Windows 11 Question (TPM? -> External TPM Module = Not Mandatory)

Pangolin (Active member, Administrator; joined Nov 13, 2015; 142 messages)
Note: the information below is based on the current latest Microsoft release document (2021/06/25).
Windows Requirement

Secure Boot capable (does not necessarily have to be enabled)
TPM version 2.0 (fTPM or dTPM) - a discrete TPM card is NOT mandatory when fTPM works


For information on the MSI TPM 2.0 card (dTPM):
https://www.msi.com/Motherboard/TPM-20-Module

Test your compatibility with Windows 11
Windows Official Test Tool (Removed by Microsoft)
Alternative: WhyNotWin11
https://github.com/rcmaehl/WhyNotWin11/releases/latest/download/WhyNotWin11.exe

Steps to enable the relevant BIOS options (fTPM): you can check the video below.

Intel Platform
BIOS\Settings\Security\Trusted Computing\TPM Device Selection

AMD Platform
BIOS\Settings\Security\Trusted Computing\AMD fTPM switch

For newer PRO series motherboards (Intel 500 series or later), the security section is not under BIOS\Settings.

To verify that the TPM is enabled in Windows, press [Windows]+[R] and run "tpm.msc". "TPM Management" will show the TPM version of your system.


For more detailed information, you can visit the Microsoft website.
https://www.microsoft.com/en-us/windows/windows-11

TPM 2.0 (fTPM) Compatible Motherboard
This is NOT a Win11 compatible motherboard list; it simply means the motherboard BIOS supports fTPM.
Intel
Series       Chipset                                    CPU Supported
500 Series   Z590 / B560 / H510                         10th / 11th Gen
400 Series   Z490 / B460 / H410                         10th / 11th Gen
300 Series   Z390 / Z370 / B365 / B360 / H370 / H310    8th / 9th Gen
200 Series   Z270 / B250 / H270                         6th / 7th Gen
100 Series   Z170 / B150 / H170 / H110                  6th / 7th Gen
X299         X299                                       X-series 10000/9000/78xx

AMD
Series       Chipset
500 Series   X570S / X570 / B550 / A520
400 Series   X470 / B450
300 Series   X370 / B350 / A320
TR4 Series   TRX40 / X399
Link to motherboards whose BIOS supports the fTPM function

Unable to boot into the operating system after updating to a new Windows 11 compatible BIOS
1. Change BIOS\Settings\Advanced\BIOS CSM/UEFI Mode from UEFI to CSM mode
2. Convert the storage partition style
3. Change BIOS\Settings\Advanced\BIOS CSM/UEFI Mode from CSM back to UEFI mode
 
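An added PowerShell example (not from the original post) that performs the checks the post describes with tpm.msc and the compatibility tool from one elevated prompt: TPM family from the Win32_Tpm SpecVersion, UEFI boot and Secure Boot via Confirm-SecureBootUEFI, and the Virtualization-based security status that later posts in this thread discuss. The function name Get-Win11SecurityReadiness is the example's own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Reports the three items this thread cares about: TPM 2.0 present and ready,
# UEFI boot with Secure Boot capability, and Virtualization-based security (VBS).

function Get-Win11SecurityReadiness {
    $result = [ordered]@{}

    # TPM: Get-Tpm is from the built-in TrustedPlatformModule module.
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the TPM family,
    # which is what tpm.msc shows as "Specification Version".
    $tpm    = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $family = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $result['TpmPresent'] = [bool]$tpm.TpmPresent
    $result['TpmReady']   = [bool]$tpm.TpmReady
    $result['TpmFamily']  = $family
    $result['TpmIs2_0']   = ($family -eq '2.0')

    # Secure Boot: Confirm-SecureBootUEFI throws when Windows was booted via CSM/legacy
    # BIOS. Windows 11 needs Secure Boot *capable* firmware, not necessarily enabled,
    # but it does need UEFI boot (and therefore a GPT system disk).
    try {
        $result['BootMode']          = 'UEFI'
        $result['SecureBootEnabled'] = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result['BootMode']          = 'Legacy/CSM'
        $result['SecureBootEnabled'] = $false
    }

    # VBS: the item later posts report as not recognised in the Insider build.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsNames = @('NotEnabled', 'EnabledNotRunning', 'Running')
    $result['VbsStatus'] = if ($dg) { $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'unknown' }

    [pscustomobject]$result
}

$r = Get-Win11SecurityReadiness
$r | Format-List

if (-not $r.TpmIs2_0) {
    Write-Warning 'No TPM 2.0 reported: enable fTPM / TPM Device Selection in BIOS (see the post above), then re-check.'
}
if ($r.BootMode -ne 'UEFI') {
    Write-Warning 'Booted in CSM mode: convert the system disk to GPT and switch BIOS back to UEFI mode.'
}
```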
Thank you. I will double-check all that.

One question though... I think I read somewhere that when using a firmware TPM, the security codes reside in the CPU rather than on a physical TPM. If I then at some point upgrade my CPU, replacing it, all the codes are lost. If so, would that mean that I would be unable to access my hard drive?
 
I think I read somewhere that when using a firmware TPM, the security codes reside in the CPU rather than on a physical TPM.

Not true.
In both cases (TPM module or firmware) the encryption keys cannot be stored inside of the CPU.
Because if you turn the power off ... :biggrin:
The encryption keys are always stored on the encrypted drive.
 
Thank you. I will double-check all that.

One question though... I think I read somewhere that when using a firmware TPM, the security codes reside in the CPU rather than on a physical TPM. If I then at some point upgrade my CPU, replacing it, all the codes are lost. If so, would that mean that I would be unable to access my hard drive?
I would like to point out that if you do this, you will lose access to your hard drive unless you take careful steps beforehand. You cannot just change any hardware part without planning when you use Secure Boot and BitLocker.
 
I would like to point out that if you do this, you will lose access to your hard drive unless you take careful steps beforehand. You cannot just change any hardware part without planning when you use Secure Boot and BitLocker.
What "careful steps" do you recommend?
 
What "careful steps" do you recommend?
You will need to log in to your MS account on a second device to retrieve the key to activate your computer. I think you may also need two-factor authorization, or to use the Authenticator on your mobile phone. It is a pain in the [***CENSORED***], as just plugging your external USB SSD that has BitLocker enabled into a different USB port can trigger the lockout.
So before changing anything, go to your MS account and find your account access keys.

I am a big fan of two-factor login due to attempts from other countries to log in to my account.
To check yours, use this link: Review account activity

Looking at this you can see why I advise everyone to use two-factor login. I live in Australia and do not use a VPN.
 
What "careful steps" do you recommend?
Well, this depends on what exactly you are looking to do. But the general sequence is: turn off BitLocker, then turn off Secure Boot. Update the hardware and/or BIOS. Then you will need to turn on Secure Boot, maybe making sure default keys are loaded, then turn BitLocker back on once in the system. There will need to be reboots between the steps; don't try to do everything in one go. Whether you need to decrypt your drive first or just turn off BitLocker for a reboot depends on what you are doing. You don't have to use BitLocker* at all; personally I don't. If you do, make sure you have an account set up with Microsoft so you can recover, like @Alan J T says. Also, a Secure Boot violation may occur where the MS account backup might not help you, as the system could be locked before you even get to that point. Furthermore, FYI, AFAIK the keys are stored inside the CPU** when you use an fTPM, which is why I wouldn't use that method.
* For Win 11 it's looking like BitLocker is on by default; not sure if it can be turned off completely or not.
** AMD fTPM is located inside the CPU, while Intel fTPM is actually inside the chipset on the motherboard.
 
** AMD fTPM is located inside the CPU, while Intel fTPM is actually inside the chipset on the motherboard.

You are talking about the recovery key.
Again: the encryption keys are always stored on the encrypted drive.
You can backup the encryption keys before the hardware change and you don't need the recovery key in this case.
 
To make it clear, if you want to upgrade/change the motherboard, CPU, etc:
- you will need the current recovery key to suspend BitLocker
- if suspended, you can shut down and replace the component you want
- after restart you will log in as administrator and enable BitLocker again
But this time it won't ask for the recovery key!
And even more: it will update all the existing encryption keys based on the current hardware.
 
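The suspend, replace, resume sequence from the post above, as an added PowerShell script that is not part of the original thread. It must run as Administrator; the OS volume C: and the backup directory are placeholders to adjust, and the backup directory should be on a drive that is not itself BitLocker-protected.

```powershell
# Added example, not from the original thread. Run as Administrator before shutting
# down for a CPU / motherboard / BIOS change. $MountPoint and $BackupDir are placeholders.
param(
    [string]$MountPoint = 'C:',
    [string]$BackupDir  = 'E:\bitlocker-backup'   # a drive that is NOT BitLocker-protected
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    Write-Host "BitLocker protection on $MountPoint is already Off or suspended; nothing to do."
    return
}

# 1. Make sure a numerical recovery password exists and save it somewhere readable
#    without this PC. This is the key the recovery screen asks for if step 2 is skipped.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$outFile = Join-Path $BackupDir "bitlocker-$($env:COMPUTERNAME)-$($MountPoint.TrimEnd(':')).txt"
$recovery | ForEach-Object {
    "Protector ID:      $($_.KeyProtectorId)"
    "Recovery password: $($_.RecoveryPassword)"
} | Set-Content -Path $outFile
Write-Host "Recovery password saved to $outFile"

# 2. Suspend, do not decrypt. The data stays encrypted; BitLocker only stores a clear
#    copy of the volume master key in the volume metadata so the next boot does not
#    have to unseal it from the TPM. That is what survives the PCR changes a new CPU,
#    new firmware or a Secure Boot state change will cause.
#    RebootCount 0 keeps it suspended until Resume-BitLocker is run explicitly.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null

# 3. Confirm: VolumeStatus stays FullyEncrypted while ProtectionStatus shows Off.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

Write-Host "Shut down, change the hardware or flash the BIOS, re-enable fTPM and Secure Boot,"
Write-Host "boot into Windows, then run:  Resume-BitLocker -MountPoint $MountPoint"
Write-Host "Resuming reseals the key to the new TPM measurements; no recovery key prompt."
```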
Well dang, let's toss some fuel on the fire.
Win 11 installed on this build:

MSI MAG B550M MORTAR WIFI AM4 Micro-ATX Motherboard
AMD Ryzen 9 3900X 12 Core Socket AM4 3.8GHz CPU Processor
G.Skill Ripjaws V 32GB (4x 16GB) DDR4 3200MHz Memory
Radeon RX 5700 Has been flashed with the Radeon 5700 XT Bios
OS Drive PCIE 3x4 Patriot P300 1TB M.2
Game Drive Pioneer 2TB NVMe PCIe M.2 2280 Gen 3x4
Game Drive WD Blue 3D NAND 1TB PC SSD - SATA
Enermax REVOLUTION D.F Series 850W 80+ Gold Fully Modular Power Supply


and I get this.

All settings in BIOS are correct.
 
It's a known bug in the Insider build.
I have been looking into it; it looks like it is not recognising Virtualisation-based security for some reason.
And since it is an option in the BIOS I always had disabled, I don't know all that much about what it is for or how it works; UEFI and Secure Boot were all I ever had turned on in the BIOS, security-wise, up till now.
 
I get the same standard hardware security box on my Insider build, but when I boot back into 10 on the same machine with the same BIOS settings the item you highlighted in System Info shows as enabled. Just a bug right now, should be fixed in the future.
 
May I ask where you got this info? tbh, I'm just afraid because Windows is known for forcing us to upgrade and I don't want to be forced into an update I can't do.

Retirement date for Windows 10 Home and Pro: 10/14/2025

This would be awesome. I have a X570 Pro Carbon Wifi.

All mainboards from the last few years support it. A recent BIOS is advised for best function (they found some bugs in the TPM code a while back). A list of sorts is here:
 
Your system looks to be too old to be supported.
I don't like that answer. I have an older X79 system that runs really nice. It has a header for a TPM so therefore, you would think, they made the chip/board to plug to that header that works with the chipset.

I have had a read of the manual and it says to refer to the TPM security platform manual for more information. I don't think that was supplied on purchase. Information is really scarce. Of course, I want to keep up with Windows 11.
 
I don't like that answer. I have an older X79 system that runs really nice. It has a header for a TPM so therefore, you would think, they made the chip/board to plug to that header that works with the chipset.

I have had a read of the manual and it says to refer to the TPM security platform manual for more information. I don't think that was supplied on purchase. Information is really scarce. Of course, I want to keep up with Windows 11.
Microsoft are setting the min spec and they have so far said no to a lot of computers out there. X79 will not be supported.
 