TPM and Secure Boot (and Windows 11)

[Cantab]

I've been exploring options for when and how I should switch to Windows 11. I'm currently using a two-year-old desktop running Windows 10 Pro. It specs were relatively high end and customized when I had the machine built.

According to Microsoft's PC Health Check, the desktop more than meets the requirements to run Windows 11, but with one exception. It currently does not have TPM 2.0. But the Health Check says that it does support Secure Boot.

I've explored the options for having TPM 2.0. For roughly $100 I could purchase an add on TPM chip/module that would plug into a dedicated port on the motherboard. However, the Intel chipset on the motherboard is one that has Intel's PTT built in. From what I've been able to learn from articles on the Internet, if I activate the PTT I would then meet Windows' requirement for TPM 2.0.

I'm in no rush to switch to Windows 11 but do not want to lose the opportunity to acquire a TPM chip if that turns out to be the root I need to go. I'm tempted to activate the built-in PTT and see what happens – I've looked at the relevant switch on the motherboard's UEFI/BIOS to do this but have yet to do anything.

Before going down this route I'm wondering if someone can explain to me the practical consequences of activating TPM. (And I believe Secure Boot would be activated automatically if I activate the TPM – but I may be wrong on this point.)

I've read some of the technical explanations about what TPM and Secure Boot do but I am not at all clear on what they do in the real world. All that I've seen is that they possibly can stop the ability to use some types of operating systems, including legitimate ones such as Linux; but I don't know if that's true.

[Manfred M]

Bruce - with a 2-year old machine you likely have TPM 2.0, but you have to activate it through changing the UEFI settings at boot up. I had to do this to a computer I was upgrading to Windows 11.

[Cantab]

Bruce - with a 2-year old machine you likely have TPM 2.0, but you have to activate it through changing the UEFI settings at boot up. I had to do this to a computer I was upgrading to Windows 11.

Manfred, did you notice any changes in how the W10 computer operated or how you logged on after you activated the TPM? I'm hoping it's a case of life going on as before activating TPM, rather than the creation of new security related issues.

[lunaticitizen]

The short answer is that there is no practical consequence of activating TPM to users.

UEFI Secure Boot does not require TPM, Microsoft insists on the inclusion of TPM mainly for better protection of Windows Hello (ability to log in to Windows using IR-enabled webcam or PIN) and BitLocker (drive encryption).

I said "better protection" because TPM is not even required for either of them. This is just Microsoft forcing OEM manufacturers (and users) to adopt current best practice for security.

I'd recommend to first check with your PC builder whether they have experience about enabling Intel PTT for your particular motherboard and chipset, and whether there was no record of adverse effect on the computer afterwards. This should be a harmless task though.

$100 sounds expensive for a mere TPM chip, although this might be due to the semiconductor shortage...

[Manfred M]

Manfred, did you notice any changes in how the W10 computer operated or how you logged on after you activated the TPM? I'm hoping it's a case of life going on as before activating TPM, rather than the creation of new security related issues.

Nothing changed so far as I could tell. I toggled the "Enable TPM" on the setup screen and the machine rebooted and ran as it always did. I updated to Win 11 after I confirmed that the change made no difference. I suspect that having the feature enabled has more to do with protecting software vendors (read Microsoft, et al) IP than making the end user more secure.

[Cantab]

Manfred and Leo, thank you for your comments. I'm going to activate the built-in Intel PTT and then run Windows' PC health check. I'll report back in a day or so.

Leo, the material at the link you provided was interesting and helpful.

[Cantab]

Good news on two counts.

I've just gone into the BIOS and activated the built-in Intel PTT. The first good news was that when I rebooted the machine it in fact restarted with no issues. The second piece of good news is that when I ran Microsoft's Windows tool for checking whether Windows 11 would work, it declared that my computer is now fit and ready for Windows 11.

Now I need to decide whether to upgrade or whether I should install another drive so I can dual-boot both Windows 10 and 11. The difficulty with the second option is that the motherboard's one and only M.2 socket (NVMe) is currently occupied by Windows 10.

[Stagecoach]

Now I need to decide whether to upgrade or whether I should install another drive so I can dual-boot both Windows 10 and 11. The difficulty with the second option is that the motherboard's one and only M.2 socket (NVMe) is currently occupied by Windows 10.

Some thoughts Bruce from having recently undertaken both an upgrade and shortly after a clean installation.

If you 'upgrade' there is the option of reverting back to Win 10 within 10 days.

If you 'upgrade' that may leave complications with respect to compatibility with existing items loaded.

If you 'install' to another drive could that affect speed?

I have read that there are sometimes complications having two operating systems on the same machine.

With respect to my own clean install no concerns to date other than I have not yet solved how to get back my equaliser for my speakers

[Cantab]

Grahame, thank you for your comments. Yes, I remember the issues you had with an upgrade versus a clean install. That's one reason I'm looking at the possibility of avoiding an upgrade from 10 to 11.

On my previous (and still existing) desktop computer, I ran XP as long as I could and then finally dual booted with windows 7 on a separate drive. I never had any problems with the two operating systems on the one computer. But dual booting XP and Windows 7 may be a different issue from the dual booting windows 10 and 11.

[lunaticitizen]

Don't you have to possess licenses for both Windows 10 and Windows 11 if you want to dual-boot?

[Cantab]

Don't you have to possess licenses for both Windows 10 and Windows 11 if you want to dual-boot?

Yes, I'd need to purchase a licence for Windows 11. I've read somewhere that they're not yet available (apart from buying a W10 licence and then upgrading from that).

Grahame pointed out that if I were to upgrade my current system, I'd have a 10 day window for rolling back to Windows 10 if the upgrade was causing problems. Thankfully, I've no urgent need to move to Windows 11 so have time to ponder the options now that I know my existing computer is competent to run Windows 11.

[lunaticitizen]

I see.

I upgraded my work laptop to Windows 11 when it was still in alpha stage last year and found that it was less snappy, so I had my company buy me a new laptop. I needed a Windows 11 laptop since I mainly deal with Microsoft's technologies at work.

Major upgrade is a nightmare for IT administrators. Nobody wants to do it.

[DanK]

Personally, I see no reason to bother yet. At some point, I’ll get a new computer that will have windows 11, or my university will have done the upgrade and will want everyone on the same page. Until then, however, I’m content to wait. I haven’t seen any new features that I’m in a hurry to get.


Sent from my iPad using Tapatalk