Install Windows 11 Without TPM 2 on Boot Camp

One of the really interesting features of Winclone 10 is the ability to install Windows 11 onto a Boot Camp partition. I’ve received questions about how this is possible: after all, most Macs do not have a Trusted Platform Module (TPM), and those with a TPM do not expose it to the hardware. Modern Macs have a Secure Enclave, which allows macOS (and Windows 10 to some degree) use Secure Boot.

Secure Boot and TPM in Windows 11

In order to detect malware in the booting process, the boot loader is digitally signed by Microsoft. If Secure Boot is enabled, the boot loader is verified with the Microsoft certificate that signed it. This certificate must be in a location that is trusted: malware could add in a certificate to trust any boot loader if it was in an untrusted location. In T2 Macs, the trusted certificate is stored in the Secure Enclave. In Windows PCs, it is stored in the TPM. When a T2 Mac boots Windows, the T2 co-processor verifies the boot loader if Secure Boot is enabled. This setting is then passed to the EFI boot loader, continuing the secure boot.

In order to increase security, Microsoft wants to validate the boot loader on all PCs. Doing this requires a TCM when installing or upgrading to Windows 11. However, this is the not the same as requiring secure boot to boot the OS. Windows 11 can boot fine without Secure Boot, but the installer requires that the hardware have Secure Boot and a TPM 2 module.

Winclone 10

When using Winclone 10’s “Quick Install Windows” feature, Winclone does not use the Windows installer: instead, it restores the Windows installation from the installer Windows Image (WIM) file. WIM is similar to a ZIP file, as it contains all the base files for booting Windows. This is how Microsoft Tools (such as DISM) deploy Windows in enterprise environments. It is also how Winclone Pro has been working for the last couple of years (allowing you to deploy and customize Windows with settings, drivers, and configurations).

When you select a Windows 11 ISO, Winclone does the following (in order):

  • Winclone mounts the ISO and finds the Install.wim (this is the base install of Windows)
  • The target volume is formatted with NTFS
  • Install.wim is restored to the target drive
  • The hardware is assessed to see what drivers are needed. Those files are then…
    • Configured
    • Copied to the target volume
  • The EFI partition is updated to boot Windows

If Windows 11 is installed on a T2 Mac, the boot loader signature will be verified and the boot process will continue to the boot loader. However, Windows 11 won’t be able to verify the drivers signature since there isn’t a TPM 2. Turning off Secure Boot (in the Mac’s Recovery Mode) resolves this issue. It may be possible that settings for turning off Secure Boot in the Windows registry would allow the Mac Secure Boot to be re-enabled in the future.

Trying Out Windows 11

The new Quick Install Windows feature is a great way to try out Windows 11 on your Intel Mac. Winclone makes it easy to install Windows 11 and try out the new feature in the process. Learn more about Winclone 10 here to give it a try!