Speculating: Why Windows 11 Requirements is Too Strict

We just recently hear an announcement that Windows 11 will require a hard requirement that left out the older machines from installing it. People have been questioning this requirement because it left out the majority of older PC users. In the recent announcement, they even stated that older systems more than 3 years old will not be able to install Windows 11. This includes Intel processors prior to Coffee Lake and AMD Ryzen 2.

Unlike the prior Windows versions which allow any capable x86 32-bit machine powerful enough to run Windows, Windows 11 requirements seem strange. It is not new when a software company makes a steep change in requirement. Back then when Windows 95 was released, it alienated many older PC users with 16-bit processors. However, the scale is not as massive as today where PC usage is already ubiquitous.

The principle of backward compatibility has also been at the core of x86 architecture. x86 machines carried instruction set dated from nearly three decades ago. Since the machine itself supported it, the software that runs on top of it can also do the same. Therefore, we can see new OS version can be installed easily in an older machine unless that OS requires something that the older machine does not have.

Which raises the question: what Windows 11 requires that older machine does not have? From the initial information, we know that Windows 11 requires a system with Trusted Platform Module (TPM) 2.0 and Secure Boot support. TPM and Secure Boot is actually nothing new. It has been there for several years already, but the adoption rate is very slow, especially in the DIY PC market. TPM and Secure Boot allow an OS and software running on it to detect if it is running in a protected/authenticated environment. A software may decide to stop working if it detects the operating system has been modified either intentionally or maliciously.

This security protection has been used quite ubiquitously in mobile devices since it is more vulnerable to physical attacks. For example, if a phone got stolen, the criminal may have access to reinstall the device and tries to access its private data. Also, mobile devices carry more functionality nowadays for identification purposes, hence, contain more sensitive information that requires stronger protection. Particularly since mobile device fills the “What-you-have” roles (and sometimes “Who-you-are” with biometrics) for multi-factor authentication purposes.

In the desktop machine, however, it is rarely thought of as a compulsory feature since the machine typically sits in someone’s living or study room, being used as a workstation. When users try to authenticate themselves to a secure application/system via a computer, they typically only use a single-factor authentication using “What-you-know” a.k.a. password. If the secure application requires stronger multi-factor authentication, a user needs to use an extra device for that. Previously, smart-card or external hardware keys (e.g. Yubikey) were introduced. However, this does not land beautifully as it requires extra hardware for that, such as a card reader. Since mobile device now has the role in multi-factor authentication and almost everyone has mobile devices now, the secure application typically directs the user to a known mobile device to authenticate themselves.

We can say that the desktop platform, particularly x86 architecture is lackluster in this particular security aspect. It cannot serve a purpose as a trusted entity, which requires a secure application to use another trusted device to establish trust. Microsoft and Intel as the majority controller of the platform try to evolve their ecosystem to embrace these security features. However, the adoption rate is still slow and falling behind the mobile device counterpart (Google Android/Apple iOS and ARM architecture). Therefore, it is apparent that Microsoft and Intel try to push and force the consumer to embrace it as soon as possible to accelerate the adoption rate of this secure platform through the strict requirement of Windows 11.

But also, the reason is way far more than that. Since Windows ecosystem is falling behind Android, not only because Windows Store is a ghost town but also feature-wise, Microsoft seems to acknowledge their failure and decide to embrace their competition instead by bringing Android ecosystem directly into Windows. Since Android ecosystem requires a more secure platform compared to the existing x86 and Windows ecosystem, Microsoft needs to make a big change to ensure Windows complies with the strict requirement of Android ecosystem.

This is back again to the security feature in the Android ecosystem that has been in place for quite a long time. Android utilizes Trusted Execution Environment (TEE) to operate its security features. It has a special secure operating system that runs in a “secure world” using ARM TrustZone feature. This particular feature has been missing from x86 ecosystem. So, if Microsoft wants to bring Android applications to Windows, they need to create a comparable feature to Android Trusty within its OS. Otherwise, Windows is unable to run Android applications securely.

But in my opinion, merging a different ecosystem to an existing one in a disruptive fashion is very damaging, particularly in the short term. Microsoft is taking a very huge bet and risk for this, and it looks like they are prepared for now for this backlash (but we’ll see in a couple of months before Windows 11 is actually released). Sure, putting the Android ecosystem and/or implementing a more secure OS opens up a more landscape to the Windows ecosystem. However, it will alienate the majority of existing users who use older machines and have no budget to make a full system upgrade. Basically, for old PC users, the day of using Windows are numbered. We still have until 2025 before Microsoft will abandon Windows 10. The day may be shorter particularly when PC part manufacturers decide to stop updating their device driver before 2025 (*cough* NVIDIA *cough*). I understand the concern for the majority of DIY PC users and gamers since this will be the case.

I may not be going to upgrade to Windows 11 right away and I plan to use my PC until it dies. Even my old Intel Nehalem processor back from 2009 is still running perfectly fine in a Chinese-manufactured motherboard. My family member uses it daily since about 6 months ago without any issue after I rebuilt it upon receiving a new compatible board I found at Aliexpress. It runs Windows 10 perfectly and smoothly. It may not have a more advanced hardware security feature than a newer processor, but it does not automatically render it insecure. Software companies like Microsoft need to realize that not all security measures need to be imposed by hard requirements. Nor can they claim that their software is insecure because the hardware is insecure. Because many CVEs are also within the software implementation, not hardware.

Users should be allowed to make a sensible choice without sacrificing their security by reducing some nice-to-have features, particularly a feature that requires specific hardware requirements. For example, it will be great if Microsoft set the Android ecosystem integration depends on the availability of users’ hardware. This will ease the transition towards a more secure environment instead of alienating the existing unsupported systems. They should actually realize that many users even still use Windows XP beyond its final support date. The same case with Windows 7, and this will be the same with Windows 10. By alienating people like this, it is counterproductive towards improving the security of the people, because more people will continue to use older software as they have no option to get the update. Basically, this move is just to fulfill their business case to elevate Windows to compete with other platforms including Android and Apple.

You may also like...

1 Response

  1. Walter Senn says:

    Fully agree with the author. I have already started using Linux Mint as a dual boot and after 2025 will wipe the windows partition.

Leave a Reply

Your email address will not be published. Required fields are marked *