Windows 11 & TPM

And if you haven't done it in a while and forget what setting you have to change, that leads to a few hours of trying to figure it out again.

Like when I forgot I had to switch my disk drives to the right mode, or use a driver signing app when using custom AMD GPU bioses.

Not in my case. Load profile = done.
 
If you're resetting your bios that often, you've got other issues.
Myself, SSD is more about everything else. Boot up time is completely irrelevant.

I didn't say I'm doing it often. It can be 20+ times however when stress testing new hardware.

Also I just checked and apparently my bios gives a warning when trying to activate TPM that doing so will encrypt my boot drive and stop it from working on any future motherboards (bios) ...

Am I reading that wrong or is Microshaft absolutely kidding me that I have to encrypt my boot drive for Win 11?
 
Enabling it on mine didn't trigger any kind of encryption. I think that's only if you encrypt your boot drive.

I'd seriously make sure you double check that:

'This means an attacker can’t just remove the drive from the computer and attempt to access its files elsewhere.'

https://www.howtogeek.com/237232/what-is-a-tpm-and-why-does-windows-need-one-for-disk-encryption/

My bios warns me that enabling TPM will encrypt my (boot only?) drive which will no longer work on a new bios chip (i.e. motherboard). Everything online about TPM says that it encrypts your drives to stop them being used on other computers.

Maybe your bios simply didn't have this warning and now your drive(s) are encrypted and locked to your current motherboard only.
 
I've literally combed through EVERYTHING I can find online about TPM.

EVERYTHING says that its only purpose is generating encryption keys to protect your drives, there is nothing other than this that it does.

Why is this even being considered a requirement for users that do not want to / CANNOT encrypt their drives?

Do people who simply went and blindly switched it on even know this or what they are even doing? Or have you literally simply just done something because Microsoft told you to?
 
TPM 2.0 as a BIOS option has been out for quite a while and I really wonder why every manufacturer has it disabled by default anyway, it's not like it's going to cause issues if enabled and you never take advantage of it.

Even had SMART disabled by default for all drives on one of my old Asus Intel boards, why the hell would they even do that!
 

Trusted Platform Module - Wikipedia

Uses
The United States Department of Defense (DoD) specifies that "new computer assets (e.g., server, desktop, laptop, thin client, tablet, smartphone, personal digital assistant, mobile phone) procured to support DoD will include a TPM version 1.2 or higher where required by DISA STIGs and where such technology is available." DoD anticipates that TPM is to be used for device identification, authentication, encryption, and device integrity verification.[11]

Platform integrity
The primary scope of TPM is to assure the integrity of a platform. In this context, "integrity" means "behave as intended", and a "platform" is any computer device regardless of its operating system. It is to ensure that the boot process starts from a trusted combination of hardware and software, and continues until the operating system has fully booted and applications are running.

The responsibility of assuring said integrity using TPM is with the firmware and the operating system. For example, Unified Extensible Firmware Interface (UEFI) can use TPM to form a root of trust: The TPM contains several Platform Configuration Registers (PCRs) that allow secure storage and reporting of security-relevant metrics. These metrics can be used to detect changes to previous configurations and decide how to proceed. Good examples can be found in Linux Unified Key Setup (LUKS),[12] BitLocker and PrivateCore vCage memory encryption. (See below.)

Another example of platform integrity via TPM is in the use of Microsoft Office 365 licensing and Outlook Exchange.[13]

An example of TPM use for platform integrity is the Trusted Execution Technology (TXT), which creates a chain of trust. It could remotely attest that a computer is using the specified hardware and software.[14]

Disk encryption
Full disk encryption utilities, such as dm-crypt and BitLocker, can use this technology to protect the keys used to encrypt the computer's storage devices and provide integrity authentication for a trusted boot pathway that includes firmware and boot sector.[15]

Password protection
Operating systems often require authentication (involving a password or other means) to protect keys, data or systems. If the authentication mechanism is implemented in software only, the access is prone to dictionary attacks. Since TPM is implemented in a dedicated hardware module, a dictionary attack prevention mechanism was built in, which effectively protects against guessing or automated dictionary attacks, while still allowing the user a sufficient and reasonable number of tries. Without this level of protection, only passwords with high complexity would provide sufficient protection.

Other uses and concerns
Any application can use a TPM chip for:

Other uses exist, some of which give rise to privacy concerns. The "physical presence" feature of TPM addresses some of these concerns by requiring BIOS-level confirmation for operations such as activating, deactivating, clearing or changing ownership of TPM by someone who is physically present at the console of the machine.[18][19]

TPM does not encrypt your drive. BitLocker (and similar apps) do, optionally using TPM.

Now, pay attention to the other uses section - DRM. I'd hazard a guess that that's the real reason MS are forcing TPM on everybody - they want to use TPM as a way to manage digital rights management.
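An added example, not code from any poster in this thread and not Microsoft's or any TPM vendor's implementation: a small Python model of the PCR extend and key sealing described in the 'Platform integrity' and 'Disk encryption' excerpts above. It shows why a key sealed to boot measurements stops unsealing when a measured component such as the firmware changes, while the drive data itself is never touched by the TPM. The boot component names, images and volume key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed model (not a real TPM, not code from the thread): a PCR is a
# 32-byte register that can only be extended, never written directly, so
# its final value depends on every measurement and on their order.

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new_pcr = SHA256(old_pcr || SHA256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(components) -> bytes:
    """Extend one PCR from all zeros with each (name, image) boot component."""
    pcr = bytes(32)
    for name, image in components:
        pcr = extend(pcr, name.encode() + b"\0" + image)
    return pcr

def seal(secret: bytes, pcr: bytes):
    """Bind a 32-byte secret to an expected PCR value. A real TPM keeps the
    secret in the chip; this demo derives a wrapping pad from the PCR policy."""
    policy = hashlib.sha256(b"policy:" + pcr).digest()
    pad = hashlib.sha256(b"wrap:" + policy).digest()
    wrapped = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(policy, wrapped, "sha256").digest()
    return wrapped, tag

def unseal(blob, pcr: bytes):
    """Return the secret only if the current PCR matches the sealed policy;
    otherwise None (the point where BitLocker falls back to the recovery key)."""
    wrapped, tag = blob
    policy = hashlib.sha256(b"policy:" + pcr).digest()
    if not hmac.compare_digest(tag, hmac.new(policy, wrapped, "sha256").digest()):
        return None
    pad = hashlib.sha256(b"wrap:" + policy).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))

# Constructed boot chain and volume key (placeholder images, not real binaries).
GOOD_CHAIN = [("firmware", b"uefi-v1"), ("bootmgr", b"bootmgfw-v1"), ("winload", b"winload-v1")]
VOLUME_KEY = hashlib.sha256(b"demo volume master key").digest()

def bitlocker_style_demo():
    """Seal at provisioning, then unseal under the same chain and under a
    chain whose firmware measurement changed (e.g. a different motherboard)."""
    blob = seal(VOLUME_KEY, measured_boot(GOOD_CHAIN))
    same_board = unseal(blob, measured_boot(GOOD_CHAIN))
    new_board = [("firmware", b"other-uefi")] + GOOD_CHAIN[1:]
    return same_board == VOLUME_KEY, unseal(blob, measured_boot(new_board)) is None
```

Swapping the motherboard in this model changes only the firmware measurement, yet the sealed key no longer unseals; the encrypted volume is intact and readable once the recovery key (held outside the TPM) is supplied.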
 

True - Turning TPM on in the BIOS just means it's "available"; in fact that's what the BIOS option used to be, available or disabled. Think of the VM option: when you turn Virtual Machine on in the BIOS it's the same, it just means VM software can be used, that's all.

You then need something like Bitlocker to actually encrypt the drive for instance.

Problem you will have is when the TPM is corrupt or something happens to the security keys it can stop your computer from booting up. It does happen every so often: we use BitLocker and you get laptops refusing to boot as they won't accept the PIN and the recovery key doesn't work, so you can't even get into Windows and you lose all your files.

Not sure what MS are doing but I suspect it will be some security lock or some attempt to manage the windows key.
 
Any more info on this? I read that Microsoft may go back on this and make it a soft lockout, so you can still install but it will point out that you aren't fully supported or whatever. I thought I read that even the Ryzen first gen stuff is not compatible in terms of the CPUs. Then I also read someone say that you can always add on the TPM module on the mobo, but that this is not true TPM support if the CPU does not support it? Not sure on that.
This has the potential to affect builds and purchases if buying second hand older CPUs (that are still decent). Scalpers have been seen trying to buy up and resell the TPM modules for mobos at 10 times the price as well.
 
You can add TPM modules which handle the TPM directly instead of the CPU, yes ... but that doesn't overcome that Windows 11 appears to be demanding a minimum processor family level to be met irrespective of TPM capability / devices in the system. I believe it's to ensure that Windows 11 only uses CPUs which have things like the Spectre-type vulnerabilities addressed at a hardware level, and as such Windows doesn't need additional code running to mitigate the vulnerability (which potentially slows down performance on certain CPUs).

I understand that idea, but it certainly leaves a lot of computers out in the cold from going to Windows 11, and with Windows 10 ending (so to speak) in 2025 it means that a lot of perfectly viable PCs will hit a wall of a no-longer-supported OS, and no new OS to move to.

A Windows 11 style Linux distro will come and sweep up the leftovers ...
 
Seems to be some debate as to whether the Ryzen 1600 AF will be fully supported. Ryzen 1XXX series CPUs are not supported it seems, but the 1600 AF is special in that it was based on a Ryzen 2600 and is basically the same CPU with slightly different clocks. Imagine if the capability was there, but because it gets detected as 1XXX series, it gets limited. That would suck.
 
My guess is Windows 10 support will be extended beyond the current quoted date. It really depends how well 11 is received. I'm in no rush, let the early adopters break it in and after 1-2 years decide if you wanna try it. Unless it'll be a 'painless upgrade' process like it was from 7 to 10 ;)

There's always Linux... except for the old catch-22 driver issues.
 