27 comments

[ 4.5 ms ] story [ 81.0 ms ] thread
paywall
Guy built custom computer but ran Windows 10 on a MBR disk with legacy boot (BIOS/CSM) and TPM disabled. Ran 11 compatibility check and was surprised that Windows 11 won't work with that.

Also advocating that MS sells a version that relaxes this requirement (AFAIK - Windows will run on the system anyway but support people may* turn you away and your system will be less secure). For reference, the insider preview build works just fine on my 7700k system with TPM disabled.

(comment deleted)
Apparently the insider preview builds have somewhat relaxed requirements, may not be representative of the final product.
I've been running internal builds but you're correct in that they can still make changes to requirement before public release.
Opening it in politics mode (previously known as porn mode) works fine.
> Unless you have a recent store-bought PC that has Secure Boot and TPM enabled out of the box, you probably aren’t going to be able to upgrade, even if your hardware is theoretically compatible.

The vast majority of Windows devices are "store bought". TPM 2.0 has been an OEM requirement from Microsoft for almost five years now, so the only people that need to worry about enabling it are people who built their own PC, as in the exact type of people that would know how to do so.

It doesn't make any sense. He contradicts himself. If you bought a computer in the store (not tech savvy) then you are fine. If you built your own computer (tech savvy) then you can't figure out the bios settings?
Exactly my thoughts. He builds a "custom" computer, mix matches parts but is unaware of the difference between CSM/UEFI or MBR/GPT?

UEFI and GPT have been on the scene since Vista (2007).

Assembling a computer from parts doesn’t really require in-depth knowledge these days thanks to true plug’n’play.

No jumpers to set for CPU multipliers, IDE master/slave or IRQ/DMA/IO etc.

MBR/GPT and BIOS/UEFI aren't anywhere in-depth as clock multiplier, bus master/slave or IRQ/DMA/IO.

MBR/GPT and BIOS/UEFI along with SecureBoot are neatly explained in the UEFI and motherboard manuals. Also custom parts imply you're running XMP memory and need to enter UEFI to enable the advertised clocks anyway (Hello! JEDEC).

I more just hate the principle of tpm, that there's some part of my system running which I have no way to see, no way to hack, no way to modify. give me a special ring -1 that i the owner can use to own my system and I'm ok but what a vile situation that windows now mandates that users can't have control over their systems.

argument against there being the possibility of access all boil down the to apple no-sideloading arguments, that users might possibly do bad things, that the world is scary. it's a lot more scary to me when mega corps can invisibly do whatever they want on hardware I "own". re-personalize the PC, please.

also 4 year old Ryzen processors don't have support for the digital fascism chip so a lot of them would have to spend a court hundred bucks to upgrade.

Ryzen 1000 chips have TPM. We don't know exactly what feature Microsoft wants that they don't have. They announced this morning that they're going to do more testing of Ryzen 1000 and Intel 7th gen chips during the preview in the hopes of officially supporting them.
Internal communication on requirements hasn't been very clear either. I can see them requiring TPM2.0 but Kabylake and Ryzen 1000 cut-off seems unnecessary from my POV.

IHV push back is the only reason I'd wager but then most of the hardware features requiring OS changes are being back-ported to 10 for enterprise support anyway.

The TPM is not “ring -1,” nor is it a DRM device. It’s a little fixed-function cryptographic HSM that can do a limited set of operations. It is possible to use it to make a computer that resists end-users switching OSes without losing access to the data, and this is roughly what BitLocker does. If you want that functionality, then enable it. If you don’t, don’t.

Saying you can’t hack your TPM is like saying you can’t hack your credit card. (Not your credit card account — your actual card.). Making it hackable would defeat the whole purpose. And, unlike your credit card, your TPM will gladly support fully open source Linux SSH key protection, whereas your VISA credit card is not about to emulate a MasterCard.

TPM does contain a secure key store, not just fixed function encryption and signing operations. Unless it's fTPM, in which case the storage and device firmware attestation is handled by firmware - but it is still key functionality.

You really don't need anything particularly special to make a cloneable module that supports all TPM 2 functionality, it's just that the available ones are not and any other would not get certified.

The ring -1 functionality is firmware attestation. It must be supported as per spec.

So no, TPM is not just a chip or just a key store. It is much more than that hence the blobs that handle it had security bugs.

Bad article. Author doesn’t seem to understand the difference between legacy BIOS and UEFI and how these two boot.

He enabled SecureBoot and disabled CSM (BIOS emulation) and was surprised he couldn’t get his system which was obviously installed in legacy mode to boot anymore. I stopped reading after that.

Oh, and he confused SecureBoot and TPM, too.

(comment deleted)
Almost no one understands those distinctions, so this article is representative of the hassles that many many PC enthusiasts face from Windows 11.
If you stopped reading in the middle, then you missed the best part of the article, which is at the end.
I agree with you, I gave up on the article.

However the the point he was trying to make is still valid. He considers himself "computer savvy" and learning all these new concepts is not going to be approachable to most people. And as such hardware that could run will not have the user knowledge to get it working.

That said, I think Microsoft is doing the right thing here. The only way to move physical security forward is to make it mandatory. The same users who consider themselves technical are the most likely to implement the least possible security.

My honest opinion is, We should consider the Ycombinator demographic that is going to go ever younger.

There are going to be younger programmers, what do we do about them?

I have learned a lot from the articles here, but at the cost of being burnt most times, we need a handle or method to make Ycombinator accesible for new learners. Ask HN Noob?

If you're building your own PC and you don't know the difference between BIOS and UEFI, you're going to have a bad time regardless of whether you upgrade to Windows 11.
This is purely a DIY problem for six-month old systems.

Not a single OEM desktop or laptop sold in the past six months as new should have any of these issues.

UEFI is non-negotiable, TPM 2.0 is virtually universal, and you only need to be Secure Boot capable—not actually have Secure Boot on.

This tool expects the person that built the computer (Dell, HP, Lenovo, or the DIY enthusiast) to understand the terms.

But, credit to the author, it presents them in a very poor way. It should’ve noted UEFI / GPT wasn’t enabled first before any other error. But it assumes you know UEFI requires GPT which means using mbr2gpt.exe.