When Microsoft announced its plans for Windows 11, it was clear that it wasn’t just another Windows Update exercise. The new version of Windows will require levels of hardware security support beyond anything that’s been required until now. For many companies, meeting those security requirements will be painful. But in the long run, they’re necessary.
The original announcement has already run into some headwinds. On June 28, 2021, Microsoft’s Windows team issued an update regarding the minimum system requirements for Windows and explaining in more detail what those requirements mean. In addition, the team announced that it has withdrawn the PC Health Check app that was supposed to tell you whether your systems could run Windows 11.
In addition, Microsoft has released a preview version of Windows 11 so that you can start getting ready for the new OS. The preview edition does NOT include the mandatory security features including requirements for Secure Boot or the requirement for Trusted Platform Module v.2.0. According to Microsoft, you can run the preview version of Windows 11 on any seventh generation Intel processor.
However, when Windows 11 is released, it will require both the TPM and Secure Boot, so the first thing you should do is conduct an inventory of your Windows machines and see which meet the Windows minimum requirements and which don’t. An easy way to check for the TPM is to right-click on the Windows start button, then click on Device Manager. Find Security Devices, and if the computer has a TPM that meets requirements, you’ll see an entry that says “Trusted Platform Manager 2.0” listed.
Confirming UEFI Secure Boot is implemented may take some time, as it may be different for different computers. Normally, the existence of this security feature will be disclosed on the specifications from your original purchase, but you may need to enter the setup menu for your specific PC to find out. There’s no one way to do this as different makers used different methods, so you’ll need to confirm with the manufacturer.
Normally, Microsoft’s now-removed PC Health Check app would have been an easy and quick method of checking your organization’s computers, but there were some issues with it, which is why Microsoft says the app was removed until later this year. One thing I did find in testing the app is that it provided what appear to be false negatives, meaning that it would say a computer doesn’t meet the minimum requirements when it in fact does. I tested in on two fairly new machines that meet all of the requirements, and the app said that both failed the test.
Once you’re separated the machines that can’t run Windows 11, you’ll know that those machines need to be put on the list for early replacement. In the meantime, Microsoft plans to continue updating Windows 10 until 2025, so you’ve got plenty of time. Remember those machines are probably already old, and adding another four years to their life is probably not financially responsible.
In addition, that four years gives you time to confirm that the applications you currently use will run on the new version of Windows, and get them updated if they don’t. Meanwhile, if your current computers do meet the Windows 11 minimum requirements, you can set Windows 10 to take advantage of them.
While the upgrade process to Windows 11 is going to be expensive for some, and annoying for others, the fact is that Microsoft is taking a big step towards making Windows significantly more secure than it has been. Right now, Windows is a favorite target for hackers, malware purveyors and other band guys, and without the hardware security support offered by modern PC platform, there’s only so much Microsoft can do.
For your company, this is one required step for protecting your data and your users, and while it’ll certainly be expensive, it’s a lot less expensive than a ransomware attack. It’s also a lot less annoying that explaining to your board and your stockholders why you didn’t take the steps necessary to protect yourself when they were made available well in advance.