Windows 11 [2021]

Guess you need to enable Secure Boot from UEFI then?

 

Some BIOS are really convoluted.

ASROCK under the Security section says to disable PTT to get TPM, but you really need to enable Secure Boot and PTT to get TPM. Then under Advanced >> Trusted Computing enable Security Device Support.

Others are a bit more straight forward to enable secure boot:

Enter. Advanced Mode
Security >> Secure Boot >> Secure Boot Control – Mark as Enable.​

 

As an Asrock B450 Pro 4 owner I sincerely thank you.

 

They got rid of the TPM 1.2 wording and it is now 2.0. Oh well guess we can buy new computers at work.

 

It appears that sideloading apks is confirmed



Verrrry nice

 

btw any info on whether Kinect for windows (xbox one/kinectv2) will continue to be properly supported for W11? The SDK and driver hasnt been updated since eons right?

Im concerned because W10 21H1 kinda borked Kinect support. It now will reboot Kinect every few seconds if its mic is disabled in the sound panel. I thought my kinect was broken, i even disassembled the thing, cut the fan speed wires. Turns out simply enabling its mic fixed the reboot issue.

i dont think W11 will deliberately make kinect not work, but im concerned if even more bugs will come to kinect.

 

BTW this includes what they call Hypervisor-Enforced Code Integrity (HVCI) in hardware design documentation and Memory Integrity in Windows Security center settings.

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs
https://support.microsoft.com/en-us...526-de57-b1c5-599f-3a4c6a61c5e2#coreisolation

HVCI was previously advertised as part of Device Guard, aka Windows Defender Application Control (WDAC).

https://www.drware.com/windows-10-device-guard-and-credential-guard-demystified/
https://techcommunity.microsoft.com...-and-credential-guard-demystified/ba-p/376419

https://www.microsoft.com/security/blog/2017/10/23/introducing-windows-defender-application-control/

It looks like HVCI code integrity can work with Intel Mode-based execute control for EPT (MBEC), which is only available since Skylake EX / Kaby Lake, or an equivalent AMD Guest-mode execute trap for NPT (GMET), only available since Zen 2...

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement
https://docs.microsoft.com/en-us/wi...ualization-based-protection-of-code-integrity

Yes, TPM 2.0 is a requirement for Virtualisation Based Security level in the 'Secured-core PC' spec from 2019, with includes password-less authentification, device encryption, and anti-tampering tracking.

https://docs.microsoft.com/en-us/wi...em-highly-secure#what-makes-a-secured-core-pc
https://docs.microsoft.com/en-us/wi.../tpm-recommendations#tpm-and-windows-features

This originated from an earlier secure device specs from 2015-2017.

https://www.bleepingcomputer.com/news/security/micGuest-mode execute trap for NPT (rosoft-releases-standards-for-highly-secure-windows-10-devices/
PDF: Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot - UEFI Spring Plugfest 2015


TPM is also related to anti-piracy measures for online software distribution and security/authentification in remote domains.

https://www.neowin.net/news/some-thoughts-on-microsofts-requirement-for-a-tpm-module-in-windows-11/
https://www.neowin.net/news/microsoft-details-how-security-is-at-the-forefront-with-windows-11/


AMP EPYC processors have additional security features, such as Transparent Secure Memory Encryption (TSME) .

https://www.platformsecuritysummit.com/2019/speaker/chen/
https://community.amd.com/t5/amd-business-blog/amd-and-microsoft-secured-core-pc/ba-p/418204

 

That's just a list of their test lab systems, and it's intended for OEMs (system builders) to choose their components from.

The original Windows 10 list from 2015 starts with Intel Broadwell processors, yet I've successfully ran Windows 10 x64 on LGA775 Core 2 Quad (Yorkfield) processor, LGA1156 Core i3/i5/i7 (Lynnsfied) processors (with the ED2K/REFIND emulator to support NVMe boot), and LGA1155 Core i5/i7 (Sandy Bridge) processors (with NVMe UEFI firmware mod).

https://docs.microsoft.com/en-us/windows-hardware/design/minimum/windows-processor-requirements

They should be interchangeable, the TPM spec defines a common command interface. The card just has to use the same LPC (18/20 pin) or SPI (14-pin) bus as on the motherboard header (or the PCIe raiser card). ASRock x570 have both

BTW TPM 2.0 modules from ASUS, Gigabyte and ASRock use Infineon SLB 9665/9670 and Nuvoton NPCT750/420 security processors.

 

Found an old X1 Carbon gen 2 with a 4600U cpu. It had PTT. Dxdiag said it had WDDM 2.0. Ran the updated PC Health app and this processor isn't supported. Another laptop of that era T440p with a 4800MQ didn't have PTT. Kind of weird why Lenovo shipped it on one but not the other.

 

I dont think microsoft had a list of cpu's supported by windows 11 in 2015

 

https://github.com/rcmaehl/WhyNotWin11

 

there are lots of info, some of it is confusing. Tried and my PC passed the "health check".

This webpage says the upgrade from Windows 10 is free, but the TPM limitation remains, as confirmed yesterday by MS, according to them.

Sigh, it's so confusing.

https://www.tomshardware.com/news/windows-11-upgrades-are-free-here-are-the-system-requirements

Updated June 25, 9:30 a.m. ET, with confirmation from Microsoft that all Windows 11 PC's will require TPM, as well as lists of supported processors.

 

Is your primary drive partition style MBR rather than GPT? This will certainly cause the tool to report that you're incompatible. I have this issue which unfortunately means a drive wipe and re-partition. I'm in two minds whether to backup and restore or simple go for full clean build (so much work!... but kinda fun too)

 

For what its worth my PC was not showing a TPM 2 device & Failing PC Health Check.
So I turned fTPM on in bios on my B550 mobo. (for this mobo default setting is Discrete TPM = off unless one is installed I guess)
Device Manager now sees a TPM 2.0 device, TPM.msc shows it ready for use & the PC Health Check says I'm good to go now.

 

When you do that does ms remember your pc is registered or do you need to re enter the key ?

 

Good question. I only have a Windows 7 key so yeah that could be a problem.

 

There's tools to go from mbr to gpt on the system drive without formatting. Win10 itself has one. The few times I tried the /allowFullOS option, it didn't quite work right(some thing with secureboot). All the other times using a booting up from Win10 usb install and running the administrative prompt there did.

Edit: If the Windows key isn't stored in the bios, then you still don't need to as based on hardware activation, Microsoft knows a specific system had activated a specific version of Windows before. But sometimes one sees these weird stories about Windows losing the activation and well they need the key again.

Edit2, the Win10 usb install key does accept Windows 7 keys during install.

 

You'll have no problem. Likely it will just activate itself based on the CPU unique ID. If not, it will accept your prior used Win 7 key.

 

You don't need to re-enter the key. If you've succesfully activated this same PC before, Windows 10 creates a 'digital license' stored on Microsoft activation servers - so you can always choose 'I don't have a product key' or enter a default 'generic' key during Windows Setup, and your copy of Windows will still be activated on next boot.

The only time you would need to enter your Windows key is when you change/upgrade your PC (i.e. motherboard) and need to transfer your license using Activation Troubleshooter from your Microsoft Account, or provide a new retail key if your license is not transferable. Windows 10 still accepts Windows 7/8.x keys for this exact purpose.

You don't really have to wipe the disk, there are free software tools to non-destructively convert and repartition your disk from MBR to GPT layout.

I've prepared a detailed step-by-step guide for creating a UEFI/GPT bootable system disk with built-in diskpart / bcdedit / reagentc commands and free disk partitioning utilities, based on Microsoft OEM guidelines; here is a condensed version for those familiar with disk management.

While you can use the built-in MBR2GPT tool, it's designed to run in WinPE from the Windows ADK, and it doesn't repartition your disk to the recommended layout.

 

and to add, if the troubleshooter didnt work, you can call MS by phone and they can auto-reactivate for you, if phone fail, you can chat with them (dunno where the link, it was quite hidden when i used it eons ago) to reactivate