Some TPM 2.0-Capable Systems Are Still Ineligible for Windows 11
Microsoft’s Windows 11 unveil has quickly devolved into a confused mess regarding which CPUs will and won’t be supported under the new operating system. While I touched on this Friday, new information from both Microsoft and end-users has shed a bit of light on a confusing topic.
Here’s what we know so far:
TPM 2.0 Support Is Not the Only Variable in Play
Simply having TPM 2.0 support in your system does not appear to be sufficient to install Windows 11. Microsoft has confirmed to PCWorld that machines like the Surface Studio 2 ($3,499 and up) — which isn’t quite three years old and supports TPM 2.0 according to Microsoft’s own spec sheets — will not support Windows 11. This machine is ineligible to upgrade. You can still buy a Surface Studio 2 from Microsoft today.
Microsoft executives, the company’s list of supported CPUs, and various statements to other press outlets all consistently claim a few things:
1). TPM 2.0 support is required: There is no longer any mention being made of a “soft floor” for TPM 1.2. We do not know if such a floor is still under internal discussion or if Microsoft intends to stick to its guns on this one. Older systems that supported TPM 1.2 can sometimes upgrade to TPM 2.0 if your motherboard vendor released a UEFI update, but this will not help you if your chipset or CPU is unsupported. This brings us to our next point:
2). Limited official compatibility with older devices. Microsoft isn’t just limiting installation based on the presence or absence of TPM 2.0. The Surface Studio 2 is TPM 2.0-enabled, but uses a Core i7-7920HQ processor based on Kaby Lake. According to Microsoft’s support documents, no Intel CPU earlier than 8th Gen will support Windows 11. No first-generation Ryzen or earlier CPU is listed as compatible with Windows 11.
According to Microsoft executives, these restrictions are being enforced at the chipset level.
As of this writing, we’re assuming there must be a CPU component as well. Intel may not have offered a platform upgrade between 7th and 8th Gen, but AMD’s Ryzen 2000 CPUs worked in 300-series boards and the Ryzen 1x family similarly functioned in 400-series boards. One possibility — and this is supposition on our part — is that differences in how AMD and Intel rolled out features might mean that a 300-series motherboard + Ryzen 2xxx is still Windows 11-compatible if TPM 2.0 is available and active, while for Intel, chipset and CPU guidance are linked. It is also possible Microsoft is blocking either CPUs or chipsets of a given generation and checks for both.
Microsoft may make additional disclosures on this topic to clarify it at a later date.
3). Windows Insider Preview Builds are not locked down (but will be): Right now, Microsoft is allowing Windows 11 to install to systems that will not qualify to run the final version. The company has made this explicit in some recent documentation updates.
End users who were already enrolled in the Windows 11 Insider program can continue to test builds on their PCs, but they will not be eligible for Release Candidate preview testing. This has injected additional confusion into this discussion. Right now, the only two groups of people running Windows 11 are folks who are part of the Windows Insider campaign and folks who downloaded a leaked build of the operating system. The leaked build seems to require TPM 2.0 (we couldn’t install it to any system that lacked support), but since it’s an early version of the OS, it may not lock out all the devices that Microsoft apparently intends to restrict.
4). A special edition of Windows 11 will exist that does not require TPM. This version is intended only for markets where Western encryption is not used and does not require a TPM 2.0 module. Everyone else, however, is expected to have one.
Not much ambiguity about that. Later in the document, Microsoft states:
A UEFI firmware option to turn off the TPM is not required. Upon approval from Microsoft, OEM systems for special purpose commercial systems, custom order, and customer systems with a custom image are not required to ship with a TPM support enabled.
So customers in certain markets will be able to buy a system without TPM 2.0, but for everyone else, the feature is required. Hat-tip to THG for finding this bit.
5). Skylake-X may work: We haven’t heard back from Intel on our question regarding Core i9-9980XE support, but Brad Sams on Twitter has a 7900X and reports the CPU scans as Windows 11 compatible:
My workstation is a 7900x (7th gen) and is not on Microsoft’s Intel list for supported chips but the PC Health Check app says it will run Windows 11. pic.twitter.com/RQMAGDH2CT
— Brad Sams (@bdsams) June 26, 2021
This is not an official confirmation from Intel or Microsoft, but it may be a sign that a few more chips could be added to Microsoft’s list.
6). The new Windows PC Health Check differentiates between “No TPM 2.0” and “Your CPU is unsupported.” We covered this on Friday, but we want to include it again based on how much confusion there was over whether we had re-described the TPM 2.0 problem.
This is what the PC Health Check app displays if you run it against an eligible machine without TPM 2.0 enabled:
This is what the PC Health Check displays if you run it against 6th Generation Broadwell-E, 6th Generation Skylake, or Kaby Lake CPU:
The fact that the application distinguishes between these two states implies it’s detecting two different things and that Microsoft has done this deliberately. The previous version of the app literally only told you that you couldn’t update to Windows 11 while giving no explanation as to why.
7). Many people we spoke to think Microsoft will change these requirements. We’ve talked to a number of folks we know in various types of jobs in the PC ecosystem, including corporate IT staff, PC OEMs, and hardware manufacturers. The general opinion is that these are very restrictive requirements and that Microsoft is likely to loosen them.
If I’m being honest, I’m not so sure about that. I think there’s room for Microsoft to officially announce support for platforms like Skylake-X and Threadripper, but the company has been unequivocal about certain requirements: TPM 2.0, 8th Gen Intel CPU, 2nd Gen AMD Ryzen CPU (thus far). It’s entirely possible that whether Microsoft changes these requirements will depend on how much blowback the company gets. Microsoft executives have confirmed that while the CPU support list will “evolve,” the chips currently listed are the supported CPUs.
Yep, these lists (Intel, AMD, and Qualcomm) are the currently supported CPUs. The lists will evolve over time, of course, but these are the supported CPUs.https://t.co/Y26xrKvg8g
— Steve Dispensa (@dispensa) June 26, 2021
8). Not all systems that technically support TPM 2.0 can enable it. This depends on the make and model of your computer, but OEMs may not enable it. Getting TPM 2.0 up and running on a system that hasn’t previously used it isn’t impossible, but it should be approached with caution. If you installed Windows under BIOS instead of UEFI, there’s no simple way to convert to a TPM-enabled Secure Boot configuration. There is a way to do so, discussed by various commenters in this Ars Technica conversation thread. The linked article covers how to build a proper Windows 11 VM with TPM 2.0 enabled.
One big remaining question: Will individuals be able to upgrade to Windows 11 even if their hardware doesn’t meet requirements? Several people I spoke to brought up the fact that Microsoft never officially listed Haswell support for Windows 10, even though Haswell installed fine.
Our attempts to upgrade a computer to Windows 11 from Windows 10 using the previously leaked installer failed, so we can’t speculate on what the eventual state of the software will be. Microsoft did not release a utility telling people with three-year-old PCs that their CPUs were not supported under Windows 10 when it launched that OS, so the situations may not be analogous.
Where We Stand Right Now
To sum it all: TPM 2.0 support appears necessary but not sufficient to guarantee Windows 11 compatibility. Skylake-X is not currently listed on Microsoft’s Windows 11 Intel support list but may be supported. Current Windows Insiders are allowed to test Windows 11 but have been informed they cannot update to Release Candidate builds when such software is available.
End-users may find themselves in a situation where TPM cannot be enabled in firmware despite being technically supported. Absent a physical TPM 2.0 module, there may not be a way to enable TPM 2.0 on such a machine. This may or may not matter, depending on whether Microsoft will enable upgrades for your platform in the first place. This may be part of why Microsoft locked out older systems; it’s possible that OEMs only began shipping all of their systems with UEFI-accessible TPM options when AMD launched Zen+ and Intel was shipping Coffee Lake. This would explain the lockouts.
For now, ExtremeTech is taking Microsoft at its word. The company has repeatedly stated that 6th and 7th Gen CPUs will not be compatible, so we’ll be treating them as if they aren’t until we hear differently. Skylake-X appears to work, Threadripper 1x is an unknown. Buying a TPM 2.0 module for a 7th Generation Kaby Lake CPU may not be enough to get that CPU working under Windows 11.
That’s the state of things as of now, as near as anyone can tell. “Clear as mud” could have been coined to describe this situation.