Windows 11: Should you bypass the hardware block?

Credit to Author: Susan Bradley | Date: Tue, 31 May 2022 12:55:00 -0700

If you’re like most PC users, your current computer can’t run Windows 11. Microsoft has placed a line in the hardware sand to ensure that only modern machines with certain specifications that harden security can run Windows 11. 

Well, sort of. The company provides a workaround, as I’ll discuss in a moment. Whether you should take advantage of this loophole to upgrade PCs (whether yours or your users’) to Windows 11 is the question.

First, if you want to know if a computer can run Windows 11, you can use the PC Health Check app, Microsoft’s diagnostic tool. But if your PC doesn’t support Windows 11, Microsoft’s app doesn’t do a great job of explaining why. Instead, I recommend using either the Windows 11 Requirements Check Tool from ByteJams.com or WhyNotWin11, available on GitHub. Both tools provide granular detail about why a machine won’t run Windows 11. On my personal laptop at home, for instance, the processor can’t support hardware for hypervisor-enforced code integrity, nor does Windows 11 like the graphics display.

But do you have to meet all of Microsoft’s requirements to have an acceptable experience with Windows 11? What if a machine isn’t that old but has one item keeping it from Windows 11?

As it has often done over the years, Microsoft put a bit of wiggle room into the hardware mandate for Windows 11, indicating that you can use the following registry key to bypass the hardware block:

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup

Name: AllowUpgradesWithUnsupportedTPMOrCPU

Type: REG_DWORD

Value: 1

This technique comes with a caveat from Microsoft, namely that if you install Windows 11 on a PC that doesn’t meet the minimum hardware requirements, “your PC will no longer be supported and won’t be entitled to receive updates. Damages to your PC due to lack of compatibility aren’t covered under the manufacturer warranty.”

Note, however, that Microsoft has yet to enforce its threats of such users not receiving updates. I personally think it’s more of a performance warning: if there’s some sort of performance issue with certain unsupported CPUs, my guess is Microsoft won’t work to fix the problem.

For personal computer systems — especially for savvy end users who love to try new things and have good backups, and in particular have additional computers to fall back on — I have fewer concerns about using the workaround that Microsoft itself has provided. Clearly it is turning a blind eye and understands that we may want to play around.

But do you really want to use this workaround in business?

For some businesses I’d argue that you don’t need some of these hardware mandates. The truth is that Microsoft has added these security mandates more for its enterprise customers than for individuals or small businesses. Several of the key security features for Windows 11 are only supported if you have the appropriate licensing and Windows Enterprise — for example, Credential Guard, of which Microsoft writes:

For this reason, you need hardware virtualization support and TPM 2.0 chips to run Windows 11. But unless you purchase Windows 11 Enterprise, you will not be supported to deploy Credential Guard.

That said, it may be premature to move your users to Windows 11 at this point anyway. Even businesses buying computers now that can run Windows 11 may be better off running Windows 10 for many years to come.

For many of us who have a computer at home as well as one we use at the office, having a different operating system on the two machines can be confusing. The two items that trip me up going back and forth between Windows 11 and Windows 10 are the centered Start menu and the taskbar. With Windows 10’s menu being on the left-hand side of the screen and Windows 11 widgets now being on the left, I find myself clicking on the widget menu when I want to shut down the Windows 11 computer. And the changed Windows 11 taskbar means that I’m still stumbling a bit finding cut, paste, and other tools.

If your machine is managed by Windows Update and qualifies for Windows 11, it should be offered up to your system by now. If you choose not to install Windows 11, you may be offered it at a later date. Remember, you can use registry keys or Group Policy as well as Intune to keep machines on Windows 10 rather than moving to Windows 11. Business devices that are managed by Intune or WSUS will not be offered Windows 11; an administrator has to specifically approve the Windows 11 upgrade.
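An added example, not from the article or from Microsoft: a read-only PowerShell audit that reports whether the bypass value described earlier is set and whether Windows Update policy pins the machine to Windows 10. The function names are hypothetical, and the `TargetReleaseVersion`, `ProductVersion` and `TargetReleaseVersionInfo` policy values are the documented Windows Update policy names, which the article does not spell out.

```powershell
# Added example: read-only audit, run from an elevated PowerShell session.
function Get-RegistryValueOrNull {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-Win11UpgradePosture {   # hypothetical helper name
    $moSetup  = 'HKLM:\SYSTEM\Setup\MoSetup'
    # Assumption: Windows Update policy location; not named in the article.
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    $bypass  = Get-RegistryValueOrNull $moSetup  'AllowUpgradesWithUnsupportedTPMOrCPU'
    $pinOn   = Get-RegistryValueOrNull $wuPolicy 'TargetReleaseVersion'
    $product = Get-RegistryValueOrNull $wuPolicy 'ProductVersion'
    $release = Get-RegistryValueOrNull $wuPolicy 'TargetReleaseVersionInfo'

    # Windows 11 builds start at 22000.
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $isWin11 = [int]$os.BuildNumber -ge 22000

    # Win32_Tpm is absent when no TPM is exposed; SpecVersion looks like "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = $null
    if ($tpm) { $tpmSpec = ($tpm.SpecVersion -split ',')[0].Trim() }

    # A pin only applies when the policy is switched on and names a product.
    $pinnedTo = $null
    if (($pinOn -eq 1) -and $product) { $pinnedTo = "$product $release".Trim() }

    $finding = 'No bypass flag set'
    if ($bypass -eq 1 -and $isWin11) {
        $finding = 'Bypass flag set and Windows 11 installed: review support status'
    } elseif ($bypass -eq 1) {
        $finding = 'Bypass flag set: upgrade checks for TPM/CPU are relaxed'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OsCaption      = $os.Caption
        IsWindows11    = $isWin11
        BypassFlagSet  = ($bypass -eq 1)
        TpmSpecVersion = $tpmSpec
        PinnedTo       = $pinnedTo
        Finding        = $finding
    }
}

Get-Win11UpgradePosture | Format-List
```

Because the function returns an object rather than text, the same call can be collected from many machines and exported for an inventory of which systems carry the bypass flag.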

Lately I’ve been helping people buy new computers, often slightly older laptops that are a good value. These PCs do support running Windows 11, but for now I’m putting registry keys in place to keep the systems at Windows 10. I’m planning to help them migrate up to 11 when the right time comes.

As for my own business, given that many of my users still have Windows 10 at home, I’m opting to keep the firm’s computers on Windows 10 for now. I find it easier for users to have similar computers at home and at work. Over time, we will migrate to more and more machines on Windows 11, and then I’ll decide if I’m going to use the bypass technique to put any older systems on Windows 11.
