Windows 11

[Dave Rice]

This customer has five desktops; 2nd, 3rd and 4th generation Intel’s, nothing more than an i3, and a J2xxx Pentium SoC which is just past any hope. Only one has an SSD, so the HDDs are well into end of life territory. The boss also has a 13″ Elitebook with a 3rd gen i5, 8GB and an SSD, but that is only used on customer visits.

All their self generated data is stored on a Synology NAS and in this last year we have worked out a WFH model that suits them, just the one last big LOB app to be migrated to the Cloud and we can wave goodbye to the VPN. They are moving to a hybrid office / home model at the moment. First day back in the office yesterday – no BT phones working. That’s convinced them to move to VOIP which has been faultless during WFH and of course extremely flexible.

Given their work cycle, this time of year is the only quiet time they have to do major business changes, so I have to plan around that. Everything must be running smoothly by October 1st as after that they will be flat out for months, so it’s an annual 4 week window. Therefore W11 will be Sept 2022 at the earliest, probably 2023, maybe 2024 with an old estate and limited funds (wholesale replacement not an option).

So I need to keep it all capable of reliably running W10, Office and their LOB software at a decent pace for maybe two years. Take 8GB+ and an SSD as a given whatever the CPU and, although everything is subjective, I’ve found that  CPU Benchmark is a good yardstick with a Desktop Score in the late 70% or more being a good target to aim at.  So I’ve just ordered appropriate i5 CPUs from E-Bay for £20 – £30 each and 250GB SSDs for £30 each. All but one have 8GB of ram and the Pentium J will be donating that.

To replace the Pentium J and to provide a WFH PC for the boss, I’ve gone back to the Asus Mini PC that I used so successfully on my last big project, with 8GB of DDR4 3200 and a Corsair MP510 NVMe PCIe x4 Gen3. He’s grown to love dual monitors whilst WFH and this will support 4 x 4K as well as zipping along. That also gives us two W11 capable machines on which to trial solutions, especially the WFH PC, when the time comes.

The joys of supporting small businesses. Much more satisfying than working in Corporates.

[keith with the teef]

Looks like they trust you Dave. Sadly I cannot trust my self.

[Ed P]

According to M$, Windows 11 comes with a lot of optimisation that ‘should’ make the OS feel snappier and more responsive. Details here:

https://www.onmsft.com/feature/microsoft-windows-11-pc-faster

[keith with the teef]

@Ed P. Nice find. I see M$ want us to run our pc’s like a smart phone. No clean boot and not so bad for instant desk top access and also updates. Obviously the biggest call for updates will be to games library’s and it will do it in sleepy time. I always power off but see the update schedule that never takes place unless I push the button.

Also drivers DCH will be practically crash proof. But I’m sure M$ had a similar policy for 10 and 64 bit from now on. Whorah on that one.

The 365 thing M$ is making a big deal of. Well for sure I wont be going anywhere near that. But?

Now then: The control panel! Have they binned it? It sure looks that way. If so looks like I’m back in my own class room in years. Doh!

[Ed P]

On the latest Win11 update the Control Panel can still be accessed. However, they have cleaned up and rationalised ‘Settings’ and only a few items now appear to be missing from Settings (Win7 backup being one)

[Ed P]

It was previously reported that Windows 11 could not be installed as a VirtualBox guest.

According to this blog Oracle have fixed this issue and given a procedure for a fresh install of Windows 11. I’d emphasise the word ‘fresh’ as upgrading an existing  VirtualBox guest to allow a Windows 11 install is a non-trivial exercise. You could try a version of the method I posted earlier for VMWare, but I do not know enough about VirtualBox to say if it will work.  Good luck if you attempt this and please post your findings.

[Ed P]

ps. If you do succeed you may want to wait a while before putting anything ‘mission critical’ on the VirtualBox guest, as it would not surprise me if M$ insist on VirtualBox having a baked in ‘Secure Boot’ on a Secure Boot Host.  The VirtualBox ‘Secure Boot’ registry hack looks to me to be rather a kludged approach.

[Dave Rice]

I am just avoiding it totally. The only spare kit I have is far too old and I could see the VM issues coming.

[keith with the teef]

I see the latest bios are getting ready to be released.

What’s new:
1. Update to COMBOAM4v2PI 1.2.0.4
2. SMU firmware updated for Vermeer, Cezanne and Picasso
3. TPM enabled by default

[Ed P]

Dave Rice wrote:

I could see the VM issues coming

Actually Dave, setting up a ‘clean’ Windows 11 VM in VMWare is very easy as VMWare have had ‘TPM’ and ‘Encrypted Secure Boot’ for 12 months or more. It is only the process of changing an existing Windows VM to secure boot/TPM that is more difficult. Ensuring security seems to be the M$ watchword for Win11, and that will equally apply to Win 11 VM guests.

M$ seem to have had a good Win11 working relationship with VMWare from the outset. I suspect that M$ see Oracle as a competitor and have not accommodated them so readily. The Surface Pro /Apple M1 relationship also probably accounts for M$ being less helpful over M1 dual boots etc.

[Ed P]

@Dave:

It would appear from published research that most of your old Enterprise friends will be avoiding Windows 11 or risk either, fragmentation of their network, or a visit from the Finance Director complaining about an inflated IT Capital Budget.

El Reg also pick up on the workload of upgrading VMs.  Most will already have hardware with tpm baked-in, and I guess that it will be possible to wheel out upgraded versions of Windows guests, but I am uncertain how the overall process impacts on VSphere guests themselves.

Windows 11  could well turn into another Millennium Bug event in terms of IT Admin workload.

El Reg link

[Ed P]

Just for info., there are a huge number of very good and very new CPUs that are unsupported as far as Windows 11 is concerned. There does not seem to be an easily discernible reason for these exclusions. For example, I have no idea why a 2021 Ryzen 7  5750 is not supported!

https://allthings.how/list-of-all-intel-and-amd-processors-not-supported-by-windows-11/

[Ed P]

In order to drum up support for Windows 11, M$ have demonstrated how easy it is to hack PCs that have neither TPM or VBS security. As said in one review – ‘Really nice of Microsoft to show hackers how to attack Windows 10 PCs’.

https://www.neowin.net/news/microsoft-demoes-hacker-attacks-on-pcs-with-no-tpm-vbs-and-more/

In reality the demo just shows that TPM and VBS add another layer of security. Actually both of these  security options can be turned on in Windows 10 without upgrading to Win11.

[Dave Rice]

I’m going nowhere near it for a long time. The only PC I have that has the required CPU (they all have TPMs) is my new Ryzen 5 and they’ve borked AMDs already.

[Ed P]

M$ seem to have upped the TPM ante!  When I updated my main PC today I received a message that the box was no longer Win11 compatible! When I investigated I found that the TPM2.0 setting was on ‘Discrete TPM’,  setting this to ‘Firmware TPM’ resulted in the PC becoming Win11 ready once again.

I assume that Discrete TPM is a software version and that M$ only likes the real thing!

[Dave Rice]

A Discrete TPM is the chip that plugs into the motherboard, I am assume you don’t have one?

[keith with the teef]

I see MSI have mow released W11 Bios support@7A38v9C4(Beta version) This is for B450 style board but not universal.

– Windows 11 Support.
– Update to AMD ComboAM4PIV2 1.2.0.3c.

I may update to the new bios this weekend. Although I may notice no difference? We will see!

[Ed P]

Not really sure Dave,

The following is the M$ definition:

“There are three implementation options for TPMs:

Discrete TPM chip as a separate component in its own semiconductor package Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components

Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit”

However my Asus ROG Strix X-570E allows three settings, no TPM, Discrete TPM, and Firmware TPM. I initially chose the second and M$ initially accepted this as a valid TPM2.0, and the tpm.msc program stated that ‘The TPM is ready to use’.

Today as posted, I had to switch to the ‘firmware version’ and TPM.msc still gives the same message. Checking the ROG site gives totally confusing accounts with some ‘authoritative’ voices plainly not having a clue.

If I look in the actual Device Manager, there are two ‘security devices’ an AMD PSP 11 and a TPM 2.0. Maybe somehow the AMD device is seen as the ‘discrete’ one, and M$ has got picky in the last few weeks! Luckily I do not use Bootlocker so switching between the two modes did not cause any issues.

The mobo layout chart shows a tpm module, but tbh I have not bothered to check if it is physically there.

[Dave Rice]

Pretty sure it will just be an empty socket. The only time I’ve ever seen a TPM chip included (they’re soldered on) is on business laptops and Corporate desktops.

Maybe the BIOS was semi-intelligent and thought “he wants TPM turned on, doesn’t have a chip so I’ll enable the firmware”? I’ve not seen a mobo yet that will allow you to enable a non-existent TMP device and every business machine I’ve built or bought for the last 5+ years has had a TPM of some description.

Or MS was just looking for a setting and not testing (or enforcing) it’s physical presence? No idea but it’s a mess.

I must have a look and see if a new W11 device can be rolled back to W10, as they’ve done with previous o/s releases. I don’t want it coming in by stealth.

[Ed P]

Although the socket is hidden under a large cooler I’m pretty sure there is a chip in it for the following reasons:-

1) BitLocker is happy to encrypt stuff without the Admin kludge.

2) Devices shows a TPM chip, and that it is working ok

3) tpm.msc gives the ‘Device is ready’ notice

4) Chillblast were told to put in a tpm chip and they are pretty trustworthy.

It looks like M$ are fiddling around the edges at the moment as I would guess they are worried that a large number of Enterprise customers are not going to be happy bunnies. I would therefore say they will not ram the update down anyone’s throat until they have sorted their minimum specs and eased the migration path.

As I posted elsewhere, moving to encrypted GPT from a legacy installation is currently a non-trivial exercise for VMs, so that alone will give Enterprise a large headache.

[Author]

Posts