News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

AskWoody Free Newsletter Logo
ISSUE 18.40.F • 2021-10-18

In this issue

PUBLIC DEFENDER: A single Registry line enables Windows 11 without TPM 2.0

Additional articles in the PLUS issue

LANGALIST: Can you fully delete the Edge browser? Should you?

BEST UTILITIES: Freeware Spotlight — CAD

HARDWARE DIY: Opal: Physical assembly — the motherboard

PATCH WATCH: Windows 11 is officially vulnerable

Not a Plus Member yet? Join today!
Get MS-DEFCON Text Alerts!


ADVERTISEMENT
1Password

The secure enterprise password manager

1Password is the world’s most-loved password manager, with top ratings from G2Crowd and Trustpilot, and has been named top password manager by leading media outlets including Wired, The New York Times, and CNET.

1Password makes it simple to create and share unique, strong passwords. With 1Password, you can securely share everything you need to work together, and give employees access to logins, documents, credit cards, and more, on all their devices.

Try 1Password Business free for 14 days!


PUBLIC DEFENDER

A single Registry line enables Windows 11 without TPM 2.0

Brian Livingston

By Brian Livingston

Microsoft has published a new support document revealing a one-line entry anyone can add to the Registry allowing Windows 11 to install on devices that do not have the so-called TPM 2.0 chip installed on the motherboard.

The Trusted Platform Module, as I explained in the September 6 AskWoody Newsletter, is a small hardware component that generates and stores cryptographic keys, among other things. Until the release of the recent support document, Microsoft had repeatedly stated that the 2.0 version of TPM would be a requirement before Windows 11 would install. In addition, Win11 has CPU and other hardware requirements above those of Win10, as set forth in Microsoft’s Win11 specifications.

Supermicro AOM-TPM-9665V-S moduleIn this column, I’ll show you exactly how you can use this new Registry entry to install Win11 on systems lacking TPM 2.0. TPM 2.0 may be provisioned on a motherboard by a discrete chip (a Supermicro 9665V is shown at left), or it may be integrated into the chipset associated with the processor. Win11 officially supports TPM 2.0 functionality built into the 2017 Intel Core 8th-gen microarchitectures and later, the 2018 AMD Zen+ CPU and later, and others.

However, many machines that came to market as recently as two or three years ago contain an earlier TPM 1.2 version. The final revision of TPM 1.2 was released a decade ago and appeared to be a standard that would endure. As recently as June 24, 2021, Microsoft was officially saying TPM 1.2 would be a “hard floor” for installing Win11. The company’s announcements at that point stated TPM 2.0 was merely “recommended.” But just one day later, MS reversed course, saying it was “required,” as described in a CRN article.

IMPORTANT: Before you make any Registry changes or install anything new, it’s important that you read to the end of this story for valid reasons why you might not want to install Win11 on hardware that Redmond considers “unsupported.”

There’s one Registry key to rule them all

For purposes of this discussion, the following is merely an outline of the Registry tweak. You should first read Microsoft’s official explanation, which is in its new “Ways to install Windows 11” support document.

  • Step 1. In Win10, press Win+R, enter tpm.msc, and verify TPM 1.2 is enabled.
  • Step 2. Run Microsoft’s PC Health Check app, just so you know your configuration.
  • Step 3. Go to the Windows 11 software download page.
  • Step 4. Under “Download Win11 disk image (ISO),” click and read “Before you begin.”
  • Step 5. Below that, click the “Download” button to burn an ISO (to a DVD, for instance).
  • Step 6. Before upgrading to Win11, press Win+R and enter regedit.
  • Step 7. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup.
  • Step 8. Right-click the right-hand pane and create a new DWORD (32-bit) Value.
  • Step 9. Name the entry AllowUpgradesWithUnsupportedTPMOrCPU.
  • Step 10. Give the entry a value of 1.
  • Step 11. Close the Registry Editor.

The above steps should allow you to install Win11 over Win10, even if a device has only TPM 1.2 enabled and not TPM 2.0.

As suggested by part of the Registry key itself — TPMOrCPU — the workaround will do more than just keep Win11 from requiring TPM 2.0. (With the trick, the requirement is only TPM 1.2, which is widely installed.) The “unbound” Win11 will also accept several generations of CPUs that didn’t make it into Microsoft’s Win11 specs.

You may still run afoul of other requirements, such as a 1GHz dual-core 64-bit CPU or better, 4GB of RAM, 64GB of disk storage, and a Secure Boot–capable UEFI (formerly known as BIOS). Since this whole procedure is unsupported, you’re on your own if it doesn’t work.

If the upgrade was unwise, you can revert a machine back to Win10 using the following steps:

  • Start, Settings, System, Recovery, Go back

That sequence will work only within 10 days after installing Win11, according to a separate Microsoft support document. After that 10-day period, the new operating system will automatically delete the reversion files to liberate disk space.

The Registry hack is not for novices nor the faint of heart

For more background on why you might or might not want to use the above Registry trick to install Win11 on unsupported hardware, I spoke with one of the smartest people I know: Carl Anderson. As a contractor, he worked for eight years at DARPA (the Defense Advanced Research Projects Agency). Subsequently based at Bryant University — a private business school in Smithfield, Rhode Island — he was for 24 years the director of the International Trade Data Network, initially funded and governed by the US Department of Commerce and the Small Business Administration.

Although he’s now retired, Anderson still provides consulting services to a few small businesses. For their benefit, he’s put together a four-page, 150KB PDF explaining various different ways to implement the Registry fix.

These ways include:

  1. Microsoft’s officially documented method;
  2. Installing Win11 from an ISO (International Organization for Standardization) image;
  3. Manually changing certain Win10 files so Win11 will install; or
  4. Using an open-source batch file to make the needed changes.

Boy, there are a lot of ways to skin this cat! Anderson has kindly given me permission to let AskWoody readers download the PDF.

Anderson cautions that he won’t support his clients or anyone else who installs Win11 on unsupported hardware. I’ll describe the pros and cons below.

Did Microsoft create its Registry entry due to manufacturer pressure?

First, we need to address the elephant in the room. After loudly claiming that Microsoft would not allow Win 11 to install itself on machines lacking TPM 2.0, why did the company insert a simple one-line command in the Registry permitting exactly that?

Anderson accepts a rumor, which I’ve also heard, that Microsoft was pressed by large system manufacturers, such as HP Enterprise, to provide an easy way for their older hardware to install Win11. As he describes the situation:

After Microsoft made TPM 2.0 a “hard” requirement, HP Enterprise requested MS develop a workaround for its clients with HP hardware that passed all Win11 requirements except TPM 2.0. Microsoft acquiesced and developed the bypass allowing TPM 1.2.

MS likely hadn’t intended the bypass for non-enterprise deployment, and possibly only for specific HP hardware, but the cat was out of the bag.

This leads me to believe that Win updates and patches should continue working using the bypass, but I wouldn’t bet on it long-term without official word from MS.

What does Microsoft itself say about updates and security patches? The company’s “Installing Windows 11” support document clearly states: “Devices that do not meet these system requirements will no longer be guaranteed to receive updates, including but not limited to security updates.”

That seems pretty definite! But predicting what Redmond will and will not do in the future — especially under pressure from some of its largest buyers — is a fool’s errand. Anyone who tells you they know for sure is pulling your leg. Even Microsoft executives themselves can’t be certain what they’ll do in the years to come.

What software runs fine on TPM 1.2, and what truly requires TPM 2.0?

As an encryption generator and secure storage device, every version of TPM is so complicated that I could write hundreds of pages on the subject. In fact — if you really need the details on TPM 2.0 — Will Arthur and David Challener have converted their 2015 book on TPM 2.0 into a free 375-page PDF. It’s a heavy read. They quote one wag as calling the protocol “security through incomprehensibility.”

So let’s cut to the chase: What software actually requires TPM 2.0, and what software can run perfectly well on TPM 1.2? I’ve created Figure 1, based on Microsoft’s own “TPM Recommendations” document:

TPM 1.2 and TPM 2.0 features
Figure 1. TPM 1.2, which exists in most of today’s PCs, can support everything that the new TPM 2.0 can — with the exception of the four categories indicated with a red “X.”  Source: Author’s summary of Microsoft’s “TPM Recommendations” document

A machine with TPM 1.2 enabled supports everything that TPM 2.0 does, other than the four categories with an “X” in Figure 1. Do you really need any apps such as those?

Excellent answers are provided by Steve Gibson, a security expert and the developer of SpinRite and other popular software, in his September 7 “Security Now!” PDF. (In that multi-topic report, his discussion of TPM begins on page 10.) Here’s a paraphrase of his comments on the four scenarios that require TPM 2.0:

  • Windows Autopilot can be used to deploy hundreds of Windows PCs or HoloLens 2 devices. So no big loss there if individuals and small businesses don’t have TPM 2.0.
  • SecureBIO is an enterprise-targeted biometric identity system. As an alternative, Windows Hello works just fine with only TPM 1.2.
  • Windows Defender System Guard is a post-boot integrity verifier that works with TPM 2.0 to verify that the operating system wasn’t compromised during the boot. No one outside of a huge enterprise is likely to use this.
  • TPM 2.0 adds several 256-bit encryption ciphers, but since TPM 2.0 is backward-compatible with TPM 1.2, software could simply continue using the TPM 1.2 functions on platforms having either TPM standard.

Microsoft’s “TPM Recommendations” document also mentions “Device Encryption,” which is a feature that uses TPM 2.0 to encrypt entire disks. But Gibson says MS BitLocker is superior and runs just fine with either version of TPM.

The bottom line: If you need one of those four features, use TPM 2.0

What if your company wants to implement software that works only with TPM 2.0 support? By all means, get TPM 2.0–enabled PCs and run your app. But if you don’t need TPM 2.0, you can tune out all the hype about Windows 11 and ignore the “upgrade” for now.

As Joanna Stern, the personal-technology columnist for The Wall Street Journal, reported in her October 6 review: “I’ve come to the conclusion that Windows 11 is mostly about Microsoft and its partners selling more computers, not about giving your current one a new lease on life.” With its lack of compelling new features, Stern said, “Microsoft’s latest feels more like Windows 10.5 than what the company promised.”

In Gibson’s PDF, he puts it somewhat more bluntly:

There are NO NEW FEATURES in Windows 11 that require anything more of the TPM than Windows 10 already does… yet Windows 11 is refusing to run on the same TPMs as Windows 10… apparently because someone at Microsoft thought it would be cool to enact a more restrictive change in requirements.

Given these realities, the path Microsoft should take for Windows 11 is clear: Simply use the maximum security that’s being offered by whatever, if any, TPM is present in a system. If the platform offers TPM 2.0, great! Use the 256-bit enhanced security that’s available there. If not, settle for the 160-bit security offered by SHA-1 and TPM 1.2’s HMAC — just as Windows 10 does now. If a platform doesn’t offer TPM 2.0, then its user cannot take advantage of those four enterprise-oriented features …

So, explain to those enterprise users that if they want those four features they’ll need to upgrade their hardware. But don’t tell any random home or small business user, who couldn’t care less about Windows Defender System Guard and Autopilot, that they’re S.O.L. if they wish to upgrade to the new Windows … It’s going to be seen as capricious and arbitrary, because as we’ve just seen, it is. [Emphasis in the original.]

The 160-bit SHA-1 encryption protocol was fully broken by security researchers in 2020, as explained in a Threatpost blog. The researchers’ attack required two months of computations using 900 GPUs. But that much computing power costs only $11,000 to $45,000 at current cloud rental rates — well within the means of serious adversaries. So you should never use SHA-1 for digital signatures or any other private communications, although many organizations still do. Only 256-bit or higher protocols are truly secure these days.

Top secret: This is being pushed by the US Department of Defense

I suppose this will cost me my high-level, “eyes only” security clearance, but I’m compelled to tell you that Microsoft’s moral quandary has a lot to do with the United States’ defense-security needs.

To protect my reputation as a “good citizen” — in hopes that Tom Cruise will still consider me loyal enough to play an agent in his next “Mission Impossible” film — I can deflect the blame by pointing the finger directly at Microsoft. This news leak is not my fault! The Redmond tech giant let slip the big secret in the same “TPM Recommendations” document cited above:

For security reasons, some entities are moving away from SHA-1. Notably, NIST [the National Institute of Standards and Technology] has required many federal agencies [including the Department of Defense] to move to SHA-256.

In my defense, so to speak, the Department of the Navy also spilled the beans about this “massive, multiphase” SHA-256 upgrade requirement in a recent article.

The US defense connection is also a major reason why Microsoft will prepare separate Win11 versions for sale in China, Russia, and other authoritarian regimes. In these countries and many others, TPM chips are against the law. These powers may be suspicious that the DoD has inserted a back door into TPM encryption, as I reported in my September 6 column.

Some very big dog walkers are yanking on Microsoft’s collar. Despite the Redmond corporation’s size and wealth, it faces a “damned if you do, damned if you don’t” dilemma:

  • Very big makers and users of PCs, servers, and other devices are pressuring Microsoft not to make hundreds of millions of their deployed units unable to run Win11, which many CEOs will think is an essential new thing. That’s the reason MS added its new, permissive Registry key.
  • The largest defense department in the world — which has a bigger budget than the militaries of China, Russia, and the next five countries combined — is telling Microsoft that DoD won’t buy and use Windows unless SHA-256 is baked in, which requires TPM 2.0. That’s why MS is making Win11 sound like a fantastic, exciting toy everyone needs.

Ignore Win11’s lame new Start menu and other cosmetic changes, such as rounded corners on dialog boxes. The strange, herky-jerky intro of Win11 is all about Microsoft not wanting to lose business from two of its most profitable groups of buyers.

Good things come to those who wait

Win11 isn’t a must-have upgrade yet. It’s not like Win 3.1, which introduced the revolutionary TrueType printing technology in 1992, or Windows 8.1, which rescued people in 2013 from the botched Windows 8 product. For now, Win10 is your best bet for a stable, reliable platform. Microsoft has committed to continue supporting Win10 with upgrades and security patches at least through October 14, 2025 (and probably longer).

That gives you plenty of time to evaluate things. Win11 may turn out to be the Vista of operating systems.

Now you know why it’s not a good idea to install Win11 with a Registry tweak. The main reason to install Win11 is if you need to implement one of the four software features shown in Figure 1. In that case, you need hardware that includes TPM 2.0, anyway — and your machines may need to meet several other system requirements as well.

Installing Win11 on unsupported hardware may simply saddle you with devices that will someday miss out on crucial Microsoft updates.

Before you do anything, read all the documents that are linked to above. Then read one of the following explainers:

  • If you absolutely crave whatever is the latest thing MS has put out, you’ll learn how you can download Win11 now, without waiting for the gradual rollout — which is expected to continue through mid-2022 — in a CNET guide. You may need to enable TPM, if it’s disabled by default on a device, as explained in a Wired article.
  • If you prefer to look before you leap, several deal-breaking bugs and missing features in the “1.0 version” of Win11 are described in a Trusted Reviews evaluation. Poor performance, memory leaks, no Android apps yet, hard-to-customize taskbar — oh my.

As always, watch AskWoody for more news. Features that Win10 has and that Win11 doesn’t are listed in a Lance Whitney critique, while some actual new features of Win11 are in his review (donation required).

Scales of Justice Do you know something that we all should know? Tell me about it! I’ll keep your identity totally confidential or give you credit, as you prefer. Send your story via the Public Defender tips page.
Talk Bubbles Join the conversation! Your questions, comments, and feedback about this topic are always welcome in the AskWoody Lounge!

The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new book Muscular Portfolios. Get his free monthly newsletter.


AudiobooksNow - Digital Audiobooks for Less
If you purchase after clicking this ad, AskWoody may receive a small commission.

Stories in this week’s PAID AskWoody Plus Newsletter
Become an ASKWOODY PLUS member today!

LANGALIST

Fred Langa

Can you fully delete the Edge browser? Should you?

By Fred Langa

The answer is yes, no, and maybe, depending on exactly what you’re trying to do and what risks you’re willing to take. You’ll find the how-to information below.

However, because Fred thinks removing Edge is a bad idea, this column also suggests a better, safer way to suppress Edge — a way guaranteed not to cause new problems with other Windows apps and services.

BEST UTILITIES

Deanna McElveen

Freeware Spotlight — CAD

By Deanna McElveen

For those of us who had drafting in high school, we thought our T-squares were expensive. Those new-fangled home computers were going to make things so much easier for designing palaces, office towers, and rockets — but to do so, they needed software. Very expensive software called CAD.

I want software that is much closer to free … or exactly free!

HARDWARE DIY

Will Fastie

Opal: Physical assembly — the motherboard

By Will Fastie

I didn’t realize assembling a PC could be so dangerous.

Like other folks who put together PCs, I usually call them “builds.” That’s a bit generous. As you’ve seen from my previous installment in this series (AskWoody 2021-08-30), I acquired components. I’m not really building anything — I’m assembling those components into the final product, Opal.

PATCH WATCH

Susan Bradley

Windows 11 is officially vulnerable

By Susan Bradley

Call me silly, but I never consider a Windows release as “official” until the first security updates come down on Patch Tuesday.

Windows 11 has 39 vulnerabilities; two of the fixes are deemed critical and 37 are important. KB5006674 also includes several fixes that, according to reports, impact performance on specific computers.

You’re welcome to share! Do you know someone who would benefit from the information in this newsletter? Feel free to forward it to them. And encourage them to subscribe via our online signup form — it’s completely free!


RoboForm box

Like what you see in the
AskWoody FREE newsletter?

Become a PLUS member!

As a Plus member, you’ll receive the full newsletter, including all our great content about Windows, Microsoft, Office, 365, PCs, MS-DEFCON Alert notifications, useful and safe freeware, and Susan Bradley’s sought-after patch advice. Plus membership also allows continuous access to the complete archive of nearly two decades of Windows Secrets and AskWoody Newsletters.

Naturally, Plus members have all the benefits of free membership, including access to the popular AskWoody forums.

The cost? We’re supported by donations — choose any amount for a one-year membership. Every little bit helps.

 Join AskWoody PLUS Today!


Publisher: AskWoody Tech LLC (sb@askwoody.com); editor: Will Fastie (editor@askwoody.com).

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Mailing address:

AskWoody Tech LLC
3339 East Griffith Way
Fresno, CA 93726

Your email subscription:


Copyright © 2021 AskWoody Tech LLC. All rights reserved.