Windows 11 promises to refine window management, run Android apps, and unify the look and feel of the operating system’s built-in apps after years of frustrating hodgepodge. But none of that matters if your computer can’t run the software, and Microsoft has only promised official Windows 11 support for computers that have been released in the last three or four years. Anyone else can run the operating system if they meet the performance requirements, but they will have to download an ISO file and install the operating system manually instead of getting it through Windows Update.
This is a break with previous versions of Windows, which have had more or less the same system requirements for a decade now. Microsoft actually treated the ability to run on older hardware as a selling point for Windows 10 and made it available as a free upgrade for all Windows 7 and Windows 8 computers. The argument was that if you can get as many users as possible onto the latest version of Windows, it would be easier to get developers to take advantage of the latest features.
Microsoft’s rationale for Windows 11’s strict official support requirements – including Secure Boot, a TPM 2.0 module, and virtualization support – has always been about security, not just performance. A new post from Microsoft today goes into more detail on these requirements and also makes an argument about system stability, using crash data from older PCs in the Windows Insider Program.
Drivers and stability
Microsoft says that Insider Program PCs that did not meet the Windows 11 minimum requirements had “52% more kernel mode crashes” than PCs that did, and that “devices that did meet the system requirements were 99.8% crash-free”. According to Microsoft, this is mainly due to active driver support. Newer computers mostly use newer DCH drivers, a way of packaging drivers that Microsoft has supported since Windows 10. To be DCH-compatible, a driver must be installable using only a typical .INF file, OEM-specific driver adjustments must be separated from the driver itself, and any apps that come with the driver (e.g. a control panel for an audio driver or a GPU) must be distributed via the Microsoft Store. DCH drivers are common for hardware manufactured in the last four or five years, but are rare to nonexistent for hardware that shipped in the Windows 8 or Windows 7 era.
Certainly, computers built in 2012 or 2014 are running out-of-date drivers that lead to crashes – using drivers from the Windows 7 era on older computers running Windows 10 can cause instability or general weirdness. But Microsoft’s numbers make no distinction between those older systems and newer computers that only narrowly miss the system requirements, such as 6th and 7th generation Intel Core systems and first generation Ryzen systems that include TPM 2.0 modules and still enjoy active DCH driver support from Intel, AMD, and (in many cases) the computer manufacturers. Chances are, running a manually installed copy of Windows 11 on these PCs will feel more or less as stable as running it on an officially supported device, but we’ll have to test that for ourselves.
A huge pile of security acronyms
This is where the security requirements come into play again. Microsoft is going to greater lengths to explain the benefits of using Secure Boot and TPM 2.0 modules, but the key might actually be the less-discussed virtualization requirement and an alphabet soup of acronyms. Windows 11 (and Windows 10 too!) uses virtualization-based security, or VBS, to isolate parts of system memory from the rest of the system. VBS includes an optional feature called “Memory Integrity”. This is the more user-friendly name for something called hypervisor-protected code integrity, or HVCI. HVCI can be enabled on any Windows 10 PC that does not have driver incompatibility issues, but older computers take a significant performance hit because their processors do not support mode-based execution control, or MBEC.
And that acronym seems to be at the root of Windows 11’s CPU support list. Generally, if a processor supports MBEC, it’s in. If not, it’s out. MBEC support is only included in relatively new processors, starting with the Kaby Lake and Skylake X architectures on the Intel side and the Zen 2 architecture on the AMD side – these pretty closely, if not exactly, match the Windows 11 processor support lists.
MBEC is most easily thought of as hardware acceleration for the memory integrity function, much like AES-NI instructions accelerated encryption operations about a decade ago. For example, computers without AES-NI can still use BitLocker Drive Encryption, but there is a noticeable decrease in performance. The same is true for the memory integrity function and MBEC – PCs without processors that support MBEC rely on a software emulation called “Restricted User Mode”, which offers the security benefits but has a greater negative impact on performance. Some users who have tested the HVCI feature in Windows 10 on processors without MBEC support have seen performance degradation of up to 40 percent, although it depends on the tasks you are performing and the computer you are using.
Memory Integrity, also known as HVCI, is included in Windows 10 but is disabled by default on most systems. This is an important security requirement for Windows 11.
The memory integrity function is fully available in Windows 10 – the “Secured-Core-PC” initiative launched at the end of 2019 prescribes support for all security requirements of Windows 11 and a few others. However, HVCI is usually disabled by default on all but the most recent systems. Microsoft instructs OEMs to enable HVCI by default on all 11th-generation or newer Intel Core PCs; you also need at least 8 GB of RAM and a 64 GB or larger SSD. If you build a PC and do a clean install of Windows 10 yourself, HVCI will not be enabled by default, even if you meet these requirements.
So if Microsoft mandates MBEC-accelerated HVCI support (what a phrase) on all Windows 11 PCs, surely it will change the default security settings to take advantage of these features? According to the company’s blog post, the answer is currently no, at least not on existing PCs (emphasis added):
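Because HVCI is so often off by default, it is worth checking what a given machine actually reports. The PowerShell below is an added example, not code from the article or from Microsoft's post: it reads the documented Win32_DeviceGuard WMI class and summarizes VBS, HVCI and MBEC state. The helper name Get-MemoryIntegrityStatus is hypothetical.

```powershell
# Added example, not from the article. Run on Windows 10 or 11.
# Get-MemoryIntegrityStatus is a hypothetical helper name.
function Get-MemoryIntegrityStatus {
    # Win32_DeviceGuard is the documented WMI class that reports VBS state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' }
        1 { 'Enabled, not running' }
        2 { 'Running' }
        default { "Unknown ($_)" }
    }

    # Service ID 2 = memory integrity (HVCI); property ID 7 = MBEC/GMET available
    $hvciConfigured = $dg.SecurityServicesConfigured  -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning     -contains 2
    $mbec           = $dg.AvailableSecurityProperties -contains 7

    # Combine the three facts into the cases the article distinguishes.
    $assessment = if ($hvciRunning -and $mbec) {
        'HVCI running with hardware MBEC/GMET support'
    } elseif ($hvciRunning) {
        'HVCI running without MBEC: expect the slower emulated path'
    } elseif ($hvciConfigured) {
        'HVCI configured but not running: check for incompatible drivers'
    } elseif ($mbec) {
        'HVCI off, but the CPU reports MBEC/GMET'
    } else {
        'HVCI off and no MBEC/GMET reported'
    }

    [pscustomobject]@{
        VbsStatus      = $vbs
        HvciConfigured = $hvciConfigured
        HvciRunning    = $hvciRunning
        MbecAvailable  = $mbec
        Assessment     = $assessment
    }
}

Get-MemoryIntegrityStatus | Format-List
```

A machine that reports HvciRunning as False with MbecAvailable as True is the case described above: hardware that meets the requirement but ships with the protection switched off.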
“While we don’t need VBS when upgrading to Windows 11, we believe the safety benefits it offers are so important that we wanted the minimum system requirements to ensure that any PC running Windows 11 would have the same level of security that the [US Department of Defense] relies on. In cooperation with our OEM and silicon partners, we will activate VBS and HVCI on most new PCs over the next year. And we will continue to look for ways to expand VBS to other systems over time.”
Assuming the new Windows 11 requirements amount to full HVCI and MBEC hardware support, there are still weird inclusions and exclusions in the supported processor lists. Why are only a handful of high-end 7th generation Intel Core chips officially supported even though Microsoft’s own Windows 10 documentation says HVCI will work on all Kaby Lake processors? And why are AMD Zen+ processors like the Ryzen 2000 CPUs and 3000 APUs on the support list, even though AMD apparently only added MBEC support starting with the Zen 2 architecture? These are questions we hope to have answers to by the time Windows 11 releases to the public this fall.