Windows 11 [2021]

Some BIOS are really convoluted.

ASROCK under the Security section says to disable PTT to get TPM, but you really need to enable Secure Boot and PTT to get TPM. Then under Advanced >> Trusted Computing enable Security Device Support.

Others are a bit more straightforward to enable Secure Boot:
Enter Advanced Mode.
Security >> Secure Boot >> Secure Boot Control – Mark as Enable.
 
BTW, any info on whether Kinect for Windows (Xbox One/Kinect v2) will continue to be properly supported for W11? The SDK and driver haven't been updated in eons, right?

I'm concerned because W10 21H1 kinda borked Kinect support. It will now reboot the Kinect every few seconds if its mic is disabled in the sound panel. I thought my Kinect was broken, I even disassembled the thing, cut the fan speed wires. Turns out simply enabling its mic fixed the reboot issue.

I don't think W11 will deliberately make Kinect not work, but I'm concerned that even more bugs will come to Kinect.
 
There were some rumors about virtualizing x86/64 programs to increase security?
Do you mean something like VBS (virtualization-based security)? It's already in Windows 10
BTW this includes what they call Hypervisor-Enforced Code Integrity (HVCI) in hardware design documentation and Memory Integrity in Windows Security center settings.

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs
https://support.microsoft.com/en-us...526-de57-b1c5-599f-3a4c6a61c5e2#coreisolation

HVCI was previously advertised as part of Device Guard, aka Windows Defender Application Control (WDAC).

https://www.drware.com/windows-10-device-guard-and-credential-guard-demystified/
https://techcommunity.microsoft.com...-and-credential-guard-demystified/ba-p/376419

https://www.microsoft.com/security/blog/2017/10/23/introducing-windows-defender-application-control/

It looks like HVCI code integrity can work with Intel Mode-based execute control for EPT (MBEC), which is only available since Skylake EX / Kaby Lake, or an equivalent AMD Guest-mode execute trap for NPT (GMET), only available since Zen 2...

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement
https://docs.microsoft.com/en-us/wi...ualization-based-protection-of-code-integrity


I guess maybe the TPM 2.0 requirement in Windows 11 has something to do with this (and also BitLocker?).
Yes, TPM 2.0 is a requirement for Virtualisation Based Security level in the 'Secured-core PC' spec from 2019, which includes password-less authentication, device encryption, and anti-tampering tracking.

https://docs.microsoft.com/en-us/wi...em-highly-secure#what-makes-a-secured-core-pc
https://docs.microsoft.com/en-us/wi.../tpm-recommendations#tpm-and-windows-features

This originated from earlier secure device specs from 2015-2017.

https://www.bleepingcomputer.com/news/security/microsoft-releases-standards-for-highly-secure-windows-10-devices/
PDF: Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot - UEFI Spring Plugfest 2015


TPM is also related to anti-piracy measures for online software distribution and security/authentication in remote domains.

https://www.neowin.net/news/some-thoughts-on-microsofts-requirement-for-a-tpm-module-in-windows-11/
https://www.neowin.net/news/microsoft-details-how-security-is-at-the-forefront-with-windows-11/


AMD EPYC processors have additional security features, such as Transparent Secure Memory Encryption (TSME).

https://www.platformsecuritysummit.com/2019/speaker/chen/
https://community.amd.com/t5/amd-business-blog/amd-and-microsoft-secured-core-pc/ba-p/418204
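
To see which of the features named in the post above are present and active on a given machine, the following added example (not part of the original post) decodes the `Win32_DeviceGuard` CIM class. The helper names `Resolve-Code` and `Get-VbsReport` and the report property names are hypothetical; the value tables follow Microsoft's documentation for the class.

```powershell
# Added example: decode VBS/HVCI state from Win32_DeviceGuard (Windows 10/11).
# Run from an elevated PowerShell session. Values missing from the tables
# below are printed as "Unknown (n)" rather than guessed.
$AvailableProps = @{
    0 = 'None'
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'MBEC/GMET'
    8 = 'APIC virtualization'
}
$Services = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI (Memory Integrity)'
               3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$VbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

function Resolve-Code {
    param([hashtable]$Map, $Codes)
    # $Codes may be $null, a scalar or a UInt32[]; @() normalises all three.
    foreach ($c in @($Codes)) {
        if ($null -eq $c) { continue }
        if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "Unknown ($c)" }
    }
}

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction Stop
    [pscustomobject]@{
        VbsStatus          = (Resolve-Code $VbsStatus $dg.VirtualizationBasedSecurityStatus)
        HardwareAvailable  = (Resolve-Code $AvailableProps $dg.AvailableSecurityProperties) -join ', '
        ServicesConfigured = (Resolve-Code $Services $dg.SecurityServicesConfigured) -join ', '
        ServicesRunning    = (Resolve-Code $Services $dg.SecurityServicesRunning) -join ', '
        # 7 = MBEC (Intel) / GMET (AMD), the CPU features named in the post above.
        MbecOrGmet         = @($dg.AvailableSecurityProperties) -contains 7
        # 2 = HVCI, shown as Memory Integrity in Windows Security.
        HvciRunning        = @($dg.SecurityServicesRunning) -contains 2
    }
}

Get-VbsReport | Format-List
```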
 
as for supported CPUs, it should work on older too, the list is just what they guarantee everything works 100%

That's just a list of their test lab systems, and it's intended for OEMs (system builders) to choose their components from.

The original Windows 10 list from 2015 starts with Intel Broadwell processors, yet I've successfully run Windows 10 x64 on LGA775 Core 2 Quad (Yorkfield) processor, LGA1156 Core i3/i5/i7 (Lynnfield) processors (with the ED2K/REFIND emulator to support NVMe boot), and LGA1155 Core i5/i7 (Sandy Bridge) processors (with NVMe UEFI firmware mod).

https://docs.microsoft.com/en-us/windows-hardware/design/minimum/windows-processor-requirements


Question about TPM modules made by all the board makers: are they interchangeable? Physically they look to be, e.g. can I use an ASRock TPM on a Gigabyte board?
To my understanding no
They should be interchangeable, the TPM spec defines a common command interface. The card just has to use the same LPC (18/20 pin) or SPI (14-pin) bus as on the motherboard header (or the PCIe riser card). ASRock x570 have both

BTW TPM 2.0 modules from ASUS, Gigabyte and ASRock use Infineon SLB 9665/9670 and Nuvoton NPCT750/420 security processors.
 
Found an old X1 Carbon gen 2 with a 4600U cpu. It had PTT. Dxdiag said it had WDDM 2.0. Ran the updated PC Health app and this processor isn't supported. Another laptop of that era T440p with a 4800MQ didn't have PTT. Kind of weird why Lenovo shipped it on one but not the other.
 
There is lots of info, some of it is confusing. Tried and my PC passed the "health check".

This webpage says the upgrade from Windows 10 is free, but the TPM limitation remains, as confirmed yesterday by MS, according to them.

Sigh, it's so confusing.

https://www.tomshardware.com/news/windows-11-upgrades-are-free-here-are-the-system-requirements

Updated June 25, 9:30 a.m. ET, with confirmation from Microsoft that all Windows 11 PC's will require TPM, as well as lists of supported processors.
 
The app update is out

I now get this

Is your primary drive partition style MBR rather than GPT? This will certainly cause the tool to report that you're incompatible. I have this issue which unfortunately means a drive wipe and re-partition. I'm in two minds whether to back up and restore or simply go for full clean build (so much work!... but kinda fun too)
 
For what it's worth, my PC was not showing a TPM 2 device & failing PC Health Check.
So I turned fTPM on in BIOS on my B550 mobo. (for this mobo default setting is Discrete TPM = off unless one is installed I guess)
Device Manager now sees a TPM 2.0 device, TPM.msc shows it ready for use & the PC Health Check says I'm good to go now.
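
The two failures reported in the posts above (MBR system disk, firmware TPM switched off) can be read directly from Windows. This is an added example, not part of the original posts; the function name `Get-BootSecurityFacts` and the report property names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: collect the TPM, Secure Boot and partition-style facts
# discussed in the posts above.
function Get-BootSecurityFacts {
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the TPM version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) {
        ($tpm.SpecVersion -split ',')[0].Trim()
    } else {
        'No TPM exposed (check fTPM/PTT in firmware)'
    }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # PlatformNotSupportedException when Windows was booted in legacy BIOS/CSM mode.
    $secureBoot = try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off (UEFI boot)' }
    } catch [System.PlatformNotSupportedException] {
        'Unavailable (legacy BIOS/CSM boot)'
    } catch {
        "Unknown: $($_.Exception.Message)"
    }

    # Disk that holds the running Windows installation.
    $disk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1

    [pscustomobject]@{
        TpmVersion     = $tpmVersion
        TpmIs20        = ($tpmVersion -like '2.*')
        SecureBoot     = $secureBoot
        SystemDisk     = $disk.Number
        PartitionStyle = [string]$disk.PartitionStyle   # 'GPT' or 'MBR'
    }
}

Get-BootSecurityFacts | Format-List
```

If `PartitionStyle` comes back as `MBR`, running `mbr2gpt /validate /disk:<n> /allowFullOS` reports whether the disk is eligible for in-place conversion without modifying it.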
 
There are tools to go from MBR to GPT on the system drive without formatting. Win10 itself has one. The few times I tried the /allowFullOS option, it didn't quite work right (something with Secure Boot). All the other times, booting up from a Win10 USB install and running the administrative prompt there did.

Edit: If the Windows key isn't stored in the bios, then you still don't need to as based on hardware activation, Microsoft knows a specific system had activated a specific version of Windows before. But sometimes one sees these weird stories about Windows losing the activation and well they need the key again.

Edit2, the Win10 usb install key does accept Windows 7 keys during install.
 
does ms remember your pc is registered or do you need to re enter the key ?
I only have a Windows 7 key so yeah that could be a problem.
You don't need to re-enter the key. If you've successfully activated this same PC before, Windows 10 creates a 'digital license' stored on Microsoft activation servers - so you can always choose 'I don't have a product key' or enter a default 'generic' key during Windows Setup, and your copy of Windows will still be activated on next boot.

The only time you would need to enter your Windows key is when you change/upgrade your PC (i.e. motherboard) and need to transfer your license using Activation Troubleshooter from your Microsoft Account, or provide a new retail key if your license is not transferable. Windows 10 still accepts Windows 7/8.x keys for this exact purpose.

I have this issue which unfortunately means a drive wipe and re-partition.
You don't really have to wipe the disk, there are free software tools to non-destructively convert and repartition your disk from MBR to GPT layout.

I've prepared a detailed step-by-step guide for creating a UEFI/GPT bootable system disk with built-in diskpart / bcdedit / reagentc commands and free disk partitioning utilities, based on Microsoft OEM guidelines; here is a condensed version for those familiar with disk management.

There's tools to go from mbr to gpt on the system drive without formatting. Win10 itself has one.
While you can use the built-in MBR2GPT tool, it's designed to run in WinPE from the Windows ADK, and it doesn't repartition your disk to the recommended layout.
 
And to add, if the troubleshooter didn't work, you can call MS by phone and they can auto-reactivate for you; if the phone fails, you can chat with them (dunno where the link is, it was quite hidden when I used it eons ago) to reactivate.
 