Transcript of the video:

In this video I explain what this TPM 2.0 in Windows is actually needed for and why it is criticized so much. And most importantly, what actually happens when I turn it off? What does Microsoft say about it? I try to make everything as easy to understand as possible.

Dear hackers, welcome to c’t 3003.

We’ve already made some videos about Windows 11, I hope you’re not annoyed yet – but such a big Windows update comes only every few years; besides, Windows is installed on 80 percent of all computers in Germany, so there should be interest. However, you had criticized us in our videos for being too tame with Microsoft and not criticizing the hardware requirements more strongly.

The thing is: we are definitely critical of Microsoft, but maybe we should look at the whole thing in a more differentiated way. And that’s what I’m trying to do now.

First, the facts: Windows 11 requires (at least theoretically) a so-called Trusted Platform Module according to the TPM 2.0 specification, which is an additional security controller independent of the rest of the system, i.e. independent of the main processor, RAM and mass storage – although it can also be built into the processor right away. The TPM 2.0 can store data securely and protected from malware and perform some cryptographic operations.

Okay, to put it more simply, TPM 2.0 can store things that the rest of the system can’t access – so malware can’t tamper with it.

Important: TPM 2.0 works completely passive, so it does nothing by itself. It cannot actively influence the boot process or the start of programs. However, in cooperation with the BIOS’s secure boot function – which is also required for Windows 11 – it can prevent the computer from booting if the BIOS has been manipulated by malware. In addition, the security chip can be used to make Windows’ Bitlocker encryption more secure and link it to the hardware: If you remove the hard drive, you can no longer access the data. Both are definitely useful. By the way: If the motherboard breaks, the encryption can be decrypted with a recovery key.

Furthermore, the login method uses Windows Hello [Lionel-Richie-Clip] TPM if desired. On demand is the keyword: Both Bitlocker and Windows Hello [Lionel-Richie-Clip] also work without TPM. However, both are then easier to attack.

There is almost no freely available software that requires TPM; one of the few is the multiplayer game Valorant with its anti-cheat tool Vanguard – since the beginning of October 2021, Valorant only starts with TPM 2.0 and Secure Boot enabled. Otherwise, there is still enterprise software that requires TPM; but that has also been the case for a long time.

Otherwise, as far as we know, TPM does nothing in Windows 11 at the moment. To be on the safe side, I asked Microsoft again, what concrete effects it has, if you use Windows without TPM as a private person. They said “Microsoft doesn’t comment on that” – and on top of that we got a link to a Microsoft support article that explains how to install Windows 11 without TPM. And even though they of course emphasize that there might be compatibility issues and that you won’t necessarily get all updates without TPM, Microsoft itself gives tips on how to turn off the TPM constraint.

Fact is: At the moment, it is not the case that anything does not work without TPM. Instead, you have some very concrete advantages with TPM.

Because: Security chips like TPM that are physically decoupled from the rest of the computer can make the operation of a system much more secure. Android and Apple iOS smartphones, for example, have such chips to secure contactless payments. If implemented purely in software, payment applications such as Apple and Google Pay would probably have been cracked long ago or would not even be certified for payments in stores. MacBooks and iMacs also have such a security chip, called T2. Chromebooks from Google have a security chip called Titan C. In other words, all other mobile or desktop operating systems except Windows (and Linux) have been using security chips for a long time – which cannot even be deactivated there. Oh, and by the way, there is also more and more software on Linux that can be made more secure with the TPM module.

So where’s the big problem with Windows and TPM? We are somewhat to blame for the bad image itself: Many years ago, there were many critical articles in c’t about the so-called Trusted Computing Platform Alliance (TCPA), which wanted to use TPM chips to monitor which software was executed by PCs. Real horror scenarios were conjured up, for example that Microsoft could introduce a blacklist of prohibited programs, for example with competitor browsers. Or that Microsoft could use its power to prevent the use of Linux or other open source software. All of that would have been really terrible – but it didn’t happen that way, and we’re still far from that today.

It is conceivable, however, that software such as Adobe Creative Suite will use TPM in the future to check whether it is running on a computer with a valid license. But that has nothing to do with TPM for now, but with DRM, or digital rights management.

And DRM is always crap from the customer’s point of view. DRM ensures that you don’t get a picture when you connect a laptop to a projector (keyword HDCP), that you can’t use refilled ink cartridges or that a game doesn’t start even though you bought it legally. But fortunately there are alternatives: You can buy your games at GOG, for example, which doesn’t do DRM.

And if you don’t trust Microsoft, Google, or Apple in general, you can just use an open source operating system like Linux – you can look at the source code and know that there’s no government backdoor in there. That’s what it’s all about in the end: trust. And at least I have to say that I don’t really trust a Windows operating system without additional security measures like TPM, Secure Boot and Virtualization Based Security anymore – there have been too many malware attacks and zero-day exploits lately. A solid, tamper-proof trust anchor is simply important these days.

So: if the security measures protect me from that, the benefits outweigh the risks for me. However, if the security measures start to work against me – i.e. annoy me with DRM junk, then I’ll switch to a DRM-free operating system like Linux. And then make a video about it – I might do that sometime anyway. Bye!