soft floor distinction for Windows 11. The changes seem to merge the two where you can have just a 1GHz CPU, but it has to be on the supported list. TPM 1.2 is no longer mentioned.

The hard floor is what most people who have older PCs should be looking at. If your PC does not meet these standards, you cannot get Windows 11. In addition, the hard floor requires "greater or equal" to TPM 1.2, Secure Boot capable, 4GB of RAM, 64GB of storage, and at least a dual-core processor that is faster than 1GHz.

Those are hardly strict requirements for a forward-looking OS in 2021.

The soft floor requires TPM 2.0 (which started shipping in all PCs around 2016/2017) and needs specific processors. These are devices that are free to update with no caveats.

The soft floor seems to be what Microsoft's PC Health Check app is looking at and where a lot of confusion is happening.

Indeed, the more significant issue here may not be TPM requirements, but the fact that any Intel CPU older than 8th Gen does not make the cut for Windows 11. Unfortunately, that includes a lot of Surface devices, including Surface Studio 2 and Surface Pro 5. That caveat does not mean those computers can't run Windows 11; it just means Microsoft does not support them running Windows 11. It is an important distinction.

Gaming PCs and TPM: present (but not enabled)

One issue that will be hard to navigate for the entire upgrade process is that many gaming PCs have TPM on the motherboard (it is a physical chip, after all), but it is not enabled. For example, this was the case on my CLX gaming PC, which initially failed Microsoft's check for Windows 11 compatibility.

The solution was to go into the BIOS and enable secure boot and Intel Platform Trust Technology (PTT). It took 30 seconds, and my PC is now Windows 11 compliant, which is reasonable considering it is a brand new 2021, $7,500 computer!

As you can see, the problem is that some PCs have the hardware, but it is not enabled. Microsoft's Health Check app does not say why your PC fails to meet the requirements, although we have heard Microsoft will update the app soon to address that. It is also not clear that you can do a software check to see if your PC has TPM 2.0 in the event the module is present but disabled.

Here's the more significant issue: Does Microsoft want to send thousands (millions?) of people into their PC BIOS to start fiddling with security features? Again, you can see how that leaves room for a lot of problems.

At least for new PCs that sell Windows 11 pre-installed, this won't be a concern.
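
A software-side check of the items this section discusses, as an added example that is not from the original article or from Microsoft's PC Health Check app: it reports TPM state and specification version, Secure Boot state, and the boot disk's partition style, then lists the likely reasons a check would fail. The function name `Get-PlatformReadiness` is hypothetical; it assumes an elevated PowerShell session on Windows 10 and does not look at the CPU list.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from PC Health Check.
# Get-PlatformReadiness is a hypothetical helper name. It relies only on
# built-ins: Get-Tpm, the Win32_Tpm class, Confirm-SecureBootUEFI, Get-Disk.

function Get-PlatformReadiness {
    $r = [ordered]@{}

    # TPM as the OS sees it. A firmware TPM (Intel PTT / AMD fTPM) that is
    # switched off in UEFI setup is normally not exposed to Windows at all,
    # so TpmPresent = False can mean "disabled in firmware", not "no hardware".
    $tpm = Get-Tpm
    $r.TpmPresent = $tpm.TpmPresent
    $r.TpmReady   = $tpm.TpmReady

    # Specification version (the value tpm.msc displays) comes from Win32_Tpm.
    # SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the family.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmSpecVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }

    # Secure Boot: returns $true/$false on UEFI systems and throws when the
    # machine booted in legacy BIOS/CSM mode, which is itself a finding.
    try {
        $r.SecureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $r.SecureBoot = "Unavailable: $($_.Exception.Message)"
    }

    # UEFI boot, and therefore Secure Boot, needs a GPT-partitioned boot disk.
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    $r.BootDiskPartitionStyle = if ($bootDisk) { [string]$bootDisk.PartitionStyle } else { 'Unknown' }

    # Turn the raw state into human-readable reasons.
    $reasons = @()
    if (-not $r.TpmPresent) {
        $reasons += 'No TPM visible to Windows: check UEFI setup for PTT/fTPM before buying a module.'
    } elseif ($r.TpmSpecVersion -ne '2.0') {
        $reasons += "TPM specification version is '$($r.TpmSpecVersion)', not 2.0."
    } elseif (-not $r.TpmReady) {
        $reasons += 'TPM is present but not ready for use (not provisioned or not fully enabled).'
    }
    if ($r.SecureBoot -like 'Unavailable*') {
        $reasons += 'Secure Boot state cannot be read: the system is likely booting in legacy/CSM mode.'
    } elseif ($r.SecureBoot -eq 'Disabled') {
        $reasons += 'Secure Boot is supported but currently switched off (informational).'
    }
    if ($r.BootDiskPartitionStyle -eq 'MBR') {
        $reasons += 'Boot disk is MBR: UEFI boot and Secure Boot require GPT.'
    }
    $r.Reasons = $reasons

    [pscustomobject]$r
}

Get-PlatformReadiness | Format-List
```

An empty `Reasons` list means the TPM, Secure Boot and disk layout look fine, so a remaining failure points at the processor list instead.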

What happens if your PC does not have TPM 2.0 or a modern processor?

We don't know. Microsoft says:

Devices that do not meet the hard floor cannot be upgraded to Windows 11, and devices that meet the soft floor will receive a notification that upgrade is not advised.

It sounds like if your computer has TPM 1.2 (which is incredibly old) and at least a 1GHz processor, you can still get Windows 11; it is just "not advised."

But what that process looks like is not known at this time. We expect Windows 11 to start rolling out in October through early 2022, like previous Windows updates. So my hunch is users can still take the Windows 11 upgrade, but there may be some warnings about it not being recommended.

To be clear, Windows 11 runs well on older hardware. It is not like older Intel 6th Gen processors cannot handle the OS — far from it. This discussion is all about security.

For those who build their gaming PCs, if your motherboard does not have TPM 2.0 you can buy the module ($30) and install it yourself. Just make sure your motherboard does not already have it since many modern motherboards do, even if it's not enabled.

Will Microsoft stick with Windows 11 requirements?

If I had to guess, Microsoft might modify some of these requirements and even the wording around Windows 11 as we advance. Right now, the scope of the "TPM problem," meaning how many PCs are out there with TPM in a disabled state, is not known.

Microsoft has four months to figure out how to address the issue. It could either relax requirements or let affected users take Windows 11 even after advising them against it.

In some ways, this debacle is unfortunate but not uncommon. Apple and Google routinely cut off hardware for new operating systems. My late 2017 Google Pixel 2 will not get Android 12 even though it can absolutely run it. Microsoft doing the same in the name of security is necessary to push standards forward, especially in an age of ransomware, where TPM plays one part in a growing security infrastructure.

I think the bigger looming issue is not even TPM, but processor compatibility. Microsoft has done this in the past, but these are known as "soft blocks." For example, Windows 10 21H1 does not officially support Intel 4th Gen "Haswell" chips, but you can still run Windows 10 on those processors without issue. Microsoft appears to be doing the same here. There will be soft blocks for non-compatible CPUs, but you can still install Windows 11 on a Surface Pro 5; it just won't be "supported."

Regardless, I think it is evident that Microsoft needs to get clearer messaging around this update as there will be a lot of confusion in the future.

Daniel Rubino
Executive Editor

Daniel Rubino is the Executive Editor of Windows Central, head reviewer, podcast co-host, and analyst. He has been covering Microsoft here since 2007, back when this site was called WMExperts (and later Windows Phone Central). His interests include Windows, Microsoft Surface, laptops, next-gen computing, and arguing with people on the internet.

120 Comments
  • Enabling fTPM (AMD) or PTT (Intel) will pass the validation check for Windows 11, even if the motherboard doesn't have a discrete TPM chip. Secure boot is optional - I have enabled fTPM but Secure boot is disabled, my PC passes the check and qualifies for the upgrade. As long as the PC is secure boot capable it will work, whether used or not.
  • Right, but then on something like Surface Studio 2 where TPM 2.0 and Secure Boot are enabled, it still fails the check because of the CPU (7th Gen).
  • Yes. Lot of confusion there. Mine failed the check for I guess the same reason. 7th gen processor. MS should directly list which processor is supported.
  • Microsoft does list that.
  • Which will be a ball-ache for a lot of people I imagine
  • Secure boot is not optional. After enabling fTPM, my PC still failed the compatibility check because secure boot wasn't enabled.
  • That's strange, I've just checked my BIOS. fTPM - ENABLED, Secure Boot - DISABLED. My PC still passes the validation check.
  • Same here. Lol
  • Alternate way: Open Device Manager > Find TPM under Security Devices option.
  • What do you mean by "not supported"?
  • Probably a better question for Microsoft since it is their wording. I guess the issue is how often do you contact Microsoft for support about problems with Windows running on older hardware, right?
  • I am worried about security patches, Patch Tuesday updates, and cumulative updates not being applied.
  • I wouldn't be worried.
  • What I've heard from most MS engineers via premier is that as it relates to hardware generation requirements, "unsupported" generally means untested. It doesn't mean it won't run; it means that they haven't tested it on that hardware, so you may run into issues. It also doesn't necessarily mean if you open a support request for it they won't help you, but it's usually at best effort (and generally depends on the Engineer or tech you get how far they will go to help you).
  • I have a custom built gaming/development PC which doesn't have a TPM. I have headers for it but never needed it for anything. Bitlocker can work without it, you just need a USB drive to store your decryption key. And I'm using Windows Hello without it, so the decision to require it for Win 11 is both puzzling and troubling. The trouble being how difficult it may be to obtain a TPM now.
  • Is it an AMD computer?
  • It's an Intel i9-9900K. I'll have to check for the settings the others have mentioned. My motherboard has a header for TPM but I never installed one. I'll have to check that other stuff.
  • How old is it? You do not need a physical tpm module on newer (read post 2016 cpus), as the functionality necessary to enable it exists in the cpus/chipsets directly. It'll be called fTPM or PTT in UEFI settings, depending on if you're AMD or Intel respectively.
  • Found it. Thanks! For me, the option was Discrete TPM vs Firmware TPM. Changing to Firmware TPM worked beautifully.
  • If your cpu is fairly new, go to the bios / system / miscellaneous, you may find (as I did) an option to enable PTT. Bam, your computer will pass and it will take less than 5 minutes.
  • Yes, that worked. Thanks! For me, the option was Discrete TPM vs Firmware TPM.
  • Both my Surface Go and Surface Go 2 are failing the PC Health Check. The Surface Go is failing because of the CPU. But the Surface Go 2 meets all requirements (hard and soft). Should the Surface Go pass the health checks but with warnings and I should be able to install Windows?
    Should the Surface Go pass the health checks and I should be able to install Windows 11?
  • I reran the PC Health Check and it applied an update. After I clicked on "Check Now", my Surface Go 2 is still failing, but now it is saying it failed because the CPU is not supported. My CPU is "Intel(R) Core(TM) m3-8100Y CPU @ 1.10GHz 1.61 GHz" and it is on the supported list for Windows 11!
  • How are they gonna get people running Windows 7 to update if mine won't update. I've got a decent spec laptop but saying it doesn't have TPM or whatever.
  • It should have been upgraded to Windows 10 at this point.
  • You could also check the TPM chip on your motherboard(Desktop) using e-manual. Mine has a connector but not chip.
  • This is too confusing, I will wait until this becomes clear, I hate deciphering this type of thing.
  • Most people are having an issue with one of these:
    - TPM chip
    - Processor Model
    - Secure Boot
    By default, the TPM setting is enabled if that's on their motherboard.
  • Microsoft has updated its "Compatibility for Windows 11" page to say that TPM 2.0 is required. Previously, the page said that TPM 1.2 is required. https://docs.microsoft.com/en-us/windows/compatibility/windows-11/
  • Yup, this article was updated with that info.
  • Mine has TPM 2.0 but still not supported and says your processor is not supported.
  • MSFT is trending because of TPM not for w11. 😶 They should record a video to clarify it so people won't panic and buy new system at scalpers price.
  • Interesting: I have an 8th gen Core i7. I just rebooted and went into the BIOS (yes, it's UEFI) expecting to be able to turn on PTT, but under Advanced then Trusted Computing (the only place I would expect to find this in the BIOS), it says, "No Security Device Found." I'm not sure how to reconcile that with the previous statement I've heard that all recent Intel Core chips include PTT which is equivalent to TPM. I'm still investigating, but maybe this won't be as simple as I had hoped. If it really requires a dedicated physical TPM module, VERY FEW of us will have qualifying systems, as almost no-one besides enterprise systems include the $20 part.
    On the other hand, that's precisely why I can't believe this is the requirement. There is no way MS is going to launch Windows 11 in a way that it only works on new machines and for Enterprise.... right?
  • AHA! My mistake. It's a DIFFERENT BIOS setting. Instead, look under Security then Intel Platform Trust Technology. Set that to ENABLED in the BIOS (you may need to turn off CSM compatibility mode), then when you run tpm.msc in Windows it will show your Intel Core chip supports TPM 2.0, just like in the 3rd picture in the article. My 8th Gen Core i7 with PTT on shows Manufacturer Version # 402.1.0.0, quite a bit lower than in the article here, but still shows the Specification Version of 2.0, which is the critical part for Windows 11 compatibility. Phew. I think this applies to just about everyone with a Core chip after 4th Gen and most (maybe all) of the 4th Gen chips. The exact position in the BIOS may vary depending on the manufacturer of your motherboard.
  • In addition to the good article here on Windows Central, MS has a good piece on this too: https://docs.microsoft.com/en-us/windows/security/information-protection...
  • MSFT struck again. They introduced a new OS and after one day everybody is talking about TPM. Something I did not even know what it was till June 23rd. Incredible
  • People will always cry whenever MS does anything. This TPM thing will be the new thing that everyone whines about on the Internet, even though all you must do is enable the firmware in your BIOS if it isn't already.
  • Maybe they shouldn't tell people they can update from Windows 7... and then require something that wasn't available then.
    My desktop PC is an HP Envy 23 Recline All-in-One that came with Windows 8 and doesn't have any TPM version at all (just UEFI/secure boot). Runs Windows 10 perfectly fine but won't be able to update to Windows 11, so why would we be happy about this?
  • Doesn't seem like the G1.Sniper Z97 has it nor the proper connection on the mobo to add something like Gigabyte GC-TPM :(
  • I didn't realise intel 4th gen Haswell wasn't supported in the latest win 10 update, my 7 year old i5 Devils Canyon still works perfectly smooth with the latest Windows.
  • Yeah, I wasn't aware that my 3770k workstation was "out of support."
  • My 7th gen i7 Dell isn't supported and yes it has TPM 2.0. MS has pissed off a lot of people.
  • 4th Gen! You've got to be kidding. I will not push them for supporting that. I get it if they will not support all my 16 to 32gb storage atom tablets. But I do feel that all the cute Chinese toys I purchased over the last couple of years deserve to be supported. For example, the "world's tiniest 4K pc", the Chuwi LarkBox deserves to be supported. fTPM is enabled but seems it is still missing some TPM ****. I guess this is just Nadella's signature... "we are making it for the elite business, not for you lowly consumers"
  • "Does Microsoft want to send thousands (millions?) of people into their PC BIOS to start fiddling with security features?" I am getting the feeling it is going to be a lot worse than that. I have a PC with a ROG STRIX Z370-G gaming motherboard and a Core i5 8600K processor. I have tweaked the bios at least 20 times since yesterday but that damn tool just keeps failing. 21H1 is installed with latest cumulative update. Secure boot is enabled and set to "Windows UEFI", not "other". TPM 2.0 is enabled and shows up in device manager and on TPM Management. Since the tool was upgraded today, it has started complaining: "the PC must support secure boot". Hope it is just the tool that is messed and that the "Windows 11 upgrade detector" module will be somewhat more earthly.
  • There are definitely some errors with that tool, so likely a bit of grain of salt. I think it's more of a guide. A bigger concern should be can you just install Win11 via media creation tool or even straight WU. That we don't know (the leaked build installs on anything with a USB)
  • Finally, managed to fix the issue. It was actually dumb... my system disk M2 card was configured with MBR... don't ask me why I had it configured that way, probably because I was using it previously as a data disk. Ran mbr2gpt utility and that was it... fixed. Surely, the microsoft tool could have said as much, that my system disk needs to be configured with GPT instead of MBR, rather than saying my machine cannot run Windows 11 due to lack of secure boot support
  • I have two Dells - XPS AIO 7760 and a 15" XPS 9575. Neither are eligible for W11. Microsoft is going to piss off a lot of people. When these machines run their course, they will be replaced with Apple products. I'm done with stupid Microsoft decisions.
  • Quite agree with this and windows is gonna lose a lot of market share because of this decision. Even if you have 3ghz processor with all other requirements satisfied comfortably, you are not gonna get windows 11. This is bullshit.
  • You could just continue to use Windows 10. That is an option too. My Pixel 2 doesn't get Android 12, but it still works just fine with Android 11.
  • Sir, it's understandable but what after year 2025 ? This is painful for those who spent money in this pandemic on 'non-TPM' devices. This OS is more promising than W10 for more people.
  • Microsoft could extend Windows 10 support. By 2025, the OS is 10 years old. There does become a time where an OS needs to be phased out. See Windows 7.
  • I can bet MS is gonna lose significant market share because of these stupid requirements for windows 11. For enterprises, they are not gonna buy new PCs for their employees for windows 11.
  • They will not lose market share, c'mon. Here's the worst that happens: People continue using Windows 10, which is supported through 2025. Windows 10 even gets the new store! Unless, are you suggesting that people get mad because, in order to get Windows 11, they have to buy a new PC. But, instead, will still buy the new PC, it'll just be Apple instead - all to spite Microsoft? I'm not sure how that makes sense.
    "For enterprises, they are not gonna buy new PCs for their employees for windows 11."
    Enterprise is quite literally the last group I'd expect to WANT to upgrade to Windows 11. Enterprise always goes last for updates, not first 🤦‍♂️ Also, let's wait until Microsoft clarifies. We have 4 months before this release. A lot can change.
  • If Microsoft says 2025, read it as 2045 for corporate support. And you can keep running it for another 20 years after that if you are still alive. In one Weston hotel in Asia, I saw they are still running XP on business centre PCs.