Microsoft's muddled message: The necessity of TPM in Windows 11
Recently, Microsoft has encountered difficulties in clearly communicating the hardware requirements of Windows 11 and the reasons for the necessity of TPM. The explanations provided have been largely vague, even though the subject can be conveyed in a simpler and more accurate manner.
The most coherent explanation of the need for TPM, albeit still somewhat disorganised, is a video from the MS Mechanics channel released over three years ago. It uses examples to demonstrate the types of attacks that are mitigated by using TPM. Unfortunately, it discusses everything simultaneously, incorporating issues related to RDP, Secure Boot, DMA protection, and UEFI, which gives the impression that these topics are more intertwined than they truly are.
Nevertheless, this offers a more straightforward explanation than Microsoft's December write-up, which extolled TPM with points like compliance with ISO standards, "isolation of cryptographic processes and keys" (a semantic stretch), Windows Hello, BitLocker, and "preparation for future use in the age of AI." While the earlier explanation was disorderly, the current one merely asserts that TPM is beneficial, and hence that it will be compulsory.
Why TPM?
To accurately convey the benefits of TPM, it is essential to distinguish and individually address several related technologies. Even Windows itself, through the Windows Security window, presents these issues separately, indicating missing, partial, or full compliance with the new hardware security model. What does this compliance involve, or rather – what will be lacking without it?
Without installation in UEFI mode (a new bootloader instead of the traditional MBR), you will miss out on support for Secure Boot, implying that the computer will be unable to prevent the loading of malicious software that starts before drivers and antivirus programs (such as the most aggressive rootkits and ransomware). Computers with UEFI have been accessible for about 12 years.
Hardware security
An adequately recent UEFI version also allows for the activation of DMA protection, which can halt malicious Thunderbolt devices from directly accessing memory and attempting to bypass security measures. Thunderbolt devices with USB-C connectors were introduced in 2015. The presence of Thunderbolt ports nearly ensures support for DMA protection.
Memory integrity protection (code integrity, HVCI) introduces mechanisms that prevent malicious software from operating on the system kernel, which theoretically has read/write rights to the memory where the kernel is loaded. CI forces drivers to follow strict memory management discipline. Platforms with drivers adhering to this discipline have only been developed since 2018.
HVCI, however, has further requirements. Since the entire mechanism utilises virtualisation, it requires SLAT, IOMMU, UEFI 2.6, and Secure Boot. For cryptographic needs, it also requires... TPM 2.0. Beyond HVCI, the need for TPM 2.0 arises from other functionalities.
Windows' Cryptography API: Next Generation (CNG) unlocks private certificate keys using the TPM. Windows also supports virtual smart cards stored as entries in the TPM. Hardware keys and biometrics used for authentication within Windows Hello for Business can also be secured with the TPM.
BitLocker... somewhat
Finally, TPM is also utilised by BitLocker (although it only needs version 1.2). This applies even in the variant with a PIN. When the TPM detects a change in the boot environment it measured, it locks and the BitLocker recovery key must be entered, which prevents criminals from accessing the data. The idea behind Windows 11's stringent requirements is to ensure that the premises on which the system's security state rests can neither be forged (TPM) nor extracted from memory (HVCI, DMA protection, Secure Boot).
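The items above (UEFI mode, Secure Boot, TPM presence and version, HVCI, DMA protection, BitLocker protectors) can be checked on a given machine with a few built-in cmdlets and CIM classes. This is an added PowerShell example, not code from the article or from Microsoft; it assumes an elevated session on Windows 10/11 where the Win32_Tpm and Win32_DeviceGuard classes are available, and the report keys are names chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example: report each Windows 11 hardware-security item separately,
# much as the Windows Security app does. Win32_Tpm needs admin rights.

function Get-SecurityBaselineReport {
    $report = [ordered]@{}

    # Firmware mode: UEFI is the prerequisite for Secure Boot and DMA protection.
    $report['Firmware mode'] = $env:firmware_type          # 'UEFI' or 'Legacy'

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines.
    try   { $report['Secure Boot'] = Confirm-SecureBootUEFI }
    catch { $report['Secure Boot'] = 'Not supported (legacy BIOS)' }

    # TPM presence and spec version (2.0 for HVCI/Windows 11; BitLocker accepts 1.2).
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $report['TPM present'] = $true
        # SpecVersion looks like '2.0, 0, 1.38'; the first field is the spec level.
        $report['TPM spec']    = ($tpm.SpecVersion -split ',')[0].Trim()
    } else {
        $report['TPM present'] = $false
    }

    # Virtualisation-based security: HVCI running (2) and DMA protection
    # available (3) are reported as codes by Win32_DeviceGuard.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard
    $report['HVCI running']            = $dg.SecurityServicesRunning     -contains 2
    $report['DMA protection available'] = $dg.AvailableSecurityProperties -contains 3

    # BitLocker: which protector types guard the OS drive. The BitLocker module
    # is absent on Home edition, so test for the cmdlet before calling it.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $types = ($bl.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
        $report['BitLocker'] = "$($bl.ProtectionStatus); protectors: $types"
    } else {
        $report['BitLocker'] = 'Not available on this edition'
    }

    [pscustomobject]$report
}

Get-SecurityBaselineReport | Format-List
```

"DMA protection available" reports firmware/platform support, not that every port is currently protected; compare with the Kernel DMA Protection line in msinfo32 for the effective state.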
All of these mechanisms are optional, yet they are only superfluous if the computer is used solely for leisure. If we are unconcerned about identity theft, the theft of our work and passwords, or undetectable spying, then the "new" (i.e., introduced since 2012) security mechanisms are indeed unnecessary.
Even using a PC only for gaming does not justify complacency in the era of ubiquitous accounts and subscriptions. Microsoft, for its part, acknowledges the consequences of password leaks today and implements protective measures even in laptops with the Home edition of the system.
Not this era
The days when the only important password was an email without two-factor authentication – whose compromise would have been merely a temporary nuisance – are definitively over. Although Microsoft appears unable to effectively communicate new needs from a marketing perspective, its technical documentation dispels all doubts. Nevertheless, Windows 11 can function without all these security features and remains installable even on sixteen-year-old Nehalem processors.