Since Microsoft’s announcement of Windows 11 yesterday, one concern has reverberated around the Web more loudly than any other—what’s this about a Trusted Platform Module requirement?
Windows 11 is the first Windows to require a TPM, and most self-built PCs (and cheaper, home-targeted OEM PCs) don’t have a TPM module on board. Although this requirement is a bit of a mess, it’s not as onerous as millions of people have assumed. We’ll walk you through all of Windows 11’s announced requirements, including TPM—and make sure to note when all this is likely to be a problem.
General hardware requirements
Although Windows 11 does bump general hardware requirements up some from Windows 10’s extremely lenient minimums, it will still be challenging to find a PC that doesn’t meet most of these specifications. Here’s the list:
- CPU—1GHz or faster, two or more cores, x86_64 or ARM64 only
- RAM—4GiB or more
- Storage—64GB minimum for installation… but we’d recommend at least 128GB for a vaguely normal system
- Graphics—Compatible with DX12 or later, with WDDM 2.0 driver
- Firmware—UEFI, Secure Boot capable
- TPM—Trusted Platform Module 2.0 is listed as a minimum requirement; TPM 1.2 may or may not be “good enough.” But read on before throwing your hands up in despair!
- Display—720P minimum resolution, nine-inch minimum diagonal measurement, 8 bits per color channel or higher.
In addition to those hardware requirements, Windows 11 Home requires Internet connectivity and a Microsoft cloud account. The Microsoft account and Internet connectivity are only mandatory for Home—not Pro. No word yet on whether there will be a workaround, like the current “don’t plug the network cable in until after setup” dance.
The CPU requirement may be more or less of a problem than it initially seems. Microsoft has a relatively short list of supported CPUs from three major manufacturers (AMD, Intel, and Qualcomm) that generally goes back to Ryzen 2500 or Intel 8th generation Core—no farther. We’re not certain how trustworthy that list is, though. We strongly suspect Windows 11 will work fine on many considerably older processors.
If Microsoft codes a hardware requirement checklist into the installer or boot sequence, many CPUs that would otherwise have worked well will be unusable. This seems fairly unlikely, but (pardon the well-worn expression) only time will tell for certain.
A closer look at the Trusted Platform Module requirement
Most build-your-own-PC motherboards, even flagship boards, don’t come with a hardware TPM module installed. However, most of those boards do theoretically support hardware TPM, with a special 19-pin header ready to plug one in. Honestly, it’s a very niche, specialty device that vanishingly few users have ever purchased.
At least, very few people bought optional hardware TPM until yesterday, after seeing the Windows 11 requirements and subsequently panicking. Within hours of Microsoft Chief Product Officer Panos Panay’s Windows 11 introduction, the entire stockpile of most manufacturers’ readily available TPM modules was sold out by Windows 10 users trying to make certain they could run 11.
If you didn’t get one of the few TPM modules available yesterday, don’t panic—you almost certainly didn’t need one. OEM hardware TPM is generally considered the most hardened version, and it’s soldered directly to the board in PCs intended for enterprise use. And less-hardened firmware TPM support is built right into modern AMD and Intel processors, and that will satisfy Windows 11’s TPM requirement just fine.
It’s a bit difficult to get a complete, accurate list of all CPUs with support for onboard, firmware-based TPM, largely because the demand for it was fairly low until this week. As far as we can see, every x86_64 CPU on Microsoft’s supported processor lists does include that support.
Intel calls its firmware-based TPM iPPT (Intel Platform Protection Technology), and AMD calls its own fTPM (Firmware Trusted Platform Module). Generally speaking, iPPT shows up in most Haswell (4th-gen Core) CPUs, although the K-series gaming models inexplicably fail to get iPPT until Skylake (6th-gen Core). On the AMD side, we see fTPM show up with Ryzen 2500 and up.
There is one more gotcha to navigate, though. Although the vast majority of semi-modern CPUs support firmware TPM, almost all motherboards ship with it disabled in BIOS. So you’ll need a three-finger salute and a deep dive through the “advanced” part of your machine’s BIOS to try to find and enable that support if you need it.
OEM motherboards are just as likely to have fTPM disabled by default—and unfortunately, they frequently don’t expose the setting to enable it, even when the CPU otherwise supports it. If you’ve got a pre-built system from Dell or HP that didn’t include a hardware TPM, you could be stuck with no way forward.
To determine whether TPM support is available and working under Windows, run the command tpm.msc. This will spawn a TPM dialog that shows whether you have TPM support and what version (1.2 or 2.0) it is. (You can also interact with the TPM by clearing or “preparing” it, but that’s not something you need to do or should do unless specifically asked. Messing with your TPM can permanently brick BitLocker volumes, and it might even de-activate Windows in some cases.)
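The same check can be scripted. The following is an added example, not part of the original article: it reads the TPM state with the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class from an elevated PowerShell prompt, and only queries the TPM without clearing or preparing it. The function name Get-TpmReadiness and the MeetsTpm20 field are made up for this illustration.

```powershell
# Added example: read-only TPM check. Run from an elevated PowerShell prompt.
# Get-TpmReadiness is a hypothetical helper name, not a built-in cmdlet.
function Get-TpmReadiness {
    # Get-Tpm reports whether Windows can see a TPM at all. A firmware TPM
    # that is disabled in BIOS setup shows up here as TpmPresent = False.
    $tpm = Get-Tpm

    # Win32_Tpm carries the specification version; it returns nothing
    # when no TPM is exposed to the operating system.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # SpecVersion is a string such as "2.0, 0, 1.38"; the first field is
    # the TPM version the article refers to (1.2 or 2.0).
    $specVersion = $null
    if ($wmi -and $wmi.SpecVersion) {
        $specVersion = ($wmi.SpecVersion -split ',')[0].Trim()
    }

    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        SpecVersion  = $specVersion
        Manufacturer = $tpm.ManufacturerIdTxt
        # True only when a TPM is visible and it reports version 2.0,
        # the minimum listed in the requirements above.
        MeetsTpm20   = [bool]($tpm.TpmPresent -and $specVersion -eq '2.0')
    }
}

Get-TpmReadiness | Format-List
```

If TpmPresent comes back False on a CPU that supports firmware TPM, the setting is most likely still disabled in BIOS setup, as described above.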
Let’s talk about UEFI and Secure Boot
Microsoft lists Universal Extensible Firmware Interface (UEFI) support and Secure Boot capability as hard requirements for Windows 11. Much like the CPU requirements, we’re hesitant to take it at face value right now.
The requirement for UEFI seems likely to be just what it says on the tin—no more legacy BIOS installs for anyone!—but we think there might be a slight odor of weasel in the phrasing “Secure Boot capability.” We won’t know for sure until Windows 11 Insider images start becoming available, but we suspect that “capability” is likely an important word. Secure Boot itself may not be mandatory.
If you’re rocking a pre-built OEM PC, these requirements aren’t likely to affect you. Any system with both CPU and TPM support modern enough to run 11 will have UEFI firmware, and its current Windows 10 installation will be running on it.
But if you built your own PC, you may have an annoying problem. Most enthusiast boards allow booting from either BIOS or UEFI, and if you installed Windows under BIOS, you won’t be able to simply convert it to UEFI. With enough determination and technical ability, it’s possible to Frankenstein a BIOS installation of Windows into new life under UEFI, but it’s simply not going to be worth it for most Windows users, who will need to do a clean reinstall.
The problem becomes even more significant for those running virtual machines. Several virtualization platforms (including Linux KVM) default to BIOS rather than UEFI boot for guests. That’s simpler, it generally boots quicker, and it’s been around a lot longer. Why fix what’s not broken? If your daily driver Windows 10 VM is booting from BIOS, you’ll be stuck with the same can’t-get-there-from-here issues that PC builders who selected a BIOS boot had.
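To see which side of the BIOS/UEFI divide an existing Windows 10 installation (physical or virtual) is on, the following added example, which is not part of the original article, reports the firmware mode, the Secure Boot state, and the partition style of the system disk using built-in cmdlets. The function name Get-FirmwareReadiness and its output field names are made up for this illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only firmware and Secure Boot check. Run elevated.
# Get-FirmwareReadiness is a hypothetical helper name, not a built-in cmdlet.
function Get-FirmwareReadiness {
    # BiosFirmwareType is "Uefi" or "Bios" for the mode Windows booted in.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI returns True/False on UEFI systems and throws
    # on a legacy-BIOS boot, so the BIOS case is handled explicitly.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] {
        $secureBoot = 'NotSupported'
    }
    catch {
        $secureBoot = "Unknown: $($_.Exception.Message)"
    }

    # The system disk of a BIOS installation is normally MBR; a UEFI
    # installation of Windows boots from a GPT disk.
    $systemDisk = Get-Disk | Where-Object IsSystem | Select-Object -First 1

    [pscustomobject]@{
        FirmwareType    = "$firmware"
        SecureBoot      = $secureBoot
        SystemDiskStyle = "$($systemDisk.PartitionStyle)"
        # True when the current installation already boots through UEFI.
        BootsViaUefi    = ("$firmware" -eq 'Uefi')
    }
}

Get-FirmwareReadiness | Format-List
```

A result of FirmwareType Bios with SystemDiskStyle MBR is the BIOS-installed case discussed above, whether on a self-built PC or inside a VM guest.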