Windows 11 system requirements - Bad news for old PCs

@CataclysmZA does it still use traditional Bitlocker with TPM or PIN/Passphrase as the unlocking keys? It would be beneficial if it backs up the recovery keys to say, the MS Account, but how many of those are really secure? Just something that I thought about now
 
PhireSide said:
@CataclysmZA does it still use traditional Bitlocker with TPM or PIN/Passphrase as the unlocking keys? It would be beneficial if it backs up the recovery keys to say, the MS Account, but how many of those are really secure? Just something that I thought about now
Click to expand...

Indeed. The passphrase should be their account credentials, IIRC.

By default, machines that meet the min spec requirements for running Windows 11 will start automatically encrypting the device after the OOBE is completed. The Bitlocker key should be stored in their Microsoft account, which is accessible here:

Sign in to your account

account.microsoft.com account.microsoft.com

That also means that a min spec machine needs to also support everything else like Secure-Core PC, Defender Credential Guard, HCVI, have passed HSTI vailidation, and so on. Most of that stuff used to be enterprise-only, but Home users will now get access to the same stuff for free on their Microsoft Accounts.

Pro and up will still have better security and more options through InTune and Autopilot.

I also expect Microsoft to require 2FA on all accounts, which just makes sense.

Also, this means that Windows 11 effectively runs in a hypervisor now, just like Xbox One and Series consoles.
 
CataclysmZA said:
I've been doing a lot of testing and sleuthing in the past week on the leaked build and the dev release that came out recently.

It's good, especially with the redesigned Settings app and the more condensed UI. It's a tad slower on my notebook compared to the leaked build, but that's because several of the new security measures required by their CPU requirements are enabled on my machine, including memory ansd core isolation.

All the requirements that Microsoft has for WIndows 11 are well thought-out and logical, but it takes some explaining to show how it's beneficial. Home users finally will get access to full disk encryption out of the box, and security is better all-round even if malware somehow finds its way onto the system. There's a hardware root of trust that works against persistent malware and rootkits, and it makes securing things for data requirements like POPIA much simpler.

This is a good step forward.

Edit: I also have a good idea of how and why Microsoft are figuring out what's compatible, so the only unknown at this point is Zen 1 and Kaby Lake compatibility. There are ways to figure out why you might have a compatible system but the PC health check still complains.
Click to expand...
:ROFL: :ROFL:
 
CataclysmZA said:
I've been doing a lot of testing and sleuthing in the past week on the leaked build and the dev release that came out recently.

It's good, especially with the redesigned Settings app and the more condensed UI. It's a tad slower on my notebook compared to the leaked build, but that's because several of the new security measures required by their CPU requirements are enabled on my machine, including memory ansd core isolation.

All the requirements that Microsoft has for WIndows 11 are well thought-out and logical, but it takes some explaining to show how it's beneficial. Home users finally will get access to full disk encryption out of the box, and security is better all-round even if malware somehow finds its way onto the system. There's a hardware root of trust that works against persistent malware and rootkits, and it makes securing things for data requirements like POPIA much simpler.

This is a good step forward.

Edit: I also have a good idea of how and why Microsoft are figuring out what's compatible, so the only unknown at this point is Zen 1 and Kaby Lake compatibility. There are ways to figure out why you might have a compatible system but the PC health check still complains.
Click to expand...
I don't have a problem with the extra security in general and Windows should have been more like Linux in this regard looooooong ago. What I have a problem with is the forced approach considering TPM isn't even needed for that. This is too much of a move towards "trusted" systems, which is really just a fancy name for DRM and deciding what you should or shouldn't run on your system. I also have better disk encryption that works across systems so a default to that is just a no for me.
 
Here is from the Truecrypt, now Veracrypt FAQ:
No. Those programs use TPM to protect against attacks that require the attacker to have administrator privileges, or physical access to the computer, and the attacker needs you to use the computer after such an access. However, if any of these conditions is met, it is actually impossible to secure the computer (see below) and, therefore, you must stop using it (instead of relying on TPM).

If the attacker has administrator privileges, he can, for example, reset the TPM, capture the content of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer).

If the attacker can physically access the computer hardware (and you use it after such an access), he can, for example, attach a malicious component to it (such as a hardware keystroke logger) that will capture the password, the content of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer again).

In short TPM only provides protection in cases where the computer will remain compromised and is thus false security as it can't mitigate against any attacks. One has to ask if it then provides any security at all. You also have no way to know if it contains any back doors. MS flaunting one proprietary solution with another. Funny how the site where this is hosted is being shut down by MS tomorrow after being broken and inaccessible for years...
 
Microsoft released a document saying that OEMs will be able to, with permission and a valid reason such as commercial or custom orders, ship new products without a TPM.

Microsoft OneDrive

onedrive.live.com onedrive.live.com
 
Swa said:
I don't have a problem with the extra security in general and Windows should have been more like Linux in this regard looooooong ago. What I have a problem with is the forced approach considering TPM isn't even needed for that. This is too much of a move towards "trusted" systems, which is really just a fancy name for DRM and deciding what you should or shouldn't run on your system. I also have better disk encryption that works across systems so a default to that is just a no for me.
Click to expand...

I think you're missing the point.

The TPM is used for a bunch of cryptographic stuff that works in a standardised fashion - key stores, generating new keys, hashing, etc. Linux will use a TPM if it's enabled in the system. The reason you want one in a system is so that none of this is done in userland, in system memory.

This is one of the reasons why Microsoft is working on their Pluton co-processor, because they need a root of trust set up for devices that need to meet certain security standards, and they can't guarantee that TPM suppliers from China aren't putting in back doors or weakening the encryption.

This doesn't have anything to do with DRM either, really.

Swa said:
Here is from the Truecrypt, now Veracrypt FAQ:
No. Those programs use TPM to protect against attacks that require the attacker to have administrator privileges, or physical access to the computer, and the attacker needs you to use the computer after such an access. However, if any of these conditions is met, it is actually impossible to secure the computer (see below) and, therefore, you must stop using it (instead of relying on TPM).

If the attacker has administrator privileges, he can, for example, reset the TPM, capture the content of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer).

If the attacker can physically access the computer hardware (and you use it after such an access), he can, for example, attach a malicious component to it (such as a hardware keystroke logger) that will capture the password, the content of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer again).

In short TPM only provides protection in cases where the computer will remain compromised and is thus false security as it can't mitigate against any attacks. One has to ask if it then provides any security at all. You also have no way to know if it contains any back doors. MS flaunting one proprietary solution with another. Funny how the site where this is hosted is being shut down by MS tomorrow after being broken and inaccessible for years...
Click to expand...

TrueCrypt runs in RAM, however. If TrueCrypt kept keys in a TPM store instead of RAM, a keylogger wouldn't be useful in retrieving those keys because you're not physically entering in the master password. They went this route to offer drive encryption for a wider range of users, but they're just as vulnerable as anything else running in userland.

Physical access is always the worst-case scenario. This is why even a NAS with disk encryption is a security risk. If you can just walk off with the device, you have a lot more time to get around security measures.

Further, the root of trust that Secured-Core PCs sets up is more advanced than you think. Rootkits and persistent malware are unlikely to be successful on PCs that meet the spec and ship with Windows 11 thanks to the hypervisor boundary. BIOS hacks are less of an issue with modern firmware protection that doesn't allow external users to update the BIOS on the machine. You can't put the malware in the bootloader because that forms part of the root of trust, and the UEFI won't run unsigned code when Secure Boot is enabled.

Microsoft has an evaluation guide for Secured-Core. You should read through it. They mention that there are things that just don't work because the way things are authenticated is completely different, so applications that use old mechanisms need to either be run in another suitable environment, or replaced with something that supports single sign-on.

www.microsoft.com

Windows for Business | Microsoft

Elevate your organization with Microsoft Windows for business. Leverage AI-powered tools, robust security, and Windows 11 business devices for enhanced productivity.
www.microsoft.com

This does not mean that every PC that comes with Windows 11 will be Secured-Core, far from it. Every machine will be capable of it, but only the ones that ship with Pro and up, and that are connected to a domain with the right policies, will behave like that.

Vorastra said:
Microsoft released a document saying that OEMs will be able to, with permission and a valid reason such as commercial or custom orders, ship new products without a TPM.

Microsoft OneDrive

onedrive.live.com onedrive.live.com
Click to expand...

Which makes sense. Some customers will have custom images, like for virtual machine use. Others will be customers in countries like China, where weaker security is used instead, with backdoors embedded by the CCP. Some machines don't need a TPM to be secure, or you've standardised on something else like a Yubikey.
 
Last edited:
Get ready for endless updates f* up everything. Not interested with ur windows 11 microsoft!
 
CataclysmZA said:
I think you're missing the point.

The TPM is used for a bunch of cryptographic stuff that works in a standardised fashion - key stores, generating new keys, hashing, etc. Linux will use a TPM if it's enabled in the system. The reason you want one in a system is so that none of this is done in userland, in system memory.

This is one of the reasons why Microsoft is working on their Pluton co-processor, because they need a root of trust set up for devices that need to meet certain security standards, and they can't guarantee that TPM suppliers from China aren't putting in back doors or weakening the encryption.

This doesn't have anything to do with DRM either, really.



TrueCrypt runs in RAM, however. If TrueCrypt kept keys in a TPM store instead of RAM, a keylogger wouldn't be useful in retrieving those keys because you're not physically entering in the master password. They went this route to offer drive encryption for a wider range of users, but they're just as vulnerable as anything else running in userland.

Physical access is always the worst-case scenario. This is why even a NAS with disk encryption is a security risk. If you can just walk off with the device, you have a lot more time to get around security measures.

Further, the root of trust that Secured-Core PCs sets up is more advanced than you think. Rootkits and persistent malware are unlikely to be successful on PCs that meet the spec and ship with Windows 11 thanks to the hypervisor boundary. BIOS hacks are less of an issue with modern firmware protection that doesn't allow external users to update the BIOS on the machine. You can't put the malware in the bootloader because that forms part of the root of trust, and the UEFI won't run unsigned code when Secure Boot is enabled.

Microsoft has an evaluation guide for Secured-Core. You should read through it. They mention that there are things that just don't work because the way things are authenticated is completely different, so applications that use old mechanisms need to either be run in another suitable environment, or replaced with something that supports single sign-on.

www.microsoft.com

Windows for Business | Microsoft

Elevate your organization with Microsoft Windows for business. Leverage AI-powered tools, robust security, and Windows 11 business devices for enhanced productivity.
www.microsoft.com

This does not mean that every PC that comes with Windows 11 will be Secured-Core, far from it. Every machine will be capable of it, but only the ones that ship with Pro and up, and that are connected to a domain with the right policies, will behave like that.
Click to expand...
I'm not missing anything here. TPM protects against attacks where the attacker has administrative privileges. In that scenario all security should already be deemed compromised. The point about the keylogger is that you don't need to fiddle with gaining access to accounts when you have physical access and can monitor everything. Data stored in a TPM is also not any more secure than data in RAM as it can be accessed in the same way.

Veracrypt does employ TPM after it was resisted for a long time but it should not be seen as a replacement for good security practices or relied on and indeed it's limited as decrypting a disk using it would take a very long time. Most operations would still occur in RAM.
 
Last edited:
Interesting article on The Verge about the minimum system requirements....

www.theverge.com

Windows 11 will leave millions of PCs behind, and Microsoft is struggling to explain why

At the heart of these changes is a security push.
www.theverge.com www.theverge.com

Microsoft still has a few months left to test Windows 11, and feedback from the preview will inform “any adjustments [Microsoft] should make to our minimum system requirements in the future.” The software maker has also removed its PC Health Check app that led to a lot of confusion around Windows 11 upgrades. “We acknowledge that it was not fully prepared to share the level of detail or accuracy you expected from us on why a Windows 10 PC doesn’t meet upgrade requirements,” says the Windows team.
 
No issues running it on my AMD A10 with TPM 2.0 and secure boot.

So the processor requirement is moot from my experience. This was running off a cheap 16GB USB flash drive.

Win11_on_A10.png
 
Rouxenator said:
No issues running it on my AMD A10 with TPM 2.0 and secure boot.

So the processor requirement is moot from my experience. This was running off a cheap 16GB USB flash drive.

View attachment 1113156
Click to expand...
Dev builds have had the requirements disabled.

If you start with a Windows 10 install and jump to the development ring you'll be blocked because a different system checker is used there, and blocks incompatible systems.
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter