Windows 11 Upgrade

[Ed P]

As M$ have apparently fixed the NVMe slowdown bug, I bit the bullet and took the upgrade offer on my main rig. My VMs still work and that was the only critical area for me.

First the good news, I have not found any of the programs or apps I use to be broken, it is more tuneful, and prettier. Windows settings have been cleaned up a bit, but luckily they have not killed Control Panel. That aspect is still required for some of the less frequent settings such as sorting out a printer address that had gone walkabout and killed my printer setup. I cannot blame Win11 for the printer as I think the setting got mangled a couple of weeks ago. Under the hood it is supposedly more secure, but that bit is hard to test. Kaspersky took the upgrade with no barfs so that was good.

Bad points, the upgrade was NOT an unattended one. Stupidly although you click the download and update button this only launches the download piece and you have to be around to click yet another button to actually update. I wasted a couple of hours as a result! A few apps and settings disappear. I have to say I did not miss them but some people might. https://screenrant.com/windows10-features-missing-windows11-upgrade/

Bottom line, imo there is absolutely no reason to rush into this upgrade unless there are security aspects that appeal. Equally however, there seems to be no reason to hold back except understandable caution. I would certainly be VERY cautious with a more elderly rig.

The

[Ed P]

Not sure what happened at the end of this post! What I was going to add was a comment on Cortana. I personally hate Cortana, so its loss was of no account to me at all,however if you are one of the few who used it then this guide may be for you.

https://mcmw.abilitynet.org.uk/how-to-use-the-cortana-voice-assistant-in-windows-11

[Dave Rice]

Thanks Ed, all good information.

I still only have 1 rig capable of taking W11, the R5 3600. I’m loathe to upgrade as it has my CCTV “CAD” software installed and if that needs an upgrade that’ll cost me £500+.

I have a 12 month old A320M motherboard with 8GB of ram and spare SSDs, but no CPU. It seems that I will never be able to buy a CPU for it now, which pisses me off mightily. I feel that AMD have totally left us out to dry, but that’s another rant.

My laptop is a 5yo 6th Gen i5 with 12GB of ram, SSD and TPM and still quite capable of running my business, if a little less snappy than the R5 3600. But MS have decided that it’s for the scrap heap.

My VM server is an 8 core FX8350 with 16GB of ram and several SSDs + a 2TB spinner but no TPM. I can happily run 4 W10 VMs plus the host W10, but again it’s not acceptable.

When W11 is unavoidable I’m going to be sending a lot of stuff to landfill. Yes it’s all quite capable of running lots of Linux based solutions, shame no-one wants them.

[Ed P]

The PC I use for security camera control is locked in to Windows 10 despite it having an i5 chip! I like the BlueIris camera software for Windows as it allows me to write my own PTZ tracking scripts, but I guess at sometime I am going to have to make a decision on the PC or look at the Linux options.

Have you looked at any Linux camera control programs which are ONVIF compatible or are you a bit locked in by your use of Hikvision?

[Dave Rice]

I am at the mercy of Hikvision, or Dahua or whoever as Onvif doesn’t get me access to the proprietary smart features these cameras provide.

For most of the larger commercial jobs I’d be using an NVR and for domestic / small commercial these days it’s SD cards and Android / Apple apps. Whilst the Legion has an NVR in the office, I’ve been using a decent Android tablet as the monitor behind the bar for getting on for 2 years. Of course they have first class WiFi there 🙂

So PCs don’t really feature any more.

[Wheels-Of-Fire]

I noticed you mentioned your virtual machines Ed.

Did you know that your entire Windows 11 installation is actually running as a VM on top of the Hyper-V Hypervisor ?

I only read up about the full  implications of virtualization based security last week and only then did I realise what a proper type 1 hypervisor did.

[Ed P]

To be honest, I found the VM settings quite confusing as I use VMWare as my hypervisor rather than the Microsoft Hypervisor.

As it was, VMWare Workstation ran ‘out of the box’ under Windows 11 and I made no changes to the systems settings.  However I noted that there are quite a number of VM settings I could enable, but they had poor M$ documentation on what additional facilities would be enabled in my situation. I assumed that they really only had value for those running a VM server or using the Microsoft hypervisor on top of their bare-metal Win11 hypervisor.  I guess I need to read up on them!

[Wheels-Of-Fire]

Could you do me a favour Ed ?

I would be interested to know what version of schedular you get if you are running 3rd party virtualisation software on Windows 11 so any chance you could launch Event Viewer and run a filter on “system” like in the shot below ?

My system is running type 4 which is the ROOT schedular (the root/host OS gets to choose)  which is the default for non-server versions of Windows.

 

[Ed P]

Not sure what you expect to find.  VMWare runs as an application within Windows, so it displays no hypervisor activity at system level. Hence no screen shot!

In fact the only VM messages I see are those setting up the VM Network. It only makes an appearance in the Application logs for again setting up the network.

[Wheels-Of-Fire]

Well I was wondering how the Windows 11 upgrade would deal with a system that already had a hypervisor but I have now read up on VMware Workstation so now I know it only has a type 2 hypervisor, so its basically just an app.

On the Windows 11 side, you will have the hypervisor, which loads before anything else, running in the CPU’s root mode (people call it ring -1, but neither Intel or AMD do)  and all of the virtualisation stack, which runs as part of the root OS (always Windows at the moment)

The ONLY part of Hyper-V you won’t have running is the virtual machine manager, you only get that if you have Windows Pro or above and enable it.

[Ed P]

As you say, currently I am running it as an app in privileged mode, but if I enable Hyper-V it runs within the Windows 11 then it runs in user mode within the Windows 11 security blanket. I have no idea what this would mean except I guess it means that it then runs like a Hyper-V VM.

This article explains the difference (maybe!)

https://blogs.vmware.com/workstation/2020/05/vmware-workstation-now-supports-hyper-v-mode.html

[Wheels-Of-Fire]

By the way, I had previously looked all over the place for information about Windows virtualisation based security and found almost nothing, then I finally got Windows Internals part 2 7th edition and there it all was 😃

[Wheels-Of-Fire]

Just read your link, so this is what I THINK it means.

Windows 11 uses the hypervisor to set up two virtual trust levels, VTL0 and VTL1. The new secure kernel runs in VTL1 and CPU ring O.

There is also the new secure user mode which also runs at VTL0 but in CPU ring 3,

Microsoft calls apps that run in secure user mode “trustlets” and they gain access to the secure kernel and, through that, the hypervisor API

 

[Wheels-Of-Fire]

I meant secure user mode also runs in VTL1, obviously 😄

[Ed P]

They do not ‘trust’ an awful lot as every Windows 11 VM has to be encrypted and run under a version of TPM!  I was even supposed to encrypt the Linux VMs in preparation for Windows 11 operation though in the end it did not seem to need that step.

Following on from your post I guess I need to explore what benefits the Windows hypervisor adds or subtracts. At first glance, just the virtualization security blanket, but I now need to find if it imposes any limitations on concurrent vm operations.

The other interesting aspect is whether a Hypervisor vm has the same graphics bells and whistles (DX11) or if it is better. If better then it could be that I’ll be able to save money on a future VMWare upgrade to Workstation 17. (I do not bother with VSphere as I’d gain little from networking vms to just two machines)

[Ed P]

Interestingly when I run msinfo32 it informs me that Virtualization Based Security is not enabled, but Hyper-V – VM Monitor Mode Extensions are.

As VBS is reported to screw up games graphics performance I’m not sure that I want it!

Does adding Hyper-V automatically set VBS to enabled?

[Ed P]

You are apparently further along in using Hyper-V than me. Have you tried using DDA for GPU passthrough?

https://searchvirtualdesktop.techtarget.com/tip/Running-GPU-passthrough-for-a-virtual-desktop-with-Hyper-V

[Wheels-Of-Fire]

You will be asking me about SR-IOV next 😁

The answer about DDA is yes it works, but probably not for you.

Making DDA work requires a Single Route capable graphics driver (you may well have one, it was one of the things that only Pro cards had but I think its general release now) and a Server version of Windows 🙄

As far as I knew, VBS was a requirement for Windows 11, you can switch it on or off with Windows 10 but they have removed the setting from the security page on Windows 11.

[Wheels-Of-Fire]

Another thing that may not be obvious, with the Hypervisor running, nothing gets to run on a real CPU.

The Hypervisor creates Virtual Processors on request from a VM manager. A VP is a data structure that represents CPU state and an associated thread which actually gets scheduled to run.

The host/root OS always gets the same number of VP’s as there are logical cores, and they have a higher priority than any other VP, but you can give your VM’s as many as you like.

How the VP’s are scheduled depends on your version of Windows (by default), client versions get the root scheduler where the root OS gets to choose, server versions get the core scheduler where the Hypervisor chooses ( you get to setup VP priorities).

[Ed P]

Thanks. It looks like I stick with VMWare as that supports DirectX 11

[Author]

Posts