Since the launch of Windows 11 on October 5, 2021, Microsoft has emphasized the importance of security features such as Trusted Platform Module 2.0 (TPM 2.0), Virtualization-Based Security (VBS), and Secure Boot. These features existed before Windows 11, but they are now mandatory on security grounds.
Microsoft requires these features for Windows 11
Microsoft's updated official documentation specifically addresses automatic device encryption via BitLocker, known as "Auto-DE". The document sets out the reasons why TPM 2.0 and Secure Boot are required.
Where the old documentation simply indicated whether the prerequisites were met or not, the new documentation specifically details several potentially unmet conditions.
The first concerns TPM 2.0, which may be absent or not enabled in the BIOS or UEFI firmware. The second concerns the Windows Recovery Environment (WinRE), which must be correctly configured. Finally, PCR7 binding may not be supported if Secure Boot is disabled or if external devices are connected at boot.
The document also mentions the Platform Configuration Registers (PCRs), memory areas of the TPM that store hash measurements. The PCR7 profile used by BitLocker ensures that the cryptographic key is only loaded at a specific point during startup. Secure Boot intervenes in this process: its role is to verify the Microsoft Windows PCA 2011 certificate during startup. If the signature is invalid, BitLocker falls back to other profiles.
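As an added example (not from the article or from Microsoft's documentation), the following PowerShell script, run in an elevated session on Windows 11, reports the prerequisites the documentation lists: TPM 2.0 presence and readiness, Secure Boot state, WinRE status, and the current BitLocker state of the OS volume. The cmdlets are real; the function and result property names are this example's own.

```powershell
# Added example: report the automatic device encryption (Auto-DE) prerequisites.
# Run as administrator on Windows 11. Function and property names are this example's own.
function Get-AutoDePrerequisites {
    $result = [ordered]@{}

    # 1. TPM present, ready, and reported by the firmware as spec version 2.0
    $tpm    = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                  -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; the first field is the spec version
    $specVersion = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady
    $result.TpmSpec    = $specVersion
    $result.TpmOk      = $tpm.TpmPresent -and $tpm.TpmReady -and ($specVersion -eq '2.0')

    # 2. Secure Boot enabled (needed for the PCR7 binding profile).
    #    Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # 3. WinRE configured. reagentc prints "Windows RE status: Enabled" on English systems;
    #    adjust the pattern on localized installs.
    $reInfo = & reagentc.exe /info 2>&1 | Out-String
    $result.WinReEnabled = [bool]($reInfo -match 'Windows RE status:\s+Enabled')

    # Informational: current BitLocker state and key protectors of the OS volume
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.OsVolumeProtection = if ($osVol) { $osVol.ProtectionStatus } else { 'n/a' }
    $result.OsVolumeProtectors = if ($osVol) { $osVol.KeyProtector.KeyProtectorType -join ', ' } else { 'n/a' }

    # PCR7 binding itself is shown by msinfo32 ("PCR7 Configuration") and is not derived here.
    $result.AllPrerequisitesMet = $result.TpmOk -and $result.SecureBoot -and $result.WinReEnabled
    [pscustomobject]$result
}

Get-AutoDePrerequisites | Format-List
```

A machine that reports AllPrerequisitesMet as False will not get automatic device encryption, and the individual fields show which of the three conditions the documentation names is the cause.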
Microsoft tells you to buy a new PC
Microsoft is making these clarifications because, with the release of the Windows 24H2 update, the requirements for automatic device encryption have been relaxed, and even PCs running Windows Home are now covered.
The Redmond firm has also published a BitLocker key backup and recovery guide, specifying that it is advisable to keep the document. Third-party vendors like Acronis adapt their backup solutions accordingly.
With this documentation update, Microsoft therefore confirms the importance of using a PC fully compatible with Windows 11. To put it simply, the company's position remains clear: if your machine is too old, you need to buy a new one. The Redmond firm maintains that TPM 2.0 is a non-negotiable requirement for its operating system.