Windows 11

[Dave Rice]

The TPM sockets are always on the bottom edge of the mobo by the USB and Audio etc. as it’s a board about the size of your thumbnail sticking up. It would be too tall to fit under a heatsink and should be obvious. The empty socket looks much like a USB 3 one.

From what I understand 11’s not going down at all well. Upgrading an estate is always fraught (I’ve done a few), but I feel this one will be by hardware replacement over time; there’s just too much that can’t be automated for non compliant kit. It may be that like 8, 11 is ignored and the time is taken to make sure new hardware is compliant and setup correctly, but with 10 on.

I wonder how the AMD foul up could possibly have happened, especially as they have form in that direction.

[Ed P]

The ROG Strix x570 is an exception to your statement on tpm positioning. (see page 35 of mobo manual link ). As you will also see, the large  CPU heat sink is designed to overlap the tpm socket (see page 40).  I have a an even larger dual CoolerMaster fan. it is not possible to see under it without removing it.

As shown in this YouTube, if I were foolish,  tpm.msc will allow me to “configure” the tpm, so I am fully convinced that I have a working tpm chip in place.

[Dave Rice]

Ah ha! They have a special form of TPM chip designed to lie horizontally https://bityl.co/98pp

You learn something new every day, but why they couldn’t put it on the edge I don’t know.

[Dave Rice]

Got disturbed replying. OK, so the TPM chip is there which makes the Windows bitching a head scratcher. Both the CPU and Discrete are the same version – 2.0 – but a discrete chip can support more things, like Intel’s vPro and Trusted Execution Technology. You’d think, given the choice, the Discrete chip would be preferred.

tpm.msc picks up the Intel or AMD firmware TPM in just the same way as a discrete chip, but it will tell you the manufacturer of what it’s looking at. My guess is yours will now say the firmware one, but how it deals with dual TPM devices I have no idea. It’s not an area I’ve ever needed to bone up on before! TPM is there and enabled, check. Start BitLocker, check. Reboot, check. Never go near it again.

I have a spare AS-Rock TPM and the R5 has an AS-R mobo. I may have a play. I need to open it up to put an internal USB splitter in anyway.

[Dave Rice]

Doh! moment, you can only have one security device which is why the BIOS setting is as it is. Choose which one, firmware or discrete. That makes it even more puzzling that Windows wanted the least capable one, but in it’s eyes they both do everything it wants.

I think this is a mess in the making. If someone has the discrete chip enabled because they wanted the Intel features and Windows tromps all over it…. I’m thinking especially about VPro in Corporate remote support operations. By that I mean software installation and other management rather than remote desktop. If you kill SCCM agents you kill the ability to roll out software fixes as well as apps.

What if you had had BitLocker tied to the discrete chip? I dread to think.

Hmm, I think this maybe another W8 in the making.

[Ed P]

As I posted earlier, it would not surprise me if this is not part of a M$ strategy to only allow physical tpm.

There was a blog (which unfortunately  I have lost) which stated something along the lines that Win11 will only allow Win 11 VMs that support tpm (i,e, M$ virtualisation and VMWare) AND also have a host that also fully supports tpm i.e no host registry/software kludges . The blog also implied for that reason that Mac Win 11 VMs would never be fully supported, and all in the name of Enterprise ‘security’.

Whether the blogger had an inside track or was smoking something, I have no idea, but it sort of makes sense.

As all this alienates a large part of the customer base, I would not be surprised to see a two tier Win11 evolve (like Home & pro)

[Dave Rice]

That’s how it always was back in the days of NT4. It all seems so simple looking back, even if it didn’t feel like it at the time. The first proper networked PCs we had were purely SNA gateways into the data centre AS400 and mainframes. I had to fight like hell to get “office” type tools installed and general purpose PCs rolled out. The mainframe and AS400 community, who basically ruled the roost, viewed them as little more than toys.

No MS Office, no Active Directory – we used Novell Netware, Lotus Notes. Huge dot matrix printers attached to LPT ports. No internet, no anti-virus or firewalls. I quite miss it, apart from Notes, a real PITA.

[Wheels-Of-Fire]

My PC has an ICH10R chip because it came out just before they moved to the PCH setup. Just for fun I downloaded the Intel data sheet for it.

Apparently there are 3 versions of the ICH10, standard, raid and corporate raid. I have the raid.

The ONLY difference between the raid and the corporate raid is that the corporate has a built in TPM, its only version 1.2 though so I would still be stuffed for W11 😁

The other thing I noticed was that the chip has a Serial Peripheral Interface. SPI is mostly used to connect the BIOS chip but its also used to connect a TPM.

SPI can be used to connect several devices but my motherboard only supports two, and I have dual BIOS, so no SPI socket for a TPM 🙄

[Ed P]

Rumour was that  m$ was going to turn allow updates if a firmware tpm of any vintage was installed, but the registry fix for installation would still be required. Like Dave, I think M$ have made an unholy mess of this and I just cannot see Enterprise installations wanting to go near it for at least two or three years.

I’m no longer sure of the time that Enterprise keep their machines but I’d bet on five or six years in the current economic climate, and it will be this timescale that sets general adoption. However, if I had my old job I would be pushing hard to make sure that all ‘work from home’ machines were tpm2. and encrypted GPT. i.e. Windows 11 ready, but purely for the security aspects.

[Ed P]

Somewhat along the lines of my previous post, ComputerWorld have a rationale for Windows 11

https://www.computerworld.com/article/3637054/just-who-is-windows-11-for-anyway.html

[Dave Rice]

I think that just shows the author has no idea about what actually happens in Corporate environments. They clearly have not a clue about how, why and when PC upgrades happen nor the expense and planning involved of mass rollouts. I’ve been through a fair few of these events now and been in charge of planning and implementing a 500 seat one (2000 to XP on the Carrier project). In essence they are all very similar, but the particulars of this one are in a different league. It’s not a case of trying to get it working efficiently, it’s will it work at all.

As far as security is concerned, Corporates will not be ditching their tried and trusted third party solutions and giving it all to MS. TPM chips have been included in PCs aimed at Corporates for years, and they’re used. But take an encrypted machine through the US border and if you can’t give them the pass keys it will be taken from you if they are minded to. They can also legally download the entire contents. The people I use to work for were as worried about industrial espionage from our friends as they were the Russians or North Koreans. W11 won’t stop that and we’ve got quite good at stopping the Ruskies.

An i5 of the age MS are rejecting is still very capable in an office environment. That would not be a justification to upgrade any more. More ram or an SSD? May be, and a lot easier to get past the bean counters (been there). Justifying it on security grounds? Good luck writing that business case.

It’s small businesses, such as those that I look after, that don’t know about such things. Not the Corporates.

[keith with the teef]

I see the bench marks are coming in for W11 vs W10 and currently no difference.

And again with a clean install of both OS a performance increase but no difference.

Looks like I’m going to be in the same boat when moving from 7 to 10.

As I understand both OS have support for the latest DX12 capabilities in storage and VR. So?

 

[Ed P]

Keith, I agree with your comments. If you search on ‘Win10 vs Win11 gaming’  all the test rigs show little or slightly negative performance. For the average gamer there will be no advantage to moving to Windows 11, and a positive disadvantage if you have an AMD rig.

At the moment Windows 11 has all the hallmarks of the Vista launch, much prettier to look at with nicer sounds and usability improvements, but completely sunk by hardware and performance restrictions.  However, M$ appear to have done a lot of code cleaning so like the optimised Vista it might actually become a great OS in three years just before M$ can it!

While I agree with the thrust of Dave’s comments,  Multinational Corporations (MNCs) often have a long hardware tail. It sometimes need things like an OS change to galvanise regional EMEA* CEOs into reluctantly sticking money into their IT budget. I’ll bet the global move to ‘work from home’ resulted in  a very large number of basically insecure non standard issue home PCs accessing Corporate Clouds, and there are still a lot of tempting targets for the Spear Phishers. The security message of Win11 may well fall on some fertile ground as a result.

*Europe Middle East  and Africa

[JayCeeDee]

Ed P wrote:

It sometimes need things like an OS change to galvanise regional EMEA* CEOs into reluctantly sticking money into their IT budget.

Sometimes, not even that!! It seemed more like “If it ain’t broke, don’t spend money on it!!”

My son was contracted to Jaguar Land Rover about 4 or 5 years ago on a project to upgrade their central software so that all the different factories, national HQ’s and showrooms, that over the years had been brought under the JLR umbrella, were on a common global system. The code was written, the prep work done and tested out in UK, US and parts of Europe but come global changeover day they discovered that there were systems in Russia, Romania, Bulgaria etc that were still running  on W95 and 2000 so there was a huge pause in the project and the software side was stood down while a hardware upgrade was put into place.

Don’t know the outcome as he was contracted out elsewhere and never went back.

[Wheels-Of-Fire]

Has it always been possible to put the Windows 11 start button back where it belongs, on the left ?

I only just noticed the option in task bar preferences, so thats what I did.

[Ed P]

I think that was a recent change. However, until M$ solve their NVMe issue I am not going to let Windows 11 near my main rig., as to do so would risk turning it into a tortoise.

El Reg Link

[Author]

Posts