
Comments (8)

ByteJammer commented on August 9, 2024

Your comment is exactly the reason why this tool exists. Microsoft's documentation and communication are not very clear about the exact Windows 11 minimum requirements and the reasons why. But all the ruckus around Windows 11 starts with the minimum processor hardware requirement. This requirement is to ensure Virtualization-based Security (VBS) - which enables e.g., Hypervisor-protected code integrity (HVCI) - has hardware support, which is powered by a processor feature called Mode-Based Execution Control (MBEC). On CPUs without MBEC, Windows 11 with VBS would run noticeably slower than Windows 10 without VBS. Microsoft doesn't want users to have this experience.

If you would attempt to enable VBS on a system without Secure Boot enabled, VBS will not run. The Windows event system log will reveal this with a Kernel-Boot warning, event ID 156: "Virtualization-based security (policies: Secure Boot,Mmio Nx,Strong MSR Filtering,Hvci,Boot Chain Signer Soft Enforced) is disabled due to secure boot being disabled with status: The request is not supported."

In other words, Secure Boot has to be enabled in order for all the hypervisor-based security features to work, with best performance on Windows 11.

from win11rct.
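
The thread turns on the difference between a Secure Boot *capable* and a Secure Boot *enabled* system, and on whether VBS is actually running. The following PowerShell sketch is an added example, not part of the thread and not code from the Win11RCT tool; it reports all three facts on the local machine. The function names are hypothetical, the status-code mapping follows the `Win32_DeviceGuard` WMI class, and it assumes an elevated prompt.

```powershell
# Added example: distinguishes "capable" from "enabled" and checks VBS state.
# Function names are hypothetical; run from an elevated PowerShell prompt.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and
    # throws when the platform has no Secure Boot support (e.g. legacy BIOS).
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' }
        else { 'CapableButDisabled' }
    }
    catch [System.PlatformNotSupportedException] { 'NotSupported' }
    catch [System.UnauthorizedAccessException]   { 'NeedsElevation' }
    catch { 'Unknown' }
}

function Get-VbsState {
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 2 when HVCI is active.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                           -ClassName Win32_DeviceGuard -ErrorAction Stop
    $map = @{ 0 = 'Off'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    [pscustomobject]@{
        Vbs         = $map[[int]$dg.VirtualizationBasedSecurityStatus]
        HvciRunning = $dg.SecurityServicesRunning -contains 2
    }
}

function Get-VbsDisabledEvents {
    # Kernel-Boot event ID 156 is the warning quoted in the comment above.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-Boot'
        Id           = 156
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$vbs = Get-VbsState
[pscustomobject]@{
    SecureBoot     = Get-SecureBootState
    Vbs            = $vbs.Vbs
    HvciRunning    = $vbs.HvciRunning
    Event156Recent = @(Get-VbsDisabledEvents).Count
}
```

A result of `CapableButDisabled` together with a non-zero `Event156Recent` corresponds to the situation described in the comment above: VBS was requested but did not start because Secure Boot is off.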

bentrop commented on August 9, 2024

Well summarized and well speculated. I'm not disputing any of this.

That doesn't, however, change the fact that the current statement "Windows 11 requires Secure Boot to be enabled" is simply incorrect.

Windows 11 currently does not require this and Microsoft has at no point communicated that it will, on the contrary. All documentation, all checks (PC Health App, beta enrollment checks etc.) currently point towards one thing: the system has to be capable but the feature does not need to be active - at least not for the first and upcoming RTM build of Windows 11.

It's likely recommended to enable Secure Boot for security and/or performance reasons, it may become a requirement for future branches, but it's not a requirement nor is it at all likely to become a requirement for the upcoming 22000.x release.

Until that changes I would recommend that a disabled secure boot is not communicated as a missing minimum requirement but merely a "recommended" feature.


ByteJammer commented on August 9, 2024

I explained the background for the Secure Boot requirement and why it has to be enabled by default.

In this official “Minimum hardware requirements for Windows 11” document from Microsoft it is clearly stated on page 6 that Secure Boot is “REQUIRED” and “Enabled by default”.
https://download.microsoft.com/download/7/8/8/788bf5ab-0751-4928-a22c-dffdc23c27f2/Minimum%20Hardware%20Requirements%20for%20Windows%2011.pdf

The Win11RCT tool is entirely based on the requirements outlined in that document.

Lastly, Microsoft quite recently stated that current Insider images do not enforce the hardware requirements but they confirm that the "hardware floor" would be real for final versions:
https://arstechnica.com/gadgets/2021/08/microsofts-windows-11-outreach-efforts-arent-going-very-well/

Hope this helps.


bentrop commented on August 9, 2024

"Enabled by default" is a requirement for system builders and OEMs. It also, by definition, means that the feature can be disabled. There's a tangible difference between "has to be enabled by default" and "has to be enabled".

There is currently no requirement, documented or enforced, for Secure Boot to be enabled.

You're welcome to keep claiming this in your tool, but you're going against Microsoft's own documentation, against Microsoft's own PC Health App check, against Microsoft's own enrollment checks for both the Dev and the Beta Channel and against the checks inside all current builds of the Windows 11 installer.

This was written from Windows 11, build 22000.120, on a fully compatible, Secure Boot capable system.
Secure Boot is and always has been disabled since it's a pain in the royal buttocks to dual boot to GPLed systems with it enabled.


ByteJammer commented on August 9, 2024

> "Enabled by default" is a requirement for system builders and OEMs. It also, by definition, means that the feature can be disabled. There's a tangible difference between "has to be enabled by default" and "has to be enabled".
>
> There is currently no requirement, documented or enforced, for Secure Boot to be enabled.

But it is documented and it is pretty clear. It states REQUIRED. It even states required twice!

[Screenshot: Page6]

> You're welcome to keep claiming this in your tool, but you're going against Microsoft's own documentation,

Again, I am quoting from Microsoft documentation. I provided the above screenshot for your convenience.

> but you're going against ... Microsoft's own PC Health App check, against Microsoft's own enrollment checks for both the Dev and the Beta Channel and against the checks inside all current builds of the Windows 11 installer.

  1. Microsoft has taken their PC Health Check tool offline because it does not work correctly and is confusing: https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/
  2. Microsoft admits: 'we know it sucks we will still block you'; Microsoft's Program Manager Aria Carley has confirmed that it would not be possible to bypass Windows 11's TPM 2.0 and Secure Boot requirements once the OS launches some time in October: https://www.notebookcheck.net/Windows-11-s-strict-hardware-requirements-cannot-be-bypassed-Microsoft-admits-We-know-it-sucks-we-will-still-block-you.552733.0.html
  3. Microsoft allows Windows Insiders to upgrade because "we will learn how Windows 11 performs across CPU models more comprehensively, informing any adjustments we should make to our minimum system requirements in the future.": https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/
  4. It is possible you will not be able to move off the Insider Dev channel when Windows 11 goes GA: https://twitter.com/WinObs/status/1423001426817605634?s=20

The entire reason for the minimum requirements in the first place is, going forward, every Windows 11 installation has at least virtualization-based security enabled, which requires Secure Boot to be enabled.

That said, I do think that Windows 11 will have a way to disable virtualization-based security so that IT people and developers can test things (e.g. driver development). Same as you can disable Driver Signature Enforcement in Windows 10 nowadays which allows you to run unsigned drivers (not exactly what a regular user wants to do). But these are very specific scenarios.

But the point of the tool is to inform the user as much as possible on the upcoming enforcement of the requirements. Secure Boot has to be enabled per Microsoft's own documentation and communication. It is not to say that Microsoft will change its stance in the future. The tool reflects what is currently known.

Hope this helps.


bentrop commented on August 9, 2024

> It is possible you will not be able to move off the Insider Dev channel when Windows 11 goes GA

I'm not and never was enrolled in Insider Dev.
I enrolled straight in the Insider Beta channel. I was not unenrolled for not meeting minimum requirements as announced here:
https://blogs.windows.com/windows-insider/2021/06/24/preparing-for-insider-preview-builds-of-windows-11/

Insider Beta goes straight to Windows 11 RTM. The minimum requirements enforced by enrollment in the Beta channel are the exact same minimum requirements enforced by Windows 11 RTM.

According to this blog regarding the early Dev-Channel builds:
https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/

"In support of the Windows 11 system requirements, we’ve set the bar for previewing in our Windows Insider Program to match the minimum system requirements for Windows 11, with the exception for TPM 2.0 and CPU family/model."

The TPM 2.0 / CPU family/model requirements have since been enforced. Affected systems were unenrolled from Dev- and are unable to join Beta.

There is not and never has been a Secure Boot "enabled" requirement; there is only a Secure Boot "capable" requirement.

I'm not saying your reasoning isn't sound. I'm just saying that your speculation for this requirement does simply not match the facts.


markloman commented on August 9, 2024

PCs non-compliant with Windows 11 are now being kicked from the Insider Program: https://www.neowin.net/news/pcs-non-compliant-with-windows-11-are-now-being-kicked-from-the-insider-program/

"...those on the Dev Channel will only be allowed to receive builds until the general availability of Windows 11 - that is October 5 -, after which they'll need to go back to Windows 10."


bentrop commented on August 9, 2024

Yes, and by now Microsoft has made it abundantly clear that it does not require Secure Boot to be enabled.

This has been confirmed by the more stringent Insider requirements and first and foremost the updated PC Health Check app.
As mentioned here from the very beginning:

Windows 11 requires a secure boot capable system but not necessarily a secure boot enabled system.

Given that the official PC Health Check app gives reasonably granular information about the failed and passed system requirements now, there's probably little need for this tool giving incorrect information anyways.
