
Microsoft announced yesterday that Windows 11 would require TPM (Trusted Platform Module) chips on existing and new devices. It's a significant hardware change that has been years in the making, but Microsoft's messy way of communicating this has left many confused about whether their hardware is compatible. What is a TPM, and why do you need one for Windows 11 anyway?
“The Trusted Platform Module (TPM) is a chip that is either integrated into your PC’s motherboard or added separately into the CPU,” explains David Weston, director of enterprise and OS security at Microsoft. “Its purpose is to protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.”
So it's all about security. TPMs work by providing hardware-level protection instead of software only. A TPM can be used to encrypt disks using Windows features like BitLocker, or to prevent dictionary attacks against passwords. TPM 1.2 chips have existed since 2011, but they've typically only been used widely in IT-managed business laptops and desktops. Microsoft wants to bring that same level of security to everyone using Windows, even if it's not always perfect.
Microsoft has been warning for months that firmware attacks are on the rise. “Our own Security Signals report found that 83 percent of businesses experienced a firmware attack, and only 29 percent are allocating resources to protect this critical layer,” says Weston.
That 83 percent figure seems huge, but when you consider the various phishing, ransomware, supply chain, and IoT vulnerabilities that exist, the broad range of attacks becomes a lot clearer. Ransomware attacks hit the headlines weekly, and ransomware funds more ransomware, so it's a difficult problem to solve. TPMs will certainly help with certain attacks, but Microsoft is banking on a combination of modern CPUs, Secure Boot, and its set of virtualization protections to really make a dent in ransomware.
Microsoft is trying to play its part, particularly as Windows is the platform that's often most affected by these attacks. It's widely used by businesses worldwide, and there are more than 1.3 billion Windows 10 machines in use today. Microsoft software has been at the core of devastating attacks that made world headlines, like the Russia-linked SolarWinds hack and the Hafnium hacks on Microsoft Exchange Server. And while the company isn't responsible for forcing its clients to keep its software patched, it's trying to be more proactive about security.
Microsoft has a habit of struggling to move Windows into the future in both hardware and software, and this particular change hasn't been explained well. While Microsoft has required OEMs to ship devices with support for TPM chips since Windows 10, the company hasn't forced users or its many device partners to turn these on for Windows to work. That's what's really changing with Windows 11, and combined with Microsoft's Windows 11 upgrade checker, it has resulted in a lot of understandable confusion.
Microsoft's Windows 11 website lists the minimum system requirements, with a link to compatible CPUs and a clear mention that a TPM 2.0 is required at a minimum. (It's not.) The PC Health Check app that Microsoft asks people to download and run to see if Windows 11 is supported will flag systems that do not have Secure Boot or TPM support enabled, or devices that have CPUs that aren't officially supported (anything older than eighth Gen Intel chips).
That's left many trying to figure out whether their machine supports TPM or not, confused by BIOS settings, and even people rushing to buy separate TPM modules they don't need. Some are even scalping TPM 2.0 modules on eBay!
Hidden away on Microsoft's site is what's really going on here. The true minimum requirements are TPM 1.2 and a dual-core CPU that's 1GHz or greater. TPM support can be enabled on almost any modern CPU in the BIOS settings of a machine. You shouldn't need a separate module unless your CPU is very old.
Microsoft is promoting TPM 2.0 and performing checks for eighth Gen or newer Intel chips because these are the requirements for certified OEM hardware: the machines you'll find in stores with an inevitable Windows 11 sticker. The reality is that Windows 11 will install on devices with TPM 1.2 enabled and almost any CPU that meets the dual-core 1GHz or above standard; you'll just have to navigate a notification telling you the “upgrade is not advised.”
Microsoft doesn't even mention this true TPM 1.2 minimum in its blog post outlining this new security effort today, nor does the company offer any details on the CPU support that many seem to be stumbling into. If you're having issues with the PC Health Check app for Windows 11, make sure you have “PTT” enabled in the BIOS on Intel systems, or “PSP fTPM” on AMD devices. Otherwise, wait for Microsoft to improve this system checker over the next couple of weeks.
What Microsoft is trying to achieve here will benefit the Windows ecosystem in years to come, alongside its new efforts for Xbox-like security on Windows. Microsoft just completely dropped the ball on explaining that to everyone on day one.
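To see what Windows itself reports about the TPM, Secure Boot, and CPU before changing any BIOS setting, the following PowerShell sketch can be run from an elevated prompt. It is an added example, not Microsoft's PC Health Check logic; the function names are hypothetical and the thresholds are simply the figures quoted in this article.

```powershell
# Added example (not PC Health Check). Run in an elevated PowerShell session.
# Thresholds are the ones quoted in the article, not an official compatibility test.

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion is a comma-separated string; the first field is the
    # TPM specification family (for example 1.2 or 2.0).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }   # nothing exposed: no chip, or PTT/fTPM off in firmware
    return (($tpm.SpecVersion -split ',')[0].Trim() -as [version])
}

function Test-SecureBoot {
    # Confirm-SecureBootUEFI throws on legacy-BIOS boots; treat that as "not enabled".
    try   { return [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { return $false }
}

function Get-Win11ReadinessReport {
    $spec  = Get-TpmSpecVersion
    $state = Get-Tpm -ErrorAction SilentlyContinue
    $cpu   = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    [pscustomobject]@{
        TpmPresent        = ($null -ne $spec)
        TpmReady          = [bool]$state.TpmReady
        TpmSpecVersion    = $spec
        # Article: TPM 1.2 is the real floor, TPM 2.0 the certified-hardware bar.
        MeetsTpm12Floor   = ($null -ne $spec) -and ($spec -ge [version]'1.2')
        MeetsTpm20        = ($null -ne $spec) -and ($spec -ge [version]'2.0')
        SecureBootEnabled = Test-SecureBoot
        CpuName           = $cpu.Name
        CpuCores          = $cpu.NumberOfCores
        CpuMaxMHz         = $cpu.MaxClockSpeed
        # Article: dual-core CPU at 1GHz or greater.
        MeetsCpuFloor     = ($cpu.NumberOfCores -ge 2) -and ($cpu.MaxClockSpeed -ge 1000)
    }
}

Get-Win11ReadinessReport | Format-List
```

If `TpmPresent` is false on a reasonably modern machine, the firmware TPM is most likely switched off, which is the PTT / PSP fTPM setting mentioned above.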