Introduction
Earlier today, I wrote about the “Free Upgrade to Microsoft Windows 11” and the Microsoft PC Health Check tool that you can use to check your system. Around the same time, a number of other people and publications were also running the PC Health Check tool and reporting their results. Many modern, powerful systems were failing the upgrade check (with no reason specified). This generated quite a bit of conversation and some excitement on Twitter. All of this caused some Fun With TPM and Windows 11.
Now, upon further investigation, and acting on some helpful thoughts from several people on Twitter, I think I have a better idea what is really happening.
Microsoft PC Health Check Tool Issues
While I like the idea of this tool, I think it could use some improvement… Right now, it is more confusing than it should be. I know it confused me some!
The first issue is that if the tool reports that your machine is not eligible for an upgrade to Windows 11, it does not tell you why. For many people, the fail reason is TPM related, but you have to figure that out for yourself. Microsoft probably figured that showing the fail reason would be too confusing.
The second issue is that items that are flagged as “Needs attention” are not actual blockers. They are really just warnings about things you might want to investigate and correct.
Checking Your TPM Status in Windows
You can run TPM.MSC to see what is happening with TPM on your machine. What you want to see is that “The TPM is ready for use” as you see below.
What you may see instead is “Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has a 1.2 TPM or later and it is turned on in the BIOS”. If you see this, your machine will fail the upgrade check in the Microsoft PC Health Check tool. An example of this is shown below.
Hardware TPM vs Firmware TPM
My initial assumption (which was wrong) was that you had to have a discrete hardware TPM on your machine to get past this issue. Most recent vintage DIY AMD motherboards from ASUS, ASRock, Gigabyte, and MSI have a TPM Header on the motherboard, but they don’t actually have the discrete TPM itself.
You have to buy one of these separately, for your motherboard. These normally cost $5-$10, but they are now in short supply, with much higher prices. This didn’t sound good. Here is what that discrete module looks like.
As it turns out, most recent vintage AMD motherboards also have a firmware TPM (fTPM) that is one of the services provided by the AGESA framework. This is exposed as a BIOS setting that is typically disabled by default. It is usually called something like AMD CPU fTPM. You will have to find it in your BIOS and enable it if you want to use it (instead of having a discrete TPM).
BIOS Settings
On my Gigabyte B550 AORUS PRO AC, this is under Settings, AMD CPU fTPM in Advanced Mode. I set this to enabled.
There is also a Trusted Computing 2.0 settings item that give you some more information about this.
Passing The Check!
Simply enabling AMD CPU fTPM in the BIOS and rebooting let my machine pass the check that the Microsoft tool ran, as you see below.
I have seen reports that hardware virtualization support (AMD-V in this case) also must be enabled, even if you are not using virtualization. That does not seem to be required on this system. AMD-V is shown in red, in HWiNFO64, which means that it is disabled.
This could just be a gap in the Microsoft PC Health Check tool.
Useful Background Information
Final Words
Even though the AMD CPU fTPM feature will work (if your motherboard and AGESA version supports it), you still might want a discrete hardware TPM. There are two reasons for this. First, a discrete hardware TPM is supposed to be more secure than a firmware or software TPM.
Second, since the AMD CPU fTPM is a non-default BIOS setting, it will be reset to the default value of disabled every time you flash your BIOS. That will just be another setting (like XMP) that you will have to remember to enable after a BIOS flash. This is just more Fun With TPM and Windows 11!
Just to be clear, this is mainly an issue with DIY PC motherboards. Recent vintage OEM laptop and desktop machines usually have TPM available and enabled.
If you have any questions about this post, please ask me here in the comments or on Twitter. I am pretty active on Twitter as GlennAlanBerry. Thanks for reading!
1 thought on “Fun With TPM and Windows 11”