Windows 11 Question (TPM? -> External TPM Module = Not Mandatory)

DubStepMad

New member
Joined
Apr 27, 2019
Messages
8
For the time being, you can keep the BIOS in CSM mode, so that you don't have any trouble with your existing installation. Then one day, when you want to install Windows 11, switch it to UEFI first.
Thank you for making that clear as now I understand :)
 

LordElpus162

New member
Joined
Jun 27, 2021
Messages
8
Hi all. Despite following all the above instructions I cannot get Secure Boot to enable. I have followed all the advice & combinations given by Citay above (many thanks) but without success. In each case once I exit the Bios to boot into windows I get a 'Secure Boot Violation' notice and get dumped back into the Bios. I can only boot into windows with secure boot disabled. TPM is enabled. Not sure what else to try. Any further help would be appreciated.
My System is a self build. MSI MAG Tomahawk B550M; AMD 7 8300X CPU; 64Gb of Gskill Ripjaws V series 3600 DDR4; NVIDIA GTX 1650 GPU;
Windows Device Security says 'Standard hardware security not supported'

Edit: Have just checked Windows Security and it tells me 'Memory Integrity cannot be turned on' saying there are driver incompatibilities. All latest drivers downloaded from MSI.
 

jhd

New member
Joined
Jun 26, 2017
Messages
2
You don't need a discrete TPM chip for that board, see my post a bit higher up, https://forum-en.msi.com/index.php?threads/windows-11-question-tpm.364320/#post-2066837

Most boards from the last 5-6 years have a firmware TPM or "fTPM", on Intel this is called PTT or "Platform Trust Technology" and can simply be enabled in the BIOS.

There is no major difference in how a dTPM chip and the integrated fTPM works. To Windows, it behaves exactly the same. So it is completely unnecessary to buy a dTPM chip when you have a fTPM.

Here is the Microsoft article again: https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations

If you look at that, you will see that Bitlocker also doesn't require a TPM, you can use that already without enabling the fTPM.
Bitlocker does require a TPM for boot drive encryption, without which I don't see a lot of use for Bitlocker in the first place. You can override it with group policy settings, but there's a good reason why Windows requires a TPM in the first place.
You're right that the fTPM seems to be enough for Bitlocker. I guess I'll risk having to re-enter my backup key next time my UEFI receives an update (if ever). A bit strange that the fTPM is disabled by default if it's supported just fine, but oh well.

As for the differences between the fTPM and the dTPM, Windows 11 does require the TPM 2.0 standard which is not available with my fTPM. I'll have to hack something together to get Windows 11 running on this board, or wait for the TPMs to magically become available.
 

laurence1211

Well-known member
PRIVATE E-2
Joined
Jun 28, 2020
Messages
1,993
Hi all. Despite following all the above instructions I cannot get Secure Boot to enable. I have followed all the advice & combinations given by Citay above (many thanks) but without success. In each case once I exit the Bios to boot into windows I get a 'Secure Boot Violation' notice and get dumped back into the Bios. I can only boot into windows with secure boot disabled. TPM is enabled. Not sure what else to try. Any further help would be appreciated.
My System is a self build. MSI MAG Tomahawk B550M; AMD 7 8300X CPU; 64Gb of Gskill Ripjaws V series 3600 DDR4; NVIDIA GTX 1650 GPU;
Windows Device Security says 'Standard hardware security not supported'

Edit: Have just checked Windows Security and it tells me 'Memory Integrity cannot be turned on' saying there are driver incompatibilities. All latest drivers downloaded from MSI.
Have you tried reloading the factory default keys in the bios? The memory integrity thing is something else, you need to turn on svm if you want that.
 

LordElpus162

New member
Joined
Jun 27, 2021
Messages
8
Have you tried reloading the factory default keys in the bios? The memory integrity thing is something else, you need to turn on svm if you want that.
Thanks for responding. Yes, several times! 🤪 I turned on 'secure boot' on its own without success. After reboot switched the settings from 'standard' to 'custom' and loaded the keys, saved and reboot. Switched back to standard etc. But each time I left secure boot enabled I got the 'secure boot violation'.
 

thenewoc

Member
STAFF SERGEANT
Joined
Jun 7, 2012
Messages
73
Hi, Does anyone know please what the correct TPM chip is for a Z77a-GD65 board? I know the Ivy Bridge CPU is not on the approved MS list at the moment but I just want to check if a TPM chip is available.
 

citay

Pro
SERGEANT
Joined
Oct 12, 2016
Messages
9,822
It's hard to say which is the correct TPM chip, because you need a TPM 2.0 chip, but in 2012 when your board came out, there was no TPM 2.0 yet. So the manual doesn't give any hints as to what TPM chip you would need (I checked).

Anyway, TPM chips are scarce, because scalpers bought up a bunch of them in order to re-sell them at higher prices. I've seen some poor souls pay up to 140 € on eBay for a TPM chip, this is absolutely crazy. These chips should cost 10 to 20 bucks at most. But the announcement from Microsoft made people nervous and now they all want to get a TPM chip.

So there's a hype around these modules, coupled with a global chip shortage. Due to that high demand and low supply, it makes no sense to buy a TPM chip now. I would wait it out until Windows 11 is finished and things have calmed down. Then you will also have feedback from people with old mainboards (pre-fTPM) so you'll know what module would be needed.
 

RemusM

Well-known member
LIEUTENANT COLONEL
Joined
Nov 16, 2006
Messages
2,881
Hi, Does anyone know please what the correct TPM chip is for a Z77a-GD65 board? I know the Ivy Bridge CPU is not on the approved MS list at the moment but I just want to check if a TPM chip is available.
Your motherboard and CPU are limited to TPM 1.2
If Microsoft does not drop the TPM 2.0 requirement, your system is not qualified for Windows 11.
 

Alan J T

🙈 🙉🐝 🤬😈
Global Moderator
Joined
Sep 11, 2020
Messages
10,673
Your motherboard and CPU are limited to TPM 1.2
If Microsoft does not drop the TPM 2.0 requirement, your system is not qualified for Windows 11.
Looks like removing it or lowering the requirements for win 11 are getting traction with the insiders portal, forcing the option of TPM is not a popular move at all. I do not think Microsoft will scrap it as they have been pushing for UEFI and Secure boot for years and forcing TPM also forces people to move over to UEFI and Secure boot.

Perhaps Microsoft is getting ahead of the litigation crowd, as I am sure they do not want to get sued for millions for not making their OS secure. Or stupid proof
 

RemusM

Well-known member
LIEUTENANT COLONEL
Joined
Nov 16, 2006
Messages
2,881
Looks like removing it or lowering the requirements for win 11 are getting traction with the insiders portal, forcing the option of TPM is not a popular move at all. I do not think Microsoft will scrap it as they have been pushing for UEFI and Secure boot for years and forcing TPM also forces people to move over to UEFI and Secure boot.

Perhaps Microsoft is getting ahead of the litigation crowd, as I am sure they do not want to get sued for millions for not making their OS secure. Or stupid proof
This is the current status for Intel 7th generation CPUs and Intel 100 chipsets:
[Image: i7-7700HQ_HM175.png]

An educated guess?
Windows 11 will work on this chipset (Z170 for example) paired with the 6th and 7th generation CPUs.
Right now I cannot say anything about older CPUs and chipsets.
 

LordElpus162

New member
Joined
Jun 27, 2021
Messages
8
Thanks for responding. Yes, several times! 🤪 I turned on 'secure boot' on its own without success. After reboot switched the settings from 'standard' to 'custom' and loaded the keys, saved and reboot. Switched back to standard etc. But each time I left secure boot enabled I got the 'secure boot violation'.
UPDATE: As a result of other comments regarding updating the Bios, I went online to check and found that my Motherboard, which I purchased in December, had an August 2020 bios which was quite out of date. I updated to the latest Bios and, hey presto, both TPM and Secure boot are now operational. Thanks all. Lesson learned. Check the Bios!!
 

citay

Pro
SERGEANT
Joined
Oct 12, 2016
Messages
9,822
Yep, when you take a brand new mainboard out from its packaging, it usually has a BIOS that's several months old, because a) they don't always put the newest version onto the BIOS chip in the factory, and b) it's usually transported by ship from China, which takes a while. When I get a new mainboard, one of the first things I do (after some initial tests) is to update to the newest BIOS. Especially nowadays, the mainboard makers tend to iron out a lot of problems after a mainboard has been released and not before, plus the microcode updates supplied by Intel and AMD become more and more important.
 

LordElpus162

New member
Joined
Jun 27, 2021
Messages
8
I usually do check when I do a build but, having not done one for a few years I didn't follow my own rules. You can imagine the smug look of satisfaction on my face when I got the 'your system is suitable for Windows 11' message. Now I just need to get a decent GPU instead of the 'this one will have to do for now' GTX 1650.
 

Alyred

Member
PRIVATE E-2
Joined
Oct 31, 2013
Messages
49
Are there any notes in advance about turning on secure boot and loading the default keys? Will I have issues with that for fTPM when doing a BIOS update, for instance? I installed Windows 10 using UEFI but didn't have secure boot enabled.
Just curious as to what things I'll need to watch out for going forward once turning it on. Thanks!
 

citay

Pro
SERGEANT
Joined
Oct 12, 2016
Messages
9,822
You can switch Secure Boot off and on as you like, it doesn't make a big difference for Windows 10. Don't know how it's gonna be with Windows 11, but Windows 10 doesn't really mind either way.
 
Joined
Jun 30, 2021
Messages
3
Hi!
I'm from Chile, excuse my English.

I have a TPM 2.0 module (MS-4136) with firmware 5.61. I am aware that there is a vulnerability regarding this firmware version. For this reason, most equipment manufacturers released a firmware update to version 5.63.

MSI sells this TPM 2.0 (MS-4136) as of today, with firmware 5.63.

I have looked everywhere for an MSI utility to update the firmware but nothing formally appears on the MSI page.




Greetings to all
 

citay

Pro
SERGEANT
Joined
Oct 12, 2016
Messages
9,822
They mean this: https://www.msi.com/Motherboard/TPM-20-Module

A dTPM 2.0 module that is meant for modern boards. Of course, those discrete TPM modules aren't needed for those modern boards when it comes to Windows 11 compatibility, because all those modern boards they list already have a firmware TPM (fTPM 2.0) which fully satisfies the TPM 2.0 requirements. So they are meant for special purposes that go beyond the Windows 11 requirements.
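
A read-only check of the settings this thread keeps returning to (UEFI vs. CSM mode, Secure Boot state, TPM spec and firmware version, BIOS age), as an added example that is not from any poster or from MSI. The `$maxBiosAgeDays` threshold is a constructed assumption; run it from an elevated PowerShell prompt on Windows 10 or 11.

```powershell
# Added example: read-only status check; run from an elevated PowerShell prompt.
$minTpmSpec     = [version]'2.0'  # TPM version the thread says Windows 11 requires
$maxBiosAgeDays = 365             # constructed threshold, not an MSI or Microsoft value

$report = [ordered]@{}

# Secure Boot exists only in UEFI mode, not in CSM/legacy mode.
$report.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

# Returns $true/$false under UEFI; throws when the platform does not support it.
try   { $report.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $report.SecureBoot = "unavailable ($($_.Exception.Message))" }

# Windows exposes a discrete TPM and a firmware TPM (fTPM/PTT) through the same class.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    # SpecVersion reads like "2.0, 0, 1.38"; the first field is the TPM family.
    $family = (($tpm.SpecVersion -split ',')[0].Trim()) -as [version]
    $report.TpmSpec         = $tpm.SpecVersion
    $report.TpmMeetsMinimum = $family -ge $minTpmSpec
    $report.TpmEnabled      = $tpm.IsEnabled_InitialValue
    $report.TpmActivated    = $tpm.IsActivated_InitialValue
    $report.TpmVendor       = $tpm.ManufacturerIdTxt
    # Module firmware version: compare by hand against the vendor's fixed release.
    $report.TpmFirmware     = $tpm.ManufacturerVersion
} else {
    $report.TpmSpec = 'no TPM visible (disabled in firmware setup, or absent)'
}

# BIOS age: a board can ship with firmware many months older than the latest release.
$bios = Get-CimInstance -ClassName Win32_BIOS
$report.BiosVersion  = $bios.SMBIOSBIOSVersion
$report.BiosReleased = $bios.ReleaseDate.ToString('yyyy-MM-dd')
$report.BiosStale    = ((Get-Date) - $bios.ReleaseDate).TotalDays -gt $maxBiosAgeDays

[pscustomobject]$report | Format-List
```

`TpmFirmware` is the value to compare against a vendor advisory (the 5.61 vs. 5.63 question above), and `BiosStale` flags the situation that caused the Secure Boot violation earlier in the thread.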
 