If you're anything like most gamers, you were probably outraged when Microsoft announced that Windows 11 wouldn't officially support any CPU released before about 2017. But as usual, the whole story is a little bit more complicated than that.
By far the easiest way to get up and running with Windows 11 today is the official one: an in-place upgrade via the Insider Program. Sign into your Microsoft account in Windows 10, follow the steps to register online, enroll your device in the settings pane and choose the dev branch. Just make sure that optional diagnostics reporting is enabled, restart your PC, and if all goes well, you should get Windows 11 as an update.
But what if it doesn't go well? Well, chances are that you don't have Secure Boot enabled or your TPM isn't enabled or both. But what are those and why do we need them?
The dreaded TPM
You've probably heard of them by now, but the TPM, or Trusted Platform Module, isn't new. It's a pretty simple device that generates and stores cryptographic keys to help protect encrypted data and credentials.
Microsoft has actually required them for system integrators since July of 2016, but they're far less common in the DIY space because for a long time, the only way to get one was to add it to your motherboard with a tiny little PCB like this one. It plugs neatly into a keyed header and the job is done, but that assumes you can find a compatible one in the first place. Traditionally, very few shops have carried them and there are at least three different pinouts from ASUS alone, with everyone seeming to have different ideas about how to implement them.
Compact ITX motherboards often omit it altogether. This lack of standardization has made them tough to find even before Microsoft announced you needed one. And I mean, even ASUS could only find one in their US office at all.
The good news is that TPMs have been built into the firmware of our motherboards since around 2015. So chances are, you might have one already and not even know it, but these ones have the disadvantage of being tied to the CPU and many will clear their keys when you factory reset or update the BIOS. Derp.
Manufacturers like ASUS say they'll be enabling it by default going forward. But until Windows 11, this firmware TPM has been disabled by default on most DIY boards. That's because in order to use a TPM module like this that you install yourself, you have to disable the firmware TPM and vice versa.
What are TPMs even used for?
These days, TPM is mostly important for features like Windows Hello and BitLocker drive encryption. So it's no surprise that it's becoming more relevant as they become more popular. There's also additional security that can be gained through using a TPM in conjunction with Intel's Management Engine and AMD's Platform Security Processor, and this is important for Windows 11.
TPMs are good, but why does Windows need it? Short answer, it doesn't. If you install Windows 11 or Windows 10 for that matter, and then disable it, you just need to re-enroll your Windows Hello credentials and use your BitLocker backup key.
But what about Secure Boot?
Short answer, it can provide a security boost in Windows by blocking non-WHQL or non-certified drivers. Long answer, it ensures your operating system and drivers are what they say they are when your PC boots. And Microsoft mandates that their partners include Microsoft keys by default. So all you need to do is turn it on and it should start working.
Of course, this has some fun implications for alternative operating systems that aren't willing to use their keys. For now, toggling Secure Boot off or installing without it doesn't really have any effect on being able to run Windows 11.
So again, good for security in theory, but this is another non requirement. And one you'd probably want to keep off if you want to play with Linux or something.
Turning Secure Boot on
If you do want to turn it on, then good news. Most computers released since Intel's third gen core support Secure Boot. Bad news, not all Windows installs done since then will support it. Secure Boot only works with pure UEFI mode. So if you're using a legacy Windows install, or even if you just have CSM enabled in the BIOS, you're incompatible.
You can check which you're running and whether Secure Boot is enabled or not using the system information app. If Secure Boot state shows on, then you're good. And if it doesn't and your BIOS mode shows UEFI, then all you need to do is turn on Secure Boot in your BIOS. Sometimes this is done by just installing default keys rather than just the toggle. But if the BIOS mode says legacy, you'll need to do some more work.
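The same check from PowerShell instead of the System Information app, as an added example that is not part of the original article. It assumes an elevated prompt, only reads state, and the function name Get-BootSecurityReport is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only report, changes nothing. Get-BootSecurityReport is a hypothetical name.
function Get-BootSecurityReport {
    # "BIOS Mode" in System Information: Uefi or Bios (legacy/CSM)
    $firmware = "$((Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType)"

    # Confirm-SecureBootUEFI returns $true/$false on UEFI and throws on legacy BIOS
    try   { $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' } }
    catch { $secureBoot = 'Unsupported' }

    # Discrete and firmware TPMs both show up here once enabled in the BIOS
    try   { $tpm = Get-Tpm -ErrorAction Stop }
    catch { $tpm = $null }

    # Partition style of the disk that holds the boot loader: MBR means a legacy install
    $style = (Get-Disk | Where-Object IsSystem | Select-Object -First 1).PartitionStyle

    $next = if ($secureBoot -eq 'On') {
        'Nothing to do: Secure Boot is already on.'
    } elseif ($firmware -eq 'Uefi' -and $style -eq 'GPT') {
        'Enable Secure Boot (or install default keys) in the BIOS; disable CSM if it is on.'
    } else {
        'Legacy install: validate and convert with mbr2gpt, then enable Secure Boot.'
    }

    [pscustomobject]@{
        BiosMode        = $firmware
        SecureBoot      = $secureBoot
        TpmPresent      = [bool]$tpm.TpmPresent
        TpmReady        = [bool]$tpm.TpmReady
        SystemDiskStyle = $style
        NextStep        = $next
    }
}

Get-BootSecurityReport | Format-List
```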
Converting from Legacy to UEFI
First, make sure your BIOS can enable Secure Boot at all. It should have its own section, usually under the security or boot menus. Don't actually enable it yet though. First we need to prepare Windows by using a built-in tool called MBR2GPT. Go to settings then find the recovery pane under update and security and click restart now under advanced start-up. Choose troubleshooting, then advanced options, then command prompt. Then type this command into the command prompt window and hit enter. If all goes well, it should say validation completed successfully. From here type
mbr2gpt /convert
to convert the install from legacy to UEFI. Once that's done close the window and reboot.
Now you can turn on Secure Boot and enjoy neat UEFI features like this handy UEFI firmware settings button in the advanced startup menu.
Of course we promised there was a backdoor, remember? So don't worry if you don't have Secure Boot or UEFI or even a TPM for that matter, there is still a way forward.
Which brings up an important question. How can Microsoft justify having us jump through all these extra hoops? Well, Microsoft's analytics reportedly showed that Surface devices equipped with a TPM and Secure Boot as part of virtualization-based security reported up to 60% fewer instances of malware infection. That's pretty huge. And even though you can get this level of security in Windows 10 today, it makes sense that Microsoft would want to make that change mandatory for what they're calling the most secure Windows ever. Especially if they want to keep Windows competitive with macOS and Chrome OS.
So in my mind, if you're running a system with those security features available, there is no question that you should enable them. It's free security. But the problem is that many people don't have those features available. And that's why there's been so much concern about these system requirements. But there's hope if you don't quite meet them.
Getting Insider with old hardware
For our first trick, we're gonna get into the Insider Program with unsupported hardware. You will still need a TPM for this. Windows checks for one at the last mile while downloading, but a little bit of registry hacking will bypass the hardware compatibility checks.
Just enroll with the Insider Program as before, then when you see that your only choice is the release preview branch, play along for now. Reboot and then when you get back to the desktop, go ahead and launch regedit.
Navigate to this key and change these values to read like this, then navigate to this key and change these values. They're basically the same things but pay attention to the names. Once that's done, reboot and look at the Insider Program settings pane again. You should now be enrolled and able to download the Windows 11 update, with the major caveat that you are not allowed to update to the final release when it drops. So if you want to run the full version when it releases, watch on.
Tell Windows 11 you don't need security
The solution here is to use the same method that's used to install a fresh copy of Windows 11 on unsupported hardware, an ISO. Now, Microsoft has yet to make one officially available, but that doesn't mean that you can't make one yourself. They already provide the files that you need. So using UUP dump, you can select Windows 11, then choose the editions that you want to be included. This next screen is a bit confusing, but the TLDR is that we want to choose this option to add editions and then this option to create an ISO with install.esd instead of install.wim.
Click create download package, and you'll be given a zip file that is way smaller than an ISO.
That's because what we downloaded is just a script that downloads and creates the ISO for you straight from Microsoft, not from a third party. The script is readable so you can verify it for yourself before running it if you like.
Once you have a Windows 11 ISO, you can either burn it to a disc or extract its contents to a USB flash drive. Boot from it and you'll see a very familiar screen. From there on it's just one more familiar trick to let us install on any system we want, even so-called incompatible ones.
Hold shift and press F10 to make a command prompt window appear, then type regedit and navigate to this registry key. Right click on it and make a new key called LabConfig. In here create two DWORD values, BypassTPMCheck and BypassSecureBootCheck and set them both to one. Close regedit and the command prompt and continue on your merry way.
If Microsoft breaks things later... (appraiserres.dll)
Now we're not sure if Microsoft will continue to allow this registry hack after official release. They did say though that some OEM and integrated systems will be exempt. And presumably this is how they'll do it, but it is Microsoft and you never know. So if it does stop working by the time Windows 11 is released, you can work around it in one of two other ways, both using a Windows 10 ISO.
First, you copy this DLL file from the sources folder of a Windows 10 ISO into the sources folder of a Windows 11 ISO. This file contains the compatibility checks. So because they didn't exist in Windows 10, you're able to use that same compatibility check for Windows 11's installer.
If Microsoft breaks even more things... (install.esd)
It is possible that Windows 11's installer will change before release, however, so the more future-proof method is to go the other way around. This time copy the install.esd file from the sources folder of the Windows 11 ISO into the sources folder of the Windows 10 ISO, and bam, that Windows 10 ISO is now a fully functional Windows 11 installer. It even works for legacy systems without UEFI. But wait, hold on a second. Why does this work?
Why these workarounds work
The Windows setup process uses a tool called DISM or Deployment Image Servicing and Management. Fundamentally, the Windows installation files are just a disk image that is applied to the target disk when installing. This makes for a very clean and easily verified install, and it makes it far easier to generate custom images that can then be installed on multiple PCs, complete with the normal first time setup. It's how system integrators like Dell and HP make their customized Windows installs.
The setup program isn't actually doing anything more than prepping your drive and applying the image to it. It doesn't care what's in the image, garbage in, garbage out. Windows 11's installer simply has some visual changes compared to 10's, and of course, those extra checks to make sure you're using a TPM and Secure Boot. So putting the Windows 11 install image onto a Windows 10 ISO bypasses all of Windows 11's new installation requirements.
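To see that split between installer and image on a given ISO or USB stick, the following added example (not from the original article) compares the build of setup.exe with the build of each image inside install.esd or install.wim. It assumes an elevated prompt and the DISM PowerShell module; the function name Get-InstallMediaReport and the E:\sources path are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of install media. Function name and path are hypothetical.
function Get-InstallMediaReport {
    param([Parameter(Mandatory)][string]$Sources)   # the media's sources folder

    # Setup carries the compatibility checks; its build number shows which release it came from
    $setupBuild = (Get-Item (Join-Path $Sources 'setup.exe')).VersionInfo.ProductBuildPart

    # The payload is install.esd or install.wim, depending on how the ISO was built
    $image = Get-ChildItem -Path $Sources -Filter 'install.*' |
             Where-Object Extension -in '.esd', '.wim' |
             Select-Object -First 1
    if (-not $image) { throw "No install.esd or install.wim found in $Sources" }

    # One entry per edition stored in the image; -Index returns the detailed record
    Get-WindowsImage -ImagePath $image.FullName | ForEach-Object {
        $info = Get-WindowsImage -ImagePath $image.FullName -Index $_.ImageIndex
        $imageBuild = ([version]$info.Version).Build
        [pscustomobject]@{
            Index      = $info.ImageIndex
            Name       = $info.ImageName
            Edition    = $info.EditionId
            ImageBuild = $imageBuild
            SetupBuild = $setupBuild
            # True when the installer and the image it applies come from different releases
            Mismatch   = ($imageBuild -ne $setupBuild)
        }
    }
}

Get-InstallMediaReport -Sources 'E:\sources' | Format-Table -AutoSize
```

A Mismatch of True on every row is what media built by swapping install.esd between ISOs looks like, which is worth knowing before trusting a USB stick someone else prepared.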
The rest of the install process
The rest of this phase of the install process is the same as Windows 10. Enter a product key if you have one, pick your edition, choose a RAID driver if needed, select which drive to install to, and format it if necessary. When the installer finishes Windows will boot up with a pretty animation and greet you with a region and language selection screen followed by an update, naming the PC, and a reboot.
Windows 11 Home requires a MS account, but...
A word of warning though, once it's back up it'll ask you for your Microsoft account and there is no way of skipping that on Windows 11 Home Edition. Sort of. As of right now, you can actually just unplug the ethernet cable before it reboots, and it will let you set up a local account instead. I wouldn't count on this working in the future though, because Microsoft has indicated that an internet connection will be required for Home Edition moving forward. Although there's nothing that would prevent you then from un-linking your Microsoft account after the initial setup. At least for now, because there's no way to know if it will stay that way in the future.
In Windows 11 Pro though, you can just choose to never input one. On the plus side, if you do sign in with a Microsoft account, you get to choose whether to restore apps and settings from a backup of your previous install, kind of like Android. Although the apps they're talking about are Windows Store apps. But you also get to choose privacy options just like you do in Windows 10 today. And then after a short setting up period, you will be at the Windows 11 desktop.
What ARE Windows 11's system requirements then???
If you can ignore the security requirements and just install Windows anyway, what are the real system requirements? Well, it might not surprise you that we can go back farther than Microsoft's officially listed Coffee Lake and Zen+ CPUs. How about a fourth gen CPU from 2013? Not far enough back for you? How about this Core 2 Duo E8400 from 2008. Yeah, that's right. It's running Windows 11 without even a UEFI BIOS.
This was as far back as we could go, though, without running into serious issues. The single core Pentium 4 630 that we tried should have supported the 64 bit instructions necessary to run the OS, but it ended up just hard resetting every time we tried to run it, even the installer. A single core Athlon 64 might be okay, but we don't have one of those handy to test with.
So clearly the system requirements are nonsense, but here's the thing. What you guys might know is that these shenanigans with minimum system requirements are nothing new. Microsoft actually lists a fifth gen Core CPU as the oldest that can run Windows 7. I mean, that's clearly not true. Windows 7 came out over five years before those CPUs even existed. So what's up with that? Well, the keen-eyed among you might've spotted a pattern here.
It's about validation and vendor support
Between Windows 10 and Windows 11, Microsoft tested and validated only CPUs from as old as one or two years prior to the release of each. And this is what you're seeing on the official support lists, validation. Microsoft made a blog post recently saying as much, calling out security, reliability, and compatibility specifically as guiding principles. They're apparently looking into Zen One and Kaby Lake CPUs now after seeing so much backlash from consumers, by the way. So that's pretty cool. And it's not that Microsoft is recommending the CPUs that they are simply because they're lazy and they didn't feel like testing more.
Windows 11 makes it an official recommendation, and as far as I can tell, a requirement for OEMs going forward, to use a new driver model called Windows Drivers, which Microsoft claims can reduce driver related crashes by 99.8%. That would be great. But the downside is that a new driver model means that they're probably going to need new drivers, assuming that they disallow the previous driver model at some point. Well, this is where the eighth gen Core and Ryzen 2000 recommendations come from. The hardware surrounding those chips is still officially supported by their vendors and is likely to get Windows 11 drivers, while the same is not necessarily true for CPUs from 2017 or earlier. So AMD and Intel actually have their own role to play here in this artificial lockout of older, but not very old hardware.
Conclusion
All of which is to say then that at least for now, you can install Windows 11 on basically anything that you would want to, but the experience might be subpar and might get sub-er, par-er in the future. According to Microsoft, it will be best to run on something newer for official support, both from the vendor and from them. But at the end of the day, if you're worried you won't be able to install Windows 11, don't be. Microsoft hasn't locked it down the way that we feared, at least not yet.