After a lot of confusion last week, Microsoft has tried to explain its hardware requirements again, and the main driver of these changes appears to be security. Coupled with Microsoft’s hardware requirements, there is a push to enable a more modern BIOS (UEFI) that supports features such as Secure Boot and TPM 2.0 (Trusted Platform Module).
When you combine TPM with some of the virtualization technologies Microsoft uses in Windows, there is an understandable security benefit, as David Weston, Director of Enterprise and OS Security at Microsoft, noted. Microsoft says a combination of Windows Hello, device encryption, virtualization-based security, Hypervisor Protected Code Integrity (HVCI), and Secure Boot has reduced malware by 60%.
David Weston stated:
The Trusted Platform Module (TPM) is a chip that is either integrated into your PC motherboard or added separately to the CPU. Its purpose is to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers cannot access or tamper with that data.
The PCs of the future need this modern hardware root of trust to protect against common and sophisticated attacks such as ransomware and more sophisticated nation-state attacks. Requiring TPM 2.0 raises the standard for hardware security by requiring this built-in root of trust.
TPM 2.0 is a critical part of ensuring security with Windows Hello and BitLocker to help customers better protect their identities and data. Additionally, for many corporate customers, TPMs help facilitate zero trust security by providing a secure element to attest to the health of devices.
You obviously need modern hardware to activate all of these protections, and Microsoft has been building toward this moment for years. Support for TPM has been a requirement for OEMs who want to achieve Windows certification since Windows 10 was released, but Microsoft has not required businesses or consumers to activate it.
A decision that could take into consideration Meltdown and Spectre
Microsoft’s move to force Windows 11 users to use TPM, Secure Boot and more comes at a pivotal moment for Windows as ransomware and malware attacks are on the rise. Things could therefore get worse if the hardware security level of systems in general is not increased by a notch.
While Microsoft is waiving its new hardware requirements during the preview phase of Windows 11, we still don’t know exactly which devices will be supported when it launches later this year.
Microsoft has tried to bring more clarity to this topic: “As we release for Windows Insiders and partner up with our OEMs, we will be testing to identify devices running Intel 7th generation and AMD Zen 1 that could meet our principles,” says a blog post from the Windows team. This could be good news for the Surface Studio 2, a device Microsoft still sells with a 7th-generation chip that is not on the Windows 11 list.
This same blog post also revealed that the 7th generation is probably the oldest with which Microsoft is willing to make concessions: “We also know that devices running on Intel 6th generation and AMD pre-Zen will not meet Microsoft’s minimum system requirements,” the post read before it was modified to delete this line. Although no reason is given for why Intel 6th generation is not listed, one would assume that part of that decision is related to Spectre and Meltdown, two major computer processor security bugs that have plagued nearly every device manufactured for the past 20 years.
“Microsoft’s processor selections for Windows 11 don’t seem to have much to do with performance, but resemble security mitigations for side channel attacks,” says Patrick Moorhead, senior analyst at Moor Insights and Strategy. It also helps chipmakers focus their driver work on the future, not the past.
Side-channel attacks such as Spectre and Meltdown were revealed just before Intel implemented hardware mitigations to guard against certain speculative execution attacks in some 8th-generation chips in 2018. Not all 8th-generation Intel chips include these hardware mitigations, but Microsoft has set a specific cutoff at 8th generation and beyond. Microsoft hasn’t fully explained this decision, and the company is asking users to be patient and see if it is able to include older machines in its testing. Either way, there will be an exclusion of certain processors that will affect millions of PCs.
Critics regret this Microsoft approach
Critics of Microsoft’s approach note that this move will generate unnecessary electronic waste as consumers replace PCs that are more than capable of running Windows 11. The complexities of TPM and UEFI are also debated by consumers and IT administrators, especially if devices are not yet set up to use these technologies.
Security expert Kevin Beaumont, who spent almost a year working at Microsoft during the pandemic, criticized the company for its Windows 11 hardware requirements:
System administrators have respectfully cautioned Microsoft in recent days of the real world situation with Microsoft’s bubble view. Microsoft does not cost.
It was strange because I sat and watched the folks at Microsoft tweet and retweet stuff basically making fun of their customers’ opinion of the hardware requirements. Microsoft customers are smart. The real world is not Microsoft. There is a new Xbox One situation.
As an example, it’s good that OEMs need TPM2 support in 2015, but try to work with that in the field. Many UEFI updates reset firmware settings incorrectly etc. There are so many problems.
Amid a pandemic where organizations are suffering, with a global shortage of chips, Microsoft is trying to get people to replace things for questionable security reasons, Beaumont said on Twitter. Buy a Surface? No. Build a better operating system.
Microsoft’s hardware changes also come just weeks after Apple announced macOS Monterey, with support for Mac Pros sold in late 2013 and beyond, and Mac Minis sold from late 2014. Apple obviously does not support a wide range of hardware configurations like Microsoft does, but the latest version of macOS will still work on systems that are eight years old. Microsoft’s changes mean that some PCs that are only three years old will be excluded from the Windows 11 upgrade.
There will be a few exceptions to Microsoft’s new rules, however: “Windows 11 does not enforce hardware compliance control for virtualized instances during installation or upgrade,” notes a Microsoft document on minimum hardware requirements for Windows 11. This means that if you are running Windows 11 as a virtual machine, you can ignore CPU and security requirements. This flies in the face of Microsoft’s big security push here, but the reality is that most consumers and business customers won’t be running Windows 11 in a virtual machine.
Microsoft still has a few months to test Windows 11, and feedback on the Preview will inform “any adjustments that [Microsoft] should make to our minimum system requirements in the future.” The software maker also removed its PC Health Check app, which caused a lot of confusion around Windows 11 upgrades. “We recognize that it was not fully prepared to share the level of detail or precision you expected from us on why a Windows 10 PC does not meet upgrade requirements,” the Windows team said.
This gives Microsoft a bit of a break between now and launch, and enough time for testers to be able to use Windows 11 without these new restrictions. But if you’re testing Windows 11 right now on an older processor that’s not on the official list, chances are you’ll need to reinstall Windows 10 when the preview period ends.
Microsoft allows testers to access Windows 11 on a wide range of hardware at preview, but the publisher plans to apply these new restrictions at launch.