Since Microsoft’s announcement of Windows 11 yesterday, one concern has echoed around the web: what about a Trusted Platform Module requirement?
Windows 11 is the first version of Windows to require a TPM, and most homebuilt PCs (and cheaper OEM PCs for home use) do not have a TPM module on board. While this requirement is a bit of a mess, it’s not as onerous as millions of people have assumed. We’ll walk you through all of the announced requirements for Windows 11, including TPM, noting when each of these is likely to become an issue.
General hardware requirements
While Windows 11 slightly increases overall hardware requirements from Windows 10’s extremely lenient minimums, it’s still going to be a challenge to find a PC that doesn’t meet most of these specs. Here’s the list:
- CPU—1 GHz or faster, two or more cores, x86_64 or ARM64 only
- RAM—4GiB or more
- Storage—Minimum 64 GB for installation… but we recommend at least 128 GB for a vaguely normal system
- Graphics—Compatible with DX12 or later, with WDDM 2.0 driver
- Firmware—UEFI, capable of Secure Boot
- TPM—Trusted Platform Module 2.0 is listed as a minimum requirement; TPM 1.2 may or may not be “good enough”, but read on before you throw your hands up in desperation!
- Display—Minimum resolution of 720p, minimum diagonal size of 9 inches, 8 bits per color channel or higher
In addition to these hardware requirements, Windows 11 Home requires an Internet connection and a Microsoft cloud account. The Microsoft account and internet connection are required only for Home, not for Pro. There’s no word yet on whether there will be a workaround, such as the current “Do not connect the network cable until after installation” dance.
The CPU requirement may be more or less of an issue than it initially appears. Microsoft has a relatively short list of supported CPUs from three major manufacturers (AMD, Intel, and Qualcomm) that generally go back to Ryzen 2500 or Intel 8th Gen Core – no further. However, we’re not sure how reliable that list is. We strongly suspect that Windows 11 will run well on many significantly older processors.
If Microsoft encodes a hardware requirements checklist into the installer or boot order, many CPUs that would otherwise have worked well will be rendered unusable. This seems rather unlikely, but (pardon the overused phrase) only time will tell.
A closer look at the Trusted Platform Module requirement
Most homebuilt PC motherboards, even flagship ones, do not have a hardware TPM module installed. However, most of those boards do theoretically support a hardware TPM, with a dedicated 19-pin header ready to plug one in. Honestly, it’s a very niche, specialized device that few users have ever bought.
At least, very few people bought an optional hardware TPM until yesterday, when they saw the Windows 11 requirements and panicked. Within hours of the announcement of Windows 11 by Chief Product Officer Panos Panay, the entire inventory of most manufacturers’ readily available TPM modules was sold out by Windows 10 users trying to make sure they could use 11.
Don’t worry if you didn’t get one of the few available TPM modules yesterday: you almost certainly don’t need one. OEM hardware TPM is generally considered the most hardened version and is soldered directly to the board in PCs intended for business use. Less hardened firmware TPM support is built into modern AMD and Intel processors, and it perfectly satisfies the Windows 11 TPM requirement.
It’s a bit difficult to get a full, accurate list of all CPUs that support built-in firmware-based TPM, largely because demand for them has been pretty low until this week. As far as we can tell, every x86_64 CPU on Microsoft’s list of supported processors includes that support.
Intel calls its firmware-based TPM iPPT (Intel Platform Protection Technology) and AMD calls its own fTPM (Firmware Trusted Platform Module). In general, iPPT appears in most Haswell (4th Gen Core) CPUs, though the K-series gaming models don’t get iPPT until Skylake (6th Gen Core) for inexplicable reasons. On the AMD side, we see fTPM showing up with Ryzen 2500 and above.
However, there is another problem to navigate. While the vast majority of semi-modern CPUs support firmware TPM, it is disabled in the BIOS on almost all motherboards. So you need a three-finger salute and a deep dive through the “advanced” part of your machine’s BIOS to try to find and enable that support if you need it.
OEM motherboards may well have fTPM disabled by default too – and unfortunately they often don’t expose the setting to enable it, even if the CPU otherwise supports it. If you have an off-the-shelf system from Dell or HP that did not include a hardware TPM, you could be stuck and unable to take any further steps.
To determine whether TPM support is available and working on Windows, run the command tpm.msc. This will open a TPM dialog box showing whether you have TPM support and what version (1.2 or 2.0) it is. (You can also interact with the TPM by clearing or “preparing” it, but that’s not something you need to do – or should do – unless specifically requested. Messing with your TPM can permanently lock BitLocker volumes and in some cases it can even disable Windows.)
Let’s talk about UEFI and Secure Boot
Microsoft lists Unified Extensible Firmware Interface (UEFI) support and Secure Boot capability as hard requirements for Windows 11. As with the CPU requirements, we are currently hesitant to accept these requirements at face value.
The requirement for UEFI is probably exactly what it says on the tin – no more old BIOS installations for anyone! – but there may be a slight weasel smell in the “Secure Boot capability” wording. We won’t know for sure until Windows 11 Insider images become available, but we suspect “capability” is probably an important word. Secure Boot itself may not be required.
If you’re rocking an off-the-shelf OEM PC, these requirements probably won’t affect you. Any system with both CPU and TPM support that is modern enough to run 11 will have UEFI firmware, and the current Windows 10 installation will be running on it.
But if you built your own PC, you might have an annoying problem. Most enthusiast boards can boot from either BIOS or UEFI, and if you installed Windows under BIOS, you can’t easily convert it to UEFI. With enough determination and technical prowess, it’s possible to revive a BIOS install of Windows under UEFI, but it just won’t be worth it for most Windows users, who will have to do a clean reinstall.
The problem becomes even more important for those using virtual machines. Several virtualization platforms (including Linux KVM) default to BIOS instead of UEFI guest boot. It’s simpler, it generally boots faster, and it’s been around a lot longer. Why fix what isn’t broken? If your daily-driver Windows 10 VM boots from BIOS, you’re stuck with the same issues as PC builders who selected a BIOS boot.
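The TPM, firmware and Secure Boot checks discussed above can also be read from an elevated PowerShell prompt instead of clicking through tpm.msc and the BIOS setup screens. The script below is an added example, not part of the original article or a Microsoft tool; it uses only stock Windows cmdlets and is read-only (it never clears or prepares the TPM). It runs equally well inside a Windows 10 guest VM.

```powershell
#Requires -RunAsAdministrator
# Added example: report the TPM / UEFI / Secure Boot state this article discusses.
# Read-only: nothing here clears, prepares or otherwise modifies the TPM.

$report = [ordered]@{}

# TPM presence and readiness. A firmware TPM that is disabled in the BIOS
# shows up here as TpmPresent = False even if the CPU supports it.
$tpm = Get-Tpm
$report.TpmPresent     = $tpm.TpmPresent
$report.TpmReady       = $tpm.TpmReady
$report.TpmSpecVersion = $null

if ($tpm.TpmPresent) {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the
    # TPM family (1.2 or 2.0), the same value tpm.msc shows.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm
    if ($wmiTpm) {
        $report.TpmSpecVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
    }
}

# Firmware mode the running OS was booted in: Uefi or Bios.
$report.FirmwareType = "$((Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType)"

# Secure Boot state. On a legacy BIOS boot the cmdlet throws instead of
# returning $false, so the two cases are reported separately.
try {
    $report.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    $report.SecureBootEnabled = 'not available (legacy BIOS boot or unsupported firmware)'
}

# Partition style of the boot disk. MBR together with FirmwareType = Bios means
# the install was done under BIOS and falls into the "clean reinstall" case.
$bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
$report.BootDiskPartitionStyle = "$($bootDisk.PartitionStyle)"

# Verdicts against the two firmware-related items in the requirements list.
$report.MeetsTpm20Requirement = ($report.TpmSpecVersion -eq '2.0')
$report.MeetsUefiRequirement  = ($report.FirmwareType -eq 'Uefi')

[pscustomobject]$report | Format-List
```

A result of `TpmPresent : False` on a CPU from the supported list usually points to the firmware TPM being switched off in the BIOS rather than missing hardware.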