Security Expert Explains TPM 2.0 & Secure Boot | Ask A PC Expert

  • Published: 21 Aug 2024

Comments • 752

  • @PimptatoPCs 3 years ago +91

    TPM is responsible for countless people thinking they had a USB 3.0 header on their circa 2010 mobo.

  • @kristian80au 3 years ago +200

    Would like to see more of this person in the future, great conversation!

    • @FreedomForAll2013 3 years ago +8

      Yeah smart and polite and professional that guy

    • @ColinTimmins 3 years ago +4

      I agree, very nice guy and makes for a good "interviewee". Polite and entertaining. =]

    • @castcrus 3 years ago +2

      Reminds me of my cyber security unit teacher back in the uni, almost the same age, same down to earth friendly vibe, and definitely a professional. Makes me seriously consider if I should pursue a career in cyber security.

    • @melgibson6240 3 years ago

      lol he's a total sock puppet.

    • @waynepage8570 1 year ago

      guess after 4 years time to buy another pc guess an i 7 with max ram and ssd not pass Bs

  • @thomaspedersen6442 2 years ago +9

    It looks like Microsoft didn't back down on their requirements for security features after all.

  • @KubeSquared 3 years ago +269

    Are there any TPM modules with RGB on them? This is a very important question!

    • @yumri4 3 years ago +3

      why would you put RGB onto a PCB with 1 chip? It is that small for several reasons but most of all to not take up space. If you wanted to you could buy the TPM module and RGB lights like the ones that flex then use the RGB lighting to go over the TPM module as most if not all of them plug into the motherboard and have very little space between them and the thing the motherboard is on.

    • @vijaykumar-to5vd 3 years ago +38

      @@yumri4 every hardware has to be RGB even comodos why would any one want without RGB. RGB is must, even food has to be in RGB only

    • @photonboy999 3 years ago +16

      @@yumri4 ,
      UM... it was a joke (did you watch the end of the video?). Plus, obviously a TPM module is far too small to put an LED on, nor would there be sufficient space left in a typical ATX case to hold all the photons it would emit.

    • @MadsterV 3 years ago +8

      it would run faster

    • @dakoderii4221 3 years ago +13

      Linus: "and water cooled!"

  • @EagleEye-MJG 3 years ago +43

    Way too many Tech Channels are overlooking this level of USEFUL dialog & communication.👏👏 They're way too engrossed in the next expensive gadget to push.🙄

  • @MasterKoala777 3 years ago +42

    I’m only 5 minutes into the video and already learned a lot. Awesome interview and guest!

  • @rh4009 3 years ago +8

    TPM is there to protect Microsoft, Warner Bros, et al., from YOU, making it harder for YOU to make backups of your content, games, etc. It also makes you a tenant on the computer you think you own.
    It is part and parcel of the Software as service plan. It allows the developer to control when the software you rent stops running.

  • @SinisterPuppy 3 years ago +16

    Thing that gets me about this requirement. Even if your keys are secured in the TPM, for say Bitlocker, once you're in userland those keys become memory resident. Most exploits are software based; it's not that hard to execute manage-bde -protectors C: -get or various powershell commands to get the recovery key.
    For me in the past 20yrs maybe only 5% of security breaches have been physical theft. Most are like hafnium, an exploit on an already running (unlocked) system. I 100% get this for HIPAA/PCI compliance, business clients, and mobile devices. For home desktop users though, hmmm.

    • @user-hk3ej4hk7m 3 years ago +1

      You need administrative privileges to get the recovery key. With administrative privileges you can also just dump the decrypted drive. Bitlocker can only do so much, Microsoft should consider that most people don't have any idea of what "yes" on a UAC prompt means.
      Only rootkits are impossible to defend against by the OS itself, that's why secure boot is also a requirement. Without rootkits Windows Defender will always be able to scan the system, if there's malware that's able to exploit some privilege escalation vulnerability, to try to get the bitlocker keys, defender will likely kill it before it runs.

    • @rapiddu6482 3 years ago +4

      Ever heard of Memory Integrity (HVCI)?
      Surprise surprise it is only available in processor 8th gen and up using specialised hardware embedded in the CPU.
      From here you're intelligent enough to see why the 8th gen and up requirement for win11. It not only turns all these security features ON by default but makes it a mandatory requirement of the OS.
      PS: You can simulate software based memory integrity but it really affects system performance by up to 40% depending on memory size and CPU raw power. Definitely not recommended.

    • @SinisterPuppy 3 years ago +1

      @@user-hk3ej4hk7m Look at the current print spooler exploit. There have been ways to bypass UAC in the past and get an elevated powershell prompt. Not saying more security is bad, just forcing it as a requirement on those of us who know how insecure Windows will always be is a sick joke.

    • @SinisterPuppy 3 years ago

      @@rapiddu6482 Thanks both of you for replying. Gave me some things to read up on. techcommunity.microsoft.com/t5/windows-it-pro-blog/comprehensive-protection-for-your-credentials-with-credential/ba-p/765314 (hopefully YT doesn't delete this link)
      While I agree this is awesome tech; finally plugging the mimikatz hole; I don't see why they are going to make this a hard requirement. What if I don't want the hyperv roles enabled on my system? I've had issues in the past running other hypervisors (Virtualbox / Vmware workstation) while it's enabled.
      Hope it ends up being enforced on OEM systems, but optional for those of us who are confident in our computing habits.

    • @rawhide_kobayashi 3 years ago +2

      @@SinisterPuppy and in the end none of it matters when your average luser downloads exe and lets it run as admin anyway

  • @jgordon2925 3 years ago +12

    Microsoft, biggest e-waste creator of the 21st century

  • @bertnijhof5413 3 years ago +7

    Of course Windows 11 only supports TPM 2.0, that is newer and has the NSA backdoor implemented. That is why Microsoft has added the approved Windows 11 CPU list. A list that does NOT support some Intel CPUs with TPM2.0, because the NSA backdoor is missing.
    If you want to keep the US government out of your system, only use CPUs that are NOT on the Windows 11 approved CPU list. Using Linux might help too.

  • @williammurdock3028 3 years ago +38

    how can TPM 2.0 protect us from microsoft

    • @mrtuk4282 3 years ago +5

      Hahhahaahahaha Brilliant comment - best ever !

    • @user-hk3ej4hk7m 3 years ago +4

      Use Linux and sign your kernel with your own keys. OEMs are required to provide an option to use custom keys for secure boot. From Linux you can save LUKS keys on the TPM and set it up so that it decrypts the drive automatically.

    • @mrtuk4282 3 years ago +1

      @@user-hk3ej4hk7m What happens if you get a motherboard failure, can you just move the system to an identical system or is your drive locked to that dead motherboard ?

    • @user-hk3ej4hk7m 3 years ago +1

      @@mrtuk4282 Of course you can do that, you only need to keep a backup of the encryption keys somewhere safe. Bitlocker as well gives you the option to store the keys in your Microsoft account. It's just part of data hygiene

    • @mrtuk4282 3 years ago

      @@user-hk3ej4hk7m well with Home users forced to have a MS account then that makes them all safe then ! But if the m/b fails will putting new m/b allow you to boot up into windows so you can access your ms acc ? Backing up encryption keys sounds interesting for hackers using malware !

  • @jamest2861 3 years ago +6

    Secure boot is going to cause a lot of problems. Once you turn it on, now it might not recognize your drives, your GPU or even your memory. And you won't even be able to boot into BIOS to turn it back off. In essence rendering your motherboard into a paper weight. And the solution by Microsoft will be to replace your computer with one that has windows 11 already loaded! I suggest to anyone trying to make these adjustments in their BIOS to have a dual BIOS board such as gigabyte so when you destroy one BIOS you have another one left to try to run windows 11 or switch back to windows 10.

    • @briankane7440 3 years ago

      This is not true. You can enter BIOS and turn off secure boot again, or to update the allowed keys. The biggest issue would be if your video driver key is not signed or not permitted then you will not have video, but you can use serial potentially.

    • @Nnda8731 3 years ago

      Bruh fake news much? Sounds like the hackers are hella pissed off their lives are getting 10x harder

    • @02091992able 3 years ago

      If it doesn't recognize an OS and the drive it's on, that is because it's an OS running on what is called Legacy BIOS. Windows 10 at least has a command prompt command that can convert an OS and drive from running on Legacy BIOS to UEFI or GPT without harming the OS or drive. Disable secure boot and it should come back up.

  • @Trifler500 3 years ago +8

    16:15 - Note that you do need to be logged in as an administrator for the TPM Console to work. It will say so if you're not.

  • @Nurpus 3 years ago +21

    Gotta love how the expert carefully and clearly explains what those technologies are, just to pull the rug and say with 100% confidence that Microsoft is not gonna require them 😂

    • @arsonfly 1 year ago +1

      I'm from the future and Windows 11 requires them to install. There are ways around it but it's not very secure.

    • @PaperBagMan884 1 year ago +1

      That didn’t age well lol

  • @kwl189 3 years ago +7

    With or without tpm or secure boot, I for one will not be updating to windows 11 no matter what. Nothing ever works properly when released by corporations these days. I’m fed up with paying top dollar for shit that doesn’t work as advertised and to a standard that I agreed to when making my purchasing decision.

  • @johnstancliff7328 3 years ago +10

    Right now, TPM modules are extremely hard to buy. I have an MSI motherboard, and when I bought mine in 2011, I added the TPM module at that time. Now 10 years later, Windows 11 comes out and the module is outdated. I tried to check to see if the newer module was available, and it wasn't. When I enable the existing TPM, Windows 10 doesn't see it. I can't tell if the module is good or not. For a lot of computers, the TPM module is missing; it was offered as an option and was available until now. MSI, Asus, and others are having issues with this requirement. A lot of people don't even know what this is all about... this is really causing issues with consumers.

    • @liaminwales 3 years ago +2

      There is no panic or rush to upgrade, win 10 will have support for a long time so you don't need to rush out to buy anything.
      As always wait for other people to test the OS find the bugs and let Microsoft patch them before you make any jump & by then it will be easy to buy a TPM thing.

    • @jonshadow4052 3 years ago +2

      @@liaminwales WIN10 ends in 2025

    • @Ronnysun0788 3 years ago

      Depending on whether your MB BIOS supports the TPM or not.

    • @Ronnysun0788 3 years ago

      Your MB

    • @MFMArt 3 years ago

      @@jonshadow4052 not only is that a lot of time, but windows 10 won't stop functioning, it just won't be supported with regular updates.
      OP's motherboard is older than 10 years (15 by 2025), very much in the range to replace/upgrade. Also TPM modules aren't hard to get, you can find them between 25-100 bucks. If upgrading a system is too much, a TPM module is not a big deal.

  • @ajc-th5ei 3 years ago +8

    Secure boot has been compromised in the past through key leaks etc. So it really is not that secure. And firmware rootkit exploits have gotten around secure boot. So it is NOT as secure as being presented.

    • @Alexx_80 3 years ago +1

      There are other requirements like VBS and HVCI. That's why 6th and 7th series of Intel is not supported. For now.

    • @biquiba 3 years ago

      Typical YT comment section knowledge flexing. It was never presented as unbeatable, but its importance had to be stressed for a chance of ppl actually caring about it.

    • @coolwin7710 3 years ago +10

      As somebody that studies cybersecurity, Microsoft's TPM feature is more of a power grab than a security function. Yes it will protect from various types of malware, but Microsoft will have more control over your pc and you could lock yourself out. Average users don't have to worry as much about security. Databases and servers are more vulnerable to attacks. Users on the other hand should just keep things up to date and use common sense.

    • @ajc-th5ei 3 years ago +4

      @@coolwin7710 - (Sorry, some of this was written for other readers, not you.) Agreed. If it wasn't for Microsoft baking in so much telemetry, trying to lock down the platform (including WHQL requirements for them to make money, not to fully guarantee that the driver is authentic or safe, while ignoring older drivers modified to work on newer OSes or beta drivers that do not have a signature, which you should know the origin of the driver, of course, if running it like that; which I run a self-modified WHQL Nvidia driver which does not pass the driver signature enforcement found in the OS, with my mods cutting out numerous elements like telemetry), etc.
      Then again, I strip out a lot from my custom Win 10 ent rom, which you have to dance that line between removing the bloat and making it insecure (please, if you are the type to make your own roms, know or read to understand what each component does; I started years ago using Windows tools, now DISM; learn DISM first to understand what and why of the components and how to remove them that way before moving to something like NTLite, which is a GUI front end).
      As for TPM, to date, I've only used it primarily when using bitlocker for encryption of my drive. Until I know how exactly Microsoft is using TPM, I have some concerns. Is it like the built in Yubikey? Are they using it to lock licenses to registered keys stored in the TPM? Are they creating an encryption key for system files to prevent modification unless present with a password from the user and the TPM while locally present on an elevated credential screen? Until I know why they want it, this really seems like an annoyance and a reason not to upgrade from Windows 10 until I get new systems that need it (like for the scheduler, etc.). (just spitballing different potential uses for the TPM; I do not know what the implementation here is for).
      But I hear you. How I handle my server is different from my client systems, though.

    • @ajc-th5ei 3 years ago +1

      @@biquiba - So I am not allowed to tell people that the stated reason for using it is illusory at times? I cannot discuss historic events that cut across current narratives that Microsoft is benevolent and that this is "for your safety," which although there may be some safety involved, this comes off more as a power grab, from WHQL certification to all sorts of other things. And let me guess, you love sending all that telemetry back to Microsoft to tell them how you use your computer, too. And that is just so they can better serve you, not to make money. *rolls eyes*

  • @DrorF 3 years ago +4

    9:48 Windows v-word?! Oh, _Windows _*_Vista_* ... Took me a looong time to figure that one out. Almost forgot about that one for some reason.

  • @SamsMediaCenter 2 years ago +1

    This was an excellent video. I didn't expect to enjoy this video as much as I did. 24 minutes just flew by. I never felt the need to move forward in the video manually, which I usually do on other YouTube videos. Excellent conversation between the two individuals. Both interviewer and interviewee were great.

  • @DangerGnom 3 years ago +5

    It should be an option, not mandatory. A very good interview, thanks for doing it. Helped me understand it better.

    • @markdawson25 3 years ago

      Windows is an option... Linux Mint is a better one

    • @HTHAMMACK1 2 years ago

      @@markdawson25 Linux is still garbage, and will continue to be compared to Windows or Mac OS no matter how long you Linux fanboys peddle that crap.

  • @adgarza 3 years ago +5

    If you go to the Advanced or Security options in the BIOS of your DIY computer, and you are using, let's say, 8th Gen Intel, chances are that you will be able to turn on the Intel PTT (Platform Trust Technology, equivalent to TPM) functionality. It depends much more on firmware/BIOS settings than on the processor's own settings.

  • @ToucH9000 3 years ago +3

    Microsoft : TPM 2.0 and Secure Boot will provide you the best security
    Print Exploit : *Bonjour*

  • @tofu_golem 3 years ago +6

    Someone once told me that the purpose of TPM/secure boot was to allow Microsoft to lock out competing operating systems. Was I told wrong?

    • @stefanl5183 3 years ago +6

      Nope! You were told right. Guess who controls "digital signatures" and decides what operating systems are "safe" to boot? Interesting that Windows is the most hacked operating system in existence yet it's "digitally signed" as "secure". Yeah right!

  • @randomgeocacher 3 years ago +4

    TPM also supports authentication, remote attestation etc., so it is a very important building block for WebAuthn TPM variants, Microsoft Azure Attestation, etc. If you want to increase the level of services provided securely, with some percent of clients malware infected, you have to have a trusted computing base to only release keys and attestations to correctly booted OSes.

    • @waynepage8570 1 year ago

      bs when you have a 4 year old hp pc i 7 ssd and wont pass bs

  • @astralpowers 3 years ago +8

    McAfee didn't kill himself

  • @memadmax69 3 years ago +4

    Microsoft suddenly wanting TPM bodes badly: If you were paying attention to microsoft and what they are doing for the past few years, you would know that microsoft is going the closed system route like MacOS, and TPM is the key to secure transactions via microsoft store as it identifies each machine via encryption...
    Which is great and all if all you do is game all day, but ur gonna be paying a microsoft tax as well...
    In the end, the TPM requirement is a signal of the beginning of the end of windows being open, and free/opensource software...

    • @mhamma6560 3 years ago

      negative, each machine already has a unique identifier independent of TPM. How do you think MS locks win installs to a specific set of hardware?

    • @memadmax69 2 years ago

      @Chris Not the OS itself... And ur wrong there too: MacOS and iOS are based on open source linux so......
      Anyways, in my OP, I was talking about being able to go to any website, download something, install it and go...
      Something that can't be done on stock iOS, and the direction that MS wants to go: app store controls everything that you install on your machine.
      They have mentioned this before....

    • @memadmax69 2 years ago

      @Aussie Doomer I have the new 24" m1 imac and its... ARM...
      Very limited on what I can run. Rosetta helps but only a little.
      Meh.

  • @yamilabugattas3895 3 years ago +27

    This was a really nice interview, you should have him on again!

  • @eukariootti1 3 years ago +1

    In your BIOS/UEFI, there might be these kinds of options to choose from:
    * Firmware TPM (with the help of your CPU)
    * Dedicated TPM (done by an external module on the motherboard)
    * Nothing.
    Firmware TPM:
    * AMD: *fTPM* (at least *Zen+* i.e. 2000-series Ryzen Desktop from 2018)
    * Intel: *PTT* (at least *8th Gen* i.e. Core ix-8xxx Desktop from 2017 & 2018)
    One way to check TPM's status: Run > *tpm.msc*

  • @godspyro2 7 months ago +2

    I love how he treats Vista as a swear word.

  • @ajslim79 3 years ago +4

    11:45
    Since TPM & Secure Boot are already built into the hardware (for years), WHY would someone "throw out his $3000 Rig now"?
    Do not believe it would be more than 5 years old at this point. That statement of yours is just false and misleading.

    • @Raletia 3 years ago

      Haven't got that far in the video yet, but in reply to your comment, my x470 board has 'fTPM' and I enabled it but windows refuses to see it. I bought it brand new along with a 2700x at release. (Which is also apparently a not supported processor >.> )

    • @mhamma6560 3 years ago +3

      Yes, they did a very poor job of educating which hardware has it native. Every 9th gen Intel desktop CPU and every Zen+ and newer CPU has it built in with no additional HW needed. It's a really poor video educating people on the topic. Even Microsoft's mentions are horrible. They give a "supported" CPU list without saying once that the list is of CPUs that have TPM 2.0 native to them.

    • @ajslim79 3 years ago

      @@mhamma6560 that would be really something to say in the video, yes.

    • @MikeJones-bl6lu 3 years ago +2

      @@mhamma6560 fTPM is off at default. Problem is that you would need dozens of videos to show how to turn it on depending on the platform and board manufacturer. Every bios is different from each other.

    • @paulstubbs7678 3 years ago +1

      Just show me where they are throwing them - I'll get my hands into that path...

  • @itsdeonlol 3 years ago +8

    Great interview! This really explained everything because I was confused. This guy is awesome Adam!

  • @softwarephil1709 21 days ago +1

    Three years later, TPM is still required for W11. People aren’t screaming; they’re just sticking with W10.

  • @kmcbayne22 3 years ago +3

    I know my Ryzen 7 1700X has fTPM but also heard that Win 11 would not support 1st gen Ryzen? 👀 I plan to upgrade my rig regardless but wanted to make sure I'm Win 11 ready so this was good information. Thanks

    • @kmcbayne22 3 years ago +1

      @@ssaini5028 I'm too vain for that... I got to have the new shyt 😁 just unwilling to pay inflated GPU prices 🤑 so I'll wait it out and upgrade later.

    • @mhamma6560 3 years ago +1

      @@kmcbayne22 You gain nothing from win 11, it's for alder lake and zen 5, aka when big.little comes to town.

  • @FrankLeeMadeere 3 years ago +6

    I think this clearly points to Microsoft having plans to be a bit more iOS like with some sort of "MSpass" that once you're in the system you don't need any passwords (or just one master) for almost anything with the OS handling the "keychain" etc.. This will be marketed as "user friendly" and "more secure" but I highly suggest we wait for version 2 or 3!

    • @FrankLeeMadeere 3 years ago +1

      13:00 Exactly my thoughts! They'll just say that "MSpass" (see above) is only available to those with TPM 2.0 and SecureBoot.

    • @mrtuk4282 3 years ago +3

      To be honest it is the lock in for Home users to have a MS account that is a big worry as well, as they seem to be trying to create a walled garden like Apple so you are forced to use the MS Store and be unable to install from anywhere else - Even so much as welcoming Steam and Epic to join the MS Store - LOL that would be the end of their business models if they do that, because MS could sell the same software/games and undercut them because they will already be forcing a levy on them !

    • @haraberu 3 years ago

      That function (internally named CredWriteA and CredReadA) was added in Windows XP. You know that little window that pops up when you connect to a \\shared\folder ? Any Windows app can use it. The database is encrypted with your Windows login password. You are correct with the "wait for version 3" because at least originally there was only one database per user, shared across all apps.

  • @MatthewParksSr 3 years ago +3

    Mike Dan!!! He is a great friend, an awesome person, and fabulous speaker and instructor.

  • @JusticeGamingChannel 3 years ago +7

    Great Explanation, well-done PC World!

  • @synthwave7 3 years ago +3

    Yes, no need for a hardware TPM module for Win11. Simply enable TPM in the BIOS [FTPM] - several videos on YT to show you how to do this.

  • @Silent1Majority 2 years ago +6

    "A+" to the both of you for such a fantastic breakdown of this topic. Much appreciated.

  • @MrCg006 3 years ago +5

    Should have mentioned for anyone that gets curious.. if secure boot is currently NOT enabled on your "working" PC's bios, enabling it will prevent your system from booting (will blue screen). Do not enable in bios unless you are performing a clean Windows install. This has to be enabled before you begin the OS install. Turning on fTPM on the other hand does not cause issues.

    • @ISCARI0T 3 years ago

      but u need secure boot for windows 11, so what am i gonna do? not activate secure boot?

    • @Vysair 3 years ago

      I turn on Windows 10 WHQL Support and Secure Boot. The PC won't boot at all and enter bios (it's UEFI). Windows 11 fucking sucks. I'm on R3 2200G + 1050 Ti.
      BTW, I recommend PopOS or DeepinOS if you like Mac theme. I'm so fucking moving to Linux.

    • @MrCg006 3 years ago

      @@ISCARI0T Secureboot is enabled in the bios. Once your settings are in place, you will boot from a DVD/USB and install windows. If you "have TPM" but no secureboot in your current OS install, you will not be able to just "upgrade" from 10-11 (as it is now). Need to do a clean install from scratch.

    • @ISCARI0T 3 years ago +1

      @@MrCg006 it says secure boot is disabled in my systeminfo, so I can't install windows 11 if I don't turn it on, but if I turn it on I won't be able to boot up to the current windows version and get to use all my data and stuff? did I get that right

    • @elecman748 3 years ago

      @@ISCARI0T yep, Microsoft really used his big brain this time

  • @ramonlnegron6120 3 years ago +7

    Awesome video, wow, I feel much better about Windows 11 after watching it. Thanks!!!

  • @richardblack5710 3 years ago +3

    Microsoft should make it secure by default but allow the user to choose to disable it by acknowledging that they accept the risk and sending their acceptance to Microsoft.

  • @absurdbird3556 2 years ago +1

    FW-TPM (called PTT) has been on Intel Core CPUs since Haswell in 2013. Most Intel chips less than 8 years old will have it.

  • @alexilaiho1st 2 years ago +1

    Funny how TPM not only stands for Trusted Platform Module, but it could also stand for Tamper Proof Module since he explained it's hard to tamper with :p

  • @andrewmcallister7781 3 years ago +4

    I enjoyed the video, however, I feel it is missing two important things: the TPM won't show in tpm.msc if it isn't enabled in the BIOS (often it is disabled by default), and you missed the requirement for a minimum of an Intel 8th Gen CPU or newer (so any PC older than 3yrs old won't be able to run Win11). I agree Microsoft are just testing the water at the moment.

  • @RKelleyCook 2 years ago

    Favorite part of the video: the high end Klein Tool screwdriver on the peg board. Those of us that do stuff more than just installing a motherboard (putting in a plug, cabling ethernet, etc.) know why high-end tools such as US-made Klein are something we all own.

  • @liaminwales 3 years ago +5

    Cool interview.
    I'd love to see an ABC of security for normal home users.
    Do I need a password on my home PC?
    Is there anything I need to change in settings?
    and all the basic stuff that people forget or don't know.

    • @dakoderii4221 3 years ago

      That's WAAAAAY too simple. Needs to be more complex for more exposure to more people. Remember, bad press is good press. Then they can raise the prices because of the complexity of the situation. Not saying they are doing that but I wouldn't put it past them to do it.

  • @FuelrIce 2 years ago +2

    Love the interview, nice to hear from a security expert just what these technologies actually are; however, I will need to correct him on one point. Windows 10 *did* in fact ship with the mandatory update feature, at least on Windows 10 Home. You can "snooze" or delay the updates -- for awhile -- but you cannot turn them off entirely without third-party software, and eventually Windows will stop letting you snooze the update and just install it without user input or consent. I upgraded from Windows 7 during the free-digital-upgrade period, and this extremely annoying "feature" was very much present on the system. It was also present on my daughter's Windows 10 Home install, 3 years later from physical install media. It is still present on both, as it cannot be turned off on the Home edition. So.. yeah, on that *one* point alone, I'll have to disagree with our esteemed expert. For the rest: Thanks for the new info, I do try to learn something new every day!

    • @rmt74358 2 years ago

      You can turn off updates permanently or until you want it turned on. Turn off the service.

  • @bryanjfe 3 years ago +2

    You need to address GPT in relation to this, I think. I had no idea that MBR is not supported for secure boot and therefore my system I've upgraded over the years needed some tweaking.
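
    A readiness check that pulls together the points raised in the comments above: whether Windows can see a TPM and which spec version it reports (the same information tpm.msc shows, and, as noted further up, only from an administrator prompt), whether the firmware booted in UEFI mode, whether Secure Boot is enabled, and whether the system disk is GPT rather than MBR. This is an added example, not code from the video, from PCWorld or from any commenter. It assumes Windows 10 or 11 with the built-in TrustedPlatformModule, SecureBoot and Storage PowerShell modules and an elevated prompt; the Windows 11 CPU list is not checked.

```powershell
# Added example: Windows 11 firmware/TPM readiness check (not from the video or comments).
# Assumes Windows 10/11, built-in PowerShell modules, and an elevated (Administrator) prompt.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "Run this from an elevated prompt; the TPM and Secure Boot queries need administrator rights."
    return
}

$report = [ordered]@{}

# 1. TPM as seen by Windows. Get-Tpm (TrustedPlatformModule module) reports
#    TpmPresent = $false when the TPM is disabled in firmware or absent.
try {
    $tpm = Get-Tpm
    $report['TpmPresent'] = $tpm.TpmPresent
    $report['TpmReady']   = $tpm.TpmReady
} catch {
    $report['TpmPresent'] = $false
    $report['TpmReady']   = $false
}

# 2. TPM spec version (e.g. "2.0, 0, 1.38" or "1.2, 2, 3") from the WMI class
#    that tpm.msc itself uses. Windows 11 requires 2.0.
$wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$report['TpmSpecVersion'] = if ($wmiTpm) { $wmiTpm.SpecVersion } else { 'not visible (disabled in firmware or absent)' }

# 3. Firmware boot mode: "UEFI" or "Legacy". Secure Boot is only possible under UEFI.
$report['FirmwareType'] = $env:firmware_type

# 4. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS systems,
#    so treat an exception as "not applicable" rather than as an error.
try {
    $report['SecureBootEnabled'] = Confirm-SecureBootUEFI
} catch {
    $report['SecureBootEnabled'] = 'n/a (not booted in UEFI mode)'
}

# 5. Partition style of the disk holding C:. An MBR system disk cannot boot
#    under UEFI, which is the case several comments above ran into.
$sysDisk = Get-Partition -DriveLetter C | Get-Disk
$report['SystemDiskPartitionStyle'] = $sysDisk.PartitionStyle

# 6. Verdict against the firmware side of the Windows 11 baseline:
#    TPM 2.0 present + UEFI boot + Secure Boot on + GPT system disk.
$isTpm2 = ($report['TpmSpecVersion'] -like '2.0*')
$report['MeetsFirmwareBaseline'] = (
    $report['TpmPresent'] -and $isTpm2 -and
    $report['FirmwareType'] -eq 'UEFI' -and
    $report['SecureBootEnabled'] -eq $true -and
    $report['SystemDiskPartitionStyle'] -eq 'GPT'
)

[pscustomobject]$report | Format-List
```

Save it as, say, win11-readiness.ps1 (the file name is an assumption) and run it from an elevated PowerShell window. If FirmwareType comes back Legacy or the partition style is MBR, Windows's built-in mbr2gpt.exe /validate /allowFullOS reports whether the disk is convertible before anything is changed; enabling Secure Boot in firmware while the OS is still booting in legacy mode is exactly the unbootable-system failure the comments above describe.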

  • @igordasunddas3377 2 years ago +1

    The idea might be great, but the problem is: whom does Secure Boot trust? Does it work with Linux with custom kernels etc.?
    Also super secret data (in the TPM) makes a PC possibly traceable and one has no control over it, because it's protected (even from access of the owner of that PC).

  • @anonamous6968
    @anonamous6968 2 years ago +2

    You forgot UEFI and not Legacy install. You have to have Windows installed with UEFI enabled.

  • @iguanac6466
    @iguanac6466 3 years ago +2

    I hope they back off the TPM requirement. I neither want to throw my wife's computer away (because she's perfectly happy with it) nor try to run Proxmox on her hardware and boot to a Win11 VM. This won't work for some people because some multiplayer games will ban you if you run the game in a VM.

    • @alikarbasian8576
      @alikarbasian8576 3 years ago

      It will release somewhere near 2022 or even 2023 with a very stable business version, and the older hardware has big security issues like Meltdown that are not publicly talked about. For example, if you have a laptop with an Intel gen 5 processor then you might have really big security problems because the CPU doesn't actually support security microcode or specialized hardware built into it. That's the difference between Mac OS security and Windows: they have simple hardware with limited-time OS updates, then they build a new one. On the other hand, Microsoft supports millions of pieces of hardware with billions of combinations from business/enterprise and home users at the same time! This is why you will see the obvious BSOD (blue screen of death) a lot in many Windows computers and not in Mac or Linux distros! Microsoft understands that it is very hard to support a lot of old hardware without affecting the OS speed or keeping it secure! So they drop support of older hardware to keep security and performance balanced with new fast and secure hardware!

    • @iguanac6466
      @iguanac6466 3 years ago +2

      @@alikarbasian8576 #1) Meltdown doesn't affect my wife's CPU and #2) Spectre (and Meltdown) isn't a bad enough exploit to pile up our landfills with millions of perfectly functioning computers. Both Meltdown and Spectre are read-only attacks that require you to install compromised software that can easily be mitigated using other methods (microcode updates via OS or BIOS, antivirus software, antimalware software).
      I would be fine with Windows nagging you to update to Secure Boot/TPM and requiring it from OEMs, but I'm not in favor of this as a requirement to install. These non-Win11-compliant PCs are going to be an even bigger threat than Spectre/Meltdown when bot armies compromise them as MS stops security updates for Win10.
      I love building myself new computers and I like shiny new technology, but this is a case of the fix having far more negative consequences than the original problem.

    • @alikarbasian8576
      @alikarbasian8576 3 years ago

      @@iguanac6466 Microsoft will fall back and it is the obvious truth, but even Windows 7 got security updates even in 2021. Microsoft has multiple problems supporting multiple OSes. The thing is, Microsoft has the right to do it for under gen 4 or 3 Intel CPUs. They are old tech and have big security concerns with more ransomware and boot-up attack viruses and malware. This is COVID time and you have a right, but in normal conditions people should stop using 10-year-old CPUs! There were many injection codes that can't be patched or even can't be publicly exposed. So I think 10 years is a good/fair way to support hardware or even software.

  • @brenth82
    @brenth82 3 years ago +1

    I thought I would post this as a separate question, assuming the day comes where Secure Boot is not something that is able to be turned off any longer, who is the organization that actually decides which operating systems are allowed to be used? Does each individual distribution of Linux, forsake, have to get certified with each manufacturer of computers, or is there a notion of installing their certificate into your system, and telling it to trust it, sort of like what has been done with TLS certificates inside of companies for a long time now?

  • @lowstryder1022
    @lowstryder1022 3 years ago +4

    Very much looking forward to watching this! Thanks for setting this up Adam!

  • @MarkAntony01
    @MarkAntony01 3 years ago +2

    It means you won't be able to turn all the telemetry off.

    • @acurisur
      @acurisur 3 years ago

      Telemetry has nothing to do with TPM or Secure Boot as those are controlled by your BIOS. Telemetry is controlled by the OS and is incredibly easy to turn off.

  • @Wokiis
    @Wokiis 3 years ago +8

    This kinda reminds me of Spectre/Meltdown, where vulnerabilities that are valid concerns for specific high-profile targets mean they must ruin the experience for the masses.

  • @chuzzbot
    @chuzzbot 3 years ago +2

    It's really easy to implement Win11 capability unless your computer is ancient.
    It is highly unlikely that a new PC doesn't have 'some' capability to either add a chip or flick a switch in the BIOS.
    Turn on PTT in the BIOS security settings and it's all good.

  • @phrtao
    @phrtao 3 years ago +1

    Ultimately any system (like TPM) has to have software access so there will always be a way of spoofing or exploiting it found eventually. TPM or Secure boot do not stop people installing software and that is how Malware and Viruses do the damage.

  • @chimingito
    @chimingito 3 years ago +2

    I've been having awful stuttering on my PC after I enabled fTPM; it goes away when I turn it off in the BIOS. I think the claim that it doesn't affect performance needs to be looked into. I'm on a 3900XT.

    • @chimingito
      @chimingito 2 years ago

      @Chris I'm on the latest BIOS and AMD chipset drivers.

  • @michaelhawthorne8696
    @michaelhawthorne8696 2 years ago

    One thing I had to do to enable Secure Boot and fTPM........
    I had to change the boot partition from MBR to GPT.
    Before I did this, disabling CSM in BIOS, I had no bootable disk for the OS.
    Once I made the change, disabling CSM in BIOS revealed the OS on the bootable disk and I was good to go....
    I passed the Win 11 check...

  • @randym1954tx
    @randym1954tx 2 years ago +1

    I have 6 PCs; three of them have MBs less than a year old. TPM had to be set up in the boot BIOS, then I ran mbr2gpt to create Secure Boot.... once I figured it out, setting it up was straightforward. The other machines have MBs from 2011 or earlier and did not have TPM....

  • @iviaverick52
    @iviaverick52 2 years ago +1

    So just installed Windows 11 last week. You absolutely 100% need TPM 2.0 to be enabled to install it, Microsoft did not deviate from that requirement.
    Note that almost every PC motherboard built since 2015 has a TPM 2.0 chip, it just needs to be enabled in the BIOS/UEFI.

    • @chrishuey9855
      @chrishuey9855 2 years ago

      As a computer user.....I have no idea how to do that and I am not comfortable doing it. If there was an easy way to make it happen, sure. If they wish to require it then they should have a program to do it for me. I know car guys tell me it is easy to change a head gasket....I am not going to try.

  • @alexk4894
    @alexk4894 1 year ago

    TPM itself does nothing until you enable disk encryption. It looks fun that MS requires TPM but has BitLocker turned off by default. There is another reason - DRM protection. Large companies, such as Netflix, want to identify your PC and restrict access to their content if they want to. Checking a serial number or similar codes is not effective since a user can bypass these checks easily. But with TPM endorsement certificates and a DRM-enabled browser it becomes really hard.
    They don't care about your security, they care about their money.
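Whether the TPM is actually doing anything on a given Windows machine, as the comment above puts it, comes down to whether BitLocker has a TPM-based key protector on the OS volume. That can be checked rather than guessed. The following is an added example, not code from the video, its guest or any commenter; it assumes an elevated PowerShell session on a Windows edition that ships the BitLocker module (Pro, Enterprise or Education; the cmdlet is absent on Home) and reports which protectors, if any, are bound to the system drive:

```powershell
# Added example: report how (or whether) BitLocker on the OS volume is bound to the TPM.
# Assumes Windows Pro/Enterprise/Education and an elevated session (Get-BitLockerVolume
# needs both). Not from the video or any commenter.

function Get-TpmBitLockerBinding {
    [CmdletBinding()]
    param(
        # Volume to inspect; defaults to the Windows system drive (e.g. "C:").
        [string]$MountPoint = $env:SystemDrive
    )

    # Throws on Home editions or when not elevated, which is itself the answer:
    # no BitLocker, so the TPM is not protecting the disk.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
    # RecoveryPassword, ExternalKey and Password.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus.ToString()      # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus.ToString()  # On means protectors are enforced
        KeyProtectors    = ($types -join ', ')
        # True only when the volume key is sealed to the TPM (alone or with PIN/startup key).
        TpmBound         = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        # A recovery password should exist and be escrowed (AD/Entra ID/printout) before
        # relying on TPM protection; a firmware update or board swap invalidates the seal.
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

Get-TpmBitLockerBinding | Format-List
```

A machine with `TpmPresent = True` but `ProtectionStatus = Off` and no `Tpm*` protector has a TPM that is doing nothing for data at rest; enabling BitLocker with a TPM protector (and escrowing the recovery password first) is what changes that.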

  • @anands7371
    @anands7371 3 years ago +1

    This is such a great conversation. 25 mins just flew by.

  • @Bigdog1787
    @Bigdog1787 3 years ago +4

    This doesn't bother me too much; my PC is outdated and I've been planning on upgrading next year. And I even had plans to convert this PC over to Linux, so nothing has changed for me personally. I think this also helps people who have super old PCs to finally get them upgraded; you should not keep computers 10+ years. 😉

    • @bertnijhof5413
      @bertnijhof5413 3 years ago +3

      I live in the Dominican Republic and last month I helped my brother-in-law with his Pentium 4 HT installing Peppermint 10 (Linux).
      I myself use a 2003 Pentium 4 HT as a backup server using FreeBSD 13.0 and OpenZFS 2.0. I use it for 1 hour/week and want to use it till 2032. Don't tell us what we can use!!!

    • @dappermuis5002
      @dappermuis5002 3 years ago +1

      @@bertnijhof5413 I agree with you. 1st worlders don't get it, money doesn't grow on trees.

  • @markusTegelane
    @markusTegelane 1 year ago

    So, after Windows 11 launch it's possible to bypass TPM requirement on fresh installs with LabConfig registry key, but they say you might not get updates at some point if you bypass those requirements

  • @DuneRunnerEnterprises
    @DuneRunnerEnterprises 3 years ago +1

    Btw, without disabling "secure boot", some motherboards would not boot with newer video cards....

    • @alikarbasian8576
      @alikarbasian8576 3 years ago

      Because the motherboard asks the firmware (UEFI) to load the OS into the guarded memory, then the UEFI asks the OS to introduce and load up the hardware drivers like sound cards or graphics cards or ... If they have been digitally signed (it's a code that the hardware vendor should get certified for its functionality by the OS manufacturer like Microsoft (it's called WHQL)), then Windows loads it into memory and tells the UEFI "I know this guy and he has a valid ID"; then the UEFI asks for the security code for the OS and the OS uses the Secure Boot protocol and its code to load Windows. And the cool thing is that fast boot is a functionality that lets the OS use the fastest way to load OS files and use the private memory/SSD/IO to load very fast. And if you have a driver that is not digitally signed, the OS will tell the UEFI "I have a driver, but actually I don't really guarantee its identity, but I will and can work with it." Then the UEFI will reject the driver and the OS will not boot correctly or it will even suspend booting up. And you may wonder why a driver is so important? Because they have root OS access for the specific hardware or software, and many hackers use fake drivers to load up some nasty malware or ransomware viruses hidden in the code. You can check your WHQL version and information with the dxdiag command in Windows search/run.

  • @baconsledge
    @baconsledge 2 years ago +1

    Why aren't environmentalists screaming about Microsoft sending a jillion PCs to the landfills because of their rendering most PCs unable to run Windows 11? That's the real crime.

  • @MEGALITHdotORG
    @MEGALITHdotORG 3 years ago +1

    Great interview, very informative, great tone, delightful guest! Thumbs up!

  • @Miskatonic-University
    @Miskatonic-University 3 years ago +4

    Great guy, very knowledgeable and clear...funny question on FPS btw 😁

  • @tomlake2732
    @tomlake2732 3 years ago

    Big companies in the US are on a 3-year upgrade cycle due to IRS depreciation laws (if your company ISN'T, have them check with the IRS. You could save a significant amount of money by buying every three years!) Every computer sold in the past three years has at least fTPM on board and most have Secure Boot ability. It's not big companies that will complain, it's individual users who can't upgrade as often. And what's wrong with Vista (there, I said it!) After a few patch cycles (OK, after MANY patch cycles) MS fixed the bugs and it was a stable, if unexciting OS.

  • @blackmennewstyle
    @blackmennewstyle 3 years ago +9

    I just hope TPM 2.0 is not another attempt from Microsoft to bypass and kill dual boot systems like they did back in the day, in the earlier stage of Secure Boot and UEFI; that was pretty outrageous at the time and it made the whole promise of UEFI pretty silly...
    You should not trust anyone to keep your data secret, we already had plenty of examples in the past clearly showing no one should lol
    Thanks for the great video though and happy midweek

    • @tommasovietina
      @tommasovietina 3 years ago +3

      Well, TPM has nothing to do with boot, so we can keep it out. Secure Boot will just check if the OS is trusted in the pre-boot step. You boot as always from multiple drives or multiple partitions with a boot manager. And of course you can use the CSM module to boot a legacy OS; I think you'll be fine.

  • @WayneHermanproject
    @WayneHermanproject 3 years ago +1

    Microsoft has already "pulled back on these requirements". They removed the 'PC Health Check' application from their download center.

    • @CinnamonOwO
      @CinnamonOwO 3 years ago

      Microsoft has not pulled any requirements, they just took down the checker app

  • @midibenni
    @midibenni 3 years ago

    MSI Z390, I run it with an i9 9900K.
    If it's for Windows 11 installation, there's no need to install an external TPM 2.0 module for Z390.
    Just enable "Security Device Support" in the BIOS, then press [Win]+[R] and run "tpm.msc" to check the TPM version in Windows.
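The manual check in the comment above (enable the firmware option, then open tpm.msc) can be scripted, and the same report can cover the other readiness items raised elsewhere in this thread: TPM 2.0 presence and spec version, whether Secure Boot is on, whether the machine booted via UEFI or CSM, and whether the system disk is GPT or MBR. This is an added example, not code from the video, its guest or any commenter; it uses only cmdlets that ship with Windows 10 and 11 and assumes an elevated PowerShell session (Get-Tpm, the Win32_Tpm class and Confirm-SecureBootUEFI all require it):

```powershell
# Added example: one report for the TPM / Secure Boot / UEFI / GPT checks discussed
# in this thread. Assumes Windows 10 or 11 and an elevated session. Not from the
# video or any commenter.

function Get-PlatformSecurityReport {
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # Get-Tpm is the scripting equivalent of the tpm.msc snap-in.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r.TpmPresent = $tpm.TpmPresent
        $r.TpmEnabled = $tpm.TpmEnabled
        $r.TpmReady   = $tpm.TpmReady
    } catch {
        $r.TpmPresent = $false; $r.TpmEnabled = $false; $r.TpmReady = $false
    }

    # Spec version (e.g. "2.0, 0, 1.38") comes from the Win32_Tpm CIM class;
    # a discrete chip and a firmware TPM (Intel PTT / AMD fTPM) both report here.
    $cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmSpecVersion = if ($cim) { $cim.SpecVersion } else { 'n/a' }
    $r.TpmIs20        = [bool]($cim -and $cim.SpecVersion -like '2.0*')

    # Confirm-SecureBootUEFI returns $true/$false on a UEFI boot and throws when the
    # OS was booted through CSM/legacy BIOS, so the exception is itself a finding.
    try {
        $r.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $r.UefiBoot = $true
    } catch {
        $r.SecureBootEnabled = $false
        $r.UefiBoot = $false
    }

    # Secure Boot needs the system disk in GPT layout, not MBR.
    $sysDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') -ErrorAction SilentlyContinue |
               Get-Disk
    $r.SystemDiskPartitionStyle = if ($sysDisk) { $sysDisk.PartitionStyle.ToString() } else { 'unknown' }

    # Summary the thread keeps asking for: all four conditions met?
    $r.Win11SecurityPrereqsMet = [bool]($r.TpmPresent -and $r.TpmIs20 -and
                                        $r.UefiBoot -and $r.SecureBootEnabled -and
                                        $r.SystemDiskPartitionStyle -eq 'GPT')

    [pscustomobject]$r
}

Get-PlatformSecurityReport | Format-List
```

If `TpmPresent` is false on a board from the last several years, the usual cause is the firmware setting (PTT, fTPM or "Security Device Support", depending on vendor) still being off, as several commenters here found; if `UefiBoot` is false, the disk layout and CSM setting need changing before Secure Boot can be enabled at all.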

  • @jpgarcia7892
    @jpgarcia7892 3 years ago +2

    Very informative and enlightening! More content like these in the future.

  • @tindo
    @tindo 3 years ago +4

    Fantastic interview, Give me MOAR!!!!!

  • @Fraaip
    @Fraaip 2 years ago +1

    Are there any security implications from one implementation of TPM to another?

  • @PE4Doers
    @PE4Doers 3 years ago

    A shout out to Mike - a fellow CISSP :) Sorry I missed this when it was live (my Day Job can be a pain sometimes), it was very informative and interesting. David Rivera, PE, CISSP, MBA

  • @Cypherdude1
    @Cypherdude1 2 years ago +1

    You never asked any questions regarding privacy. Each TPM 2.0 install has a unique RSA key which cannot be changed. The RSA key is unique to every machine. This means anyone using TPM 2.0 cannot be anonymous. Even if someone uses TOR Browser, it wouldn't matter. The user can be identified anyway because the software can send the key to the server. If a website can obtain the RSA key from a browser, this means you cannot have anonymity on the web. The Chinese are using TPM 2.0 already. Now American companies want to use it. For example, Valorant published by Riot Games is going to use TPM 2.0 to identify cheaters and permanently ban their machines. Because of privacy concerns, which is bad enough on Windows 10, TPM 2.0 should not be used.

  • @robertlawson4295
    @robertlawson4295 3 years ago +2

    I was surprised that Mike never brought up Intel PTT, which is a firmware TPM built into Intel chips from the 4th generation and newer. My Win10 computer uses a Core i5 8th generation chip which has the PTT feature. With the feature off (by default) the TPM.MSC command shows no TPM available, but when I enabled the Intel PTT feature the command showed that I had TPM 2.0 in use. Hope this helps.

  • @DavidWRLD999
    @DavidWRLD999 2 years ago +1

    I got a computer that supports Secure Boot, but when I enabled it, my Windows wouldn't boot.

  • @AmericaAndAllies
    @AmericaAndAllies 16 days ago

    TPM protects against only a certain class of rootkits. It is a great way to maintain an OS monopoly by making it inconvenient to boot a different OS, requiring the user to enter BIOS and disable the TPM to boot Linux for example. MS is a naked monopoly and they need to get dragged into court like Google has. It is time to break up these computing monopolies that have set computing innovation back by several decades.

  • @SamuelHollandsh
    @SamuelHollandsh 3 years ago +3

    Hi, nice video. I'm new to CPU/GPU since about five years or so ago. Thankfully I had recently gone AMD on this desktop and was wondering, since I met the requirements, why Win 11 wasn't booting (it would loop back to Win 10). I believe I finally found the answer; please correct me if I'm wrong: Secure Boot must be enabled before an operating system is installed. If an operating system was installed while Secure Boot was disabled, it will not support Secure Boot and a new installation is required. Thank you sincerely

  • @joeldf6859
    @joeldf6859 3 years ago

    I don't know if it's been mentioned since this video went out, but according to the latest MS Win 11 requirements, Secure boot needs to be available, but does NOT need to be enabled.
    "System firmware: UEFI, Secure Boot capable."

  • @edwardmacnab354
    @edwardmacnab354 1 year ago

    Now a RUclips channel featuring Mike Danseglio would be a Godsend indeed! Oh, the Microsoft secrets we could all be privy to! Great video.

  • @EnigmaG1
    @EnigmaG1 3 years ago +1

    I thought TPM was mostly for DRM, not security.

    • @Nnda8731
      @Nnda8731 3 years ago

      Can be used for DRM but that's not its primary function; its primary function is for security purposes. The pirates won't tell you that though 😉

  • @GreggRoberts
    @GreggRoberts 3 years ago +3

    With this Secure Boot I hope the vendors that utilize bootable media conform to it. Also, what about dual boot systems and/or using a VM?

  • @jesuismika
    @jesuismika 3 years ago +1

    In the discussion there are some arguments I'm not sure about. You are saying they will back off because people won't upgrade, but since it's a free upgrade, it doesn't change anything for MS? They'll still support W10 until 2025, so that doesn't change a thing for MS either. So I'm not sure about your arguments..

  • @MatthewChauta
    @MatthewChauta 3 years ago

    So he eventually said it, but just to be clear, most DIY PCs just have to enable it in the BIOS. So no, no one with a $3000 gaming rig is going to be left out of Windows 11, unless it was $3000 in 2001, at which point you aren't doing much gaming on that anymore anyway.

  • @johnchase9054
    @johnchase9054 3 years ago

    DIY machine. I didn't buy the TPM chip when I built it three years ago. The motherboard supports TPM (which is on order). Secure Boot was already enabled.

  • @rebornlol
    @rebornlol 1 year ago

    Excellent video. Enjoyed the guest speaker!

  • @benl1612
    @benl1612 2 years ago

    Thank fk for this video, honestly; could not find any viable information whatsoever on any websites or forums about what TPM is, what it does, what difference discrete and firmware ones make, and the settings you should look for and stuff. Super good video. Thanks.

  • @farzadjahanfard
    @farzadjahanfard 3 years ago +1

    Thanks to you guys I found out I have it.

  • @SovereignKnight74
    @SovereignKnight74 3 years ago +3

    What's retarded is I had an i7 7700 system that had TPM 2.0 and Secure Boot, yet it is not compatible with Windows 11.... So I ended up upgrading to a Ryzen 5 3600 on a B550M motherboard. I have a feeling that you guys are right. Before launch, the i7 7700 will end up working on Windows 11.

    • @tomandhistruck
      @tomandhistruck 2 years ago

      Why don't you just edit TPM and UEFI out of your Windows 11 installer files? It's easier and takes about 10 minutes.

  • @MrAwesomeTony
    @MrAwesomeTony 2 years ago

    It seems like the expert is wrong about the Win 11 requirement being pedalled back. It has been 2 weeks since the official release of Win 11 and the req still stands.
    Other than that, thanks a lot for a detailed explanation of TPM and its features.

  • @TSUNAMI17
    @TSUNAMI17 3 years ago +2

    This was SO helpful. Thank you!

  • @topandrun126
    @topandrun126 3 years ago +2

    Thanks for making this video this was very helpful.

  • @andreastano7920
    @andreastano7920 2 years ago +1

    Cyber security has always been a great issue as technology keeps developing. Kinda controversial, but it's good though.

  • @prowler1567
    @prowler1567 1 year ago

    There are other reasons why they are pushing these secure features, and Microsoft isn't saying why they are really pushing these features. So far they have not rescinded the decision as of yet. At this point I'm only converting certain computers just to see what is being updated in the OS. For Secure Boot the drive has to be converted from MBR to GPT.
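Several commenters describe the same step this one ends on: the system disk must be converted from MBR to GPT before the firmware can be switched from CSM/legacy to UEFI and Secure Boot turned on (the "no bootable disk until I converted" note and the six-PC mbr2gpt story above are the same procedure). Windows ships mbr2gpt.exe for exactly this. Below is an added example, not from the video, its guest or any commenter, that wraps the tool so its non-destructive `/validate` pass has to succeed before `/convert` is attempted, and so the conversion itself is gated behind PowerShell's confirmation prompt. It assumes an elevated session, Windows 10 version 1703 or later (where mbr2gpt.exe lives in System32), and that you look the disk number up with `Get-Disk` first; the default of 0 is only a placeholder.

```powershell
# Added example (not the tool's documentation): guard mbr2gpt.exe so the system
# disk is only converted after a clean validation pass. Run elevated.

function Convert-SystemDiskToGpt {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Disk number as shown by Get-Disk. 0 is an assumption; verify it first.
        [int]$DiskNumber = 0,
        # mbr2gpt writes setupact.log / setuperr.log into this directory.
        [string]$LogDir = (Join-Path $env:SystemDrive 'mbr2gpt-logs')
    )

    $tool = Join-Path $env:SystemRoot 'System32\mbr2gpt.exe'
    if (-not (Test-Path $tool)) {
        throw 'mbr2gpt.exe not found (requires Windows 10 1703 or later).'
    }

    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
    if ($disk.PartitionStyle -eq 'GPT') {
        Write-Host "Disk $DiskNumber is already GPT; nothing to do."
        return $true
    }

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

    # /validate runs the same checks the conversion needs (at most three primary
    # partitions, room for an EFI System Partition, a recognised Windows system
    # partition) without writing to the disk. /allowFullOS permits running from the
    # booted Windows rather than WinPE.
    & $tool /validate /disk:$DiskNumber /allowFullOS /logs:$LogDir
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Validation failed (exit code $LASTEXITCODE); see $LogDir\setupact.log. Disk untouched."
        return $false
    }

    # -WhatIf / -Confirm gate the destructive step.
    if (-not $PSCmdlet.ShouldProcess("disk $DiskNumber", 'Convert partition table from MBR to GPT')) {
        return $false
    }

    & $tool /convert /disk:$DiskNumber /allowFullOS /logs:$LogDir
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Conversion returned exit code $LASTEXITCODE; inspect $LogDir before rebooting."
        return $false
    }

    Write-Host 'Converted. Before the next boot, switch the firmware from CSM/Legacy to UEFI and enable Secure Boot.'
    return $true
}

# Usage (after checking the disk number with Get-Disk):
#   Convert-SystemDiskToGpt -DiskNumber 0 -WhatIf    # runs validation only
#   Convert-SystemDiskToGpt -DiskNumber 0            # prompts, then converts
```

Run the `-WhatIf` form first; it still executes the validation pass, so a failing disk is reported without anything changing. Take a full backup before the real run, and expect the old CSM/legacy boot path to stop finding the OS once the disk is GPT, which is why the firmware must be switched to UEFI (and Secure Boot can then be enabled) before the next boot, as the "no bootable disk" comment above describes.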

  • @55whiplash
    @55whiplash 3 years ago +1

    Some businesses still run Windows 7, why would they care about Windows 11. It's pretty much the same as 10 anyway?

    • @maxhughes5687
      @maxhughes5687 3 years ago

      MS left us ? Gamer's assume it's going to be faster. Me? Do I think I need the added security or is W11 just more MS watching me?

  • @liowyew
    @liowyew 3 years ago

    I support the hardware TPM 2.0. I constantly received malware whenever I visited some sites and that caused me to format my hard disk once every year.