I have a Ryzen 5000-series PC that I built about 6 months ago using mostly new parts. Yesterday I was curious whether my PC was compatible out of the box, so I downloaded Microsoft's compatibility checker. It told me that my PC didn't have Secure Boot enabled. I figured that I would just enable that in my BIOS (haha).
I went into the BIOS (sorry, UEFI setup) and enabled TPM, which I had read about as being one of the major issues. That wasn't enough, and I was informed that my PC still isn't compatible. I tried enabling Secure Boot, and got an error message that there was something else I had to do first (generate a security key). I figured out how to do that, and I still couldn't enable Secure Boot because my PC was in CSM mode. CSM mode is my B450 motherboard's default mode.
I tried disabling CSM mode, and then I was able to turn on Secure Boot. However, when I rebooted, my computer couldn't find my SSD, and kicked me back to the BIOS, with no message other than a beep. I turned everything off and gave up for the evening.
Then this morning I Googled some of the messages I got and realized that the problem might be that my SSD doesn't use GPT but MBR for the partition table (it was pulled from my previous PC). After thinking I was going to have to back up and recreate my hard drive, I realized that there is a command-line tool I could use, helpfully named mbr2gpt. I ran that with the appropriate options, ignoring some warnings. It ran successfully, although I got an error about my recovery image, which was spurious so far as I can tell.
Once I did all of this, I was able to switch on Secure Boot, and the compatibility checker informed me that my computer is compatible.
The point is that I'm pretty computer-savvy and have a pretty new PC. It still took me quite a while to figure this out, and a lot of people would have given up around the time they had to go mucking around in the BIOS. Unless you have a recent store-bought PC that has Secure Boot and TPM enabled out of the box, you probably aren't going to be able to upgrade, even if your hardware is compatible.
I'm guessing that Microsoft walks back on this decision.
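The post above runs through four settings one at a time (boot mode, Secure Boot, TPM, partition style). The script below is an added example, not the poster's or Microsoft's code: a read-only PowerShell check that reports all four at once and, if the system disk is still MBR, runs mbr2gpt in its /validate mode only, which makes no changes. It relies on the stock `Confirm-SecureBootUEFI`, `Get-Tpm`, `Get-Disk`/`Get-Partition` cmdlets and the `Win32_Tpm` CIM class; the helper name `Get-BootReadiness` is my own.

```powershell
# Added example (not from the original post): read-only check of the four
# settings the thread turns on. Run from an elevated PowerShell prompt on
# Windows 10. Nothing here changes firmware or disk state; mbr2gpt is only
# invoked with /validate.

function Get-BootReadiness {
    $report = [ordered]@{}

    # 1. Firmware mode: "UEFI" or "Legacy". Legacy means the board booted via
    #    CSM, which is why Secure Boot could not be enabled in the post above.
    $report.FirmwareMode = $env:firmware_type

    # 2. Secure Boot state. Confirm-SecureBootUEFI throws on a CSM/BIOS boot,
    #    so the exception is reported as "unavailable" rather than as an error.
    try {
        $report.SecureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $report.SecureBoot = 'Unavailable (legacy boot)'
    }

    # 3. TPM presence, readiness and spec version. A firmware TPM (fTPM / PTT)
    #    only shows up here once it has been switched on in UEFI setup.
    $tpm = Get-Tpm
    $report.TpmPresent = $tpm.TpmPresent
    $report.TpmReady   = $tpm.TpmReady
    $wmiTpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report.TpmSpecVersion = if ($wmiTpm) { $wmiTpm.SpecVersion } else { 'n/a' }

    # 4. Partition style of the disk holding the running Windows install.
    #    MBR disk + UEFI-only boot is the combination that left the SSD unbootable.
    $sysDrive = $env:SystemDrive.TrimEnd(':')
    $sysDisk  = Get-Partition -DriveLetter $sysDrive | Get-Disk
    $report.SystemDiskNumber     = $sysDisk.Number
    $report.SystemPartitionStyle = $sysDisk.PartitionStyle

    # An EFI System Partition carries this well-known GPT partition type GUID.
    $esp = Get-Partition -DiskNumber $sysDisk.Number |
        Where-Object { $_.GptType -eq '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' }
    $report.HasEfiSystemPartition = [bool]$esp

    [pscustomobject]$report
}

$state = Get-BootReadiness
$state | Format-List

# Only when the disk is still MBR: ask mbr2gpt whether a conversion would work.
# /validate makes no changes; the actual /convert is a separate, deliberate step
# that should follow a full backup.
if ($state.SystemPartitionStyle -eq 'MBR') {
    & mbr2gpt.exe /validate /disk:$($state.SystemDiskNumber) /allowFullOS
    if ($LASTEXITCODE -eq 0) {
        Write-Host 'mbr2gpt validation passed; back up the disk before running /convert.'
    } else {
        Write-Host "mbr2gpt validation failed (exit code $LASTEXITCODE); see %windir%\setupact.log."
    }
}
```

Reading the output in the order the post hit the problems: `FirmwareMode = Legacy` with `SecureBoot = Unavailable` is the CSM situation, and `SystemPartitionStyle = MBR` with `HasEfiSystemPartition = False` is the disk that disappears once CSM is turned off, since there is no EFI loader for the firmware to find.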
This is a BIOS vs. UEFI thing, it has nothing to do with Windows or Secure Boot or the TPM requirement.
When you do an initial OS install today, you have to boot the computer in the mode that you intend to use (Legacy BIOS / CSM mode vs. UEFI mode, with or without secure boot). This is the case with Linux too. You can't really just switch modes afterwards.
For Windows, you'll definitely need a reinstall. (Edit: I didn't read your post carefully, apparently there's a tool to fix it? Neat!)
For Linux, there's probably a way to re-bootstrap everything yourself (reorganize your partitions, create the EFI partition, copy your kernel and initrd, etc.), but reinstalling is preferred, and will almost certainly be easier.
Several years ago I screwed up a Windows/Linux dual boot by installing one under BIOS and the other under UEFI. The only way to select the operating system was to go into the firmware settings and flip the CSM/UEFI bit each time. That was an annoying week, but the fix was to turn off CSM and reinstall everything under UEFI.
There is this base assumption that UEFI=GPT and that BIOS=MBR which is only partially true (at least for Windows 7/8/8.1/10).
In fact the UEFI is perfectly capable of booting from both GPT and MBR disks; the issue is only that when you install an OS in CSM (or BIOS) mode on an MBR disk, the OS loader/boot manager installed will be the one needed for BIOS booting, and the UEFI one won't be installed.
Besides, there is the requirement of having a FAT32 partition (this can usually be worked around with a UEFI NTFS driver).
But a "normal" BIOS install on MBR (with a dedicated, without drive letter automatically assigned, FAT32 primary partition dedicated to the boot files) can be booted just fine in UEFI by simply adding to that partition the needed UEFI loaders.
The opposite (booting with BIOS from a GPT disk) is also possible but needs some non-standard modifications/hacks to the disk MBR, that - although proven over the years to be "safe" - remain a sort of hack (not recommended if not really-really needed).
> When you do an initial OS install today, you have to boot the computer in the mode that you intend to use (Legacy BIOS / CSM mode vs. UEFI mode
That's one worthwhile technique.
Not many users want to go much further since then you need at least twice as many boot files as the minimum and it's best to test each configuration thoroughly.
If you're dual-booting you are already putting twice as much effort into OS installation & maintenance already, this is not really popular but I did post my latest findings just a couple days ago how I use 4 sets of boot files for W10 & Ubuntu on BIOS & UEFI:
I don't think you need to reinstall much. As long as you have a UEFI-compatible bootloader after converting your hard drive to GPT partition scheme, your UEFI should pick it up. Windows certainly installs one.
The only theoretical value I see in Secure Boot is if you're trying to build a tamper-resistant laptop. You'd have to only run Linux, you'd have to disable everything except your own signing keys (rather than using the shim, or anything else signed by Microsoft, because they'll sign (or can be coerced into signing) basically anything), you'd probably want to skip GRUB and boot an EFI executable directly without editable kernel arguments, and you'd have to manually sign every kernel update or module that you wanted to load.
But even then, I see no reason to trust that a given UEFI implementation won't quietly accept some secret hard-coded key even after all of the defaults have been removed, so now I guess we're stuck with older machines that can be flashed with Coreboot?
Yeesh. The number of people who can get this to work has got to be vanishingly small...
Secure boot and corresponding protection is just like security protection on Mac/iPhone/Android by Secure Enclave / TrustZone. Maybe users of something like a FOSS phone don't like them, but it seems better to have it in general.
On Windows 10, turning on Secure Boot then requires every boot driver to be manually signed by Microsoft themselves, in addition to the dev's code signing cert. This is a significant security boundary, given that most malicious actors won't go through the process of EV registration with Microsoft to gain this. (I guess netfilter is an interesting exception) If they compromise someone's credentials and still get a driver signed, Microsoft have a copy of the driver and when/where it was signed.
In addition, Secure Boot prevents malware from changing the bootloader (and helps stop boot-time ransomware). It's just a good sense fix to many attack vectors left alone for years.
Manufacturers don't generally ship internal drives with any kind of partition table at all in my experience - that gets added when you do the initial install, which generally depends on what mode you booted the installer from and in turn probably on your motherboard BIOS defaults...
Correct, Dell, Lenovo, HP even enable the basic EFI(bios) menu with Secureboot enabled, granted this is a bit disabled if you get an Ubuntu/XPS model but can be enabled easily for dual booting.
This is relatively a non-issue for most orgs, you should have an imaging solution in place, if not there is Windows Hello/Autopilot, not free but easy to deploy and helps you manage and orchestrate, which is what every corporation should do with owned devices.
Machines 5yrs+ support TPM 2.0 unless you bought at absolutely bargain basement prices like Dell Inspiron models from Walmart instead of Dell.com and such, but even lately those also include TPM and Secure Boot as Microsoft demanded it from its vendors.
Building your own PC is something that is kinda dead in today's times though.
I have a Lenovo desktop with a Ryzen 4000 series APU, and the only way I can reliably install BIOS updates is to disable Secure Boot, as the other methods just never work.
It doesn't help that the Lenovo BIOS updating software is crap too. I don't know why it asks me if I want to change the serial number every time it runs (and it doesn't default to "No").
Most people just bought Windows 8/10 preinstalled PCs that are installed with UEFI/GPT, probably CSM disabled by default, and hopefully TPM enabled by default. Most Windows 7 PCs are too old to be supported by Windows 10.
So, whoever is still using Windows 10 on an MBR/BIOS installation is mostly a beginner at DIY PCs.
That's a whole lot of generalising, and a broad assumption at the end there. Even with UEFI enabled there can still be hurdles to getting Secure Boot and TPM 2.0 enabled without messing up the current install.
So the moral of this story is that your recent computer was actually compatible with Windows 11 and that installing an OS that's currently in alpha onto a computer that you built yourself requires being computer savvy - yeah?
No, the pc does contain compatible hardware but by default configured in a way which is not compatible.
Even a tech savvy user then gets bored of the process to change the configuration.
Most other people will simply give up and either not use the new windows version or replace the perfectly good hardware with something else that someone else has already configured.
Now I'm also bored already just trying to explain what's going on here.
Most people will not have an MBR scheme on an ssd. Most people who have a Windows PC they bought towards the end of Windows 7/Windows 8 era will have secure boot on already and working. This user is an outlier.
Most other people aren't going to build their own computer and try to install an alpha preview of an OS on it. It kinda sounds like you signed up for that boring work to me.
Installing the non-alpha upgrade will improve this experience how?
Things like this not being setup optimally on pre-built PCs is also not exactly unusual. Although I assume it'll mostly lead to people sticking with Win10 for longer.
While true, I think his point is more about how many computers will be scrapped because non techie people won’t know to do the above and assume that they need a new computer. Then massive e-waste pile grows. Do we even know if UEFI compatible hardware and SecureBoot is enabled by all OEMs by default? I could see a scenario where that’s not true. Microsoft should have made this a suggestion and warned about why it’s better for the end user rather than forcing the issue.
I could also see “Your computer is not compatible. Get Surface Pro for XX% off at the Microsoft store!” Because antitrust and MS are a thing, historically.
Why would non techie people be building their own computers instead of buying from an OEM? Or installing an alpha OS that, on first release, didn't even tell you why it wasn't compatible?
> Do we even know if UEFI compatible hardware and SecureBoot is enabled by all OEMs by default?
If they have a Windows 8 sticker on them, or above, yes.
> Why would non techie people be building their own computers instead of buying from an OEM?
Because building a computer is very easy and doesn't require deep knowledge of the inner workings of the BIOS. I put together IKEA furniture, despite not having a deep understanding of carpentry. I added a dimmer light switch in my house, despite not being an electrician. There are many people that can build a computer and troubleshoot 95% of the basic simple problems that come with that, but are not deeply technical.
“has been shown to reduce malware by 60 percent.” is hilariously vague. The statement means absolutely nothing! 60 percent compared to what? Is the metric that's decreased the number of infections or the number of infections by unique malware? Was this 60% observed in a lab, and these measures defeat 60% of some test set of malware? Is there any reason to believe that malware won't adapt once these features are released? It is infuriating to see these kinds of vague numbers thrown about.
Seems to me that OS design is starting to be a solved problem - and Microsoft was ready with W10 to just coast for a while. It also seems (Ryzen & M1 notwithstanding) that hardware is coasting too. There just isn't much anymore that needs to be done.
Microsoft was probably content to use Windows 10 as a moat / loss leader, and make their money off Active Directory subscriptions (you pay through the nose nowadays for user accounts) and Office subscriptions.
Too bad the hardware manufacturers and resellers can't sell software subscriptions. I'd guess the hardware folks had a nice long chat with Microsoft and made it clear that the only way forward is for Microsoft to continue to use their OS to 'encourage' people to upgrade their hardware.
> Microsoft was probably content to use Windows 10 as a moat / loss leader
Windows isn't a loss leader. It's actually quite profitable. Which is exactly why they are releasing a new version of Windows; they want to drive sales of Windows. It's been five years since the last major release, and a new release will boost revenues nicely.
There's allegedly an old quote from Microsoft (ca. 1992), "software should get bigger every year."
They make a lot of money from copies of Windows that ship preinstalled on new computers. So Microsoft is actually in the business of encouraging consumers to buy new computers.
Windows 11 compatibility is representative of the Microsoft failure pattern I see again and again.
They introduce some new thing to replace an old thing and the new thing is indeed better than the old thing, but also pulls in a web of dependencies you don't really want while not fully replacing the old thing - thus everybody avoids the hassle of switching and they have to support the old things that stuck eternally.
They probably went "This time we'll do it like Apple!" and ... just made a hard cut for no reason, while not using the opportunity to actually significantly change things (despite having the things to change lined up; 10X had great ideas!).
Why do they keep messing up ecosystems so spectacularly? Are there any deep incentives at play or obvious things I'm missing? It doesn't seem like the CEO change had that radical of an effect on that behavior.
Other examples off the top of my head: Microsoft Store/UWP/MSIX, (Windows Phone, API shenanigans)
Windows 11 is quickly shaping up to become the new Windows 8 or Windows Vista (or a Kinect-like fiasco). Microsoft risks losing mindshare on that segment of "technical-but-not-really" people that actually recommend and spread opinions around by taking care of non-technical people's computers. One of the biggest reasons people weren't using Vista back then is that their tech-savvy friend told them it was bad (often for no reason) and reformatted their PC with XP. After a while people were doing that without even considering the reason behind it.
People are naturally reluctant when upgrading Windows, so the update needs to be as painless as possible, given that the OS you already have installed often has still several years of support left from Microsoft.
I think that is one of the lessons Apple learnt a long time ago, and that's why its software frequently changes aesthetics, but rarely in functionality (the dock is the same, system settings are mostly the same, and so on). If you stay on the old version, you know things might stop working soon.
It seems to me that since XP Windows has been for some reason engulfed in a nonsensical crusade to change those things that worked so well already. I still consider the Windows 2000 UI as the most refined and easier to use in all of Windows, and everything after that just complicated and messed up the OS without a real vision (the only good improvement in the UI I think was the 7 taskbar). To see what I'm talking about, it's sufficient to see the mess they made with the control panel, which was clear and easy to use in 2000, then became cartoonish and dumb in XP, and then it got partially replaced by Settings in 8 (and the migration is still incomplete to this day).
A lot of criticism for Vista was because of its poor performance; it was too heavy for the hardware of the time. That won't be the case for Windows 11 - it will mostly be run and benchmarked on new hardware. All Microsoft needs to do to convince users to upgrade is to market new features like DirectStorage well.
Yes, that is true, but hard to convince users to upgrade when the installer refuses to run on their 3+ years old computer.
My desktop is less than 1 year old and still Windows 11 won't install because the disk is formatted using MBR. I know how to fix that. It involves formatting the disk and changing BIOS settings and a lot of work. I can do that. I don't know anyone outside my tech circle that could do the same.
When a <1 year old computer can't be effortlessly upgraded Microsoft has a big problem.
One big issue with this is that Microsoft has supported BIOS/MBR for way longer than it was needed - "MBR" is a legacy from the past, and having an executable UEFI bootloader in a GPT ESP is so vastly superior to just loading the first 512B of a disk and jumping to whatever there is in there. I haven't seen a BIOS-only system after 2011, so there's basically no reason at all to boot in Legacy/CSM mode.
I have the insider preview of Windows 11 running on a 6th gen i5, and it works fine. So the CPU requirements are just arbitrary. There are warnings and text that I'll be forced at some point to reinstall Windows 10 after the insider program for early Win 11 builds is done.
Fwiw, Windows 11 appears to be just Windows 10 with a centered taskbar and rounded corners on the windows.
TPM 2.0 seems straightforward. Windows is their client for integrating with services they actually monetize - Sentinel, Azure, O365. In order for those services to compete they need a client that has these capabilities. TPM 2.0 provides that.
The intel generation could be moved back one, I believe, and still meet their requirements though.
I've been putting off replacing Windows for a while now. Windows 11 not being compatible with older hardware is the straw that breaks the camel's back. Here I come, Linux!
Yes, I’m very much the same. Windows 10 has been getting on my nerves for some time now, and the TPM requirement is the nail in the coffin, I’ll be switching to Linux desktop for my primary machines.
I used a new computer to install Windows 11 onto an SSD, then I pulled out the SSD and popped it into an old computer with no TPM and and an unsupported third-generation Intel CPU. It works great!
For now. They seem to be somewhat upfront about the insider releases having relaxed rules for now, but that you will probably need to reimage with Windows 10 later.
The desktop will have Linux on it, for the year of 2021.
But seriously, MS has a long history of alternating dodgy and solid windows releases. Windows 12 will be a big hit, probably leveraging office/business standardization and games (integrating xbox).
Prediction: TPM modules are going to be sold out everywhere
I have a motherboard released in 2020 (intel) and apparently I as a user need to go buy some piece of hardware that I had no idea existed for a feature I didn't ask for and plug it into the motherboard just to run Windows 11.
The fact that the TPM module goes from being an addon to mandatory hardware for running Windows seems like a recipe for shortage.
Think about IT departments everywhere who want to upgrade for compliance reasons all trying to buy these modules.
If you have a 2020 motherboard, your Intel CPU almost certainly supports PTT, and you don't need a standalone TPM module.
But you're right about the demand - I had a TPM 2.0 module listed on a local buy/sell site for the past couple years, and received a dozen inquiries after the Win11 news.
No, not really, you don't add TPM to a computer, it's integrated at time of motherboard manufacture and most PCs have them already but are not enabled.
Took me way too long to enable secure boot on my 2012 built PC, it's now on but I should've read closer, my CPU is simply too old and I still don't have TPM 2.0 so it's still showing as not supported.
> Deprecating a whole generation of hardware that do not meet minimum requirements will generate sales for Intel, AMD, and PC OEMs.
Is Windows 11 even compelling enough for people to break their normal hardware upgrade schedule?
I have more Windows machines than I'd like to admit, and only one of them (purchased this year) can run Windows 11. I'm in no rush to upgrade any of the other, non-qualifying devices any time soon, as they are more than usable in their current state.
This makes sense if you know nothing about how Microsoft is structured or making money, but otherwise falls apart. Windows licenses are not what they're prioritizing.
But it is obviously money - kinda silly to point out that that's why a business does things, but yeah, you nailed it.
Microsoft sees threats to its business in a number of forms, and believes that this hardware requirement will address them.
No need to be sorry, it's a perfectly reasonable question.
1. Security is a huge threat to Windows, O365, etc. Microsoft and "malware" go together a little too much in the public's eyes and that hurts their business. Addressing this through hardware is reasonable, but they even have an entire product line now around this - Sentinel.
2. Microsoft likely sees GSuite as a major threat to O365. Where Microsoft's major client is Windows, GSuite's client is ChromeOS. ChromeOS has mandated TPM 2.0 and baked it into every system, and they offer GSuite features that integrate with that - it's a massive security win for ChromeOS users, and Microsoft has to have TPM 2.0 to compete.
I hope that clears this up for TPM 2.0.
As for the intel series, I can't comment, I haven't looked into it and as I said elsewhere I feel that MS could easily reduce the requirement.
Windows 11 has default integration with Microsoft Teams.
Windows 11 is Microsoft's Android play. The purpose is to drive adoption of Microsoft services, gaming on Microsoft platforms, and boost the PC ecosystem.
Right, but approximately 0 people are going to buy a new computer just to get Windows 11.
That is: If I've got to have 11, I'll buy a new computer to get it, but my goal isn't a new computer, it's Windows 11. Selling a new computer vs selling me Windows 11 for an old computer doesn't put a lot of extra money in Microsoft's pocket, so why do they care?
But if they did it the other way, they'd get all the people who buy new machines, and they'd be able to sell upgrades to people who wanted 11, but didn't want it bad enough to buy a new machine.
> Right, but approximately 0 people are going to buy a new computer just to get Windows 11.
No, but people who need a new PC won't be able to get one with any Windows other than W11, and if the Legacy BIOS CSM option is removed from UEFI motherboards then those who need Windows 7 will no longer be able to run it on the bare metal.
So there will be reduced possibility of mass awareness among businesses where speed is an issue, about how much faster W7 is compared to W11 on the exact same hardware.
The hardware is definitely getting faster and Windows is getting slower.
As Windows performance slows down for W11, a lot of businesses still are licensed to use W7 if they wanted to switch back; it's a viable option for the majority of PCs that don't need to be on the internet, and of course it's a breeze to dual-boot to W10 when you need the web right now.
When W7 was finally very mature & reliable I see the purpose of rushing to W8, w10, & W11 as simply the same anti-competitive forced hardware obsolescence as if there was a competitive offering from a different company which couldn't keep up.
But Linux is not a threatening competitor yet, plus it's open source and already infiltrated by Microsoft.
The only real competition is W7.
As we have seen W11 can actually function ideally on a BIOS mainboard. Plus some UEFI boards do not fail to support Microsoft SecureBoot even when the Legacy CSM is enabled.
Whoever would ultimately benefit from running older Windows on a brand new PC, that possibility is targeted for extinction with the continued movement in this direction.
I don't understand why MSFT didn't simply make this a requirement for Windows Pro, and grandfather in Home, and then update Home next year as Windows 12