Windows 11: The Ars Technica review | Ars Technica

Eleven! This is something new.

Windows 11: The Ars Technica review

Attractive new design overshadowed by regressions and high system requirements.

New system requirements

Windows' system requirements have almost always been about performance—the minimum processor speed, disk space, and amount of memory Microsoft thinks your computer will need to run Windows acceptably. Windows 11 still has performance-based system requirements, but they take a back seat to the new security requirements. There's also a long list of additional feature-specific hardware requirements, which we won't cover here.

Here's the bare minimum:

  • A "compatible" 1 GHz or faster dual-core 64-bit processor from Intel, AMD, or Qualcomm.
  • 4GB of RAM.
  • 64GB of storage.
  • UEFI Secure Boot supported and enabled.
  • A Trusted Platform Module (TPM), version 2.0.
  • A DirectX 12-compatible GPU with a WDDM 2.0 driver.
  • A 720p display larger than 9 inches in size.
  • Windows 11 Home requires a Microsoft account and Internet connectivity; Windows 11 Pro can still be used with a local account. Windows 10 Home used to let you create a local account as long as you didn't connect to the Internet during setup, but that trick no longer works.

The processor compatibility requirement is by far the most restrictive, limiting Windows 11's official support list to computers built no more than 3 or 4 years ago. With just a handful of exceptions, you'll need an 8th-generation or newer Intel Core processor (or a Pentium or Celeron CPU based on the same Kaby Lake-R or Coffee Lake architectures) or a 2nd-generation AMD Ryzen CPU or newer (not counting the Ryzen 2200G and 2400G APUs, which are technically based on the first AMD Zen architecture and not the required Zen+). Newer Qualcomm chips in Windows 10-era ARM tablets, like those in the Surface Pro X or HP's Elite Folio, are supported, too.

If your computer meets the "compatible processor" requirements, it is practically guaranteed to meet the others, since all recent PCs will support Secure Boot and include built-in TPM 2.0 functionality. Microsoft's PC Health Check app can confirm whether your PC is officially supported, and if your PC fails the check, it will tell you what (if anything) you can do about it.

It's possible (with varying degrees of difficulty, depending on your computer's hardware) to install Windows 11 on unsupported hardware. We'll dive deeper into the specifics of this in a separate piece. The short version is that it's possible to install Windows 11 on pretty much any 64-bit PC that runs Windows 10 if you use some registry hacks, and it's possible to do a clean install from a USB drive on any computer that supports Secure Boot and any kind of TPM (even older TPM 1.2 modules).

Microsoft has reserved the right to withhold even routine security updates from unsupported machines; in practice, I suspect routine security patches will download and install without incident but that you'll need to jump through more hoops to install Windows 11's yearly servicing updates. Regardless, you can expect installing, running, and maintaining Windows 11 on unsupported hardware to be more difficult than just continuing to run Windows 10 on the same hardware.

Microsoft has long mandated different requirements for Windows based on who's buying it. A PC-maker who wants to sell a PC with an official Windows sticker on it needs to meet requirements that regular end users don't need to meet to install Windows on an older or custom-built PC, including Secure Boot and TPM support. This is just the first time that those kinds of features are being required across the board to run the operating system at all, which is why breaking them down in more detail is worth our time.

UEFI Secure Boot

All OEM Windows PCs since Windows 8 have shipped with Secure Boot, a UEFI feature intended to keep malware out of the boot process: the firmware will only execute bootloaders (and the option ROMs and drivers it loads before the OS) whose signature chains to a certificate in the firmware's signature database, which on a Windows PC means Microsoft's keys. The Windows installer seems to treat all Secure Boot implementations the same, whether you're trying to install Windows 11 on a computer that shipped with Windows 8, 8.1, or 10—Secure Boot support is Secure Boot support.

Back when it was originally announced, there was hand-wringing among Linux users in particular who worried that Secure Boot support would make it more difficult or impossible to run Linux or other operating systems on PCs designed for Windows. That fear has since proved unfounded: nearly all PCs allow you to turn Secure Boot off, and most still offer a legacy BIOS compatibility mode (the "CSM") for operating systems that don't boot via UEFI at all. Major Linux distributions circumvent the issue entirely with a "shim" bootloader signed by Microsoft's third-party UEFI CA, so installing Linux on a Secure Boot PC is indistinguishable from installing it on anything else. Even the Debian wiki acknowledges that "UEFI Secure Boot is not an attempt by Microsoft to lock Linux out of the PC market" or "to lock users out of controlling their own systems." So we are a far cry from where the rhetoric was a decade ago.

Of all Windows 11's requirements, Secure Boot should be the least controversial.

TPM 2.0

TPMs have been included in most business-class PCs for something like 15 years. Microsoft began requiring TPM 2.0 in all new OEM PCs in January 2015 or July 2016 (depending on who you ask). TPMs used to be discrete chips on the motherboard, but the TPMs in most PCs now are "firmware TPMs": the TPM 2.0 command set is implemented in firmware running on an isolated security coprocessor inside the CPU package (Intel's Management Engine in the case of PTT, AMD's Platform Security Processor in the case of fTPM), which keeps the TPM's keys and state separated from the operating system and any other software you're running. All Intel and AMD processors made within the last five or six years include firmware TPM support, though you'll sometimes need to enable it in your BIOS, especially if you have a custom-built desktop.

TPMs handle quiet in-the-background features, primarily related to disk encryption and Windows Hello authentication. If your TPM is working properly, you'll never notice it at all. For example, if you use BitLocker to encrypt your hard drive in a PC, you will need to provide a key to "unlock" your disk every time you boot your PC. You can type this key in manually every time, or you can store the key on a USB stick that you insert every time you boot, but neither option is convenient. A TPM is an internal component that can provide that key automatically without exposing it to theft: BitLocker seals the volume key to the TPM together with measurements of the boot chain (firmware, Secure Boot policy, and bootloader, recorded in the TPM's platform configuration registers), and the TPM only releases the key when the same measurements are present at boot. Move the drive to another PC, or tamper with the bootloader, and the key stays sealed and Windows asks for the recovery key instead.
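To see that arrangement on a real machine rather than take it on faith, here is an added example (not code from the Ars Technica article) that lists the key protectors on the OS volume and which PCRs the TPM protector is sealed to. It is meant to be run from an elevated PowerShell prompt on a Windows 10 or 11 PC; it assumes the BitLocker module is available (Pro, Enterprise, or Education editions) and that C: is the encrypted OS volume, both of which are assumptions for this example.

```powershell
# Added example, not from the original article. Run as Administrator.
# Assumptions: BitLocker PowerShell module present (Pro/Enterprise/Education) and C: is the OS volume.

$vol = Get-BitLockerVolume -MountPoint 'C:'

"Volume {0}: protection {1}, {2}% encrypted" -f $vol.MountPoint, $vol.ProtectionStatus, $vol.EncryptionPercentage

# Every key protector is one way the volume master key can be unsealed.
# A healthy laptop normally shows one Tpm* protector plus a RecoveryPassword.
$vol.KeyProtector | ForEach-Object {
    "  {0,-22} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId
}

$tpmBound = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
if (-not $tpmBound) {
    Write-Warning 'No TPM-based protector: the key is supplied by a password or USB key, not sealed to the TPM.'
}

# manage-bde reports which PCRs the TPM protector is bound to. With Secure Boot on,
# Windows seals to PCR 7 (Secure Boot policy) and 11 (BitLocker access control);
# with Secure Boot off it falls back to PCRs 0, 2, 4 and 11 (firmware and bootloader hashes).
manage-bde -protectors -get C: | Select-String -Pattern 'PCR Validation Profile' -Context 0, 3
```

If the PCR profile shows 0, 2, 4, 11 on a machine that is supposed to have Secure Boot enabled, that is worth investigating: BitLocker was set up while Secure Boot was off, and any firmware update will trigger a recovery-key prompt.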

If you're worried that TPMs are in some way nefarious and are going to be used to lock down your computer, the bad news for you is that just about any modern PC, phone, or tablet is relying on some kind of TPM or TPM-like device to provide disk encryption and other security protections. ChromeOS uses TPMs, Android phones use TPMs or equivalent features, and Apple's devices all use the "Secure Enclave" to handle many TPM-ish functions. At least most Windows PCs give you the option to disable the TPM if you really want to. But as with Secure Boot, the most dire predictions about TPM's threat to standardized PC hardware never came to pass, and you're better off just leaving it enabled.

The biggest problem with the TPM requirement was the way Microsoft communicated it: a TPM went from "important but mostly invisible" to "new top-line requirement to run Windows on your computer at all" in the space of one afternoon without adequate explanation. This caused a brief panic and a run on (totally unnecessary) standalone TPMs by the same scalpers who have been making PC builders' lives miserable all year.

If you're using a processor on Windows 11's support list, your computer includes a firmware TPM. But if you built it yourself, the TPM might not be enabled. Many motherboard vendors have released BIOS updates that enable the TPM by default to get computers ready for Windows 11. For others, it's usually as simple as toggling a setting. Many Intel boards refer to the TPM as "Platform Trust Technology," or PTT; on the AMD boards I've used, it's generally just called an "fTPM."

A “compatible” processor

Windows 11's processor compatibility list isn't about raw performance—some processors left off the lists are definitely faster than some of the listed processors. In theory, Windows 11 needs some under-the-hood security features that are only included in very recent processors. But in practice, this is the hand-waviest of the new security requirements (which is too bad, because it's the most restrictive).

Microsoft hasn't spelled this out as clearly as it could, but the best rationale for the processor requirement is that these chips (mostly) support something called "mode-based execution control," or MBEC. MBEC provides hardware acceleration for an optional memory integrity feature in Windows (also known as hypervisor-protected code integrity, or HVCI) that can be enabled on any Windows 10 or Windows 11 PC but can come with hefty performance penalties for older processors without MBEC support. We've covered HVCI and MBEC in more detail here.

Assuming MBEC support was Microsoft's goal here, there are two big problems. The first is that not all processors that support it are on the Windows 11 support list (most notably 7th-generation Intel Core CPUs). Some processors that are on the list don't appear to support MBEC (namely AMD's Ryzen 2000-series CPUs and their Zen+ architecture; AMD's equivalent feature, Guest Mode Execute Trap or GMET, arrived with Zen 2). This may be why Microsoft doesn't explicitly call out MBEC support in any of its posts on the Windows 11 requirements; you have to dig further into the company's documentation to have it spelled out that HVCI works best with MBEC and that MBEC is only available in Intel Kaby Lake or AMD Zen 2 processors and newer.

The other problem is that HVCI isn't even enabled by default in Windows 11. To enable it, open the Windows Security app, navigate to Device security, click Core isolation details, and turn on Memory integrity. This is the exact same way the feature already works in Windows 10. Microsoft does advise OEMs to enable it by default on new systems with 11th-generation Intel Core or AMD Zen 2 processors and newer, though, even then, it's not a strict requirement. This is, again, the state of the feature as it currently exists in Windows 10.
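Rather than clicking through the Windows Security app to find out where a given PC stands, the three security requirements discussed above (Secure Boot, TPM 2.0, and HVCI with or without MBEC) can be read out in one go. The script below is an added example, not code from the article or from Microsoft; it uses only built-in cmdlets and the documented Win32_Tpm and Win32_DeviceGuard CIM classes, and it needs an elevated prompt on Windows 10 or 11. The function name and the names of its output fields are this example's own.

```powershell
# Added example, not from the original article. Run as Administrator on Windows 10/11.

function Get-Win11SecurityState {
    # Secure Boot: Confirm-SecureBootUEFI throws on a legacy BIOS/CSM boot, so treat that as off.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # TPM: the Win32_Tpm class reports the spec version as a string like "2.0, 0, 1.59";
    # the first token is the one the Windows 11 requirement cares about.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Virtualization-based security, HVCI, and the hardware properties the hypervisor can use.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # AvailableSecurityProperties (documented codes): 1 hypervisor, 2 Secure Boot, 3 DMA protection,
    # 4 secure memory overwrite, 5 UEFI code read-only, 6 SMM mitigations,
    # 7 mode-based execution control (MBEC), 8 APIC virtualization.
    $mbec = $dg.AvailableSecurityProperties -contains 7
    # SecurityServicesConfigured/Running: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning -contains 2

    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        TpmPresent        = [bool]$tpm
        TpmSpecVersion    = $tpmVersion
        VbsStatus         = @('Not enabled', 'Enabled, not running', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        HvciConfigured    = $hvciConfigured
        HvciRunning       = $hvciRunning
        MbecAvailable     = $mbec
    }
}

$state = Get-Win11SecurityState
$state | Format-List

# Interpret the result the way the Windows 11 requirements do.
if (-not $state.SecureBootEnabled) {
    Write-Warning 'Secure Boot is off, or the system booted through the CSM.'
}
if ($state.TpmSpecVersion -ne '2.0') {
    Write-Warning "TPM 2.0 not found (got: $($state.TpmSpecVersion)); look for PTT or fTPM in firmware setup."
}
if ($state.HvciRunning -and -not $state.MbecAvailable) {
    Write-Warning 'Memory integrity is running without MBEC: expect the performance penalty described above.'
}

# Memory integrity can also be switched on without the Windows Security app through the
# documented registry value below. It takes effect after a reboot and will refuse to load
# drivers that are not HVCI-compatible, so check Device Manager afterwards.
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 1 /f
```

On a self-built desktop this is the quickest way to tell whether the missing piece is a firmware toggle (Secure Boot or fTPM/PTT disabled) or a genuine hardware gap (no MBEC), which is the distinction the PC Health Check app tends to blur.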

It may be that enabling HVCI by default for all Windows 11 installs and upgrades on all supported PCs could cause compatibility problems or slowdowns in some cases (it does, for example, interfere with some virtualization software, as I encountered when writing this review). And maybe Microsoft doesn't want Windows 11 to be associated with those kinds of problems. Equally likely is that cutting the 2- to 3-year-old Ryzen 2000 lineup from the compatibility list would have caused even more of a backlash (and accusations of Intel favoritism) than Microsoft was prepared to deal with.

Another theory: older processors are more likely to be running in old systems that haven't had their firmware updated to mitigate major hardware-level vulnerabilities that have been discovered in the last few years, like Spectre and Meltdown and their progeny. Intel and AMD have continually released microcode updates to mitigate these flaws in older processors. To benefit from those fixes, however, your laptop- or motherboard-maker needs to release new BIOS versions that integrate the fixes (unlikely if you're not using a business-class desktop or laptop from a major PC company). After that, you need to take it upon yourself to install those updates, which is even less likely for most people. But if this is part of the rationale, Microsoft hasn't advertised it.

The point is that there's no one easy explanation for why the CPU support list is the way it is, and we're left guessing about the rationale. And this is why that cynical argument about Windows 11—that it's a ploy to sell new PCs to people who don't need them yet—resonates. Never mind that Windows 10 will continue to receive security updates through at least 2025 and that its ubiquity (and underlying similarity to Windows 11) means that most major apps will continue to support it for years.

Microsoft's communication on this subject raises too many questions and provides too few satisfactory answers. And for computers that are already out there, installing Windows 11 doesn't seem to actually improve security in any way that wasn't already possible with Windows 10—getting more people to enable Secure Boot and TPM 2.0 on their self-built systems is good for the platform's security as a whole, but these features are already enabled on Windows 10 PCs made and sold by major OEMs. And that accounts for the vast majority of PCs out there, particularly in businesses and governments that stand to gain the most from improved security.
