Question: Windows 11 not meeting requirements (TPM 2.0, Secure Boot)?

Page 3 - AnandTech forums

plopke

Senior member
Jan 26, 2010
Not sure if this should be posted under the motherboard section.

I was running the PC Health Check to see if my PC would be able to run Windows 11, which it said no, but it does not specify why; I assume because of the TPM 2.0 and Secure Boot requirements.

I do not have any TPM module on the motherboard, but I did enable fTPM under the AMD BIOS option. This was not enough to make my PC ready for Windows 11, but it still booted.

So I disabled CSM, which makes Secure Boot visible, then under Secure Boot options I enabled it. But after rebooting no drives are visible to boot from except a USB flash drive. Is there anything I need to set up to have the drives appear?
There are some options under the Secure Boot BIOS menu, but no clue what to do, and the manual does not specify.



System spec:
Ryzen 1700
Gigabyte B350 Gaming 3
16GB RAM 2400
SanDisk Ultra II, SATA boot drive
Crucial MX500, SATA
Kingston A2000, NVMe


PS: also for anyone looking through the manual, it is wrong many times, where the default it lists does not match the default in the BIOS.

PPS: uploaded some BIOS pictures; the first 2 pictures are Secure Boot on and the Secure Boot option page, the 3rd picture is with CSM on, where it shows all drives.
 

Attachments: IMG_20210624_212656.jpg, IMG_20210624_212707.jpg, IMG_20210624_212854.jpg
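What PC Health Check does not tell you, gathered in one place. This is an added example written for this thread, not something plopke posted: an elevated PowerShell script that reports the TPM spec version, firmware mode, Secure Boot state, virtualization-based security status, and the partition style of each disk. The symptom in the first post (drives drop out of the boot list once CSM is off) is what a UEFI-only firmware shows when the system disk is still MBR, because UEFI boots only from a GPT disk that carries an EFI System Partition; the script flags that case. Everything it reads comes from stock Windows 10/11 cmdlets, WMI classes and registry values; the function name is ours.

```powershell
# Added example (not from the thread): Windows 11 readiness preflight.
# Run from an elevated PowerShell 5.1+ prompt on the machine being checked.

function Get-Win11Preflight {
    $result = [ordered]@{}

    # TPM: Win32_Tpm is available on any Windows 10/11 build, no module needed.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent      = $true
        $result.TpmSpecVersion  = ($tpm.SpecVersion -split ',')[0].Trim()   # "2.0" or "1.2"
        $result.TpmEnabled      = $tpm.IsEnabled_InitialValue
        $result.TpmManufacturer = $tpm.ManufacturerIdTxt                     # e.g. "AMD" for fTPM
    } else {
        $result.TpmPresent = $false
    }

    # Firmware mode Windows was booted in: PEFirmwareType 1 = legacy BIOS/CSM, 2 = UEFI.
    $fw = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control' `
              -Name PEFirmwareType -ErrorAction SilentlyContinue).PEFirmwareType
    $result.FirmwareMode = if ($fw -eq 2) { 'UEFI' } elseif ($fw -eq 1) { 'Legacy BIOS (CSM)' } else { 'Unknown' }

    # Secure Boot: Confirm-SecureBootUEFI throws when the OS was booted via CSM.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = 'n/a (not booted in UEFI mode)' }

    # Virtualization-based security, the "virtualization" part of the TPM + Secure Boot argument.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.VbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # Disks: UEFI boots only from GPT, so an MBR boot disk is the usual blocker.
    $result.Disks = Get-Disk | ForEach-Object {
        $note = ''
        if ($_.IsBoot -and $_.PartitionStyle -eq 'MBR') {
            $note = 'Boot disk is MBR: convert with mbr2gpt before disabling CSM'
        }
        [pscustomobject]@{
            Number         = $_.Number
            FriendlyName   = $_.FriendlyName
            PartitionStyle = $_.PartitionStyle
            IsBoot         = $_.IsBoot
            Note           = $note
        }
    }

    [pscustomobject]$result
}

$r = Get-Win11Preflight
$r | Select-Object * -ExcludeProperty Disks | Format-List
$r.Disks | Format-Table -AutoSize
```

On a machine in plopke's position the output is expected to show TpmSpecVersion 2.0 (the AMD fTPM), FirmwareMode "Legacy BIOS (CSM)" and the SATA boot disk as MBR; the Secure Boot line then explains itself, and the Note column names the fix.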

mxnerd

Diamond Member
Jul 6, 2007
I was wrong again. There are 5 types of TPM. :rolleyes:

  • Discrete TPMs are dedicated chips that implement TPM functionality in their own tamper resistant semiconductor package. They are theoretically the most secure type of TPM because the routines implemented in hardware should be more resistant to bugs versus routines implemented in software, and their packages are required to implement some tamper resistance.
  • Integrated TPMs are part of another chip. While they use hardware that resists software bugs, they are not required to implement tamper resistance. Intel has integrated TPMs in some of its chipsets.
  • Firmware TPMs are firmware-based (e.g. UEFI) solutions that run in a CPU's trusted execution environment. Intel, AMD and Qualcomm have implemented firmware TPMs.
  • Hypervisor TPMs are virtual TPMs provided by and rely on hypervisors, in an isolated execution environment that is hidden from the software running inside virtual machines to secure their code from the software in the virtual machines. They can provide a security level comparable to a firmware TPM.
  • Software TPMs are software emulators of TPMs that run with no more protection than a regular program gets within an operating system. They depend entirely on the environment that they run in, so they provide no more security than what can be provided by the normal execution environment, and they are vulnerable to their own software bugs and attacks that are penetrating the normal execution environment. They are useful for development purposes.
 

mnewsham

Lifer
Oct 2, 2010
mxnerd said:
I was wrong again. There are 5 types of TPM. (list quoted above)

Yes, though I believe virtual and software TPMs will be incapable of running W11 without key attestation, which requires one of the other 3 types of TPM to verify. This is likely also why we are seeing a hard requirement of TPM 2.0.

TPM 1.2 supports a single "owner" authorization, with an RSA 2048-bit Endorsement Key (EK) for signing/attestation and a single RSA 2048-bit Storage Root Key (SRK) for encryption. This means a single user or entity ("owner") has control over both the signing/attestation and encryption functions of the TPM. In general, the SRK serves as the parent for any keys created in TPM 1.2.

TPM 2.0 has the same functionality represented by the EK for signing/attestation and the SRK for encryption as in 1.2, but the control is split into two different hierarchies in 2.0, the Endorsement Hierarchy (EH) and the Storage Hierarchy (SH). In addition to the EH and SH, TPM 2.0 also contains a Platform Hierarchy (PH) for maintenance functions, and a Null Hierarchy. Each hierarchy has its own unique "owner" for authorization. Because of this, TPM 2.0 supports 4 authorizations, which would be analogous to the single TPM 1.2 "owner".

In TPM 2.0, the new Platform Hierarchy is intended to be used by platform manufacturers. The Storage and Endorsement hierarchies, and the Null hierarchy, will be used by OSes and OS-present applications. TPM 2.0 has been specified in a way that makes discovery and management less cumbersome than 1.2. TPM 2.0 has the capability to support RSA and ECC algorithms for Endorsement Keys and SRKs.
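To see the Endorsement Key side of this from inside Windows, here is an added example (not part of mnewsham's post) using the stock TrustedPlatformModule cmdlets. It reads the EK public key hash and the manufacturer certificate chain that a remote verifier checks during key attestation; a firmware or discrete TPM normally ships with a vendor-signed EK certificate, while a bare software emulator usually has none, which is the practical difference behind the attestation point above. Only the function name is ours; the property names are those of the cmdlet output.

```powershell
# Added example (not from the thread): summarize the TPM's identity material.
# Elevated PowerShell 5.1+ on a machine with a TPM.

function Get-TpmIdentitySummary {
    $tpm = Get-Tpm                     # TrustedPlatformModule module, ships with Windows
    $ek  = Get-TpmEndorsementKeyInfo   # EK public key and its certificate chain

    [pscustomobject]@{
        TpmPresent           = $tpm.TpmPresent
        TpmReady             = $tpm.TpmReady          # enabled, activated and owned
        ManufacturerVersion  = $tpm.ManufacturerVersion
        EkPresent            = $ek.IsPresent
        EkPublicKeyHash      = $ek.PublicKeyHash
        # Certificates issued by the TPM vendor for this EK. This chain is what a
        # verifier uses to decide the quote came from a real TPM, not an emulator.
        EkCertificateCount   = @($ek.ManufacturerCertificates).Count
        EkCertificateIssuers = @($ek.ManufacturerCertificates | ForEach-Object { $_.Issuer })
        # Extra certificates Windows fetched from the vendor, if any.
        AdditionalCertCount  = @($ek.AdditionalCertificates).Count
    }
}

Get-TpmIdentitySummary | Format-List
```

An EkCertificateCount of 0 does not by itself mean the TPM is an emulator (some vendors only publish the certificate online, which is what AdditionalCertificates is for), but a chain that is present and roots to the TPM vendor is what key attestation is built on.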
 

Shmee

Memory & Storage, Graphics Cards Mod Elite Member
Super Moderator
Sep 13, 2008
Guys, if you are having issues installing Windows 11 currently (be careful with this; I would not recommend it on your main system unless you make a full backup first), just use this simple workaround. It worked for me with an upgrade as well. This was on an X99 system.

 

eek2121

Platinum Member
Aug 2, 2005
In my opinion, this is all because of the "re-vamped MS store", and content-protection/DRM. If you thought Blu-Ray playback on PC was bad, wait until you see this! No more sharing Netflix passwords.

Incorrect. DRM is not the driving force behind Microsoft requiring TPM 2.0.

The primary reason is security. TPM used in combination with secure boot and virtualization can stop malware attacks at all levels, from firmware on.

EDIT: https://www.microsoft.com/security/...ecurity-by-design-from-the-chip-to-the-cloud/ kind of explains it.
 

mxnerd

Diamond Member
Jul 6, 2007
If you really want to run Win11 but the hardware cannot pass the test, you can run it as a VM. With a fast SSD, that shouldn't bother you too much.


5. Virtual Machine
Microsoft recognizes that the user experience when running the Windows 11 in virtualized environments may vary from the experience when running non-virtualized. So, while Microsoft recommends that all virtualized instances of the Windows 11 follow the same minimum hardware requirements as described in Section 1.2, the Windows 11 does not apply the hardware-compliance check for virtualized instances either during setup or upgrade
===

You can also avoid an MS account by using Windows Pro instead of Windows Home.
 
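One way to do what mxnerd suggests on a Hyper-V host, as an added example that is not part of the post: a Generation 2 guest with Secure Boot and a virtual TPM 2.0, so the guest sees the same features Windows 11 asks for even though, per the quoted requirements text, setup does not enforce the hardware check in a VM. VM name, ISO path, VHD path, switch name and sizes are placeholders; the cmdlets are the standard Hyper-V module.

```powershell
# Added example (not from the thread): Windows 11 test guest on Hyper-V with
# UEFI Secure Boot and a vTPM. Elevated prompt on a host with Hyper-V enabled.

$VmName  = 'Win11-Test'                      # placeholder
$IsoPath = 'D:\ISO\Win11.iso'                # placeholder: Windows 11 installation ISO
$VhdPath = "D:\VMs\$VmName\$VmName.vhdx"     # placeholder

function New-Win11TestVM {
    param([string]$Name, [string]$Iso, [string]$Vhd)

    # Generation 2 = UEFI firmware, which is what Secure Boot and GPT boot need.
    New-VM -Name $Name -Generation 2 -MemoryStartupBytes 4GB `
           -NewVHDPath $Vhd -NewVHDSizeBytes 64GB -SwitchName 'Default Switch' | Out-Null
    Set-VMProcessor -VMName $Name -Count 2

    # Secure Boot with the Microsoft Windows CA template, the guest-side
    # equivalent of turning CSM off and Secure Boot on in a board's firmware.
    Set-VMFirmware -VMName $Name -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

    # The vTPM state is sealed under a key protector. A local key protector is
    # enough for a single host; a Host Guardian Service is the multi-host form.
    Set-VMKeyProtector -VMName $Name -NewLocalKeyProtector
    Enable-VMTPM -VMName $Name

    # Attach the installer and boot from it first.
    $dvd = Add-VMDvdDrive -VMName $Name -Path $Iso -Passthru
    Set-VMFirmware -VMName $Name -FirstBootDevice $dvd

    Get-VM -Name $Name
}

New-Win11TestVM -Name $VmName -Iso $IsoPath -Vhd $VhdPath
Start-VM -Name $VmName
```

Inside the guest, Get-Tpm then reports TpmPresent and a 2.0 spec version, and Confirm-SecureBootUEFI returns True; the vTPM is a hypervisor TPM in the classification mxnerd quoted earlier, so whether it satisfies attestation-based checks is the open question from mnewsham's post, not something this script settles.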

simas

Senior member
Oct 16, 2005
Honestly, that just seems really odd to me. What is MS's target market for this OS? Intel 8th/9th/10th/11th-gen only? Ryzen 1st-gen isn't more than 3, maybe 4 (?) years old at this point, and it's still on AMD's current platform (!). I don't get it.

To me as well - I cannot figure out what good reasons there are to update and what Microsoft is truly selling here. Are they still planning to charge for the OS? How restrictive would the ability to install 'normal' (non-Store) programs on my hardware be?

I.e. I used to understand the Microsoft model -> we sell you the OS, you install what you want on it, i.e. I do not pay a cut to Microsoft if I install, say, tax software directly on Windows (not through its store).
Google model -> OS is "free" but we want to make money by getting cut from app store and then marketing you/to you
Apple model -> OS is "free" if it comes with our hardware (we build it into the premium).

Is Microsoft now wanting to charge me for OS, charge its cut for anything passing through its store, AND then also collect telemetry and sell my data profile? Triple dipping here?
 

Kenmitch

Diamond Member
Oct 10, 1999
Just got Windows 11 Pro up and running

I just finished installing it on my 5600X/6800 backup rig and it seems OK so far. I'm not into OS upgrades, so I just initialized the system reset function to do a clean install of the OS.

I didn't see anything that would turn me off from trying it out for a while. I'd rather start from scratch and see if I run into any issues loading drivers, apps, etc.
 

lifeblood

Senior member
Oct 17, 2001
I suspect the primary driver for this is all the big hacks occurring (Colonial Pipeline, etc). I suspect the feds are encouraging Microsoft and others to tighten up security as much as possible. Those sorts of attacks are not going away, they're only going to get bigger, and we need to do as much as possible to fight them. TPM and secure boot may have been around a while but few people were actually using it.

Of course, I would be surprised if Microsoft doesn't take advantage of it to make a profit by trying to lock in users some way. It's Microsoft after all, and that leopard has not changed its spots.
 

DeathReborn

Platinum Member
Oct 11, 2005
lifeblood said:
I suspect the primary driver for this is all the big hacks occurring (Colonial Pipeline, etc). (quoted above)

TPM won't protect from file encryption attacks, it's more of a DRM really.
 

kschendel

Senior member
Aug 1, 2018
eek2121 said:
Incorrect. DRM is not the driving force behind Microsoft requiring TPM 2.0. The primary reason is security. TPM used in combination with secure boot and virtualization can stop malware attacks at all levels, from firmware on. (quoted above)

Ah, if only it were true. TPM is a useful tool in preventing some kinds of attacks, and enabling defenses such as encryption. It most certainly cannot "stop malware attacks at all levels", given that many successful attacks operate at the user level (i.e. phishing and social engineering attacks).
 

Shivansps

Diamond Member
Sep 11, 2013
I just enabled the fTPM in the BIOS and this little warning came up.

[attached image: 2b23fb4e109ea13e0075bd2ef954712c.jpg]

Good for Asus to actually include that. It just shows that 1) BitLocker with this is a huge NO, 2) W11 is going to create and store keys in AGESA for other reasons? I really hope it does not.

I would guess that with a TPM module, keys will be stored on the module, which would be just as bad if the module stops working one day.
 

Steltek

Diamond Member
Mar 29, 2001
Shivansps said:
I just enabled the fTPM in the BIOS and this little warning came up. (quoted above)

Yeah, I already have worries about that too. More specifically that what they are doing is going to cause headaches in any system repair that involves swapping out hardware (especially when you have DRM'd and licensed property on such a machine).

I guess technically, depending upon what Microsoft does and how they set everything up, MS could also be preparing to allow itself the option in the long term of (eventually) transitioning to a closed ecosystem if it proves legally viable once the Apple/Epic lawsuit is done, and depending upon how the government deals with Google/Apple's mounting anti-trust issues. Of course, those issues probably won't be resolved for decades at the rate the courts move these days....

Also, curiously, Microsoft has now removed the PC Health Check tool.

I wonder if they are expecting that, without it, all the negative press generated regarding all the systems that won't qualify for the upgrade will just vanish like a fart in the wind....
 

Geegeeoh

Member
Oct 16, 2011
If you protect something with a password/key you need that to access it.
Shocker!

Windows prompts you to save the recovery key when you first turn on BitLocker encryption.
Any time after that, you can save a fresh copy of the key by going to the Manage BitLocker Control Panel.

BTW, it can also be saved online into your Microsoft account / OneDrive.
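The check to run before anything that can reset or re-key the fTPM (the firmware/AGESA update Shivansps's warning is about, a CPU swap, clearing the TPM), as an added example that is not part of Geegeeoh's post: list the key protectors on the OS volume and write the 48-digit recovery password to a removable drive, adding a recovery password protector first if the volume somehow only has TPM protectors. The output path and the function name are placeholders; the cmdlets are the stock BitLocker module.

```powershell
# Added example (not from the thread): back up BitLocker recovery material
# before a firmware update or hardware change. Elevated prompt required.

function Export-BitLockerRecoveryInfo {
    param(
        [string]$MountPoint = 'C:',
        [string]$OutFile    = 'E:\bitlocker-recovery-C.txt'   # placeholder: a removable drive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker protection is '$($vol.ProtectionStatus)' on $MountPoint; nothing to back up."
        return $null
    }

    # Protector types you will see: Tpm / TpmPin / TpmAndPin (key sealed to the
    # TPM and released only when the boot measurements match) and RecoveryPassword
    # (the 48-digit key that gets you in when the TPM unseal fails because the
    # measurements changed or the TPM was reset, e.g. after the firmware update
    # the Asus warning is about).
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol      = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    $lines = foreach ($p in $recovery) {
        "Volume: $MountPoint  Identifier: $($p.KeyProtectorId)  RecoveryPassword: $($p.RecoveryPassword)"
    }
    $lines | Set-Content -Path $OutFile -Encoding ASCII
    Write-Host "Saved $(@($recovery).Count) recovery password(s) to $OutFile"

    # Return the full protector list so it is obvious whether the volume is TPM-only.
    $vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
}

Export-BitLockerRecoveryInfo -MountPoint 'C:'
```

On a domain- or Azure AD-joined machine, Backup-BitLockerKeyProtector and BackupToAAD-BitLockerKeyProtector escrow the same RecoveryPassword protector centrally, which is the managed equivalent of the OneDrive option Geegeeoh mentions.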
 

SamMaster

Member
Jun 26, 2010
Steltek said:
Yeah, I already have worries about that too. More specifically that what they are doing is going to cause headaches in any system repair that involves swapping out hardware (especially when you have DRM'd and licensed property on such a machine).

I've had cases in my previous work where Office couldn't connect to the user's account after a motherboard swap. The reason was the TPM chip was activated in the BIOS/UEFI and Office saves some info there when it is first installed. The company had to reinstall Office to resolve that.
 

plopke

Senior member
Jan 26, 2010
I have been looking around for possible tools I might need to help out people in the future without reinstalling.

For people who still have drives set up as MBR and not GPT, which is needed for Windows 11 (UEFI), Microsoft did develop a tool for converting without reinstalling.

Comes with a nice video.
The only thing I am not sure of: he boots Windows in PE mode, no clue what that is yet.
 

Steltek

Diamond Member
Mar 29, 2001
plopke said:
The only thing I am not sure of: he boots Windows in PE mode, no clue what that is yet.

Probably a reference to using bootable Windows PE drive media (where PE stands for Preinstallation Environment). It is simply a lightweight version of Windows that is included as a part of the Windows Assessment and Deployment Kit (WADK), which is itself a set of tools used to deploy and troubleshoot Windows installations. It has multiple versions, depending upon which OS it is based on. With Win10 machines, you'd use WinPE 10.0. For Win8/8.1, WinPE 5.0; for Win7, WinPE 3.1 (included with WAIK, does not include USB 3.0 support) or WinPE 4.0 (included with the first-gen WADK, which does have USB3/UEFI support and is Win8 based), etc.

You can build bootable WinPE environments to do a lot of different things.

Personally, I wouldn't waste a lot of time looking for workarounds unless you are just doing it for fun. The builds presently released aren't locked down like the release version will be, so it is highly unlikely any workarounds developed using the betas will work on the release version. In fact, it is extremely likely jury-rigged beta copies on unsupported hardware configurations will be blocked from upgrading to the final version.

I'm personally suspecting Microsoft will back off at least a little at release. Remember how hard they pushed to get Win10 "on a billion devices"? Well, Win11 will be lucky to get to 25-50% of that with its current intended installation restrictions.
 
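The "PE mode" step from plopke's MBR2GPT post, with the WinPE media Steltek describes made concrete, as an added example that is not part of either post: stage WinPE media with the ADK's copype and MakeWinPEMedia scripts, boot the target from it, and run MBR2GPT there (or from full Windows, where /allowFullOS is mandatory). Paths, drive letters and function names are placeholders; the function detects WinPE by the MiniNT registry key Windows PE sets. Take a full image backup first: the conversion rewrites the partition table of the live system disk in place.

```powershell
# Added example (not from the thread): WinPE media plus MBR-to-GPT conversion.

# --- Part 1: on a working machine, from the ADK "Deployment and Imaging Tools
# --- Environment" prompt (needs the Windows ADK and its WinPE add-on).
function New-WinPEMedia {
    param(
        [string]$WorkDir  = 'C:\WinPE_amd64',   # placeholder: staging folder
        [string]$UsbDrive = 'E:'                # placeholder: the USB stick, it gets formatted
    )
    & copype.cmd amd64 $WorkDir                    # stage the amd64 WinPE files
    if ($LASTEXITCODE -ne 0) { throw "copype failed (exit $LASTEXITCODE)" }
    & MakeWinPEMedia.cmd /UFD $WorkDir $UsbDrive   # format the stick and copy WinPE onto it
    if ($LASTEXITCODE -ne 0) { throw "MakeWinPEMedia failed (exit $LASTEXITCODE)" }
    "WinPE media ready on $UsbDrive; boot the target from it (UEFI or legacy both work for WinPE)."
}

# --- Part 2: on the target, booted into WinPE from that stick (or, with
# --- /allowFullOS, from the running Windows install). Disk number comes from
# --- Get-Disk / diskpart "list disk". /validate only checks; /convert does the work.
function Convert-SystemDiskToGpt {
    param(
        [int]$DiskNumber = 0,
        [switch]$Convert,                               # without this, validation only
        [string]$LogDir = "$env:SystemDrive\mbr2gpt-logs"
    )

    # Windows PE sets HKLM\SYSTEM\CurrentControlSet\Control\MiniNT; full Windows does not.
    $inWinPE = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNT'
    $extra   = if ($inWinPE) { @() } else { @('/allowFullOS') }

    & mbr2gpt.exe /validate "/disk:$DiskNumber" "/logs:$LogDir" @extra
    if ($LASTEXITCODE -ne 0) {
        # Typical causes: more than 3 primary partitions, an extended partition,
        # no room for the EFI System Partition, or BitLocker protection still on.
        throw "Validation failed (exit $LASTEXITCODE); see $LogDir\setupact.log and setuperr.log"
    }
    "Disk $DiskNumber passed validation."

    if ($Convert) {
        & mbr2gpt.exe /convert "/disk:$DiskNumber" "/logs:$LogDir" @extra
        if ($LASTEXITCODE -ne 0) { throw "Conversion failed (exit $LASTEXITCODE); see $LogDir" }
        "Disk $DiskNumber converted to GPT. Reboot into firmware setup, disable CSM and " +
        "select UEFI boot; the disk now has an EFI System Partition and shows up in the " +
        "UEFI boot list, after which Secure Boot can be enabled."
    }
}

# Dry run first, then the real thing once validation passes:
Convert-SystemDiskToGpt -DiskNumber 0
Convert-SystemDiskToGpt -DiskNumber 0 -Convert
```

Running the conversion from WinPE rather than the live OS is what the video does and what MBR2GPT's own documentation prefers; /allowFullOS exists for the in-place case but the firmware switch to UEFI afterwards is the same either way, and it is that switch, not the conversion, that makes the drives reappear once CSM is off.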

bigboxes

Lifer
Apr 6, 2002
Shmee said:
Guys, if you are having issues installing Windows 11 currently, just use this simple workaround. (quoted above)

Thanks for the heads up.
 

mikeymikec

Lifer
May 19, 2011
TPM and malware: In my line of work, since UAC was introduced, there's been a massive drop in malware. In the era of WinXP, I had multiple appointments per week typically to remove malware from customers' computers. These days, beyond the 'PUP' class of malware, I may see a few incidents per year at most, and it's been at least 5 years since I've seen a rootkit. Mandatory TPM as a response to an increasingly rare threat seems well over the top to me. But then, like MS making WU mandatory despite the handful of customers I've ever encountered who disable WU, it's not unheard of for MS to do things like this.

The most common 'security issue' I see by a country mile is the abuse of the notifications feature in Chrome/Edge to push advertising / scary messages to scam customers.

I think one of the reasons that MS is pushing TPM (though likely not a major reason) is to screw with dual-booting.
 