Windows 11

Windows 11 new hardware requirements: Justified or not?

With the announcements of Windows 11, Microsoft disclosed new hardware requirements for Windows 11, which has easily become the most controversial and confusing part of the announcement. Even with subsequent clarifications, the controversy (and still some confusion) remains. As noted in those clarifications, these requirements are designed to align with three principles:

  • Security. The hardware features are needed to ensure the OS is secure as possible.
  • Reliability. The hardware requirements will ensure the OS crashes less.
  • Compatibility. The OS shouldn’t have requirements lower than those of Microsoft’s key apps, Office and Teams.

I would add one principle to this list, which is implicit in those clarifications:

  • Rationality. Admit it, you could buy Windows 10 devices that did a shameful job of running Windows 10, so some new requirements could fix that.

So let’s go through the requirements one by one and discuss the justifications for each.

Can you even buy a CPU today that is slower than 1GHz? (If you can, please don’t.). Even the $35 Raspberry Pi 4 Model B would meet these requirements. So the speed is basically a “non-requirement” requirement.

The same would be true for processors with two or more cores. While you might still be able to find one on Intel’s price list, there’s no reason such a processor should ever be shipped in a new PC. If you’ve ever used Windows 10 in a VM with a single virtual CPU, you’ll understand why: At various points in time, the machine will become unresponsive because it’s “doing something” in the background. That could be a check for new Windows Updates, an MDM sync session (repeatedly inventorying all the UWP apps on your device, ugh), or any other random background task.

Strangely, Microsoft will let you create a Windows 365 cloud PC that doesn’t have two virtual CPU cores, as does Amazon and others too. I pity the person who has to use one of those. And since virtual machines are excluded from pretty much all of these requirements (by a general statement at the top of the requirements that says “Windows 11 is supported on virtual machines”), they can get away with this.

So overall, I would say this fits into the “Rationality” principle, as well as Microsoft’s “compatibility” one — easily justified.

Then we’ve got the “compatible 64-bit processor” piece, which it worthy of a section all by itself.

Effectively, this requirement means “all 8th generation and above processors, along with a very small list of 7th generation processors.” I did a quick check of all the laptops and desktops I use for testing Microsoft software (e.g. OS deployment of Windows) and all those presently used by all of my family members, and I found two of 10 met this requirement. Yet all of those devices are being used with Windows 10 without issue (and without complaint). So obviously Windows 11 would be capable of running on these, at least from a performance perspective. So this goes beyond “rationality” and even “compatibility” since Office and Teams run fine on older machines. So this has to be justified by “security” and “reliability.”

How does a CPU help with security, especially since we know later CPUs still have security issues (remember Spectre?)? It’s really not about the CPUs, it’s about the drivers. More specifically, it’s about the requirements for security features based on virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). Beyond the mentioned DCH requirement, which can certainly help with making drivers more reliable, these VBS and HVCI requirements involve more strenuous driver certification processes. So which CPUs are going to be supported? Those that already have supported drivers, typically created by the OEM, supporting VBS and HVCI.

So what exactly happened when Microsoft “reconsidered” the CPU requirements and added some 7th generation CPUs that wouldn’t have otherwise met the bar? My theory is that those CPUs already had drivers that supported VBS and HVCI, so it was a case of continuing to support those existing drivers. (OEMs often stop supporting drivers for CPUs pretty quickly after they no longer sell those CPUs, so it could be Microsoft themselves supporting those drivers, to ensure ongoing compatibility.) And Microsoft did likely ask the OEMs if they were willing to go back to these older CPUs to make them compatible with VBS and HVCI. And you can probably guess what their response was — something pretty close to “no fricken way.”

So this is very clearly aligned with the “security” principle (even if Microsoft didn’t spell it out), and indirectly with “reliability” (better drivers because of a more stringent certification process to support the security features).

The “64-bit” piece is also worth looking at. This means that the 32-bit version of Windows will end with Windows 10; no Windows 11 x86 version will be released. Given that I’ve been pushing for 64-bit OSes since 2005, and that all PCs sold since the “great small Windows 8 tablet” fad (remember the Dell Venue 8 Pro and similar devices with Intel Atom processors?) have been 64-bit, I won’t mourn this development at all. The only people still running Windows 10 x86 are businesses that keep putting off the migration to a modern 64-bit OS that can actually support more than 2GB of RAM. (Want to waste money? Run Windows 10 x86 on a device that has 4GB of RAM. Best case, it uses 3GB of it, but only with a limited number of apps that support PAE.). This is one of those cases where having a completely “new” Windows 11 release provides a good opportunity to draw a line in the sand here, one that probably should have been drawn years ago (complicated by the Windows 10 lifecycle).

  • RAM: 4 gigabytes (GB) or greater.

Given the price for RAM, buying a PC with less than 4GB of RAM is a shame. Not only does it not meet the realities of today’s apps (even if you only use a web browser), it does nothing to ensure a reasonable lifetime for the device. Add in the memory requirements for Teams and the rest of the Office 365 suite (or if you must, “Microsoft 365 Apps”) and there’s no doubt that 4GB is a reasonable “compatibility” requirement. If anything, you might want to consider even more.

  • Storage: 64 GB* or greater available storage is required to install Windows 11.

While you can install Windows 11 on a device with 64GB of storage, that doesn’t mean you can actually use that device through a series of Windows feature updates, quality updates, and just general day-to-day usage. So if anything this requirement doesn’t go far enough, and it’s weirdly written — it might as well say “you can install with 64GB but that doesn’t mean you will be happy with that in the long term.” I would never want to support Windows devices with less than 128GB of storage. (My phone even has more storage than that, and significantly less of that storage is used by the OS.)

But the requirement (and the previous RAM requirement) is designed to try to keep the price down for an entry-level device (which might only be practical in certain education and front-line scenarios).

  • Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.

DirectX 12 has been around since 2015 and is supported by every modern chipset and driver. This might have been a bigger deal if Microsoft would have supported older CPU generations, but with the 8th generation requirement (with minimal exceptions), this is an insignificant requirement,

  • System firmware: UEFI, Secure Boot capable.

This is another one of those “duh” requirements, clearly in the “security” space: The legacy BIOS used on PCs prior to UEFI was not secure; UEFI addressed many of those issues and more importantly created a codebase that could be carried forward so that it could continue to stay ahead of the bad guys.

You might not be a fan of the Secure Boot feature, but it also provides a key security function: Making sure the device is protected from the moment the hardware is turned on until the OS can defend itself. (You can read more about Secure Boot in previous blogs I’ve posted, such as this one.) Some open source fans may see Secure Boot as a conspiracy theory, but it’s not (at least not on PCs — phones already do the same “locked down” setup that is implemented by Secure Boot).

This one seems to have generated the most controversy. But I do think it’s a reasonable “security” feature. What does it do? Well, you can read the list in the Microsoft docs to get a good overview. Quick summary: It provides a place to securely store secrets and measurements, as well as capabilities to attest to the health and identity of the device. So I do believe this is a good “security” requirement.

The only problem I have with this requirement: For the TPM to be used, it needs to be properly initialized and “bound” to the underlying operating system (in additional to being enabled in the hardware, but that’s easy enough to do). On some percentages of devices, especially those that have been re-imaged without ensuring the TPM is left in a good state (not in a reduced functionality mode), the TPM is not actually functional. Yet the device will still run Windows 11 just fine.

Why is that so? It’s because some of the TPM use cases have “software” fallback mechanisms. “TPM failed, so I’m just going to stash this in the registry instead.” Case in point: Windows Hello for Business. The default configuration for Windows Hello for Business does not require the use of the TPM. From this page:

PolicyScopeOptions
Use a hardware security deviceComputerNot configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.
Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.

What percentage of devices fall into this “TPM isn’t working” category? A non-trivial percentage. And you’d never notice unless you changed the policy defaults to require using the TPM without any fallback. If Microsoft truly wanted this for security reasons, they should also change the operating system defaults to ensure that the TPM is always used, and take any necessary steps (e.g. notifying the user or IT) in cases where that fails.

So I’m on board for the requirement overall, but skeptical if it will truly be used consistently.

  • Display: High definition (720p) display, 9″ or greater monitor, 8 bits per color channel.

Again, not terribly controversial. It’s difficult to buy a display that doesn’t meet this requirement. (Maybe you would care if you’re doing some IoT work and wanted a smaller display for that, but not for a typical Windows productivity use case.) Maybe you could make the case for even higher resolution, e.g. 1080p, but Windows does work fine with 720p so that’s probably sufficient.

  • Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features.
    • Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use.

The first part isn’t really true, since you can still use WSUS or manual “air-gapped” installs (download the files, transfer them onto a private network, install them on the device). The second part is true through the built-in Settings app, but generally there are workarounds to install most features offline. So the only real change I see is the second bullet about Windows 11 Home. This doesn’t really fit into any of Microsoft’s principles described above. This is primarily a move to increase the usage of Windows Live IDs for home users (which obviously requires internet access). So this is one I would argue against — but since it’s only for the Home SKU, it does not really matter to commercial customers.

It’s interesting that this wasn’t extended to the Pro SKU, where having a “required” internet connection would help out Windows Autopilot scenarios (keeping users from bypassing the Autopilot process). I see this as an opportunity lost.

So that’s the full list of requirements. Generally, they are reasonable and justified, with a few small(-ish) exceptions that I called out above.

I do think there is one other requirement that should have been included:

  • A high-speed flash-based drive.

There are still too many PCs sold with spinning disk drives. If you really want to have a device that works well with Windows, Office, and Teams, you want a device with at least a SATA-based SSD drive. The exact phrasing of that requirement is probably a little challenging, but I would suggest something like this:

Windows should be installed on a solid state disk (SSD) using SATA, NVMe, or faster interfaces. eMMC and spinning disks are not allowed.

See this post for more details around that. Overall, PCs that have drives that are slower than even what you would find on a smartphone do nothing to improve the perception of PCs as antiquated. Another opportunity lost, in order to shave a few dollars from the cost of the device.

Categories: Windows 11

Tagged as:

3 replies »

  1. I’m using Intune Ring of Deployment to patch the quality and the feature Deferral. Do we know if W11 will be push through Intune in the Feature Deferral?

    Thank you

    Like

      • I would expect yes, you can configure this via Intune to push Windows 11 when you’re ready to do so.

        Thank you for the information, still in the dark for that. Will Microsoft can guide me to make this happen?

        Like

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s