Detection Script to help identify why your PC isn't Windows 11 ready (github.com/rcmaehl)
85 points by sys_64738 on June 26, 2021 | 75 comments


There's also a Microsoft provided tool: https://aka.ms/GetPCHealthCheckApp

And the text list of what's compatible:

https://www.microsoft.com/en-us/windows/windows-11-specifica...

The two that people are complaining about most are:

- Arbitrary requirement of 8th gen or better for Intel i3/5/7/9[1]. Which seems odd, given that some 2017 era Celerons are on the list.

- TPM 2.0 module

[1] Specific Intel CPUs: https://docs.microsoft.com/en-us/windows-hardware/design/min...


According to Ars [1], it seems that every CPU that is on the supported processor list includes TPM. It's called iPPT on Intel and fTPM on AMD.

Most motherboards ship with it disabled in the BIOS so you have to find that setting (probably somewhere in the "advanced" settings) and change it.

They also warn that some OEM motherboards have it disabled in the BIOS but do not expose a setting to change it, so with those you might be out of luck if the OEM did not include hardware TPM.

[1] https://arstechnica.com/gadgets/2021/06/heres-what-youll-nee...


I have it turned "on" to something which is called "Discrete TPM" on my AMD but it seems that it's not good enough according to the tool.


"Discrete TPM" means you have a daughter board that you plug in to a physical TPM port on the motherboard (check your motherboard manual for where it is, and which kind is compatible). If that device is physically not actually there, then that BIOS option does nothing for you.

You should check and see if the "Firmware TPM"/"fTPM" option is available, because that one will work without the physical add-in card.


Ah got it.

Thank you. Yes indeed there is a Firmware option there.


> There's also a Microsoft provided tool: https://aka.ms/GetPCHealthCheckApp

Doesn't work on Domain joined machines. It tells me to contact my IT department (which is me!) and doesn't show anything else.


Could it possibly be that they want to compile with support for a specific instruction set extension or depend on spectre/meltdown fixes? Though Wikipedia [0] only lists CNVi [1] as new feature.

[0] https://en.wikipedia.org/wiki/Coffee_Lake#Features

[1] https://en.wikipedia.org/wiki/CNVi


I believe that app is currently checking the cpu against the list of compatibility for OEMs which tends to be more strict though. So there's a chance an older cpu might work that the app says will not.


My guess is that 8th gen was picked since that's when quad core became standard across the product line, but that leaves out the earlier HQ series (such as the i5-7300HQ on my ThinkPad T470p) that are quad core. And of course the Celerons aren't either, so it doesn't make any sense.


TPM excludes Boot Camp, so no Intel Macs. I guess with the EOL date being 2025 and the ARM migration it probably won't matter by then though!


If you search around, there are a few implementations of a virtual TPM around. VMware does it, Parallels also, and there are also some open source ones. I would guess someone might find a way to graft that into Boot Camp.


On my fairly new second gen Surface Go 2, GetPCHealthCheckApp says that my CPU isn't supported, despite it being an m3 that is explicitly on that list you linked to. The tool at github says everything is supported when I run it. I guess we'll just have to wait and see...


The Microsoft tool won't tell you why it doesn't work though. Says only: "While this PC doesn't meet the system requirements to run Windows 11, you'll keep getting Windows 10 updates".

The tool told me that it's indeed TPM. I didn't even know what it is and my PC is 2 months old ;)


If you can't boot Windows 11 without having secure boot turned on, I guess I'll have to skip this Windows version for the first time in decades. I've always been an early adopter for new Windows versions, but I really can't be bothered with signing my damn Linux kernels just to boot Windows every once in a while.


all large distros are using shim which supports secure boot

you can also enroll your own key relatively easily using mokutil

if you're building your own kernels it's one command to sign them (sbsign)


You could also just run Win 11 in a VM and emulate TPM in software. ;)


Citation needed.

The MS link appears to say that you need UEFI that is Secure Boot capable. That includes most implementations.


Would enabling SecureBoot wipe your C:\ drive? I'm too afraid that I'll have to reinstall and configure everything again.


I know relatively little about Windows, but toggling Secure Boot by itself should have no such effect. Secure Boot is a firmware policy that affects what OSes are permitted to boot and a few other boot-time things. It has essentially no relation to your disk.

If you have Bitlocker enabled, all bets are off. Make sure you have a recovery key set up.


Why wouldn't you want secure boot as well?

I signed linux and it's just fine, debian does it transparently now.


Because it's a hassle, and I really don't care about that. Given that I'd have to go through the hassle of signing my own kernels just to get Windows to boot once a week, I really don't get why I should do that in the first place.

There's no way Windows _NEEDS_ to be signed to boot. Even macOS doesn't complain that much when booted without Secure Boot. Perhaps someone will find a way to cheat Windows about SecureBoot or TPM by using OpenCore, like the Hackintosh community has been doing for a long time.


Why would you want SB+TPM? It's called TPM 2 because only 2 pieces of software support it. Lol.

I already know where microsoft is going with this - Xbox-like DRM. In a few years they'll probably release pci-e based "security devices" with full DMA privileges, too.


Because doing kernel dev and constantly having to re-sign modules is more tedious than it's worth


I sure hope this isn't the start of the phone-ification of 'real computers', with the expectation that people buy new hardware every few years lest they get left out in the cold by software vendors.


Seems to be the case. There are laptops manufactured 2-3 years ago using 7th gen Intel, which isn't making the cut. Maybe MS will back off after all the corporate IT people start bitching about their laptops.


Corporates are constrained by application dependencies (not OS), and will likely be the last to adopt Win11 (given how long it took to migrate off win7 to win10 the last round).


I for one still have a win 7 desktop at a big dumb corp (f500). So yeah.


At the Fortune 500 company where I contract, Big Sur is finally almost ready to be certified for use.


God, I wish they got around to that at my place. Having used it on a personal device, I love Big Sur much more than Catalina.


Corporates usually replace hardware every 3-4 years don't they?

We do as well, but since we're using Macs they last so friggin long that some folks are still on 2016 MacBook Pro's. I badly want the new M1 ;)


>Corporates usually replace hardware every 3-4 years don't they?

Yes and no. 3-4 years from when the person got it maybe, which is usually not the manufacture date. And, it's one of those budget items that tends to get pushed out when there's a financial crisis, like now for many Covid affected businesses. I work for a F500, and my laptop was made in 2018, and is a 6th gen Intel.


> Corporates usually replace hardware every 3-4 years don't they?

At the companies I've worked for the programmers generally get new hardware about as often ...but other workers not so much. They are more likely to get the hand-me-down hardware.


Wow what a good corporation. We rolled windows 10 last month, hardware changes are very rare, maybe every 10 years. Usually done on a rolling when needed basis.


Laptops might be cycled that often but ah guarantee you many other machines are much MUCH older.


The next version of iOS supports older hardware than the next version of Windows, from what I can tell.

My 3 year old top of the line gaming PC won't get Windows 11. It's annoying.


Hey! Use Linux. Get off the stupid windows train.


On a gaming PC?


Is there an actual reason why windows 11 isn't supported on older hardware?

I've read the announcements, but from what I've seen Windows 11 is basically Windows 10 with new UI. And a few small details like widgets and "built-in" Microsoft Teams.


My ~~conspiracy theory~~ guess is that the Windows 10 minimum requirements were "If it ran Windows 7 you're good", which means that this upgrade saying "If it ran Windows 10 you're good" would entail supporting machines built in 2009 or earlier. Which is pretty old, so they decided to draw lines that would get rid of machines that old (for example, no more 32 bit). Then they kept going because someone said "legacy BIOS is dumb, UEFI is the choice of a new generation" and then another manager said "nobody uses disk encryption on home edition, let's mandate TPMs so they can do it easier", and sooner or later you have these probably higher than actual system requirements.


The engineering/testing cruft that goes along with testing super old hardware probably also hurts how quick they can iterate and how much they have to spend to validate changes on multiple hardware configurations.


Possibly, but I was under the impression that the free upgrade to Windows 10 (and the inexpensive upgrade for Windows 8) was to entice people to move to the new operating system in order to reduce support costs. By making a hardware upgrade a prerequisite of an operating system upgrade for a larger number of people will just encourage people to stick to Windows 10. That's especially true for desktop computers, where a moderately old machine will outperform many modern laptops.


But...supporting that is literally the appeal of Windows?


Is it? I thought the appeal of Windows is supporting old software with new versions of Windows.

Getting new hardware is easy, getting new software isn't.


That’s fair, but having long hardware support periods has been a consistent goal since at least XP, which supported machines with 64mb of RAM. Machines that could run vista well can still run W10 fine!


I somewhat doubt that given that most of the work for specific hardware is done by the OEM.


I'm assuming they simply start with a very restrictive list, as it's easier to say "it's supported anyway" later than to explain to people that their PC is incompatible despite their tool having told them otherwise before. Other reason might be newer CPU instructions and that they can't guarantee a good experience on older hardware. This is just my speculation, though.


Money


Is there a way to avoid ever getting windows 11, or will it be a forced sneaky upgrade like last time?


Turn TPM off and you'll avoid any sneaky upgrades!


How was the last one forced? My game machine is still on 7



if you had recommended updates enabled it would give you a pop up to schedule an upgrade to windows 10 with a recommended date and time preselected, and if you hit X in the popup to dismiss it, it would just use that recommended date and time.


MS are currently saying that Windows 11 will be an optional upgrade until support on Windows 10 runs out.


Which is October 2025 apparently. Hopefully they'll be forced to extend it like they did with older Windows.

I built my current PC in 2012 and it still works perfectly well - no slowdown at all thanks to SSDs and the end of Moore's law. I can't imagine I'll want to upgrade it within the next 4 years.


use piracy tools to crack your windows 10.

worked on windows 7 to windows 10 for me.


My custom-built PC was flagged as not being compatible due to not having TPM 2.0 module. I have an Asus Prime B450M-A motherboard and a Ryzen 7 2700 processor and was surprised that it wasn't compatible.

But it turned out there was an easy fix. Recent AMD processors have a TPM module built into the processor, and it was just a case of heading into the BIOS and turning it on. Now the PC is compatible with Windows 11.
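After changing the BIOS setting, the state Windows actually sees can be confirmed from an elevated PowerShell prompt. This is an added example, not part of the comment above and not code from the linked GitHub tool or from Microsoft's checker; the function name `Get-TpmReadiness` is hypothetical, while the `Win32_Tpm` class and `Confirm-SecureBootUEFI` cmdlet are standard Windows components.

```powershell
#Requires -RunAsAdministrator
# Added example: report the TPM and Secure Boot state as Windows sees it.

function Get-TpmReadiness {
    $result = [ordered]@{
        TpmPresent   = $false
        TpmEnabled   = $false
        TpmActivated = $false
        Manufacturer = $null
        SpecFamily   = $null
        IsTpm20      = $false
        SecureBoot   = 'Unknown'
    }

    # Win32_Tpm yields no instance when the firmware exposes no TPM, for
    # example when the BIOS is set to "Discrete TPM" but no module is fitted.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent   = $true
        $result.TpmEnabled   = [bool]$tpm.IsEnabled_InitialValue
        $result.TpmActivated = [bool]$tpm.IsActivated_InitialValue
        $result.Manufacturer = $tpm.ManufacturerIdTxt
        # SpecVersion is a comma-separated string such as "2.0, 0, 1.38";
        # the first field is the TPM family (1.2 or 2.0).
        $result.SpecFamily   = ($tpm.SpecVersion -split ',')[0].Trim()
        $result.IsTpm20      = ($result.SpecFamily -eq '2.0')
    }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # on legacy BIOS/CSM boots or when run without elevation.
    try {
        $result.SecureBoot = if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' }
    } catch {
        $result.SecureBoot = "Unavailable: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

Get-TpmReadiness | Format-List
```

`TpmPresent : False` with a TPM option enabled in the BIOS points at the wrong TPM type being selected (discrete with no module fitted) rather than at missing hardware.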


I'm out of the loop here - I thought windows 10 would be the last version of windows released, and it would just have rolling updates for the foreseeable future?

What changed?


Apple took MacOS to 11.

Seriously that’s probably more than half the reason.


But macOS 12 will release just before Windows 11 does (shortly after fall iPhone announcement vs. holiday season), since Apple has abandoned the use of yearly point releases for good. So that wouldn't work out very well for MS.


But why would Microsoft care about that? Having the bigger OS number is really unimportant, else ChromeOS would dominate at version 90. Also, if that was really the case, they should've made the jump earlier and/or directly go to 12.


Marketing. People got downright hyphy about Big Sur and the M1 chip, and Microsoft, by comparison, has had virtually zero excitement points in the past decade. Having a new product renews interest in the brand. I haven't run Windows in years, but you bet your ass that when I saw 'Windows 11' I was like, whoa, what's this all about? Turns out it's a pretty tame, incremental update with a major version number slapped on, but I still clicked to find out what was up. That's worth something.


> Having the bigger OS number is really unimportant

I can tell that you don’t work in marketing.


90 is super far out - obviously out of scope. But when numbers are close they get compared.

(I personally think we may see MacOS numbers start to move about as fast as iPhone numbers)


Firefox is at about version 90 too.

Perhaps Windows and MacOS track version numbers the same way as Firefox and Chrome.


That's absolutely my suspicion, too. Just look at all this hype. The smaller part of the reason is breaking compatibility with some hardware.


They wanted to look like a dynamic and innovative company so they released a new theme and gave it a brand new version number? That or windows 10 still leave too much control of the machine to the user in their eyes... I think I'll watch that particular disaster from a safe distance.


Must be partly due to the drastically changed minimum requirements. Would have been awkward to say Windows 10.8364837 and earlier need this, but Windows 10.837492 and later need this. Support for Windows 10.8364837 will end in 2025.


They learnt how bad rolling updates are.

I used to use Arch until a libpng upgrade broke everything.


Their minds :)


They simply didn't foresee this far into the future


Does the UEFI/Secure Boot/TPM requirement mean that I won't be able to boot Windows 11 in a VM?


VMs can certainly do UEFI, and I believe TPM emulations exist, so probably doable.


IIRC Hyper-V has an additional mode that chains with the real hardware TPM (if I'm understanding the feature correctly), which would allow attestation through the vm to the physical hardware root of trust to work as well. (Please, if this is wrong, please gently correct me ...)


This is called VBS.

It requires: virtualization instructions enabled and working, legacy bios disabled (not merely just booted with UEFI; workstations that are qualified for this operation usually have the option entirely removed, but simply turning legacy boot off entirely is enough), UEFI on, trusted boot on with Microsoft's keys enrolled, TPM 2.0 on and functioning and the OEM has to physically qualify that no external DMA interfaces can be hacked (ex: my 1660 Super claims it has a USB-C port (due to type-C DP support), the card physically only has DP and HDMI, no type-C, so I have to set a registry key saying "this PCI-E device has been qualified to not be an external concern") (another ex: even with USB3 etc host chips that are qualified (ie, the IOMMU properly sandboxes them), VBS sets the option that disables connecting a USB etc device while the device is locked; you can only plug in a device while unlocked and have it actually connect).

VBS is for truly secure workstations, the kind that really truly try to defend themselves against all sorts of security issues, including physically there (in concert with Intel vPro deployed correctly for VBS, and AMD's equivalent that I'm blanking on the name for).
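Windows reports which of these platform prerequisites it detects, and whether VBS is running, through the `Win32_DeviceGuard` CIM class. The following is an added example, not part of the comment above; the function names `Get-VbsReadiness` and `Resolve-Name` are hypothetical, and the value-to-name mapping follows Microsoft's documentation for that class.

```powershell
# Added example: compare the security properties VBS is configured to require
# with those the platform reports as available, and show the VBS run state.
$propertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure memory overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'
}
$statusNames = @{
    0 = 'Not enabled'
    1 = 'Enabled but not running'
    2 = 'Enabled and running'
}

function Resolve-Name($table, $value) {
    # CIM returns UInt32 values; cast to Int32 so the hashtable lookup matches.
    $key = [int]$value
    if ($table.ContainsKey($key)) { $table[$key] } else { "Unknown ($key)" }
}

function Get-VbsReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    # A value of 0 means "none" in both arrays, so drop it before comparing.
    $available = @($dg.AvailableSecurityProperties | Where-Object { $_ -ne 0 })
    $required  = @($dg.RequiredSecurityProperties  | Where-Object { $_ -ne 0 })
    $missing   = @($required | Where-Object { $_ -notin $available })

    [pscustomobject]@{
        VbsStatus       = Resolve-Name $statusNames $dg.VirtualizationBasedSecurityStatus
        Available       = ($available | ForEach-Object { Resolve-Name $propertyNames $_ }) -join ', '
        Required        = ($required  | ForEach-Object { Resolve-Name $propertyNames $_ }) -join ', '
        MissingRequired = ($missing   | ForEach-Object { Resolve-Name $propertyNames $_ }) -join ', '
    }
}

Get-VbsReadiness | Format-List
```

A non-empty `MissingRequired` together with `Enabled but not running` identifies which platform prerequisite is keeping VBS from starting.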


Oh, from the title I thought it was written in Javascript, with some crazy WASM or WebGL hack to check your hardware models.



