Here’s mine, to start out (assuming that this topic might have legs):
What’s up with the upcoming new major Windows version requiring a special (out of stock everywhere) encryption chip in the machine?
Does this mean that older machines (esp laptops) can’t be upgraded?
What’s it there for? Why do I suspect they’ve upgraded the capacity for either corporate or govt spyware?
(Windows already went that way since version
Why do we, the consumers/users, need or want such a chip? Any good reasons, or just bad reasons?
Are you planning to upgrade, if you can’t get the necessary chip?
And what’s this with the new Windows requiring that logins are only allowed using a Windows account? I presume this means more M$ spyware?
Thoughts?
@f00l TPM has been around for at least a decade. While it’s hardware, if you are issued a work PC, and it has Windows Professional or Enterprise on it, there is a real good chance you already have the module onboard.
I think your major concern for Windows 11 should be if you have enough RAM. With every major release, the minimum requirements goes up.
@f00l @njfan Furthermore, there is no reason to be worried about getting Windows 11. Windows 10 is fine.
Scalpers are buying up TPM modules because people don’t understand them, or how to check. And people will have only ever dealt with them on company computers, even though they may be there. I believe they have been required for Windows-based PCs since 2016.
My 2010 build is still rocking everything fine but obviously can’t take TPM and doesn’t need it. May be time for a new build when prices settle.
Use a Mac?
@Kidsandliz
Ship one to me. No charge to me, of course.
It’s the TPM chip. The purpose is to store keys created when Windows is installed that verify digital signatures on your system as you install drivers and upgrades to Windows to make sure they are legit, and make sure they haven’t been tampered with.
Most of the ransomware attacks are through device drivers, which, because they are devices, have to run “inside” Windows itself. But they’re not written by Microsoft, and have bugs, and manufacturers don’t update them or fix security defects in them. So they are a way for the bad guys to attack and take control of the entire system: to install ransomware, run crypto mining software, attack other computers on your network, steal passwords and login info, spew spam, infect other computers, or anything, because they have total control over the system.
So Microsoft is using the TPM to prevent bad people from breaking your Windows installation and from making your computer do bad things.
@mike808
Ok that’s helpful. Thx.
Do you know anything about upgradability for machines without this chip?
Esp laptops?
@f00l Likely only for laptops with last few generation or current generation CPUs. Or laptops will start including the TPM chip as part of the motherboard, and will say so in the specs.
@mike808
My laptops are still ok but older than what you mention.
I suspect I’ll do without the upgrade for now. No desire for a newer spendy one.
–
What about desktop upgrades to add said chip?
@f00l @mike808
Here’s a link to a possible solution to not using a TPM-certified machine.
As for adding a chip, they are currently in short supply and have been snapped up by scalpers, à la graphics cards ($15 before the Win11 announcement… $100+ on eBay now).
@chienfou @f00l
Desktops without the TPM module will need to have the circuitry to add it.
This applies to laptops as well, as older motherboards would have a TPM included when the manufacturer was targeting business use. All of the “managed endpoint” capabilities (theft locator service, remote wipe, etc.) that business users require rely upon the TPM (and the unique device/OS keys protected within it).
For price-conscious motherboard manufacturers, it was easy enough to design the motherboards where the TPM chip was optional, and then included in the “pro” or business models that were being assembled from collections of components going into the different desktop lines.
For laptops, the target market is usually known when the model or product line is being decided, like the HP Elitebooks and other “business class” laptops that have additional security features like fingerprint readers and directly support remote management.
The secret that most people don’t know is that CPUs have had TPMs built into them for many generations now. However, TPM itself has been upgraded, and so only the last few generations of CPUs have the newer TPM baked in.
It will be important for enterprise customers, but not so much for regular consumers.
I would expect Windows 11 to have versions that make that difference clear, along the lines of the Windows Home and Pro versions, where Pro requires the TPM chip and Home does not.
This is already true to some extent because the TPM chip is already used for your system’s BitLocker keys and Virtual Machines if you’ve used those features. Those features use the older version of TPM, and require Windows Pro, but Windows 11 will need the newer version, and likely only for the Pro version.
@mike808
Own several Windows machines, but haven’t actually touched one (even to open the case) in several years. Hmmm.
(They’re unplugged. I wouldn’t let a plugged in machine go without attention and maintenance.)
@f00l @mike808
Hope you have some spare CMOS batteries lying about.
@chienfou @mike808
Re CMOS: Yeah I know.
The desktops are old. At some point I’ll pull the drives and have them recycled or whatever.
@f00l @mike808
yeah … I have dreams of one day turning a bunch of older hardware into a NAS… some day
@chienfou @f00l @mike808
Electricity
Makes it cheaper to serve from
A Raspberry Pi
All I really want is a way to irrevocably TURN OFF Autoupdate, and apply only the patches I decide that I need. Ten has broken so many things for me, so many times, that I despise it with a level of loathing unmatched by any other. The breakages have often been discovered only when I was already severely pressed for time to get something out the door, and have caused missed deadlines more than once. It’s been bad enough that I have upretrograded all but one of my systems to 8.1 in order to achieve stable platforms that don’t kick me in the teeth randomly and maliciously.
@werehatrack
Good luck with turning off anything MS doesn’t want you to turn off.
Welcome to Big Computer Brother.
@werehatrack
Mea ahead of myself-a.
I should not have specifically targeted MS here. They are only doing what the mobile OS sw owners do, what the cell and internet companies do, what Big Data firms do, what everyone who has the infrastructure and $ does.
/giphy “digital panopticon”

Oh well.
@werehatrack What version of Windows are you using? In Windows 7 and prior I go into Services and set Windows Update to manual. Seems to do the trick. Not sure about Win10 since I haven’t upgraded yet.
@heartny
Tenvirus, aka Malwaresoft Windblows, is so aggressive about keeping the updates turned on that it has multiple interlocking misfeatures that each watch for some or any of the others to be disabled. Even with all known update monitors zapped, they will get reactivated. There is supposedly a way to build a router that can block all packets to and from the servers, and if I can’t regain full control of my system any other way, I’ll go that route.
@werehatrack Why don’t you just use Linux? Then you can audit and review the source code too, since you seem to be saying that doing that for all of the Windows updates is such a chore and, after your careful, experienced review, you find too many don’t pass muster.
Could it be that you’ve turned off and misconfigured so many critical and interdependent services without really understanding them that the cause of your systems’ instability isn’t Windows at all? So, why are you not using Linux?
I’m also curious about how old/obsolete and/or what weird components you have that cause problems with Windows 10. Perhaps your expectations are beyond what Microsoft ever claimed is supported by Windows 10, and the problem isn’t Windows, but your trying to run it on obsolete, old, defect-riddled hardware and devices that were never claimed to work with Windows 10 to start with. So why would you expect things to work properly with an arbitrary shitpile of hardware from the 20th century?
@mike808 @werehatrack
My thoughts exactly
If I’m going to poke around
May as well be free
@mike808
Twenty-plus years of business data that can’t port to a substitute app in Linux is keeping me stuck in the M$ world, or I would have swapped long ago. And no, the relevant package does not play well with any extant Windows emulator, so that is not an option either. Trust me, I have burned through a lot of shipments of spoons trying to escape.
How you can tell if your desktop (or laptop) already has support for TPM (or partial support - meaning you can run Windows Pro on it and use BitLocker capability):
Run “msinfo” (the “System Information” app) and search for “Device Encryption Support”; it will tell you if you have a TPM chip and what version it is.
If you do not have a TPM chip and you are running Windows Pro and you are using BitLocker, you do need to know that the primary encryption keys being used are stored on a tiny “unknown” partition on your hard drive. So any backups that don’t include that undocumented partition where Microsoft hid the encryption keys used by BitLocker are completely hosed and unrecoverable.
There is one mechanism left for BitLocker recovery, and that is if and only if you used a Microsoft account to register Windows when it was installed. If you installed using a local administrator, you are SOL - there is no recovery method.
The downside of this “feature” is that Microsoft has a copy of your BitLocker keys in your account, and as a third party, can be the subject of a warrant/subpoena to produce “business records” about your account and served on Microsoft. These warrants or even just “friendly requests from your local law enforcement officer” come with gag orders to enable the government to surveil any investigation target.
The upside is that for most people, being able to recover their BitLocker files on a new replacement machine after they restore them is easy and simple enough for consumers to do themselves without too much help or support. So there is that in favor of bringing the security of BitLocker to as many people as simply and easily as possible. As long as they have Windows Pro.
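For the TPM and BitLocker checks described above, here is an added PowerShell script (not from the thread, and not Microsoft’s own tooling) that reports the same information from the command line and also lists the BitLocker key protectors on the system drive, flagging the case where BitLocker is on but no recovery password protector exists. It assumes Windows 10/11 Pro with the built-in TrustedPlatformModule and BitLocker modules and an elevated PowerShell session; the function names are my own.

```powershell
# Added example, not from the thread: report whether a TPM is present and which
# spec version it implements, then list the BitLocker key protectors on the OS
# volume and flag BitLocker being on with no recovery password you hold yourself.
# Assumes Windows 10/11 Pro with the built-in TrustedPlatformModule and
# BitLocker modules, run from an elevated session.

function Get-TpmSummary {
    # Get-Tpm reports presence/readiness; Win32_Tpm (MicrosoftTpm namespace) carries
    # the spec version as a string such as "2.0, 0, 1.16" (major.minor, rev, errata).
    $state = Get-Tpm
    if (-not $state.TpmPresent) {
        return [pscustomobject]@{ Present = $false; SpecVersion = $null; Ready = $false }
    }
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
    [pscustomobject]@{
        Present     = $true
        SpecVersion = $spec          # e.g. "2.0" (what Windows 11 asks for) or "1.2"
        Ready       = [bool]$state.TpmReady
    }
}

function Get-BitLockerProtectorSummary {
    param([string]$MountPoint = $env:SystemDrive)
    # The BitLocker module is absent on Home editions; bail out cleanly there.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return $null }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if (-not $vol) { return $null }
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        MountPoint        = $MountPoint
        ProtectionStatus  = "$($vol.ProtectionStatus)"      # "On" or "Off"
        ProtectorTypes    = $types                            # e.g. Tpm, RecoveryPassword
        HasTpmProtector   = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        RecoveryPasswords = @($vol.KeyProtector |
                              Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
                              ForEach-Object { $_.RecoveryPassword })
    }
}

$tpm = Get-TpmSummary
if ($tpm.Present) { "TPM present, spec version $($tpm.SpecVersion), ready: $($tpm.Ready)" }
else              { 'No TPM detected (or it is disabled in firmware setup).' }

$bl = Get-BitLockerProtectorSummary
if ($null -eq $bl) {
    "BitLocker status unavailable for $env:SystemDrive (module missing or not elevated)."
}
else {
    "BitLocker on $($bl.MountPoint): protection $($bl.ProtectionStatus); protectors: $($bl.ProtectorTypes -join ', ')"
    if ($bl.ProtectionStatus -eq 'On' -and -not $bl.HasTpmProtector) {
        'Volume is protected without a TPM protector (password/startup-key based).'
    }
    if ($bl.ProtectionStatus -eq 'On' -and $bl.RecoveryPasswords.Count -eq 0) {
        # A board swap, firmware change or restore onto new hardware can leave a
        # TPM-sealed volume unlockable only by a recovery password, so one should
        # exist and be stored off this disk (printout, password manager, AD/Entra).
        Write-Warning 'BitLocker is on but no recovery password protector exists.'
        Write-Warning 'Add one with: Add-BitLockerKeyProtector -MountPoint <drive> -RecoveryPasswordProtector'
    }
    elseif ($bl.RecoveryPasswords.Count -gt 0) {
        "$($bl.RecoveryPasswords.Count) recovery password protector(s) present; confirm a copy is stored off this machine."
    }
}
```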
@mike808
I am so out of date re windows now. Long time since I used to be able to machete the registry and still get everything to work.
Oh well. I’m not entirely sorry to be clueless about current windows issues. And current MS acronyms.
Asked the original q just because a friend was irritable about the upgrade specs and trying to get the chip, and I wondered why the chip was a req.
These considerations make me want to continue to have little to do with windows.
There are workarounds with the beta W11, so I wouldn’t be surprised if there will be other workarounds in the future too. Given that W10 support isn’t ending until 2025, I’m personally taking the wait-and-see approach.
I use Windows 10, which has been yammering at me to install OneDrive. Today it locked my PC until I gave my password, then it installed OneDrive. So far no data is in any folders or the cloud. How can I uninstall it and keep it gone? I am not computer smart. I do not want to save to the cloud. Thanks.
@spiralroad After it installs, open the settings and turn off the “Start on Windows startup” option. Then exit the app.
@mike808 Success! Thank You
For @werehatrack
Have you tried a clean install of Win10 and then running either or both of these two PowerShell tools to “clean” Windows 10 of little-used features (Mixed Reality Viewer?) and “bloatware” (Candy Crush?):
Windows 10 Decrapifier
and
Windows 10 Debloater
This is a good explanation of each and how to use them both.
https://www.makeuseof.com/windows-10-decrapifier-debloater/
@mike808
Is a user allowed to do a clean Windows 10 install if the original Windows 10 licensing came from one of those free Windows 8 upgrade options?
Or does the user have to first install eight and then upgrade to 10, or some horrible sequence of actions?
@f00l MS should have your digital license active, and if you haven’t changed your CPU (they do have serial numbers, btw), disks, motherboard, and GPU, Microsoft will find your license and reactivate it.
Are you doing what Microsoft calls a “refresh” or a drive wipe and a clean reinstall?
Also, you can run some tools (Google is your friend, but NirSoft I think is the one I found) that will display your Windows activation code, which is not the same as your license code.
@f00l @mike808 Even the drive doesn’t seem that important. One of the computers at my work serves as a test bench (originally W7) and it’s seen well over a dozen different drives. W10 digitally reactivated every time.
(Same CPU/motherboard/RAM every time, however.)
@mike808
If I had an entire week to spend meticulously uninstalling and then reinstalling and reconfiguring single-instance licences as part of a nuke and pave, Tenvirus would NOT be the version present at the end.
@f00l @mike808 @narfcake Keys are stored in the BIOS. Sometimes extra steps are needed for a “clean install” on Dell for Windows to access and activate (maybe just for older computers – haven’t tried recently).
Next Windows woes question
If one has a reasonable external USB hard drive (say, a terabyte or bigger),
and if one wishes to have that drive be read/write for Linux, Mac, and Windows:
What’s the best file format for the external drive?
@f00l
Depends on the max file size.
FAT32 => 4GB max file size. Probably the most compatible and why it is everywhere. Freely licensed helps.
exFAT is MS-proprietary to create, but reading drivers are free and available. But it allows files >4GB.
NTFS: This is mostly MS-proprietary, but can be read and written by IOS and Linux drivers. In the past, read-only was stable, and writing to an NTFS system from a non-Windows system wasn’t stable or reliably also readable from a real Windows system.
I would personally go with NTFS for cross-platform easy out-of-the-box compatibility. I use it on thumb drives and SSDs that get mounted to my router (Asus RT-AC68) running Samba to share files to my network as a poor man’s NAS.
That said, there are readily available and free filesystem drivers for Windows to use Linux-native ext2/3/4 filesystems.
IOS is natively Berkeley (BSD) Unix-derived, so Linux ext2/3/4 filesystems are built-in.
There are other filesystems, like JFFS, that are geared for flash memory chips and wear-leveling. However, the controllers have gotten so good in the last decade that we now have SSDs that mask all of that and you just format it however you want.
It really depends on which system is the “least flexible” or primary system where you want the most compatibility (i.e. native) and then setting up support (if not native) on the other OSes.
One thing to be careful of - journaling might not be equally supported across the different platform OSes, so you might not want to insist those features be turned on and allow them to be disabled on that disk filesystem.
Another thing - older systems might have a problem with GPT partitioning. Check before you format and load up data.