Windows 11 TPM 2.0 requirement suddenly leaves virtual machine users locked out


The ballad of Windows 11’s TPM requirement continues: not only is Microsoft still having to clarify what the requirement means, it’s now been revealed virtual machine users may be missing out.

While virtual machine users were able to run pre-release versions of Windows 11, users have now found themselves unable to update the operating system. The issue seemingly behind this is that they do not have physical TPM modules.

The majority of PCs made in the past few years will already have a compatible TPM, even if the user needs to go into the BIOS and activate it first. The module itself is an "important building block" for various Windows 11 features, specifically those tied to security — like Windows Hello and BitLocker.

It also helps encrypt data, which keeps your hard drive safe from thieves. It’s not too difficult to see why Microsoft opted for the TPM requirement, and why it isn’t likely to relax that requirement. However, it is leaving virtual machine users without an option to upgrade.

As of Build 22000.194, Microsoft is enforcing the TPM requirement for everyone, including virtual machine users. Thanks to this, a lot of VM users running pre-release versions of Windows 11 have been locked out of the software.

It is possible for VM users to mimic the presence of TPM hardware, but it’s not a very common feature. In fact the majority of VMs that can spoof a TPM cost money, like Microsoft’s own Hyper-V Manager, which is only available to Windows 10 Pro and Enterprise users.

The same is true for Parallels Desktop 17, which allows Mac users to run Windows 11 despite the lack of official support for the M1 chip. But a Parallels licence costs a minimum of $80 a year.

Microsoft has always maintained that TPM 2.0 would be one of Windows 11’s system requirements. But the company really should have been enforcing that requirement from day one, rather than locking virtual machine users out after the fact.

We’ve already seen that there are ways around Windows 11’s TPM requirement. After all, Asus has already started updating firmware for older Intel CPUs, optimizing for the operating system. That’s in spite of these older processors not appearing to have physical TPM modules installed. But it's not entirely clear whether other companies will follow their example.

It’s also worth checking if your PC has a TPM that hasn’t been activated. It's possible to enable it yourself, provided you’re comfortable heading into the BIOS settings to do it. That doesn’t exactly help virtual machine users, but it means more people will still be able to use Windows 11 when it launches on October 5.

Tom Pritchard
UK Phones Editor


  • karaliusbronius
    I'm really confused by this article. This doesn't leave virtual machine users locked out and doesn't require any form of physical TPM if you're on a server. Just enable vTPM support that comes with vCenter v7.0.2 and give your virtual machine a vTPM. Works without issues, not sure what the big deal is. vTPM is already a requirement in DOD / Government networks for Server 2019 and newer. Is the fact that this article is saying that it's going to cost money to use Windows 11 as a VM, because if so, that's not true either. If your hardware supports Windows 11 with a physical TPM, then you can also install a Windows 11 VM on that guest OS without issues. This article is really misleading and just trying to spread misinformation. You don't need a physical TPM in Hyper-V servers for Windows 11 either.
  • hovnohovno
    Please stop these fake news. A virtual machine has a virtual TPM. This has nothing to do with the physical machine or with the presence of a physical TPM in it. Nothing is changing for VMs.
    Of course you are not going to use your physical machine’s TPM directly and/or forward it into a virtual machine (even though you can). For two reasons:

    First, you do not want dangerous and untrusted game console firmware to ever touch your TPM and its key slots. B-class closed-source software waste belongs in a safe virtual machine container with a virtual TPM, not on real hardware.

    Second, your virtual machine should be, ideally, live-migratable or, at the very least, offline-migratable. For that reason you need a virtual TPM that migrates with it, not a physical TPM that hardwires it onto one particular physical host.

    This entire piece of hoax translates into:
    — open your virtual machine settings (e.g. virt-manager),
    — add a virtual TPM to the virtual machine,
    — Click — Click — Done!

    FFS, why is there so much fuss around it??? The interwebs are full of this nonsense. Ain’t there any real problem to write about?
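
The check below is an added example, not part of the article or of either comment. It audits a libvirt domain definition (the format virt-manager edits) for the kind of TPM the guest is given: an emulated TPM 2.0, a passed-through host TPM, or none. The three XML fragments and the function name `audit_vtpm` are constructed for illustration; on a real host the XML would come from `virsh dumpxml`.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML fragments (sample input, not taken from the page).
EMULATED = """<domain type='kvm'>
  <name>win11-test</name>
  <devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>
</domain>"""

PASSTHROUGH = """<domain type='kvm'>
  <name>win11-pt</name>
  <devices>
    <tpm model='tpm-tis'>
      <backend type='passthrough'>
        <device path='/dev/tpm0'/>
      </backend>
    </tpm>
  </devices>
</domain>"""

NO_TPM = "<domain type='kvm'><name>win11-bare</name><devices/></domain>"


def audit_vtpm(domain_xml):
    """Return (status, detail) for the TPM device in a libvirt domain definition."""
    root = ET.fromstring(domain_xml)
    tpm = root.find("./devices/tpm")
    if tpm is None:
        return ("missing", "no <tpm> device; guest sees no TPM")
    backend = tpm.find("backend")
    if backend is None:
        return ("invalid", "<tpm> has no <backend>")
    kind = backend.get("type")
    if kind == "passthrough":
        # Host TPM handed to the guest: TPM state stays on this physical host.
        dev = backend.find("device")
        path = dev.get("path") if dev is not None else "unknown"
        return ("host-bound", f"uses host TPM {path}; TPM state cannot migrate with the VM")
    if kind == "emulator":
        version = backend.get("version")
        if version == "2.0":
            return ("ok", f"emulated TPM 2.0, model {tpm.get('model')}")
        return ("wrong-version", f"emulated TPM version {version or 'not pinned'}")
    return ("unknown", f"backend type {kind}")
```
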