Windows 11’s Security Push Puts Microsoft on a Collision Course
When Microsoft debuted Windows 11 at the end of last week, the company heralded the usual advancements in efficiency and design that come with any new operating system. But Windows 11 also comes with a less welcome tick: stricter-than-usual hardware requirements for which PCs can actually run it. Because of what Microsoft has described as security concerns, many devices—even some currently for sale—won't ever be able to upgrade, leaving a generation of PCs stranded on Windows 10.
To run Windows 11, devices must have an Intel Core processor from at least 2017, or AMD Zen 2 processors from 2019 onward. They'll also need at least 4 GB of RAM and 64 GB of hard drive storage. Microsoft's own $3,500 Surface Studio 2 desktop, which you can buy new from the company right now, doesn't make the cut under these requirements. Microsoft is still exploring the possibility that slightly older chips will make the cut, but either way, you'll need a pretty recent device to upgrade your operating system.
“Microsoft has a clear vision for how to help protect our customers now and in the future and we know our approach works,” David Weston, Microsoft director of enterprise and operating system security, wrote on Friday. “We are announcing Windows 11 to raise security baselines with new hardware security requirements built-in.”
That baseline appears to hinge on a Trusted Platform Module, or TPM 2.0 chip, a component Microsoft has required in all new Windows devices since 2016. But not all devices that contain a TPM 2.0 chip actually have it enabled, and the process of activating it is technical and involved when it's doable at all. Microsoft or individual PC manufacturers would likely need to offer free, in-person assistance to make it feasible for most customers, both individuals and businesses, to enable latent TPM and other features like Secure Boot. Plus, some current device models that you can purchase today still don't include TPM 2.0s, simply because they've been manufactured since before the requirement went into place.
By tying Windows 11 availability to that specific hardware feature, Microsoft may leave scores of devices even more vulnerable in the long run. Those who can't update to Windows 11 will still have Windows 10, but not forever. Microsoft plans to end support for its 2015 operating system—currently installed on 79 percent of Windows devices worldwide, according to analytics site StatCounter—on October 14, 2025. That will mean no more security patches for the large population of devices that can't transition onto Windows 11.
While Microsoft may hope that most people will have bought a new, Windows 11-capable PC by then, the horror of the decade-long Windows XP migration is still fresh in the security community's memory. Security vulnerabilities discovered in XP after Microsoft stopped supporting it created gaping holes for the millions of devices that never upgraded to Windows 7 or beyond. In fact, StatCounter shows that a full 20 years since its initial release, and after numerous industry-wide upgrade efforts, more than half a percent of Windows devices still run XP.
“The first large vulnerability after Windows 10 end-of-life will cause chaos and put customers in a hard place,” says Marcin Kleczynski, CEO of the antivirus firm Malwarebytes. “Microsoft has the responsibility to protect their customers. If half are still on Windows 10, will they leave them out to dry?”
Microsoft declined to comment on the record to WIRED about its vision for the transition or the potential for Windows 10 to become a ticking time bomb. In a blog post on Tuesday, the company acknowledged confusion and concern about which devices will be eligible for the upgrade.
“It's not a surprising move by Microsoft; trusted boot and TPMs offer significant advantages,” says Jake Williams, chief technology officer of the incident response firm BreachQuest. “However, I'm still working with customers who have significant investments in legacy hardware. They won't be able to make a financial justification for new hardware simply to run Windows 11. Most won't opt to pay for extended support either, leaving them with vulnerable machines until some catalyst forces them to upgrade.”
Lots of computers don't get replaced regularly, and for valid reasons. You may not care about new hardware features, or may not be able to afford a new rig. Businesses may roll out a fleet of devices and then simply leave them in place for 10 years or more so they don't have to pay for replacements or deal with compliance issues that come with making changes. And it's common to leave old equipment running in industrial control and critical infrastructure environments, where a system can't have any downtime and it's very complicated, even risky, to replace them.
Microsoft originally offered a “PC Health Check App” that you could use to assess whether your PC will be able to run Windows 11. But the company has temporarily pulled the feature, because it's not yet clear which devices will actually be supported. The preview builds of Windows 11 aren't enforcing the minimum hardware standards and can be installed on an array of PCs, in part to test how the operating system performs on older chips.
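With the PC Health Check app pulled, an administrator who wants to know where a fleet stands against the baseline the article describes (TPM 2.0 present and enabled, Secure Boot on, 4 GB of RAM, 64 GB of system-drive storage) can query the same facts directly. The script below is an added example written for this page, not code from the article, from WIRED, or from Microsoft. It uses the standard cmdlets Get-Tpm, Confirm-SecureBootUEFI, Get-CimInstance and Get-Volume; the function name Get-Win11Readiness, the threshold parameters and the output field names are this example's own choices, and the RAM and disk figures are taken from the article. It deliberately does not check the CPU generation, because the page does not reproduce Microsoft's supported-processor list.

```powershell
# Added example, not from the article or from Microsoft: report a Windows 10 machine's
# status against the Windows 11 hardware baseline described above.
# Run from an elevated PowerShell prompt; Get-Tpm requires administrator rights.

function Get-Win11Readiness {
    [CmdletBinding()]
    param(
        [int]$MinRamGB  = 4,     # article's figure
        [int]$MinDiskGB = 64,    # article's figure
        [string]$SystemDrive = $env:SystemDrive.TrimEnd(':')
    )

    $result = [ordered]@{}

    # --- TPM: present, ready for use, and spec version 2.0 ---
    # Get-Tpm reports presence and readiness; the spec version comes from the
    # Win32_Tpm WMI class, whose SpecVersion string looks like "2.0, 0, 1.38".
    try {
        $tpm    = Get-Tpm -ErrorAction Stop
        $tpmWmi = Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' `
                                  -ClassName Win32_Tpm -ErrorAction Stop
        $specMajor = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'n/a' }
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
        $result.TpmVersion = $specMajor
        $result.TpmOk      = $result.TpmPresent -and $result.TpmReady -and ($specMajor -eq '2.0')
    } catch {
        # No TPM exposed to the OS, or the TPM is switched off in firmware: fails the baseline either way.
        $result.TpmPresent = $false
        $result.TpmReady   = $false
        $result.TpmVersion = 'n/a'
        $result.TpmOk      = $false
    }

    # --- Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS / CSM boot ---
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result.SecureBoot = $false   # legacy firmware: Secure Boot cannot be enabled at all
    }

    # --- RAM: sum installed DIMM capacity rather than OS-visible memory, which
    #     can read slightly under 4 GB on a 4 GB machine because of firmware reservations ---
    $installedBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
                       Measure-Object -Property Capacity -Sum).Sum
    $result.RamGB = [math]::Round($installedBytes / 1GB, 1)
    $result.RamOk = $result.RamGB -ge $MinRamGB

    # --- System drive size (total volume size, not free space) ---
    $vol = Get-Volume -DriveLetter $SystemDrive -ErrorAction Stop
    $result.DiskGB = [math]::Round($vol.Size / 1GB, 1)
    $result.DiskOk = $result.DiskGB -ge $MinDiskGB

    $result.AllOk = $result.TpmOk -and $result.SecureBoot -and $result.RamOk -and $result.DiskOk
    [pscustomobject]$result
}

# Usage: one line per check, plus an overall verdict.
Get-Win11Readiness | Format-List
```

A machine that reports TpmPresent true but TpmReady false, or SecureBoot false on UEFI firmware, is the "latent TPM" case the article describes: the hardware is there and the fix is a firmware setting, not a new PC. A machine that throws on Confirm-SecureBootUEFI is booting in legacy BIOS mode and would need to be converted to UEFI before Secure Boot could be turned on.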
“Based on the feedback so far, we acknowledge that [the app] was not fully prepared to share the level of detail or accuracy you expected from us on why a Windows 10 PC doesn’t meet upgrade requirements,” Microsoft wrote.
Though secure hardware elements like TPM 2.0 chips can theoretically become a single point of failure if they themselves are compromised, embedded device and network security researchers still say in general that it's worth implementing such hardware security “roots of trust.” The chip itself could theoretically be hacked, but for the vast majority of people you'd be no worse off than if you hadn't had the protection in the first place.
That explains, at least in part, Microsoft's dedication to essentially strong-arming the entire world into switching to PCs that include more robust defenses. The company says that the hardware requirements are necessary for Windows to run security features like hardware-enabled device encryption, Secure Boot, and other virtualization protections that are most effective when layered together. “The combination of these features has been shown to reduce malware by 60 percent on tested devices,” the company wrote on Tuesday.
Looking ahead to 2025 and end of support for Windows 10, researchers say that realistically it wouldn't be surprising if Microsoft delays the date to 2026 or beyond. And Malwarebytes' Kleczynski adds that if Microsoft stands firm on the Windows 10 deadline it will almost inevitably be forced to push “out of support” security patches for the ubiquitous operating system, like it's done repeatedly for Windows XP out of necessity.
But even if the transition is messy and painful, as it has been before, Microsoft seems set on carrying it through. In addition to security considerations, the company also cites “reliability” and “compatibility” as two other major justifications for Windows 11's hardware requirements. This indicates that Microsoft may also be using the opportunity to simply streamline the population of devices it supports and attempt to phase out older equipment saddled with compatibility issues that are difficult to deal with. And then there's the business benefit of urging millions of people to get a new device. As the company put it on Thursday, “It’s a great time to buy a PC.”