This is why the Windows 11 TPM 2.0 is non-negotiable for Microsoft

Microsoft has set out its argument for why Windows 11 upgrades need TPM chips, following widespread confusion this week after the system upgrade checker warned people with even high-end PCs that they fell short of the new OS' requirements. Announced yesterday, Windows 11 debuts a new UI, Android app support, and new pen features, but it's security where Microsoft is really doubling-down.

Problem is, the way they've decided to do that is by using a TPM 2.0, or Trusted Platform Module 2.0. It's a chip that stores things like encryption keys and account credentials, usually attached to either the PC motherboard or its processor, but not every system has one – or has it turned on.

That requirement, plus a fairly oblique message in the PC Health Check tool that assesses existing computers for Windows 11 compatibility, threatened to overshadow the security message this week, however. Now, in a new article posted to the Windows Security Blog, Microsoft's David Weston, Director of Enterprise and OS Security, has been explaining the thinking behind the decision.

"PCs of the future need this modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states," Weston argues. "Requiring the TPM 2.0 elevates the standard for hardware security by requiring that built-in root-of-trust."

Any Windows 11 certified system will include a TPM 2.0 chip by default. It'll be part of a suite of security tools – including the ability to swap using passwords for Windows Hello, and hardware-enforced stack protection on supported Intel and AMD systems – that new PCs include out of the box.

"The new set of hardware security requirements that comes with this new release of Windows is designed to build a foundation that is even stronger and more resistant to attacks on certified devices," Weston says. "We know this approach works – secured-core PCs are twice as resistant to malware infection."

There are, Weston points out, plenty of existing PCs – from manufacturers like Acer, ASUS, Dell, HP, Lenovo, Panasonic, and others – with TPM 2.0 support. Some may, of course, require the TPM be enabled at the BIOS level; that's likely to be something we hear OEMs talk about more in the coming months.

If you built your own PC, however, you could have a cutting-edge rig on your desk that doesn't have the one little chipset that helps Windows 11 reach its full potential. That's good news for driving upgrades, but a whole pit of confusion for existing Windows users wondering why their path to a free Windows 11 upgrade isn't entirely straightforward.