Windows 11

SpyderTracks

We love you Ukraine
Many thanks for this. It's encouraging on the one hand but on the other it just looks like more marketing blunders that make the whole Windows 11 announcement seem like something dreamed up by a bunch of 8 year olds. They seem to be making stuff up as they go along!
Totally agreed. I could understand it if this was like a pre-warning a year or so before they announced the OS, saying yes, we're going to have to make some significant restrictions, so prepare yourself.

But this is nothing of the sort, this is a 3 month warning just after the most significant uptake in new PC equipment in the history of computing, if they do hold tight to it, it's extremely short sighted and thoughtless.
 

SpyderTracks

We love you Ukraine
Update on the compatibility tool, Microsoft have pulled it and intend it to be more granular and give reasons why it’s failed, also likely to be more lenient on cpu compatibility:

 

ubuysa

The BSOD Doctor
Update on the compatibility tool, Microsoft have pulled it and intend it to be more granular and give reasons why it’s failed, also likely to be more lenient on cpu compatibility:

More muddle and confusion there then!

The minimum system requirements are "a dual-core 64-bit CPU running at 1 GHz", so why is my quad-core 64-bit 3.4GHz i7-6700 deemed to not meet the minimum spec in this paragraph?
“Using the principles above, we are confident that devices running on Intel 8th generation processors and AMD Zen 2 as well as Qualcomm 7 and 8 Series will meet our principles around security and reliability and minimum system requirements for Windows 11 .... We also know that devices running on Intel 6th generation and AMD pre-Zen will not.

A dual-core 64-bit CPU running at 1 GHz is the minimum requirement - except when it's not! For pity's sake Microsoft, get your story straight!!

Later on in there they also say....
If it turns out that the experience on a CPU currently considered too slow to run Windows 11 is actually better than expected, Microsoft could potentially tweak the system requirements down. Conversely, if the experience is poor, it might make the requirements a little tougher.

So what they're really saying is that 6th-gen Intel CPUs are definitely too slow to run Windows 11 and 7th-gen Intel CPUs might be too slow to run it, but they're not sure yet. How CPU hungry is Windows 11?? And if pre-8th gen CPUs really are too slow then why is the minimum system requirement so basic?
 

Macco26

Expert
I don't know if it all comes down to new defensive hardware strengthening technologies, like Core Isolation, Hypervisor-protected code integrity, Memory Integrity and what not.
I am not prepared to know this, so the question: is 6th gen maybe lacking some of those techs while 7th and 8th gen got them working? They should share almost the same Skylake cores, but some safety strengthening occurred over the years as all that malware was discovered, I guess.

What is your Windows Defender showing about those techs? My bet is that MS want them to become mandatory if you want Win11:
 

ubuysa

The BSOD Doctor
I don't know if it all comes down to new defensive hardware strengthening technologies, like Core Isolation, Hypervisor-protected code integrity, Memory Integrity and what not.
I am not prepared to know this, so the question: is 6th gen maybe lacking some of those techs while 7th and 8th gen got them working? They should share almost the same Skylake cores, but some safety strengthening occurred over the years as all that malware was discovered, I guess.

What is your Windows Defender showing about those techs? My bet is that MS want them to become mandatory if you want Win11:
Core Isolation is present and is turned on (as in the image you posted).
 

barlew

Godlike
I read today that a lot of PC's were failing due to the Secure Boot option being disabled. Apparently it has to be enabled to use Windows 11.
 

ubuysa

The BSOD Doctor
I read today that a lot of PC's were failing due to the Secure Boot option being disabled. Apparently it has to be enabled to use Windows 11.
Yes that's true. I do use SecureBoot.

Microsoft are being numberist, 8 and above is good, 7 or below is bad......😤
 

DarTon

Well-known member
Yes that's true. I do use SecureBoot.

Microsoft are being numberist, 8 and above is good, 7 or below is bad......😤

It's not about you and your piddly old Intel CPU.

Win 11 is all about this
It's all about getting Windows onto portable devices. They ain't scared of Macs, they think they've got us PC users sewn up already. They are scared of iOS, Android, M1/ARM etc.

If it feels like you were an afterthought in this Win 11 announcement, it's because you are an afterthought.
 

Macco26

Expert
A very nice video explaining the reasons why MS might have chosen to introduce a list of CPUs able to upgrade to Win11, rather than everything Win10 can handle so far.

(Win11 article starts at 2:58)

tl;dr: the virtualization for memory isolation and other techniques, despite being offered by CPUs older than 7th/8th gen, got increasing speed improvements in the latest CPUs. That's why older CPUs could take a very hard performance hit by using it the way Win11 is supposed to use it. However I think they'll check with the Insider builds whether it's a hit people are willing to accept.
 

ubuysa

The BSOD Doctor
A very nice video explaining the reasons why MS might have chosen to introduce a list of CPUs able to upgrade to Win11, rather than everything Win10 can handle so far.

(Win11 article starts at 2:58)

tl;dr: the virtualization for memory isolation and other techniques, despite being offered by CPUs older than 7th/8th gen, got increasing speed improvements in the latest CPUs. That's why older CPUs could take a very hard performance hit by using it the way Win11 is supposed to use it. However I think they'll check with the Insider builds whether it's a hit people are willing to accept.
Thank you very much for this. That makes a lot of sense. :)
 

ubuysa

The BSOD Doctor
I have substantially edited this post to reflect newer information that I've come across since first posting. It seemed wiser to edit this post than add a new one with additions/corrections.

I've been doing a bit of research around this issue of Virtualisation Based Security (VBS) mentioned in the above video. The Microsoft documentation for VBS is here. It mentions that one of the potential VBS solutions is Hypervisor-Enforced Code Integrity (HVCI) and that's been an option in Windows 10 for some time (though is disabled by default). In Windows 10 HVCI is known as Core Isolation Memory Integrity.

As far as Windows 11 is concerned it seems from the above video and from the above link that HVCI is required by and enabled by default in Windows 11. HVCI virtualisation is implemented in hardware on 8th-gen and later Intel CPUs (by something called Mode Based Execution Control) but has to be emulated on 6th and 7th-gen Intel CPUs (by something called Restricted User Mode). It's the added load of doing the Restricted User Mode emulations in these earlier CPUs that causes the apparent performance hit and which renders these earlier CPUs unfit to run Windows 11.

From a link at the bottom of the VBS page above, Microsoft have provided details on how to enable HVCI in Windows 10. Being an inquisitive and rather adventurous sort I planned to enable HVCI in my Windows 10 Home system running on my ('piddling little') i7-6700 CPU just to see whether a) it would run and b) what sorts of performance hit I'd get.

I soon discovered that I can't turn HVCI on because I don't yet have a TPM, which is a required hardware feature for HVCI. However, since I have a TPM on order I'll try again when it arrives and see what sort of performance hit I get.

If you do turn HVCI on it's important to note that all device drivers must be HVCI compatible so there is a distinct possibility that your system may not even boot afterwards. It's vital therefore that you have a means to get back to your original system - in my case I have images of my system drive that I can restore if needed. There are several ways in which to turn HVCI on, the easiest for most of us running Windows 10 Home will be via the Security app or via a set of registry keys.

The simplest way is via the Security app - where HVCI is called Core Isolation Memory Integrity (Settings > Update & Security > Windows Security (and the Security app opens) > Device Security > Core Isolation Details > Memory Integrity. See also KB4096339.

To turn HVCI on via the registry you have to add five new keys. The details of the keys are here.

The first registry key enables VBS (reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f)

The second enables VBS and requires SecureBoot only (not DMA) (reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f)

The third enables VBS without UEFI lock (reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f)

The fourth enables virtualisation of code integrity policies (reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f)

The fifth enables virtualisation of code integrity policies without UEFI lock (reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f)

Regarding SecureBoot with or without DMA, it seems that DMA should only be enabled on systems that have hardware input/output memory management units (IOMMUs). I don't know for a fact that I don't have IOMMUs but I seriously doubt it.

Regarding the UEFI lock, if you turn the lock on then the only way to turn HVCI off is via the Microsoft Device Guard Readiness Tool running on the specific PC. With the lock off any administrator can turn it off - hence leave the lock OFF!

Clearly it's way easier to use the Security app Memory Integrity slider to turn HVCI on than it is to add these registry keys. I missed the Security app option on my first reading of the Microsoft docs, hence the later edit to this one.

The Microsoft Device Guard Readiness Tool is a handy little PowerShell script because it allows you to see whether your system is Device Guard (and thus HVCI) capable and (and this is the good bit) it shows you whether these features are turned on or not. Here's the output of the tool on my system (after applying the registry updates above). Note that green text is good, yellow text means the feature is off but present, red text means the feature is not present....



You can see that I can turn HVCI on in my i7-6700 system (everything is yellow) but I can't enable it right now because of the missing TPM requirement. I will report back when my TPM 2.0 arrives - which won't be for a while because they don't have any in stock at present. It's good to know that we have a means to test the impact of Windows 11 enforcing HVCI on these pre-8th gen CPUs before going to the hassle of installing it. Possibly.
 
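The checks and registry values ubuysa walks through in the post above, as an added PowerShell example (this is not code from the thread, from the Device Guard Readiness Tool, or from Microsoft). It assumes Windows 10 with the TrustedPlatformModule module present and an elevated PowerShell prompt. By default it only reports: it reads the Win32_DeviceGuard WMI class (whose numeric property codes are taken from Microsoft's documentation, with 7 being Mode Based Execution Control, the hardware feature the post says 6th/7th-gen Intel lacks), Secure Boot state and TPM state. Only with -Apply does it write the same five DeviceGuard values as the reg add commands above, with both Locked values left at 0 so an administrator can still back out; it refuses to write them if Secure Boot is off or no TPM is present, since those were the blockers reported in the post.

```powershell
# Added example: report VBS/HVCI readiness and optionally write the five DeviceGuard values.
# Not part of the original post. Assumes Windows 10 and an elevated prompt; take a system
# image first, as the post advises, because incompatible drivers can stop the machine booting.
[CmdletBinding()]
param([switch]$Apply)

# Win32_DeviceGuard property codes, per Microsoft's DeviceGuard WMI documentation
$propertyNames = @{
    1 = 'Base virtualization support (VT-x/AMD-V with SLAT)'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure Memory Overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations'
    7 = 'Mode Based Execution Control (MBEC) / GMET'
}
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Memory Integrity)' }
$vbsStates    = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Confirm-SecureBootUEFI throws on legacy BIOS or when not elevated; treat both as "off"
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    $tpm = $null
    try { $tpm = Get-Tpm } catch { }

    [pscustomobject]@{
        VbsStatus          = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProps     = @($dg.AvailableSecurityProperties | ForEach-Object { $propertyNames[[int]$_] })
        RequiredProps      = @($dg.RequiredSecurityProperties  | ForEach-Object { $propertyNames[[int]$_] })
        ServicesConfigured = @($dg.SecurityServicesConfigured  | ForEach-Object { $serviceNames[[int]$_] })
        ServicesRunning    = @($dg.SecurityServicesRunning     | ForEach-Object { $serviceNames[[int]$_] })
        MbecInHardware     = [bool]($dg.AvailableSecurityProperties -contains 7)
        SecureBootOn       = [bool]$secureBoot
        TpmPresent         = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady           = [bool]($tpm -and $tpm.TpmReady)
    }
}

function Set-HvciRegistry {
    # Same five values as the reg add commands in the post; Locked = 0 keeps the UEFI lock OFF
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
    foreach ($k in $dgKey, $hvciKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $dgKey   -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # 1 = Secure Boot only; 3 = Secure Boot + DMA protection (only sensible with an IOMMU)
    Set-ItemProperty -Path $dgKey   -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey   -Name Locked                            -Value 0 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name Enabled                           -Value 1 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name Locked                            -Value 0 -Type DWord
}

$report = Get-VbsReport
$report | Format-List

if (-not $report.MbecInHardware) {
    Write-Warning 'MBEC not reported by the platform: HVCI will run in Restricted User Mode (the slower path).'
}

$blockers = @()
if (-not $report.SecureBootOn) { $blockers += 'Secure Boot is off (RequirePlatformSecurityFeatures=1 needs it)' }
if (-not $report.TpmPresent)   { $blockers += 'no TPM present' }

if ($Apply) {
    if ($blockers) {
        Write-Warning ('Not writing DeviceGuard values: ' + ($blockers -join '; '))
    } else {
        Set-HvciRegistry
        Write-Host 'DeviceGuard values written. Reboot, then re-run this script and check that ServicesRunning lists HVCI.'
    }
} elseif ($blockers) {
    Write-Host ('Would not apply: ' + ($blockers -join '; '))
}
```

Run it once without -Apply to see the same picture the Readiness Tool paints (ServicesConfigured tells you what the registry asks for, ServicesRunning what the hypervisor actually brought up after the last boot). After a reboot with HVCI running, the Memory Integrity slider in the Security app will show it on, and the Locked values at 0 mean the slider, or deleting the values, still turns it back off.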

Andy92

New member
@ubuysa Do you not see an option to switch on Intel PTT in the BIOS? My 6600K had that option, so now I technically have TPM 2.0 without needing to order that separate module.
 

Macco26

Expert
Regarding this:
"If you do turn HVCI on it's important to note that all device drivers must be HVCI compatible so there is a distinct possibility that your system may not even boot afterwards"

I can say that once you try to enable it on a PC without proper drivers, Windows notifies you right from the Windows Defender panel that it can't enable it, and then provides the names of all the offending drivers.
In my other All In One Dell (Zen 1700, thus theoretically not compatible with Win11), I tried to enable it and got a bunch of Logitech drivers (whether for the G430 headset I already replaced or the mouse drivers, I don't know) which aren't ready for Core Isolation.
Since I don't have those attached atm, I simply moved away those drivers from the windows drivers folder and was able to enable it.

So, at least, be sure that Windows won't enable that feature if it feels something might be wrong.

PS: on the other hand, half an hour later, I got a BSOD while doing nothing on that PC, whose culprit seems to be the Radeon Graphics driver. I feel that even the officially HVCI-compliant drivers aren't fully ready for prime time. They still have some months to be fully ready (read: WDDM 3.0 I guess). So I switched Core Isolation back OFF on that machine (also because I think it'd get a performance hit as well, didn't test) and no BSOD ever happened again.
 