Windows 11 requires a TPM 2.0 security processor to install or upgrade. Unfortunately, mistakes in support documents have caused conflicting information on what type of TPM you need and why you need it in the first place.
Yesterday, Microsoft announced the system requirements to upgrade or install Windows 11 and included a new PC Health Check tool that you can use to check if your hardware is compatible with Windows 11.
However, after many people ran the tool, they discovered it was reporting that "This PC can't run Windows 11," even on devices that run Windows 10 flawlessly, because they do not have a TPM 2.0 installed.
For those with hardware purchased over the past couple of years, the likely reason you see this message is that you do not have specific settings enabled in your BIOS, or you do not have a Trusted Platform Module (TPM) installed.
Why you need a TPM
A TPM is a dedicated processor used to perform hardware-based cryptographic operations to secure encryption keys and defend against malicious tampering of your hardware and the boot process.
An example of a TPM that you can purchase and add to an Asrock motherboard is shown below.
TPM processors come in two versions - an older and less secure 1.2 version and a more secure 2.0 version, which is a requirement for Windows 11.
Since 2013, Intel and AMD have added firmware TPM technology to many of their CPUs that performs the same functions as a TPM 2.0 processor without the need for a dedicated module.
For Intel processors, this technology is called Intel Platform Trust Technology (Intel PTT), and for AMD, it is called AMD Platform Security Processor.
"Almost every CPU in the last 5-7 years has a TPM. For Intel it's called the "Intel PTT" which you set to enabled. For AMD it would be "AMD PSP fTPM". TPMs have been required for OEM certification since at least 2015 and was announced in 2013," said David Weston, Director of Enterprise and OS Security at Microsoft.
With Windows 11, Microsoft has brought security to the forefront by requiring a TPM 2.0 or compatible technology (Intel PTT or AMD PSP fTPM) to be available.
When a TPM 2.0 is installed in Windows, the operating system can use more robust encryption to secure your Windows Hello PINs, encrypt passwords, and enable more advanced security features, such as Windows Defender System Guard.
"The following Windows features require TPM 2.0: Measured Boot, Device Encryption, WD System Guard, Device Health Attestation, Windows Hello/Hello for Business, TPM Platform Crypto Provider Key Storage, SecureBIO, DRTM, vTPM in Hyper-V," Microsoft told BleepingComputer.
"It is also a foundational security component to Windows in addition to Virtualization Based Security and the enablement of Android Apps on Windows delivered in a secure way."
Unfortunately, this week, there was a bit of confusion as one Microsoft support document stated TPM 1.2 was the minimum requirement for Windows 11. In contrast, another hardware requirements page said it was TPM 2.0.
This conflicting information has since been fixed by Microsoft, who clarified to BleepingComputer that Windows 11 requires TPM 2.0.
What you should do
Most modern motherboards released over the past few years support dedicated TPM 1.2 or 2.0 processors.
While they support TPM, it is usually required that you purchase and install the appropriate dedicated TPM that is compatible with your motherboard and then enable it in the BIOS.
However, since Windows 11 considers TPM 2.0 and the Intel PTT and AMD PSP fTPM CPU features to be equivalent, most people who have purchased a CPU over the last 5-7 years do not need to buy a dedicated TPM for their motherboard.
Instead, to achieve Windows 11 hardware compatibility, you just need to enable Intel PTT or AMD PSP fTPM support in your BIOS.
Once you enable Intel PTT or AMD PSP fTPM support in the BIOS, even if you do not have a dedicated TPM 2.0 module, the PC Health Check tool will still consider your hardware compatible with Windows 11.
The option to enable Intel PTT or AMD PSP fTPM support is located differently on every motherboard but is usually found in the BIOS's advanced settings under security.
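After enabling the firmware TPM, you can confirm from Windows that it is visible and reports specification version 2.0. The script below is an added example, not from the article or from Microsoft; the function name Test-TpmForWindows11 is hypothetical, and it reads the standard Win32_Tpm WMI class from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: report whether Windows sees a TPM that meets the
# Windows 11 requirement described above (spec version 2.0, enabled).

function Test-TpmForWindows11 {
    [CmdletBinding()]
    param(
        # Minimum TPM specification version; 2.0 per the article.
        [version]$MinimumSpec = '2.0'
    )

    # Win32_Tpm returns no instance when Windows cannot see a TPM
    # (no module fitted, or Intel PTT / AMD PSP fTPM disabled in the BIOS).
    $query = @{
        Namespace   = 'root\cimv2\Security\MicrosoftTpm'
        ClassName   = 'Win32_Tpm'
        ErrorAction = 'SilentlyContinue'
    }
    $tpm = Get-CimInstance @query | Select-Object -First 1

    if (-not $tpm) {
        return [pscustomobject]@{
            Present          = $false
            SpecVersion      = $null
            Enabled          = $false
            Manufacturer     = $null
            MeetsRequirement = $false
            Hint             = 'No TPM visible: enable Intel PTT or AMD PSP fTPM in the BIOS, or install a module.'
        }
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.38";
    # the first field is the specification version. -as yields $null if unparsable.
    $first = ($tpm.SpecVersion -split ',')[0].Trim()
    $spec  = $first -as [version]
    $ok    = ($null -ne $spec) -and ($spec -ge $MinimumSpec) -and $tpm.IsEnabled_InitialValue

    [pscustomobject]@{
        Present          = $true
        SpecVersion      = $first
        Enabled          = [bool]$tpm.IsEnabled_InitialValue
        Manufacturer     = $tpm.ManufacturerIdTxt
        MeetsRequirement = [bool]$ok
        Hint             = if ($ok) { 'TPM 2.0 is present and enabled.' }
                           else { 'TPM found, but it is disabled or older than the required version.' }
    }
}

Test-TpmForWindows11 | Format-List
```

A result with Present set to False on recent hardware usually means the firmware TPM is still switched off in the BIOS rather than missing.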
Microsoft has released a list of Windows 11 compatible Intel, AMD, and Qualcomm CPUs.
Update 6/25/21: Added info about Intel PTT, AMD PSP, and Microsoft's changes to support documents
Comments
MadmanRB - 3 years ago
You know what will work without TPM? Linux
Some-Other-Guy - 3 years ago
Yeah, but the Clipper Chip 2.0 provides BETTER SECURITY for 3 letter agencies accessing your data and verifying chain of custody
AND.........you even get to pay for your own enslavement
Win/Win
MadmanRB - 3 years ago
Meh TPM is a joke, it's practically useless.
MischaBearach - 3 years ago
Agreed! Since my laptops are pre-2016, and it's unlikely TPM can be added, I'll wait for Windows 10 support to end and then remove the MS product. Hardly a difficult issue, since the machines already dual-boot to Linux versions. Wine supports the few Windows-only apps I really like, such as IrfanView and 7-Zip... some of which are also available as Snap installations.
webrider - 3 years ago
That's just a way to push old configurations off circuit
phegi - 3 years ago
I have TPM 2.0 on my computer (Lenovo) but I often get the message: The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used.
Some-Other-Guy - 3 years ago
It is a simple labeling error
You have the Untrusted Platform Module 2.0
phegi - 3 years ago
But I am allowed to install Windows 11!
redwolfe_98 - 3 years ago
I saw that TPM was built into AMD Ryzen processors so I enabled it and ran the MS health check tool to see if my computer was compatible with Windows 11, and the MS health check tool reported that my AMD Ryzen 1800X processor was not compatible with Windows 11. First generation AMD Ryzen processors are not supported.
plat1098 - 3 years ago
Not having the TPM 2.0 will get you kicked out of the Insiders channels beta and up. I just got the news, with no warning. All done in the background--now in the Release Preview channel. Thanks ever so, MS.
Lawrence Abrams - 3 years ago
They stated you do not need a TPM to continue receiving builds from the Dev channel, including Windows 11. Will see next week.
DrkKnight - 3 years ago
Believe it or not I see more systems failing the Windows 11 upgrade test for CPU incompatibility than TPM. CPUs that are well within system requirements but are not being supported.
Amigo-A - 3 years ago
The use of hardware TPMs in Russia is limited and regulated by the FSB. For the legal import of equipment with these modules, you must undergo special certification in the FSB. Because of this, most of the equipment sold in Russia is devoid of TPM modules.
You can check if there is TPM in your system and find out its version by pressing the Win + R keys and entering the tpm.msc command.
SandytheArtist - 3 years ago
I am just a computer user, not an IT pro. I ran that PC health check on my laptop and it said it wasn't ready and my TPM is 2.0. It did not say why it was not ready, so I guess it is something else. I wish their program would elaborate further.
Lawrence Abrams - 3 years ago
Read through the entire article. It explains how to enable Intel's or AMD's firmware based TPM support, which should make you compatible.
CallMeBC - 3 years ago
I was able to install the "leaked" Win11 version on, ironically enough, an 11 yr old HP Pavilion with an Intel Q8400 CPU. The trick is to not use the standard Windows installation procedure and instead "deploy" the Win11 "install.wim" file via Diskpart/DISM or a 3rd party installer (which I did).
This indicates that it's the Win11 installer that checks for TPM 2 and Secure Boot, but not Win11 itself. This would explain why there were no issues installing it as a VM, but which also suggests that Microsoft is lying -- again -- about their latest version of Windows being more secure. But again, this was the leaked version -- we'll have to see if the upcoming Insider releases show the same behavior.
Lawrence Abrams - 3 years ago
This is also not a realistic method going forward to install Windows 11. It may work, but users should not have to do this.
Just enable Intel PTT or AMD PSP and you should be good TPM wise.
CallMeBC - 3 years ago
Actually Microsoft has a thing called "Windows Deployment Services" for doing corporate workstation installs of Windows, usually customized, by deploying the wim file.
My point is that Microsoft is basically lying about TPM 2.0 and Secure Boot being required for Win 11 when it's just an artifact of the installer. But again this is only based on the leaked version. So it remains to be seen if this will be the case with the released version.
4675636b207468652045 - 3 years ago
I agree with you, for me TPM is synonymous with vulnerability and probably signed malicious code. I disable it for my clients at setup anytime I find an option.
Lawrence Abrams - 3 years ago
Why would you disable a TPM? That makes no sense as it only increases security.
CallMeBC - 3 years ago
Apparently, from a Twitter screenshot, this dopey, badly confused, and apparently rushed last minute TPM "requirement" is *only* for Microsoft stuff like Bitlocker, Windows Hello and such. If I had to take a guess, this is all mostly, if not completely a response to all the vulnerability and security issues Microsoft and its products have had the past year, especially on the corporate & government side of things. As far as I'm concerned, this is all a way too late, wholly inadequate effort, especially given how Microsoft's own product source code was accessed at least once by the SolarWinds hackers, and that no Microsoft product should have direct Internet access in a sensitive environment.
Some-Other-Guy - 3 years ago
"Why would you disable a TPM? That makes no sense as it only increases security."
Security.....for whom?
In a Zero Trust environment, "we" cannot ever trust Microsoft without "EVIDENCE" of security for the END USER!
"YOU" can trust them without any evidence, but "WE" cannot!
If you had evidence, we should have seen it by now
SHOW ME THE EVIDENCE!
chrismaxey - 3 years ago
So disable TPM if I want to ensure that MS does not "accidentally" upgrade my pc without my permission?