sbradley
Contributing Writer

Windows 11 hardware requirements will drive security update decisions

Feature
Jul 14, 2021 | 5 mins
Windows Security

Windows 11 is Microsoft's most security-oriented OS ever, but will your network-connected computers support it? Here's how to tell.

Microsoft announced its plans for the next version of Windows, called Windows 11. Built with security in mind, it will once again cause us to make hard decisions regarding investments in hardware and who will get the new operating system on new machines and who will not.

Windows 11 will demand new hardware requirements due to a “redesign for hybrid work and security with built-in hardware-based isolation, proven encryption, and strongest protection against malware.” With those requirements come deployment concerns. BIOS updates are always disruptive, but tracking down and inventorying what devices can and cannot support Windows 11 will once again result in mixed networks of older and newer operating systems.

Trusted Platform Module 2.0 required

Several requirements will force you to separate your network into a series of haves and have-nots. First comes the requirement for Trusted Platform Module (TPM) 2.0. TPM 2.0 will be required for “hardware-enforced stack protection for supported Intel and AMD hardware, helping to proactively protect our customers from zero-day exploits.” A root of trust ensures that when you boot a computer, it has not been tampered with in any way. The anchor for the boot process is in the hardware that the computer boots from. A TPM chip is a purpose-built, secure cryptoprocessor designed to carry out cryptographic operations.

I found when inventorying machines that many of my desktops already had TPM chips, but they were TPM 1.2. It was not easy to find a central repository of information on how to upgrade a machine to handle TPM 2.0. Each manufacturer has information and links on its processes to upgrade. Some machines (such as Dell or HP) required a firmware update specifically for the TPM chip to change the chip support from TPM 1.2 to 2.0. Some of these updates could be done remotely or with patching tools. However, the firmware update process can be disruptive.

Some devices, like my Lenovo ThinkPad laptop, required me to boot into the BIOS and manually change the setting to support the 2.0 specification. There are several tools you can use to determine which TPM chip your machine has and whether your system is ready for testing and ultimately deploying Windows 11. One way is to click Start, run tpm.msc, and review the specification version your computer is currently set to. If you find it’s at 1.2, you’ll need to determine the vendor’s method to move to 2.0 support.

Another way to review whether the machines on your network will support the upcoming Windows 11 is to use Microsoft’s tool, which checks whether a standalone machine can support Windows 11. At this time, the tool does not support reviewing a system behind WSUS or System Center and does not detail whether multiple reasons keep a machine from Windows 11. I recommend using an independent tool that better verifies whether your system can support Windows 11. The tool will be flagged by SmartScreen because it’s not signed. You can review the code used in this tool and use the same commands to review the TPM settings across your network.

If you need to move from 1.2 to 2.0, you’ll need to check whether BitLocker or other security software is deployed on that computer. If it is, you’ll need to decrypt the computer before upgrading the firmware. If you fail to decrypt the system, you will lose the data on that system and be unable to log back in. For HP systems, follow this blog post to use System Center Configuration Manager to deploy an upgrade from 1.2 to 2.0. If you’ve deployed BitLocker, you know that this upgrade process is not without risks and deployment failures. Any firm that already deployed BitLocker using TPM 1.2 will probably opt to leave those systems as is and not risk the upgrade to 2.0.
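The inventory step described above, as an added PowerShell example that is not part of the article or of any tool it mentions: it reads the TPM specification version from the built-in Win32_Tpm CIM class (the same data tpm.msc displays), reports Secure Boot state, the installed Windows 10 release and the processor name, and flags whether any volume still has BitLocker protection on, since a TPM firmware update should not be attempted until that is dealt with. It assumes an elevated session; the fleet run assumes WinRM is already enabled and the computer names are placeholders. Comparing the reported processor against Microsoft’s supported-processor list is left to the reader.

```powershell
# Added example (not from the article): Windows 11 readiness inventory for the
# signals discussed above. Run elevated on Windows 10. Remote use assumes WinRM
# is enabled in your environment (an assumption of this example).

function Get-Win11ReadinessReport {
    [CmdletBinding()]
    param()

    # Win32_Tpm lives in the MicrosoftTpm namespace and is absent when no TPM is
    # present or the TPM is disabled in firmware. SpecVersion reads like
    # "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is the spec level.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Installed Windows 10 release: DisplayVersion exists from 20H2 on,
    # ReleaseId on older builds.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # Volumes with BitLocker protection switched on. Get-BitLockerVolume only
    # exists on Pro/Enterprise SKUs, hence the silent fallback to an empty list.
    $protected = @(Get-BitLockerVolume -ErrorAction SilentlyContinue |
                   Where-Object { $_.ProtectionStatus -eq 'On' } |
                   ForEach-Object { $_.MountPoint })

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        Release        = $release
        Processor      = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Name
        TpmPresent     = [bool]$tpm
        TpmSpecVersion = $tpmSpec
        TpmIs20        = ($tpmSpec -eq '2.0')
        TpmEnabled     = if ($tpm) { [bool]$tpm.IsEnabled_InitialValue } else { $false }
        SecureBoot     = $secureBoot
        BitLockerOn    = $protected
        # A TPM firmware update needs BitLocker suspended or decrypted first.
        SafeToFlashTpm = ($protected.Count -eq 0)
    }
}

# Local run:
Get-Win11ReadinessReport | Format-List

# Fleet run over WinRM (placeholder computer names), exported for the inventory:
# $fleet = 'PC01', 'PC02'
# Invoke-Command -ComputerName $fleet -ScriptBlock ${function:Get-Win11ReadinessReport} |
#     Select-Object ComputerName, Release, TpmSpecVersion, TpmIs20, SecureBoot, SafeToFlashTpm |
#     Export-Csv -Path .\win11-readiness.csv -NoTypeInformation
```

Machines that report TpmIs20 as false with a TPM present are the 1.2 candidates for the vendor’s firmware or BIOS-setting procedure; those with SafeToFlashTpm false are the ones where BitLocker must be dealt with first.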

Windows 11-supported processors

The blocker for most of my machines in the office is not the lack of a TPM chip but rather whether the processor on the motherboard is supported. Microsoft lists the processors that support Windows 11. I don’t upgrade processors in existing equipment. Rather, I purchase new computers. So, I’ll be moving back into a multi-operating-system maintenance mode in the future.

Windows 10 and 11 support and deployment

It appears that many of the support and deployment mechanisms used for Windows 10 will still work for Windows 11. There are, however, some big changes in Windows updating. Rather than feature updates every six months, Microsoft is moving to an annual feature release process. Each release will be supported for 24 months for Home/Pro and 36 months for Enterprise/Education.

Michael Niehaus has an excellent recap of the servicing decisions you will need to make for Windows 10 and the upcoming Windows 11. For those of you with Windows 10 Enterprise SKUs, you’ll need to be aware of the following deadlines:

  • Windows 10 1909 Enterprise is supported to May 10, 2022.
  • Windows 10 2004 Enterprise is supported to May 10, 2022. However, you should move beyond 2004 earlier than that date.
  • Windows 10 20H2 Enterprise is supported to May 9, 2023.
  • Windows 10 21H1 Enterprise is supported to December 13, 2022.

Moving from 1909 to 2004 is a full feature release, so this deployment will take some time. It’s recommended to move to 20H2 or 21H1 via an enablement package before 1909 drops out of support.

To move from 2004 to 20H2 or 21H1 is merely an enablement package, so it will be a quick install.

Bottom line: You will need to inventory your network and determine your plans for Windows 11. Which users and roles will receive a Windows that is built to ensure that we have a more secure computing experience?


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
