Microsoft, time and time again, has explained why features like TPM (Trusted Platform Module) 2.0, VBS (Virtualization-based Security), and Secure Boot are important for a Windows 11 PC. While these features existed before Windows 11, Microsoft made them mandatory with that release, citing the enhanced security benefits they bring, and it also published visual demos to better explain how.
That was back in 2021. Fast forward to these days, with the release of the Windows 11 24H2 feature update (which just became downloadable to more users), the company recently updated one of the support articles on its official website. Neowin discovered this change while browsing the interwebs.
The article is about Automatic Device Encryption via BitLocker, which Microsoft refers to as "Auto-DE", and a particular section of this document was updated to reflect why TPM and Secure Boot are required for Device Encryption.
Previously, it stated:
Why isn't Device Encryption available?
Here are the steps to determine why Device Encryption might not be available:
From Start, type System Information, right-click System Information in the list of results, then select Run as administrator
In the System Summary - Item's list, look for the value of Automatic Device Encryption Support or Device Encryption Support
The value provides the reasons why Device Encryption can't be enabled
If the value says Meets prerequisites, then Device Encryption is available on your device.
And here's what the updated page says now:
Why isn't Device Encryption available?
Here are the steps to determine why Device Encryption might not be available:
From Start, type System Information, right-click System Information in the list of results, then select Run as administrator
In the System Summary - Item's list, look for the value of Automatic Device Encryption Support or Device Encryption Support
The value describes the support status of Device Encryption:
Meets prerequisites: Device Encryption is available on your device
TPM is not usable: your device doesn't have a Trusted Platform Module (TPM), or the TPM isn't enabled in the BIOS or in the UEFI
WinRE is not configured: your device doesn't have Windows Recovery Environment configured
PCR7 binding is not supported: Secure Boot is disabled in the BIOS/UEFI, or you have peripherals connected to your device during boot (like specialized network interfaces, docking stations, or an external graphics card)
Essentially, the article details what those unmet "prerequisites" are. They include TPM, WinRE (Windows Recovery Environment), and Secure Boot. Besides these, Microsoft also mentions PCR7.
PCR, or Platform Configuration Register, is a memory location on the TPM and is used for storing hash algorithms. PCR profile 7, or PCR7, is what BitLocker binds to. This binding ensures that a cryptographic key, in this case the BitLocker key, is released only at a specific point during boot, neither before nor after.
This is where Secure Boot comes in: it verifies and validates the necessary Microsoft Windows PCA 2011 certificate during boot, since an invalid signature means BitLocker falls back to a PCR profile other than 7.
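The System Information steps above can be reproduced from an elevated PowerShell prompt, and each prerequisite the updated article names (TPM, WinRE, Secure Boot for PCR7 binding) can be checked directly. This is an added example, not code from Microsoft's article; it assumes msinfo32 writes its export with a tab between item and value, and $ReportPath is an arbitrary scratch location.

```powershell
# Added example: non-interactive version of the "Device Encryption Support" check,
# plus direct checks of the prerequisites named in the support article.
# Run from an elevated PowerShell prompt. $ReportPath is an assumed scratch path.
$ReportPath = Join-Path $env:TEMP 'msinfo32-devenc.txt'

# 1. Export the same System Summary that msinfo32 displays, then pull the
#    "Device Encryption Support" line (assumed tab-separated item/value).
Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$ReportPath`"" -Wait
$line = Get-Content $ReportPath |
    Where-Object { $_ -match '^(Automatic )?Device Encryption Support' } |
    Select-Object -First 1
$status = if ($line) { ($line -split "`t", 2)[1].Trim() } else { 'value not found in report' }
Write-Host "Device Encryption Support : $status"

# 2. TPM: present and ready for use (Get-Tpm requires elevation).
$tpm = Get-Tpm
Write-Host ("TPM present / ready       : {0} / {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

# 3. WinRE: reagentc reports "Windows RE status: Enabled" when configured.
$winre = (reagentc /info | Select-String 'Windows RE status').ToString().Trim()
Write-Host "WinRE                     : $winre"

# 4. Secure Boot, which PCR7 binding depends on. Confirm-SecureBootUEFI throws
#    on legacy BIOS systems, so report that case instead of failing.
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'not supported (legacy BIOS?)' }
Write-Host "Secure Boot               : $secureBoot"

# 5. Current BitLocker state of the OS volume, for comparison with the above.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Host ("BitLocker on {0}          : {1}, protection {2}" -f $env:SystemDrive, $vol.VolumeStatus, $vol.ProtectionStatus)
```

If the first line reports anything other than "Meets prerequisites", the remaining checks show which of the listed prerequisites is the one that failed.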
For those wondering what this fuss about BitLocker and encryption on Windows 11 24H2 is, the Redmond giant lowered the OEM requirements for Auto-DE on the latest Windows version and thus even Home PCs can be automatically encrypted. Soon after, the company also released a handy recovery and backup guide for the BitLocker key which should be a smart thing to bookmark.
Third-party backup and cloning apps like Acronis are also baking in relevant changes for the same.
This is Microsoft's way of letting you know why you should stick to an officially eligible PC on its latest version of Windows, and the company's official stance is that you get a new PC if yours is too old.
Recently, the company also clarified its current position regarding the system requirements of Windows 11 on unsupported hardware after explaining how TPM 2.0 is a non-negotiable standard on its OS.