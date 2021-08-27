



Windows 11 promises to improve window management, run Android apps, and unify the look and feel of embedded apps in the operating system after years of frustrating jumble. However, if you can’t run the software on your computer, that’s okay. Microsoft only promises official Windows 11 support for computers released within the last 3-4 years. Everyone else can run the operating system if it meets the performance requirements, but instead of getting it via Windows Update, you have to jump over the hoop of downloading the ISO file and manually installing the operating system. I have.

This is a break from previous versions of Windows that have had about the same system requirements for the past 10 years. Microsoft actually uses the features that run on older hardware as a selling point for Windows 10, and if it gets as many people as possible to use the latest version of Windows, it’s a free upgrade to all computers running Windows 7 and Windows 8. Made available as. It’s easier to get developers to take advantage of the latest features.

Microsoft’s rationale for strict official support requirements for Windows 11, such as secure boot, TPM 2.0 modules, and virtualization support, has always focused on security rather than raw performance. A new post from Microsoft today analyzes these requirements in more detail and also discusses system stability using crash data from older PCs in the Windows Insider program.

Driver and stability

According to Microsoft, Insider Program PCs that do not meet the minimum requirements for Windows 11 “52% more kernel mode crashes” than PCs that meet, so “devices that meet system requirements have a 99.8% crash-free experience. I got it. ” According to Microsoft, this primarily results in active driver support. New computers primarily use the new DCH driver, which is a way to package drivers that Microsoft has begun to support in Windows 10. To be DCH compliant, the driver must be installed using only regular .INF files and the OEM-specific driver customizations must be separated from the driver. As such, you need to distribute all the apps that come with the driver (such as the audio driver or GPU control panel) through the Microsoft Store. DCH drivers are common on hardware manufactured in the last four to five years, but are rarely present on hardware shipped in the Windows 8 or Windows 7 era.

Sure, 2012 or 2014 computers will run old drivers that cause crashes using Windows 7 era drivers on older computers running Windows 10, but Microsoft numbers show these older systems. Does not distinguish between almost new computers, but not completely, including 6th and 7th generation Intel Core systems and TPM 2.0 modules, active from Intel, AMD, and (often) Never miss a system requirement, such as a first-generation Ryzen system that continues to enjoy DCH driver support. ) The company that manufactured the computer. You’ll probably find that manually installing Windows 11 on these PCs is about as stable as installing it on officially supported devices, but it needs to be tested ourselves. Thing.

Towering stack of security acronyms

That’s where security requirements reappear. Microsoft details the benefits of using Secure Boot and TPM 2.0 modules, but in practice, less-discussed virtualization requirements and acronym alphabet soup can be important. Windows 11 (and Windows 10!) Uses virtualization-based security (VBS) to isolate some of your system memory from the rest of your system. VBS includes an optional feature called “Memory Consistency”. This is a more user-friendly name for what is called hypervisor-protected code integrity (HVCI). HVCI can be enabled on Windows 10 PCs without driver incompatibility issues, but older computers will experience significantly lower performance as the processor does not support mode-based execution control (MBEC). ..

And the acronym seems to be at the root of the Windows 11 CPU support list. If it supports MBEC, it is usually in. If it doesn’t, it’s out. MBEC support is only included on relatively new processors such as the Kaby Lake and Skylake-X architectures on the Intel side and the Zen 2 architecture on the AMD side. sidethis isn’t accurate, but it matches very well with the Windows 11 processor support list.

MBEC is easiest to think of as hardware acceleration for memory integrity features. This is like the AES-NI instruction speeding up cryptographic operations about 10 years ago. You can use BitLocker Drive Encryption on computers that do not use AES-NI. For example, performance will be significantly reduced. The same applies to the memory integrity feature, and MBEC PCs without processors that support MBEC rely on software emulation called “restricted user mode”. This has security benefits, but it has a significant performance impact. Some users who have tested Windows 10 HVCI functionality on processors that do not support MBEC have noticed performance degradation of up to 40%, depending on the task they are performing and the computer they are using.

“Memory integrity”, also known as HVCI, is included in Windows 10, but is turned off by default on most systems. This is an important security requirement for Windows 11.

Andrew Cunningham

The memory integrity feature is fully present in Windows 10, and the Secure Core PC initiative, launched in late 2019, requires support for all Windows 11 security requirements and some other requirements. However, on most PCs, HVCI is typically disabled by default on all systems except modern systems. Microsoft enables HVCI by default on all 11th generation Intel Core PCs with either AMD’s Zen 2 or Zen 3 processors (covering Ryzen 3000, 4000, and 5000 series chips), and Qualcomm Snapdragon 8180 SoCs and Qualcomm Snapdragon 8180 SoCs Instruct the OEM to. New; also requires at least 8GB of RAM and 64GB or more of SSD. If you’re building a PC and you’re doing a fresh installation of Windows 10 yourself, HVCI isn’t enabled by default, even if you meet these requirements.

So, if Microsoft requires MBEC-accelerated HVCI support (several statements) on all Windows 11 PCs, you’re not changing the default security settings to take advantage of these features. Is it? At the moment, at least on existing PCs, the answer is no (emphasizing us), according to the company’s blog post.

“VBS is not required when upgrading to Windows 11, but the security benefits that VBS offers are so important that the minimum system allows all PCs running Windows 11 to meet the same security. I needed a requirement. [US Department of Defense] Depends on. In partnership with OEMs and silicon partners, we plan to enable VBS and HVCI on most new PCs next year. And we will continue to look for opportunities to extend VBS to more systems. “

Assuming full HVCI and MBEC hardware support is driving the new Windows 11 requirements, the list of supported processors still has strange inclusions and exclusions. Why is only a handful of high-end 7th generation Intel Core chips officially supported, even though Microsoft’s own Windows 10 documentation states that HVCI works on all Kaby Lake processors? mosquito. Also, why are AMD Zen + processors such as Ryzen 2000 series CPUs and 3000 series APUs included in the support list when AMD just added MBEC support from the Zen 2 architecture? These are the questions we hope to get answers to before Windows 11 is open to the public this fall.

