Microsoft lists a reason why TPM, Secure Boot are required on Windows 11 in 2024-2025

    Karlston

    Microsoft has explained time and time again why features like TPM 2.0 (Trusted Platform Module), VBS (Virtualization-based Security), and Secure Boot are important for a Windows 11 PC. While these features existed before, Microsoft made them mandatory with Windows 11, citing the enhanced security benefits they bring, and it also published visual demos to better explain how.

     

    That was back in 2021. Fast forward to today: with the release of the Windows 11 24H2 feature update (which just became downloadable to more users), the company recently updated one of the support articles on its official website. Neowin discovered this change while browsing the interwebs.

     

    The article is about Automatic Device Encryption via BitLocker, which Microsoft refers to as "Auto-DE", and a particular section of this document was updated to reflect why TPM and Secure Boot are required for Device Encryption.

     

    Previously, it stated:

     

    Why isn't Device Encryption available?

    Here are the steps to determine why Device Encryption might not be available:

     

    1. From Start type System Information, right-click System Information in the list of results, then select Run as administrator

       

    2. In the System Summary - Item's list, look for the value of Automatic Device Encryption Support or Device Encryption Support

       

    • The value provides the reasons why Device Encryption can't be enabled

    • If the value says Meets prerequisites, then Device Encryption is available on your device.

    And here's what the updated page says now:

     

    Why isn't Device Encryption available?

    Here are the steps to determine why Device Encryption might not be available:

     

    1. From Start type System Information, right-click System Information in the list of results, then select Run as administrator

       

    2. In the System Summary - Item's list, look for the value of Automatic Device Encryption Support or Device Encryption Support

       

      The value describes the support status of Device Encryption:

       

    • Meets prerequisites: Device Encryption is available on your device

    • TPM is not usable: your device doesn't have a Trusted Platform Module (TPM), or the TPM isn't enabled in the BIOS or in the UEFI

    • WinRE is not configured: your device doesn't have Windows Recovery Environment configured

    • PCR7 binding is not supported: Secure Boot is disabled in the BIOS/UEFI, or you have peripherals connected to your device during boot (like specialized network interfaces, docking stations, or external graphic card)

    Essentially, the article details what those unmet "prerequisites" are. They include TPM, WinRE (Windows Recovery Environment), and Secure Boot. Besides these, Microsoft also mentions PCR7.

     

    PCR, or Platform Configuration Register, is a memory location on the TPM and is used for storing hash algorithms. PCR profile 7, or PCR7, is what BitLocker binds with. This binding ensures that a cryptographic key, in this case, the BitLocker key, loads only during a certain time during booting, neither before nor after.

     

    This is where Secure Boot comes in as it verifies and validates the necessary Microsoft Windows PCA 2011 certificate during booting, since an invalid signature leads to BitLocker using profiles other than 7.
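To make the binding concrete, here is an added, simplified model (not Microsoft's code or the TPM specification) of how a PCR7 value is built and why BitLocker's key release depends on it. The event names, the XOR-based "sealing", and the 32-byte key are constructed for illustration; real PCR7 entries are TCG-structured UEFI variable measurements.

```python
import hashlib
import hmac
from typing import List, Optional

PCR_SIZE = 32  # a SHA-256 PCR bank

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend: PCR_new = SHA256(PCR_old || SHA256(event)). Order-dependent and irreversible."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def compute_pcr7(events: List[bytes]) -> bytes:
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros on platform reset
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr

# Constructed, simplified PCR7 event logs (labels only, not real TCG event structures).
SECURE_BOOT_POLICY = [b"SecureBoot=1", b"PK", b"KEK", b"db", b"dbx", b"EV_SEPARATOR"]
WINDOWS_PCA = b"EV_EFI_VARIABLE_AUTHORITY:Microsoft Windows PCA 2011"
UEFI_CA = b"EV_EFI_VARIABLE_AUTHORITY:Microsoft Corporation UEFI CA 2011"

CLEAN_BOOT = SECURE_BOOT_POLICY + [WINDOWS_PCA]
SECURE_BOOT_OFF = [b"SecureBoot=0", b"PK", b"KEK", b"db", b"dbx", b"EV_SEPARATOR", WINDOWS_PCA]
DOCK_OPTION_ROM = SECURE_BOOT_POLICY + [UEFI_CA, WINDOWS_PCA]  # peripheral firmware verified by another CA

def seal(secret: bytes, pcr7: bytes) -> dict:
    """Model of TPM sealing: the blob is bound to the expected PCR7 value (toy wrapping, not real crypto)."""
    wrap = hmac.new(pcr7, b"bitlocker-vmk", hashlib.sha256).digest()
    return {"policy": pcr7, "blob": bytes(a ^ b for a, b in zip(secret, wrap))}

def unseal(sealed: dict, current_pcr7: bytes) -> Optional[bytes]:
    """The TPM releases the secret only when the PCR7 measured this boot equals the sealed policy."""
    if not hmac.compare_digest(sealed["policy"], current_pcr7):
        return None
    wrap = hmac.new(current_pcr7, b"bitlocker-vmk", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))

def pcr7_binding_supported(events: List[bytes]) -> bool:
    """Simplified rule matching the article's support statuses: Secure Boot on and the boot
    loader verified by Windows PCA 2011 with no other authority measured into PCR7."""
    authorities = [e for e in events if e.startswith(b"EV_EFI_VARIABLE_AUTHORITY:")]
    return b"SecureBoot=1" in events and authorities == [WINDOWS_PCA]

if __name__ == "__main__":
    vmk = bytes(range(32))  # constructed stand-in for a volume master key
    sealed = seal(vmk, compute_pcr7(CLEAN_BOOT))
    for name, log in (("clean", CLEAN_BOOT), ("secure boot off", SECURE_BOOT_OFF), ("dock option ROM", DOCK_OPTION_ROM)):
        print(name, "-> key released" if unseal(sealed, compute_pcr7(log)) == vmk else "-> key withheld")
```

Disabling Secure Boot or adding a measured peripheral changes every subsequent PCR7 digest, so the sealed key is withheld; this is the "PCR7 binding is not supported" case from the updated support article.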

     

    For those wondering what this fuss about BitLocker and encryption on Windows 11 24H2 is, the Redmond giant lowered the OEM requirements for Auto-DE on the latest Windows version and thus even Home PCs can be automatically encrypted. Soon after, the company also released a handy recovery and backup guide for the BitLocker key which should be a smart thing to bookmark.

     

    Third-party backup and cloning apps like Acronis are also baking in changes to accommodate this.

     

    This is Microsoft's way of letting you know why you should stick to an officially eligible PC on its latest version of Windows, and the company's official stance is that you get a new PC if yours is too old.

     

    Recently, the company also clarified its current position regarding the system requirements of Windows 11 on unsupported hardware after explaining how TPM 2.0 is a non-negotiable standard on its OS.

     


    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    2023: Over 5,800 news posts | 2024 (till end of November): 5,298 news posts

    RIP Matrix | Farewell my friend  :sadbye:

    Recommended Comments

    The BitLocker encryption significantly slows down an SSD laptop.

    I have Win10 on my main laptop, and one day the laptop suddenly got very slow. I looked around and found that somehow my laptop had been encrypted. It took half an hour to decrypt the SSD, then it went back to normal.
