Microsoft Lists Why TPM, Secure Boot Are Mandatory on Windows 11
When Microsoft announced Windows 11 more than three years ago, it was immediately controversial, not only because of its unconventional interface but also because of its steep hardware requirements, such as TPM and Secure Boot, which left many otherwise capable systems unable to run Windows 11 officially.
Microsoft has repeatedly explained why features like TPM (Trusted Platform Module) 2.0, VBS (Virtualization-based Security), and Secure Boot matter for Windows 11 PCs. It requires that a PC support these features in order to run Windows 11 because of the security benefits they provide, and it has released visual demos to explain how they work.
Recently, alongside the Windows 11 24H2 feature update, Microsoft revised one of the support articles on its official website, titled 'Automatic Device Encryption via BitLocker' (a feature Microsoft calls "Auto-DE"). Notably, the document now spells out why TPM and Secure Boot are required for Device Encryption.
Below is the relevant section of the support document before the edit.
Why is Device Encryption not available?
Here are the steps to determine why Device Encryption might be unavailable:
1. From the Start menu, type System Information, right-click System Information in the results list, and then select Run as administrator.
2. In the System Summary - Item list, look for the value Automatic Device Encryption Support or Device Encryption Support.
- The value provides the reason why Device Encryption cannot be enabled.
- If the value shows Meets prerequisites then Device Encryption is currently available on your device.
And here is the same section after the edit.
Why is Device Encryption not available?
Here are the steps to determine why Device Encryption might be unavailable:
1. From the Start menu, type System Information, right-click System Information in the results list, and then select Run as administrator.
2. In the System Summary - Item list, look for the value Automatic Device Encryption Support or Device Encryption Support.
The value describes the support status of Device Encryption:
- Meets prerequisites: Device Encryption is available on your device.
- TPM is not usable: Your device does not have a Trusted Platform Module (TPM), or TPM is not enabled in the BIOS or UEFI.
- WinRE is not configured: Your device does not have Windows Recovery Environment configured.
- PCR7 binding is not supported: Secure Boot is disabled in BIOS/UEFI, or you have peripherals connected to your device during boot (such as a dedicated network interface, docking station, or external graphics card).
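The two-step check above reads a single summary value out of System Information. The following script is an added example, not code from Microsoft's article, that tests each underlying prerequisite directly with cmdlets and tools built into Windows, so you can see which one is failing. The result labels and the text matching on the output of reagentc and manage-bde are this script's own assumptions, based on the English-locale output layout; run it from an elevated PowerShell session.

```powershell
# Added example (not from Microsoft's support article): check the prerequisites behind the
# "Device Encryption Support" value one by one. Requires an elevated PowerShell on Windows 10/11.
#Requires -RunAsAdministrator

$result = [ordered]@{}

# 1. TPM present and ready (corresponds to "TPM is not usable")
try {
    $tpm = Get-Tpm   # TrustedPlatformModule module, ships with Windows
    $result['TPM usable'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
} catch {
    $result['TPM usable'] = $false
}

# 2. Secure Boot enabled (corresponds to "PCR7 binding is not supported")
try {
    $result['Secure Boot'] = Confirm-SecureBootUEFI   # throws on legacy BIOS / CSM systems
} catch {
    $result['Secure Boot'] = $false
}

# 3. Windows Recovery Environment configured (corresponds to "WinRE is not configured")
# Assumption: English output containing a line "Windows RE status: Enabled"
$reagent = (& reagentc.exe /info) -join "`n"
$result['WinRE enabled'] = [bool]($reagent -match 'Windows RE status:\s+Enabled')

# 4. Which PCR validation profile BitLocker is actually using on the OS volume.
#    "7, 11" means the key is bound to Secure Boot state; "0, 2, 4, 11" is the legacy profile.
try {
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result['BitLocker protection'] = $osVol.ProtectionStatus
    $tpmProtector = $osVol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*'
    if ($tpmProtector) {
        # Assumption: manage-bde prints "PCR Validation Profile:" followed by the PCR list on the next lines
        $match = (& manage-bde.exe -protectors -get $env:SystemDrive) |
                 Select-String 'PCR Validation Profile' -Context 0, 2
        $result['PCR profile'] = if ($match) { ($match.Context.PostContext -join ' ').Trim() } else { 'not reported' }
    } else {
        $result['PCR profile'] = 'no TPM protector yet (volume not encrypted)'
    }
} catch {
    $result['BitLocker protection'] = 'BitLocker cmdlets unavailable on this edition'
}

[pscustomobject]$result | Format-List
```

If 'TPM usable', 'Secure Boot' and 'WinRE enabled' are all True but System Information still reports "PCR7 binding is not supported", detach docks and add-in cards with option ROMs and reboot before checking again, since their signers are measured into PCR7 as well.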
The article basically details what those missing 'prerequisites' are: TPM, WinRE (Windows Recovery Environment), and Secure Boot.
Additionally, Microsoft also mentions PCR7. A PCR, or Platform Configuration Register, is a register inside the TPM that holds a running hash of boot measurements: it cannot be written directly, only "extended" (new value = hash of old value concatenated with the new measurement), so its value after boot commits to everything that was measured into it and in what order. PCR7 is where the firmware records the Secure Boot policy (the SecureBoot state and the PK, KEK, db and dbx variables) and which db certificate authorised each boot component. BitLocker seals its volume key to this register, so the TPM releases the key only if PCR7 holds the expected value when the key is requested; if the Secure Boot configuration or the signer of the boot chain has changed, PCR7 differs, the key stays sealed, and BitLocker prompts for the recovery key instead of booting unattended.
This is where Secure Boot comes into play. PCR7 binding requires Secure Boot to be enabled and the Windows boot manager to have been verified under the Microsoft Windows Production PCA 2011 certificate. If the firmware does not record that, BitLocker cannot use the Secure Boot profile (PCRs 7 and 11) and falls back to the legacy profile that measures the boot code itself (PCRs 0, 2, 4 and 11), which is more fragile across firmware updates and attached peripherals, and Device Encryption reports "PCR7 binding is not supported".
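To make the PCR7 mechanism concrete, here is an added example that is not code from Microsoft or from the article. It simulates how firmware extends PCR7 during boot and why a key sealed to it is released only when the Secure Boot state and the boot manager's signer are unchanged. The extend rule (new PCR = SHA-256 of old PCR concatenated with the measurement) is the real TPM 2.0 operation; the event strings, the signer names and the "sealed key" check are constructed stand-ins for real TCG event-log digests and TPM policy sessions.

```powershell
# Added example: a simulation of PCR7 measurement and key sealing, not Microsoft's implementation.
# Measurements below are constructed labels hashed with SHA-256; real firmware logs binary digests.

$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Get-Digest([string]$Text) {
    $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
}

function Invoke-PcrExtend([byte[]]$Pcr, [byte[]]$Measurement) {
    # TPM2_PCR_Extend: a PCR can never be set directly, only extended, so the final
    # value commits to every measurement that went in and to their order.
    $sha256.ComputeHash([byte[]]($Pcr + $Measurement))
}

function Measure-Pcr7([bool]$SecureBootEnabled, [string]$BootManagerSigner) {
    $pcr = New-Object byte[] 32    # all zeros after TPM reset
    # EV_EFI_VARIABLE_DRIVER_CONFIG events: Secure Boot state and the policy variables
    $pcr = Invoke-PcrExtend $pcr (Get-Digest "SecureBoot=$([int]$SecureBootEnabled)")
    foreach ($var in 'PK', 'KEK', 'db', 'dbx') {
        $pcr = Invoke-PcrExtend $pcr (Get-Digest "variable:$var")
    }
    # EV_EFI_VARIABLE_AUTHORITY event: the db entry that authorised the boot manager.
    # Firmware only logs this when Secure Boot verification actually ran (simplification).
    if ($SecureBootEnabled) {
        $pcr = Invoke-PcrExtend $pcr (Get-Digest "authority:$BootManagerSigner")
    }
    [System.BitConverter]::ToString($pcr) -replace '-'
}

function Test-VolumeKeyRelease([string]$SealedToPcr7, [string]$CurrentPcr7) {
    # Stand-in for the TPM policy check: the sealed blob is released only on an exact PCR match.
    if ($CurrentPcr7 -eq $SealedToPcr7) { 'volume key released: unattended boot' }
    else { 'PCR7 mismatch: key stays sealed, BitLocker asks for the recovery key' }
}

$windowsSigner = 'Microsoft Windows Production PCA 2011'
# Value BitLocker sealed the key to when Device Encryption was turned on
$sealedPcr7 = Measure-Pcr7 -SecureBootEnabled $true -BootManagerSigner $windowsSigner

# Same firmware state, Secure Boot still on, same signer: boots without prompting
Test-VolumeKeyRelease $sealedPcr7 (Measure-Pcr7 $true $windowsSigner)
# Secure Boot switched off in UEFI setup: PCR7 differs, so the key is not released
Test-VolumeKeyRelease $sealedPcr7 (Measure-Pcr7 $false $windowsSigner)
# Secure Boot on, but the boot manager was verified by a different db entry
Test-VolumeKeyRelease $sealedPcr7 (Measure-Pcr7 $true 'Microsoft Corporation UEFI CA 2011')
```

The first call prints the "released" message and the other two print the mismatch message, which is the behaviour behind the "PCR7 binding is not supported" status: Device Encryption declines to bind to PCR7 unless the measured Secure Boot state and signer are the ones it expects to see on every subsequent boot.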
The renewed interest in BitLocker and encryption on Windows 11 24H2 arose when the Redmond giant unexpectedly relaxed the OEM requirements for Auto-DE on the latest version of Windows, so that even home PCs are now encrypted automatically. Shortly afterwards, the company also released a handy backup and recovery guide for BitLocker keys.
Not long ago, Microsoft also reaffirmed TPM 2.0 as a non-negotiable requirement for its operating system.