Event banner
Event details
37 Comments
- For official information on Windows 10 releases and servicing milestones, plus resources, tools, and news about known issues and safeguards to help you plan your next update. go to: https://aka.ms/windowsreleasehealth
- David_Mebane
Microsoft
Learn more about expediting updates here: https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-expedite-updates. And feel free to reach out at askwufb [at] microsoft.com!
- Hope you're all enjoying the session so far! Tell us if you'd like to see more sessions like this giving you direct access to the product team.
- David_MebaneHere is a link to the Windows Update for Business deployment service that Aria mentioned: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-the-windows-update-for-business-deployment-service/ba-p/2178419
- As an Org that uses Ivanti for endpoint Windows management, and MDT for on-prem provisioning, is Intune/Autopilot still the best path forward, ignoring Configman? Meaning, should we disregard the idea of co-management and just go whole-hog into Intune?
- If you are not using Configuration Manager today, and you don't have specialized devices or needs that require you to use ConfigMgr customization capabilities, going all in on Intune with Autopilot sounds like an excellent idea. No on prem infra to maintain!
- Has there been any further discussion on the qualifications for Windows 11 with regard to Processor requirements or alternatives to TPM ? Does Intel have any further information that would clarify why certain processors were chosen or not ?
- Microsoft has never explicitly said why TPM 2.0 and processor generation were hard requirements, but this is why: HVCI (and the features that depend on it) is very slow and cripples some CPUs by up to 30%, but with the MBEC feature released on newer Intel and AMD CPUs, it's much faster. Microsoft wants to enable HVCI by default (and probably just want to block the CPUs that would get too slow instead of dealing with the complaints). TPM 2.0 (instead of TPM 1.2) is officially required because of some extra, lesser used features. Pure speculation, but they might also develop new security features that require TPM 2.0.
- Joe_LurieSure. Take a look at our blog here: https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/
Welcome to the Windows 11 upgrade paths and deployment tools Ask Microsoft Anything (AMA)! This live hour gives you the opportunity to ask questions and provide feedback to the engineering and product teams building Windows. Introduce yourself by replying to this thread. Post each question in the Comment on this event… box above.
- Also I wonder what the word was for Zen 1/7th Gen Intel since last time Microsoft was saying that they were investigating "experience" which to me is fine and im even typing this from my Win 11 Machine that has a Ryzen 1000 CPU in There's not been any communication since that comment on "experience" however 😕 Security-wise I can't see a clear enough line from accepted CPU's and rejected ones which honestly felt like an arbitrary line in the sand, people who bought new surface products would automatically be stuck with Windows 10 even if they dont want to be until they can upgrade again. Zen 1/Gen 7 wasn't that long ago 😞
The line is drawn because Gen 8/Zen 2 (technically Gen 7 too) are the first processors to support http://borec.ch/the-potential-performance-impact-of-device-guard-hvci/, a hardware feature to speed up HVCI, a security feature used for kernel driver validation and for some enterprise security features such as WDAG/Device Guard and force-enabled on Windows 11.
Without MBEC on the processor, HVCI is much slower and somewhat cripples the CPU, therefore the "experience" argument from Microsoft.
Opinion: Microsoft have been shady about this from the very start, with no official explanation and false arguments (no, Secure Boot, VBS and HVCI enabled but unconfigured will not stop https://www.microsoft.com/security/blog/2021/01/11/new-surface-pcs-enable-virtualization-based-security-vbs-by-default-to-empower-customers-to-do-more-securely/).
I think HVCI in isolation is useless for consumers and small businesses alike as malicious kernel drivers or Mimikatz usage is not going to be the primary focus for attackers when the user is local admin already.
- If we consider that a device is not fully compatible with Windows 11 will it be offered as upgrade via Windows Update? Some users already reported they have seen "ads" in the Windows 10 notification area about Windows 11 no matter their device being compatible with Windows 11 or not. What is your plan after release how to proceed with these notifications? How can we minimize the impact because the device could be compatible (UEFI / SecureBoot/ TPM) but is not properly configured. Technically this is hard or impossible to estimate. However we could check the mainboard model and see if there is a technical possibility this mainboard would qualify with the requirements if properly set. Will you consider this?
- Also I wonder what the word was for Zen 1/7th Gen Intel since last time Microsoft was saying that they were investigating "experience" which to me is fine and im even typing this from my Win 11 Machine that has a Ryzen 1000 CPU in There's not been any communication since that comment on "experience" however 😕
- From a Windows Update perspective, we will not 'offer' Windows 11 upgrades to devices that do not meet the minimum HW requirements, or devices that are impacted by a 'safeguard' hold, like a known compat issue with an app that was found late in the game.
