TPM 2.0 and Win 11- Part 2

In what has to be one of the most out of character moves ever, Microsoft recently released a registry hack to install Win 11 on a system that does not meet the minimum hardware requirements set by Microsoft. Why would they do that? It’s a good question that I do not know the answer to, but if allowed to speculate, I have a hypothesis or 2. To get there, let’s go back to the beginning of the Win 11 adventure.

  • October 2019– Microsoft announces the development of a dual screen friendly version of Win 10 named Win 10x. MS’s primary stated reason for the new OS was to allow Windows to run on dual screen PCs and laptops with external monitors. For those of us who have been using multiple monitor configurations on Win machines for years, this made very little sense.
  • May 2021– Microsoft announces it will no longer be developing Win 10x. The project was put on indefinite hold. Following on the heels of that year’s continued global cancellation of civil liberties and in person human contact, this cancelation went mostly unnoticed.
  • June 2021– Microsoft announces that it is nearly ready to release Win 11, which came as a bit of a surprise since this was the first mention of the new OS. Also, MS had claimed 10 was going to be the last OS they would release. It was envisioned as an evolving platform and held true to that for about 6 years.
  • June 2021 additional– Microsoft sets the minimum system requirements to an arbitrary standard that would negate the ability to run Win 11 on nearly 90% of the factory built PCs* currently in use, 99% of gaming systems**, and 100% of virtual machines***. Even I had to pick up new equipment to install the dev and beta versions from the Windows Insider Program.
  • October 2021– Win 11 is officially released, followed almost immediately by about half a dozen published ways to bypass those requirements during install and/or regular operation. The simplest of these is to replace a single Win 11 registry key with the Win 10 version of the same key.
  • October 2021 additional– Microsoft publishes the Win 10 key to bypass their own requirements, without mentioning that it is simply the key from Win 10.

Hypothesis #1– Not to sound like a conspiracy theorist (mostly because the process by which MS releases and names its operating systems does not qualify as a conspiracy), I think it is fairly safe to say that Win 11 is Win 10x with a new desktop style and very little else in the way of new anything. Microsoft has always built their new OS on top of the previous OS, and all the core administrative functions, going back to XP, are readily available in Win 11. This release has, however, quite a few fewer shiny new bells and whistles than usual. My only guess is that the OS was intended to enforce an equipment upgrade across the globe, but they reasoned that the registry key bypass was too much of a tell of their tactics, so they tried to get ahead of it by publishing it in a way that didn’t involve the public noticing the Win 10 & 11 similarities.

Hypothesis #2– They realized that they had limited their new OS’s adoption to about 10% of existing systems* by excluding anything older than a few years, most gaming systems, and virtual machines. This bypass does not help gaming** or virtual*** machines, but it does expand their potential Win 11 customer base to include factory built machines within the last 3 years.

Whichever hypothesis is correct (it is most likely a combination of #2 plus a few other reasons), this seems like a continuation of corporate America’s unwritten policy of cost cutting by skipping in house funded product testing in favor of a general rollout to the public of a beta level product. The result could, theoretically, be the cause of the historically frequent cascade of OS release problems and their immediate patching with less than optimal fixes, which we’ve experienced with every major Win OS rollout in the last 20 years. Sounds similar to something else Gates has been rolling out lately, doesn’t it?

  • Best Practices****
    My advice? Simple. Never be an early adopter of Gates inspired technology. It has rarely been rigorously tested or even proven to be a benefit to anyone until the first few service packs or patches have been released.

*TPM 2.0 has only recently been added to and put into use in production model PCs.
**Gamers rarely add security hardware to their self built systems.
***Virtual machines are just that. Virtual. Therefore they do not have hardware TPMs installed.
****The best thing about Best Practices is that there are always so many to choose from.

TPM 2.0 and Windows 11- Part 1

With the roll out of Windows 11, the term TPM 2.0 has been introduced to the general public. What is it exactly? Fundamentally, it is a platform integrity and security device. Beyond that, it depends on who you ask.

For the basics, the TPM (Trusted Platform Module) development has been governed by the TCG (Trusted Computing Group), which is a non-profit (quite lucrative Think Tank) offspring (spawn) of the IT industry (Big Tech). The TCG board is made up of technology manufacturer executives and, sadly, has no one from the EFF (Electronic Frontier Foundation) or any similar consumer advocacy organization, which means caveat emptor as usual. There is a good amount of info to cover about what that means, but for today we will just be discussing what, in a perfect world, the TPM 2.0 was intended to be.

Why was the TPM created?

From Wikipedia– “The primary scope of TPM is to ensure the integrity of a platform. In this context, “integrity” means “behave as intended”, and a “platform” is any computer device regardless of its operating system. This is to ensure that the boot process starts from a trusted combination of hardware and software, and continues until the operating system has fully booted and applications are running.

When TPM is used, the firmware and the operating system are responsible for ensuring integrity.”
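
The boot chain described in the quote above, as an added Python example that is not part of the original post: each stage is hashed before it runs and the digest is folded into a register (PCR) that can only be extended, so a verifier can replay the log and spot a changed component. The component blobs and PCR indexes are constructed for illustration, and the signed quote a real TPM would put around the PCR values is left out.

```python
import hashlib

PCR_SIZE = 32  # bytes in a SHA-256 PCR bank


def measure(blob: bytes) -> bytes:
    """Digest of a boot component, taken before control is handed to it."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: new = H(old || digest). A PCR cannot be set directly."""
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log):
    """Recompute PCR values from an event log of (pcr_index, digest) entries."""
    pcrs = {}
    for index, digest in event_log:
        # Simplification: every PCR starts as all zeros at power-on.
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def boot(chain):
    """Simulate measured boot: log each stage's digest, then extend the PCRs."""
    log = [(index, measure(blob)) for index, blob in chain]
    return log, replay(log)


def check_boot(event_log, reported_pcrs, known_good):
    """Verifier: the log must reproduce the PCRs and hold only known digests."""
    if replay(event_log) != reported_pcrs:
        return "event log does not reproduce the reported PCR values"
    for index, digest in event_log:
        if digest not in known_good:
            return f"unrecognised measurement in PCR {index}"
    return "trusted"


# Constructed sample boot chain (illustrative blobs, not real firmware).
FIRMWARE, BOOTLOADER, KERNEL = b"firmware v1", b"bootloader v1", b"kernel v1"
KNOWN_GOOD = {measure(FIRMWARE), measure(BOOTLOADER), measure(KERNEL)}

if __name__ == "__main__":
    log, pcrs = boot([(0, FIRMWARE), (4, BOOTLOADER), (4, KERNEL)])
    print(check_boot(log, pcrs, KNOWN_GOOD))
    log, pcrs = boot([(0, FIRMWARE), (4, b"bootloader modified"), (4, KERNEL)])
    print(check_boot(log, pcrs, KNOWN_GOOD))
```

Because each extend hashes the previous register value, the same components measured in a different order also produce a different PCR, so the final value commits to the whole sequence.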

Functions-

Encryption– random number generator plus cryptographic capabilities.
Remote attestation*– Device fingerprinting and recognition.
Digital Rights Management– Ensures all media, software, etc. are legitimate and of course, paid for.

What it does not do- Protect your system or data. Although this is being marketed as a consumer protection upgrade, it is merely a corporate profit upgrade. Which is not inherently a bad thing, but they should be honest about it. In the next few posts, we’ll be going over the different hardware and software devices which can be used as TPM 2.0, and in a later installment we’ll go over all the myriad ways one can install, bypass or simply fake this level of compliance. Guess which methods are the cheapest and easiest...

Coming Next Week- Why did Microsoft do an about face on the minimum requirements for Win 11? I have a theory…

*Yes, a topical search of this subject will produce an overwhelming number of papers and articles lauding the privacy and security of the TPM 2.0 and the inherent goodness of remote attestation, but please realize that these were written by corporations, for the benefit of those corporations.

Author’s vaguely connected tangent- And this would be an opportune moment to mention that “By Corporations, for Corporations” is a caveat that must be considered when reading, viewing, or downloading any data nowadays. We are rarely presented with any information that is not in the form of an advertisement. Newspapers are owned by the very entities they used to drag across their pages. Medical studies are announced by press release, not peer review. As Howard Zinn said, “The news is what they hide from us. All we have ever seen was advertising.”

So, always ask this question when experiencing prepared information- Is it BCFC? (Yes, it sounds like a county jail, which is fitting because it has about as much to offer the average human in the way of personal benefit and assistance as a county jail.)

Back to the subject- When one does a less cursory look into the uses of remote attestation, one will find truly dystopian headlines such as-

Sounds legit, right? To sum it up, although there are dozens of RA protocols made by different companies, they all fundamentally function by sending some or all of the exact and, most likely, unique hardware and/or software configuration running on your system, and can therefore be used to track you anywhere you go, regardless of VPN, Tor, or any other identity obfuscation techniques you may be using. With this technology, you are literally starting every internet action with an SSL handshake which proclaims, accurately, exactly what you are running. This can easily be tracked as a single entity with a database of past actions. If that database is connected to any other entities’ attestation database (note that there are only a few mega corporations owning everything nowadays), it quickly becomes the complete digital representation of you. That translates to knowing exactly who you are and what you are doing at any time online, and it will be used to predict and manipulate your actions in the future.

What can be done about this? Um… Well, I’m still working on that. Please comment with any ideas you may have. This discussion is definitely open and your input will help.