TPM2 KEY


I can't remember the last time I reinstalled Windows before updating my 6700K build, but I didn't need to buy anything or a modified ISO to install Windows 11. I had a Z270 XI Hero MB that had the option to turn on TPM, and everything worked fine afterwards.
Sadly, even though my X99 WS does have TPM 1.2 my 6900K chip is not supported for Windows 11. Some have said the BIOS update will give me TPM2 and if that is the case I already have it. Nonetheless my system is not compliant with Windows 11 and that is when I checked with Microsoft support to learn how to install Win 11 on a non-compliant system. I was surprised to learn that they will tell you how to do it (with a caveat, of course).
 

My Computer

System One

  • OS
    WIN 11, WIN 10, WIN 8.1, WIN 7 U, WIN 7 PRO, WIN 7 HOME (32 Bit), LINUX MINT
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY, ASUS, and DELL
    CPU
    Intel i7 6900K (octocore) / AMD 3800X (8 core)
    Motherboard
    ASUS X99E-WS USB 3.1
    Memory
    128 GB CORSAIR DOMINATOR PLATINUM (B DIE)
    Graphics Card(s)
    NVIDIA 1070
    Sound Card
    Crystal Sound (onboard)
    Monitor(s) Displays
    single Samsung 30" 4K and 8" aux monitor
    Screen Resolution
    4K and something equally atrocious
    Hard Drives
    A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W

    Ports X, Y, and Z are reserved for USB access and removable drives.

    Drive types consist of the following: Various mechanical hard drives bearing the brand names, Seagate, Toshiba, and Western Digital. Various NVMe drives bearing the brand names Kingston, Intel, Silicon Power, Crucial, Western Digital, and Team Group. Various SATA SSDs bearing various different brand names.

    RAID arrays included:

    LSI RAID 10 (WD Velociraptors) 1115.72 GB
    LSI RAID 10 (WD SSDS) 463.80 GB

    INTEL RAID 0 (KINGSTON HYPER X) System 447.14 GB
    INTEL RAID 1 TOSHIBA ENTERPRIZE class Data 2794.52 GB
    INTEL RAID 1 SEAGATE HYBRID 931.51 GB
    PSU
    SEVERAL. I prefer my Corsair Platinum HX1000i but I also like EVGA power supplies
    Case
    ThermalTake Level 10 GT (among others)
    Cooling
    Noctua is my favorite and I use it in my main. I also own various other coolers. Not a fan of liquid cooling.
    Keyboard
    all kinds.
    Mouse
    all kinds
    Internet Speed
    360 mbps - 1 gbps (depending)
    Browser
    FIREFOX
    Antivirus
    KASPERSKY (no apologies)
    Other Info
    I own too many laptops: A Dell touch screen with Windows 11 and 6 others (not counting the other four laptops I bought for this household.) Being a PC builder I own many desktop PCs as well. I am a father of five providing PCs, laptops, and tablets for all my family, most of which I have modified, rebuilt, or simply built from scratch. I do not own a cell phone, never have, never will.
It's most likely that a lot of businesses use proprietary software that has not yet been updated for Win11 and even though it works on Win10 it may not work on Win11.

The 2 old Notebooks I've done are working fine.
 

My Computers

System One System Two

  • OS
    Win11 Pro RTM
    Computer type
    Laptop
    Manufacturer/Model
    Dell Vostro 3400
    CPU
    Intel Core i5 11th Gen. 2.40GHz
    Memory
    12GB
    Hard Drives
    256GB SSD NVMe
  • Operating System
    Windows 11 Pro RTM x64
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Vostro 5890
    CPU
    Intel Core i5 10th Gen. 2.90GHz
    Memory
    16GB
    Graphics card(s)
    Onboard, no VGA, using a DisplayPort-to-VGA adapter
    Monitor(s) Displays
    24" Dell
    Hard Drives
    512GB SSD NVMe, 2TB WDC HDD
    Browser
    Firefox, Edge
    Antivirus
    Windows Defender/Microsoft Security
If I do live to be 100, I'll never understand why anyone would spend good money on something that is not required, to just run Windows 11/Pro/64.

It's a freakin' OS, not the program to launch a moon shot. In fact, what most of us run today is way ahead of that which went to the moon.

I'm sorry, but, us Old Men just don't get it sometimes! KISS! (Keep it simple Stupid!)

And I don't understand why you give a care what someone else does with their own money. It's their choice - trying to understand is futile. If they were spending your money, I could understand your concern. And, as far as KISS, read on:

My understanding is that is okay in the short term, but what if you need to change the motherboard or reset/update the BIOS? Then my understanding is that your TPM settings are lost without a standalone module installed and initialised. But this is a new area to me, so I do not know what the likely outcome is. Personally, I just wanted peace of mind.

This. Every time a new UEFI firmware was released for my mobo (MSI MEG X570 GODLIKE) before I bought the external TPM chip, it would reset the fTPM - and my installed system was rendered useless because Windows 11 refused to recognize me anymore.

Yes, I went through all sorts of troubleshooting methods, and found ways I could (mostly) fix it - but little idiosyncrasies inevitably popped up, every single time.

So, I spent $20-some-odd bucks and put the chip in.

Never had a problem with UEFI firmware update since.

For the record, there have been 8 newer UEFI firmware released since I bought it. Additionally, more than a couple were major and / or minor bug fixes with the AGESA software, and a few were updates to AGESA. So, yeah, they were not exactly things that I should be ignoring.
 

My Computers

System One System Two

  • OS
    Windows 11 23H2 Current build
    Computer type
    PC/Desktop
    Manufacturer/Model
    HomeBrew
    CPU
    AMD Ryzen 9 3950X
    Motherboard
    MSI MEG X570 GODLIKE
    Memory
    4 * 32 GB - Corsair Vengeance 3600 MHz
    Graphics Card(s)
    EVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12G-P5-3955-KR)
    Sound Card
    Realtek® ALC1220 Codec
    Monitor(s) Displays
    2x Eve Spectrum ES07D03 4K Gaming Monitor (Matte) | Eve Spectrum ES07DC9 4K Gaming Monitor (Glossy)
    Screen Resolution
    3x 3840 x 2160
    Hard Drives
    3x Samsung 980 Pro NVMe PCIe 4 M.2 2 TB SSD (MZ-V8P2T0B/AM) } 3x Sabrent Rocket NVMe 4.0 1 TB SSD (USB)
    PSU
    PC Power & Cooling’s Silencer Series 1050 Watt, 80 Plus Platinum
    Case
    Fractal Design Define 7 XL Dark ATX Full Tower Case
    Cooling
    NZXT KRAKEN Z73 73.11 CFM Liquid CPU Cooler (3x 120 mm push top) + Air 3x 140mm case fans (pull front) + 1x 120 mm (push back) and 1 x 120 mm (pull bottom)
    Keyboard
    SteelSeries Apex Pro Wired Gaming Keyboard
    Mouse
    Logitech MX Master 3S | MX Master 3 for Business
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
    Browser
    Nightly (default) + Firefox (stable), Chrome, Edge
    Antivirus
    Defender + MB 5 Beta
  • Operating System
    ChromeOS Flex Dev Channel (current)
    Computer type
    Laptop
    Manufacturer/Model
    Dell Latitude E5470
    CPU
    Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2501 Mhz, 2 Core(s), 4 Logical Processor(s)
    Motherboard
    Dell
    Memory
    16 GB
    Graphics card(s)
    Intel(R) HD Graphics 520
    Sound Card
    Intel(R) HD Graphics 520 + RealTek Audio
    Monitor(s) Displays
    Dell laptop display 15"
    Screen Resolution
    1920 * 1080
    Hard Drives
    Toshiba 128GB M.2 22300 drive
    INTEL Cherryville 520 Series SSDSC2CW180A 180 GB SATA III SSD
    PSU
    Dell
    Case
    Dell
    Cooling
    Dell
    Mouse
    Logitech MX Master 3S (shared w. Sys 1) | Dell TouchPad
    Keyboard
    Dell
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
I'm thinking perhaps I should use that key on my X570 ASUS CROSSHAIR VIII HERO instead of my X99 rig. Even though it passed the Microsoft compliance test the upgrade from 10 to 11 resulted in a disaster. I eventually had to reinstall Win 10. So that's where it currently sits. At least this way I can ensure that my Windows 7 remains unscathed on my work station.
 

They aren't necessarily mix and match - you need to verify from ASUS' website which one that mobo takes. But other than that, yeah. Might be a good idea to go that route.
 

Good point. This key was especially designed for ASUS system boards. I don't recall all the boards on the list so I'll have to check that out first. I'm pretty sure the pin out matches though, but yeah that might not be enough.
 

Well, I finally did it. I plugged in the module. It took a couple of reboots before I could access an OS, but it looks like all systems are "go". The little plug also has a tiny red LED on it to indicate that it is operational. I haven't messed with anything in the BIOS yet so I do not know whether or not it is encrypting any of my data. I rather hope not. It took a bit of time for me to work up the courage to plug in this device so I'm just going to leave it at that for now. I know that TPM has been around for over a decade now and has failed many times since. I can only hope that I will not be another recipient of one of those notorious failures. Windows 11 is working fine (apart from the usual issues) despite this non-compliant platform.
 

WinKey + R, type tpm.msc to see if it is recognized; if not, the BIOS needs to be checked. The OS reads the BIOS as it's starting so as to know what resources are available.

What one of mine shows:

1710177955975.png
 

Here's what I get:
TPM_2024_X99.png

Evidently it appears to be working. "Prepare the TPM" is greyed out however, but I'm not so sure I want to clear it at this stage if I already have ownership.
 

If you go to Windows Defender, both TPM and attestation say that it is not enabled, because you need to update the firmware from the vulnerable 5.0.1089.2 to 5.62.3126.2.
If you want to try, here in the last post are the instructions (for ASRock motherboard):
 

My Computers

System One System Two

  • OS
    Windows 11 Pro latest
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 5600
    Motherboard
    Msi b550 gaming gen3
    Memory
    32 gb 3200 mhz xmp (4x8)
    Graphics Card(s)
    msi rtx3060 8gb
    Sound Card
    sound blaster audigy fx
    Monitor(s) Displays
    Philips 222V8LA/00
    Screen Resolution
    1980x1080
    Hard Drives
    MX500 Crucial
    PSU
    corsair cv 750
    Case
    q-tech
    Cooling
    deepcool gammaxx 200t
    Keyboard
    k81 gigabyte force
    Mouse
    Viper V530
    Internet Speed
    100-10
    Browser
    Mozilla
    Antivirus
    Windows defender
  • Operating System
    windows 11 pro latest
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T420
    CPU
    i5-2520M
    Memory
    8Gb ddr3 1333 mhz
    Graphics card(s)
    hd3000
    Sound Card
    on board
    Screen Resolution
    1366x768
    Hard Drives
    Team group lite 3d 240gb
    Internet Speed
    100-10
    Antivirus
    defender
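
The checks these posts make through tpm.msc and Windows Security, written as a PowerShell script (an added example, not part of any post in this thread). It uses the built-in Get-Tpm cmdlet and the Win32_Tpm CIM class; the minimum firmware version is the one quoted in the post above, and applying it to another module assumes the same TPM vendor and firmware family.

```powershell
# Added example. Run from an elevated PowerShell session on Windows 10/11.
# $MinFirmware defaults to the fixed version quoted in the post above; it is only
# meaningful for the same vendor's firmware line (assumption).
param([version]$MinFirmware = '5.62.3126.2')

$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    Write-Warning 'No TPM visible to Windows. Check that it is enabled in the BIOS/UEFI setup.'
    return
}

# SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family (1.2 or 2.0).
$wmi  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$spec = ($wmi.SpecVersion -split ',')[0].Trim()

# ManufacturerVersion is a string; parse it so the comparison is numeric, not textual.
$fw = $null
$parsed = [version]::TryParse($tpm.ManufacturerVersion, [ref]$fw)

[pscustomobject]@{
    Vendor          = $tpm.ManufacturerIdTxt
    SpecFamily      = $spec
    Firmware        = $tpm.ManufacturerVersion
    Ready           = $tpm.TpmReady      # False here matches "not ready" in tpm.msc
    Owned           = $tpm.TpmOwned
    LockedOut       = $tpm.LockedOut
    BelowMinimum    = if ($parsed) { $fw -lt $MinFirmware } else { $null }
}

if ($spec -ne '2.0') {
    Write-Warning "TPM family is $spec; Windows 11 expects 2.0."
}
if ($parsed -and $fw -lt $MinFirmware) {
    Write-Warning "Firmware $fw is older than $MinFirmware. Suspend BitLocker and back up recovery keys before any firmware update or TPM clear."
}
```

A `BelowMinimum` of `$null` means the firmware string could not be parsed as a version and has to be compared by hand against the vendor's advisory.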
Well, I managed to work up the stupidity or bravery (take your pick) to clear the security keys and give it a go. Result: Loss of both operating systems. Once I managed to get one operating system back up and running I get this in device manager:

TPM2FAIL2024.png
So now I have yet another bang to deal with in addition to my TBMT issue. My suspicions have been confirmed. I did manage to get back on Windows 11 by clearing the keys manually, in the BIOS instead of using the WinKey + R, tpm.msc option to clear the keys. I rather doubt that I will be successful in making this device functional in Windows 7U. Attempts at updating the module result in Windows informing me that I already have the latest 'drivers' for this device.

On the Windows 11 side the module appears to be working correctly, but this is only after I cleared the security keys in the BIOS. My system repair disk only resulted in the system informing me that I had the wrong disc so I'm thinking this likely is due to the change in security keys. I will likely need to burn a new disc as a result of installing this module.

TPM2.0WIN112024DM.png

I'll see if I can deal with that vulnerability at a later point as I think I am more than adequately establishing why TPM really is an impractical waste of time, energy, and money. The "Unknown device" in the above is my Intel TBMT which was disabled at the behest of another member of this forum. Considering it wouldn't work with Windows 11 anyway, I consider this sound advice.


To be fair, X99 is an older platform. Nonetheless problems with TPM on newer platforms (including those that come with TPM 2 built in) are not uncommon. My opinion remains as ever: TPM needs to be scrapped. My reason for doing this is not because I like TPM, but to investigate it and to learn. I'm a naturally curious person and I like to try new things in the world of PCs. That said after ten years of TPM still generating vulnerabilities it behooves me to say that the writing is on the wall. I'm guessing the Consortium has already made their investments back with this. They need to let it go.

Thank you for the help. I will consider any further assistance I can get with this and I certainly appreciate the patience and advice that I get from my fellow members of this wonderful forum.
 

1) Did you reset the BIOS from pins?
2) Also, I know that TPM 2.0 needs CSM disabled; by definition it can't work with CSM on.
3) Can I see in a pic what Defender says (like this)?
1.jpg

Also keep in mind that if you need to update the firmware, you need to clear the TPM and go into the BIOS and disable the TPM module.
Or, if you clear it from the BIOS, don't let the PC boot into Windows; you need to go into the BIOS, disable the TPM and boot Windows without the TPM module. In simple words: after clearing the TPM you need to disable the module in the BIOS, boot Windows without the TPM, and then update it with my file.
 
I do not know whether I have TPM disabled in the BIOS or not but both operating systems boot again and I have it in functional condition in Windows 7U now. Device manager says it's working properly.

TPMFILEVERSION.png

Maybe best to leave well enough alone on this older platform. I had to repair two substantial RAID arrays as a consequence of all this fiddling. ;-)
 

1) Did you reset the BIOS from pins?
2) Also, I know that TPM 2.0 needs CSM disabled; by definition it can't work with CSM on.
3) Can I see in a pic what Defender says (like this)?

Well, I'm not sure what resetting the BIOS from pins is. I cleared all my security keys and it took me a while but I got it running. My XMP on my RAM dropped for some reason and two of my RAID arrays had to be rebuilt, but everything seems to be working (sort of) now. The BIOS does appear to recognize that I have plugged in a TPM module. I believe CSM is disabled but I can check again to be sure.

Fortunately I don't have to mess with any fTPM settings and I feel badly for those who have to wrestle with stuff like that on AMD builds. This is partly why I opted to install this module in my main PC rather than my X570 HERO which seems to run fine without it. Sadly, Intel also has its own problems. No need to check Defender. I use Kaspersky. I have already confirmed that the module is not attestation ready. Storage ready yes. Part of me wonders if this isn't sufficient as this is an older platform after all and if my storage is secure perhaps I should be satisfied with that.

IMG_1106.JPG

Boot times are considerably slower now for some reason. This is not a big deal for me as I generally turn this PC on and leave it on all day and night normally. I generally only reboot for updates on this unit or when I switch from Win 7 to 11. What concerns me is the SHA. These settings are a veritable nightmare and disabling anything here could result in a rerun of the MONSTER FROM SHA. This is one headache I would seriously like to avoid. So exactly what is it that you recommend that I disable? Thanks again, for your assistance.
 

If you want to update the TPM module, you need to clear the TPM from the BIOS, re-enter the BIOS quickly (without booting into Windows), and change the option in this screenshot: Security Device Support from Enable to Disable.
After that, you need to go into Windows, update the firmware, and then re-enter the BIOS and enable Security Device Support again.

The responsibility is yours. This is the only way to update it. And you will probably need to fix your RAID again.
 

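A pre-flight check for the clear-and-update procedure above, as an added example that is not from any poster in this thread: it records the TPM firmware and spec version and lists BitLocker volumes whose key is bound to the TPM, since clearing the TPM destroys the keys it holds. The snapshot file name is an assumption; run it from an elevated PowerShell prompt, once before clearing and again after the update.

```powershell
# Added example: snapshot TPM state before clearing it for a firmware update.
$out = Join-Path $env:USERPROFILE 'tpm-before-clear.json'   # assumed location

# Get-Tpm reports presence, readiness and the firmware (manufacturer) version.
$tpm = Get-Tpm

# Win32_Tpm adds the TCG spec version the module implements.
$wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm

# BitLocker volumes with a TPM-based protector need their recovery password
# after a clear, so flag any that have none. The cmdlet is absent on editions
# without BitLocker, hence the guard.
$sealed = @()
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $sealed = @(Get-BitLockerVolume |
        Where-Object { $_.KeyProtector.KeyProtectorType -match 'Tpm' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint          = $_.MountPoint
                ProtectionStatus    = "$($_.ProtectionStatus)"
                HasRecoveryPassword = (@($_.KeyProtector.KeyProtectorType -match '^RecoveryPassword$').Count -gt 0)
            }
        })
}

if (Test-Path $out) {
    # Second run (after the update): compare against the saved snapshot.
    $before = Get-Content $out -Raw | ConvertFrom-Json
    "Firmware before: $($before.ManufacturerVersion)  now: $($tpm.ManufacturerVersion)"
    "TPM ready now:   $($tpm.TpmReady)"
} else {
    # First run (before clearing): save the snapshot and warn about exposure.
    [pscustomobject]@{
        Taken               = (Get-Date).ToString('s')
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        ManufacturerIdTxt   = $tpm.ManufacturerIdTxt
        ManufacturerVersion = $tpm.ManufacturerVersion
        SpecVersion         = $wmi.SpecVersion
        TpmSealedVolumes    = $sealed
    } | ConvertTo-Json -Depth 4 | Set-Content -Path $out -Encoding UTF8

    foreach ($v in $sealed) {
        if (-not $v.HasRecoveryPassword) {
            Write-Warning "$($v.MountPoint) has a TPM protector but no recovery password."
        }
    }
    "Snapshot written to $out"
}
```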
Well, that sure didn't make much of a difference. I installed the diagnostic tool and it would appear that I still have that "vulnerability". I haven't attempted updating the firmware yet because I'm really not sure I want to risk it. Firmware updates are pretty dicey. I don't want to brick my system board.

tpmvulnwin11.png
 

Interesting. The one that I got for my PC was already at a newer firmware than required, and indeed, does not show the vulnerability.

Screenshot 2024-03-15 151228.png

I do wish they made it easier to update the fw without having to clear the info (or, at the very least, be able to export and then later import it back, like we used to do with old (pre-UEFI) BIOS flashing).
 

My Computers

System One System Two

  • OS
    Windows 11 23H2 Current build
    Computer type
    PC/Desktop
    Manufacturer/Model
    HomeBrew
    CPU
    AMD Ryzen 9 3950X
    Motherboard
    MSI MEG X570 GODLIKE
    Memory
    4 * 32 GB - Corsair Vengeance 3600 MHz
    Graphics Card(s)
    EVGA GeForce RTX 3080 Ti XC3 ULTRA GAMING (12G-P5-3955-KR)
    Sound Card
    Realtek® ALC1220 Codec
    Monitor(s) Displays
    2x Eve Spectrum ES07D03 4K Gaming Monitor (Matte) | Eve Spectrum ES07DC9 4K Gaming Monitor (Glossy)
    Screen Resolution
    3x 3840 x 2160
    Hard Drives
    3x Samsung 980 Pro NVMe PCIe 4 M.2 2 TB SSD (MZ-V8P2T0B/AM) } 3x Sabrent Rocket NVMe 4.0 1 TB SSD (USB)
    PSU
    PC Power & Cooling’s Silencer Series 1050 Watt, 80 Plus Platinum
    Case
    Fractal Design Define 7 XL Dark ATX Full Tower Case
    Cooling
    NZXT KRAKEN Z73 73.11 CFM Liquid CPU Cooler (3x 120 mm push top) + Air 3x 140mm case fans (pull front) + 1x 120 mm (push back) and 1 x 120 mm (pull bottom)
    Keyboard
    SteelSeries Apex Pro Wired Gaming Keyboard
    Mouse
    Logitech MX Master 3S | MX Master 3 for Business
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
    Browser
    Nightly (default) + Firefox (stable), Chrome, Edge
    Antivirus
    Defender + MB 5 Beta
  • Operating System
    ChromeOS Flex Dev Channel (current)
    Computer type
    Laptop
    Manufacturer/Model
    Dell Latitude E5470
    CPU
    Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2501 Mhz, 2 Core(s), 4 Logical Processor(s)
    Motherboard
    Dell
    Memory
    16 GB
    Graphics card(s)
    Intel(R) HD Graphics 520
    Sound Card
    Intel(R) HD Graphics 520 + RealTek Audio
    Monitor(s) Displays
    Dell laptop display 15"
    Screen Resolution
    1920 * 1080
    Hard Drives
    Toshiba 128GB M.2 22300 drive
    INTEL Cherryville 520 Series SSDSC2CW180A 180 GB SATA III SSD
    PSU
    Dell
    Case
    Dell
    Cooling
    Dell
    Mouse
    Logitech MX Master 3S (shared w. Sys 1) | Dell TouchPad
    Keyboard
    Dell
    Internet Speed
    AT&T LightSpeed Gigabit Duplex Ftth
I'm honestly reluctant to try to update that firmware with the module in my PC. I think I have another system board I could use for that purpose. Looks like I'm getting all the prompts to build that old ROGUE PC I've been collecting parts for. Then again, I'm not sure it would be transferable afterward. Perhaps someone here could let me know? 😕
 

