Windows 11 wants a TPM2 on the PC. But even if it is present, and detected (in TPM.MSC), and active, and owned, and provisioned by the BIOS, it still alerts us that it is not working (notably for Bitlocker that fails to start on disks that were encrypted in Windows 10 with Bitlocker using the TPM2 chip).
This is a current bug of Windows 11 that affects:
- its new compatibility check program (PC HEALTH CHECK) on Windows 10 prior to the installation
- the "new" WMI-TPM component used in Windows 11 at runtime (including for Bitlocker)
- the "new" UEFI boot preloader (bootloaderfw.efi) and bootloader (bootloaderfw.efi)
All these "new" components have NEVER been tested by Microsoft on anything other than virtual machines and some "new" (but very basic) tablets/notebooks. They all have in common the fact that there's NO real TPM2 device in them: virtual machines use a virtual TPM featuring limited capacities with a single profile with a single set of PCRs registers (and for Windows 11 compatibility, this single profile should support ONLY the "SHA256" hashing algorithm).
This is a clear deviation from the TCG standard for TPM2 which has always allowed for
- the presence of multiple TPM devices, or
- even multiple "profiles" in the same TPM device, with distinct sets of "PCRs" registers, one for each profile depending on the hashing algorithm used in the selected profile.
With TPM1.2, there was only a single profile allowing a single bank of at least 24 registers (each one storing a 20-byte SHA1 hash). As well it described a legacy "FIFO/TIS" interface for use by applications or OS.
With TPM2.0 the specifications (signed years ago by at least two successive engineers from Microsoft) specified multiple banks (the reference open-source implementation made by TCG named "TSS" specifies 3 banks and at least 2 profiles, each bank using larger sets of PCR registers). TPM2.0 also deprecated the "FIFO/TIS" interface (without forbidding it) in favor of the newer "CRB" interface (allowing commands to be placed in several queues and run asynchronously on the TPM device, for stronger resistance to time-based side-channel attacks, notably when using stronger or more expensive algorithms, such as the generation of security keys).
All this TPM2.0 support was working in Windows 10 and still works with Windows Server 2019 (or even in Windows Server 2022 beta).
It no longer works at all with Windows 11 (Dev channel), because the "new" code (listed above) is clearly unfinished and in fact is broken and gives FALSE hints to users.
In fact the PCs on which the PC-HEALTH check program says they are "Compatible for Windows 11" will soon be incompatible with it (because they will need more PCRs banks): these are the "new" PCs (tablets or thin notebooks) made by some Chinese manufacturers at low cost (these manufacturers did not want to embed a real TPM chip on these devices: they asked Intel and AMD to provide a "firmware TPM" on their CPUs, but almost all existing CPUs that have a "fTPM" have implemented the strict minimum needed: a single TPM2 bank of PCRs registers, and using only SHA256).
The PCs that currently pass this check will NOT pass the test later if they can't be upgraded with a real TPM. And already there are newer (more costly) series of CPUs that provide multiple PCRs banks in their TPM2 firmware, and multiple profiles with more algorithms supported. These newest CPUs currently do not pass the BROKEN win11 compatibility check.
Microsoft has given false hints to users. The PCs that don't pass the test are NOT outdated, those that pass it are ALREADY outdated.
There are interesting events in the Event Viewer (in the "System" category): lots of these events are spammed now in Windows 11, where Windows (from the initial boot in UEFI, then during the OS loading, and then every second after the boot when the OS is loaded) attempts to extend hierarchies of keys by computing SHA256 hashes and trying to import them in the TPM but not in the correct PCR bank: it uses the 1st bank of PCRs without checking its type by looking at TPM capabilities, and in fact attempts to replace SHA1 hashes by SHA256 hashes in the incorrect profile.
All real TPM2.0 chips have at least 2 banks for 2 profiles:
- the 1st bank is for SHA1 hashes (that Windows 11 no longer supports) and is to be used for legacy apps or OSes that used only TPM1.2 under the legacy FIFO/TIS interface.
- the 2nd bank is for SHA256 hashes (those that Windows 11 requires now) but Windows 11 is not able to use this 2nd bank. As well Windows 11 has (currently) removed the support of the newer CRB interface.
With the next version of TPM (3.0) there will be larger banks and more complex hierarchies. A true implementation of TPM2+ in Windows 11 is a must have that Microsoft ignores. MS gives false information to users because it does not want to admit its own bug: the problem is really in Windows 11, it affects most machines (and soon will affect ALL of them, including more modern CPUs with more TPM2 capabilities and featuring more banks, notably in CPUs for use in servers of container-based applications; servers hosting VMs with a hypervisor are not affected for now because each VM implements its own single virtual TPM2 and you'll be able to configure the virtual TPM capabilities inside the hypervisor settings), and NOT a problem of the CPU or the UEFI BIOS, or of the TPM chip.
So it would be good if your tool got the real TPM2 capabilities, and notably:
- the number of PCRs banks, and the hashing algorithm (SHA1 or SHA256, possibly others) assigned to each bank,
- which PCR bank is currently selected by Windows (for now only the 1st one in Windows 11 or in the PC-HEALTH check program)
- identifying the TPM module used (optional but needed if there are multiple TPM devices enabled, notably on the newest PC where the fTPM in the CPU may be enabled, and the "discrete" hardware TPM chip would be enabled as well).
For now you just display the TPM version (without identifying which TPM device is used).
This can be done using "TpmDiagnostics.exe" (a "feature on demand" in Windows 10/11) from an administrator command line or Powershell: "TpmDiagnostics PrintPCRs". You can as well use "TpmTool.exe" (preinstalled in Windows 10/11) which performs a few fewer tests (but is translated in the results with its MUI, depending on the UI language installed and user preferences, whereas the newest FOD "TpmDiagnostics" tool is still not translated and displays results only in English for now).
But note that if you use the WMI interface, this will fail in Windows 11 (the new "TPM-WMI" component is broken). The two tools above do not need WMI and properly diagnose the TPM device reading properties via the device driver.
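As an added example (not code from the commenter or from the tool being discussed), the Python below parses the wire format of a TPM2_GetCapability(TPM_CAP_PCRS) response into its PCR banks, exactly the capability data the comment asks the tool to read, and picks a bank by its hash algorithm instead of by position. The response bytes are constructed here to model a TPM reporting a SHA1 bank, a SHA256 bank and a SHA384 bank with no PCRs allocated.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constants from the TCG TPM 2.0 Library specification (Part 2, Structures).
TPM_ST_NO_SESSIONS = 0x8001
TPM_RC_SUCCESS = 0x00000000
TPM_CAP_PCRS = 0x00000005
TPM_ALG_NAMES = {0x0004: "SHA1", 0x000B: "SHA256", 0x000C: "SHA384",
                 0x000D: "SHA512", 0x0012: "SM3_256"}

@dataclass
class PcrBank:
    alg_id: int
    pcrs: List[int]  # PCR indexes allocated in this bank (empty = bank unusable)

    @property
    def alg_name(self) -> str:
        return TPM_ALG_NAMES.get(self.alg_id, "ALG_0x%04X" % self.alg_id)

def parse_pcr_banks(resp: bytes) -> List[PcrBank]:
    """Parse a TPM2_GetCapability(TPM_CAP_PCRS) response (big-endian, as on the wire)."""
    tag, size, rc = struct.unpack_from(">HII", resp, 0)       # response header: 10 bytes
    if tag != TPM_ST_NO_SESSIONS or size != len(resp):
        raise ValueError("malformed response header")
    if rc != TPM_RC_SUCCESS:
        raise ValueError("TPM returned error 0x%08X" % rc)
    _more, cap, count = struct.unpack_from(">BII", resp, 10)  # moreData, capability, count
    if cap != TPM_CAP_PCRS:
        raise ValueError("not a TPM_CAP_PCRS response")
    off, banks = 19, []
    for _ in range(count):                                    # one TPMS_PCR_SELECTION per bank
        alg, size_of_select = struct.unpack_from(">HB", resp, off)
        off += 3
        select = resp[off:off + size_of_select]               # bitmap, bit 0 of byte 0 = PCR 0
        off += size_of_select
        pcrs = [i * 8 + b for i, byte in enumerate(select) for b in range(8) if byte >> b & 1]
        banks.append(PcrBank(alg, pcrs))
    return banks

def select_bank(banks: List[PcrBank], wanted_alg: int) -> Optional[PcrBank]:
    """Choose a bank by algorithm, never by index; a bank with no PCRs cannot be extended."""
    return next((b for b in banks if b.alg_id == wanted_alg and b.pcrs), None)

def build_response(banks) -> bytes:
    """Constructed sample only: serialise (alg, pcrSelect) pairs in the response layout."""
    body = b"".join(struct.pack(">HB", alg, len(sel)) + sel for alg, sel in banks)
    payload = struct.pack(">BII", 0, TPM_CAP_PCRS, len(banks)) + body
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(payload), TPM_RC_SUCCESS) + payload

# Constructed sample: SHA1 and SHA256 banks with PCR 0-23, SHA384 supported but unallocated.
SAMPLE_RESPONSE = build_response([(0x0004, b"\xff\xff\xff"), (0x000B, b"\xff\xff\xff"),
                                  (0x000C, b"\x00\x00\x00")])

if __name__ == "__main__":
    for bank in parse_pcr_banks(SAMPLE_RESPONSE):
        print(bank.alg_name, "PCRs:", len(bank.pcrs))
```

In the sample, bank index 0 is SHA1, so code that extends "the first bank" with SHA256 digests targets the wrong profile; `select_bank` returns the SHA256 bank regardless of its position.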