Our resident Windows expert, Ed Bott, has been diligent in his coverage of watching Microsoft walk itself back from compatibility commitments in its pre-release documentation to get down to the bottom of exactly which systems would be orphaned by and which ones would move forward to Windows 11.
That we did not have a definitive answer from Microsoft from the get-go has added a great deal of frustration from Microsoft’s traditional loyalists. I have also not been pleased with this, having discovered that my own PC systems, which I purchased in 2016, will not make the cut.
Fortunately, we now have a definitive answer: The reason why many systems may not make the cut has much to do with Intel (and AMD processor) features in the latest generation of chips related to hardware-based virtualization.
Virtualization? But wait, isn’t that something we are only really concerned with regarding servers that live in datacenters? Traditionally, yes. But there are other uses for virtualization besides increasing workload density.
In 2017, I wrote an article entitled How containers will transform Windows 10 in the next three years; I discussed the various virtualization and containerization technologies Microsoft worked on in their Azure Cloud, Windows Server OS, and desktop Windows.
Now, with this required hardware-enforced containerization and virtualization tech, Windows 11 will isolate applications and processes much more easily. It will be much more difficult for malware in an errantly running application to access resources it isn’t supposed to. It will only access the resources in that specific application task that it infects, such as a particular browser tab.
It won’t have a free run of the OS, and if the infected task is detected based on its known malware signature, it’s nuked in orbit.
Additionally, while not virtualization related, the requirement for Trusted Platform Module 2.0 provides additional features that prevent compromises at the boot level and at the firmware level for an extra level of security that legacy systems without them do not have.
From a security perspective for both end-users and enterprises, that is huge. And it is something you absolutely want to upgrade to in an age where malware threats are constant, and the need to be vigilant against these threats is never-ending.
So yes, this is a significant upgrade. It’s valuable, and if you’re a Windows user – consumer or enterprise – you want this. If you don’t have hardware that supports it, it’s worth getting a new system.
The problem is that Microsoft buried the lead and employed bait-and-switch tactics to induce us to upgrade, rather than simply being straight with us from the beginning. What Microsoft should have said is: “Look, we can’t implement these important architectural changes in the OS to protect you from the bad guys unless your hardware supports this.”
Instead, we got: “Open your mouth, the airplane is landing! Microsoft wants you to eat the improved hardware-enforced security feature because it’s good for you! Woooo! Flashy Windows 11 user interface!”
By the way, if you already have these features built into your Intel and AMD chips, then guess what? Windows 10 already has this enabled, by default, assuming you are at current patch levels. You’re already protected. But Windows 11 will be the first Microsoft OS to require these features to turn on Virtualization Based Security (VBS) and Microsoft Defender Application Guard (MDAG). So future generations of systems will not be vulnerable to the same malware and exploits of previous generations.
It should be noted that Intel Gen6 systems, which did not make the official cut for Windows 11 support, can not only install the Windows 11 prerelease from the Windows Insider developer channel now, but they can also run MDAG, as shown in the screenshots above.
However, they do not have sufficient hardware virtualization technology to run what is referred to as the “Standard Hardware Security” that certified Windows 11 PCs require to make the cut. Gen7 systems do (Which Microsoft is now exploring the possibility of supporting and some older generation AMD systems), but Gen8 does it better. This includes the Core Isolation, Security Processor, and Secure Boot features within the Device Security menu.
Core Isolation requires a hypervisor, whereas MDAG appears to use host-based virtualization (which has less stringent hardware requirements), which could be the difference.
So it’s unknown at this point if Gen6 systems like my 2016-era Dell XPS 8900 (Intel Skylake) running on the prerelease today will still be working on the gold release of Windows 11 in October. It would be nice if they did. I’m not counting on it.
It’s ironic that the hardware-based virtualization technology I have been pleading with Microsoft to implement for years is the very thing that is likely to leave my PC systems behind with this upgrade.
Am I annoyed by this? Yes. Can I accept this now? Also, yes. But the best approach would have been coming clean with its userbase from the very beginning, making security a primary emphasis of the product launch, and not baiting and switching with a pretty user interface.
What is more important to you, the enhanced security enforced by default or the new user interface in Windows 11? Talk Back and Let Me Know.
