
Security boost in Windows 11 limits PC reuse

Microsoft has put a lot of emphasis on improving security in Windows 11, but this comes at a cost as old hardware is no longer supported

Data from Lansweeper has found that almost a fifth of PCs will be unable to run Microsoft’s newest operating system (OS), Windows 11.

Although it can be manually installed on any PC, Windows 11 is only certified to run on equipment with processors less than four years old. An automatic upgrade to the new operating system is only possible if the PC is running a supported processor and has the minimum 4GB of required memory.

Specifically, to run Windows 11, PCs need a trusted platform module (TPM version 2.0), which Microsoft describes as a secure crypto-processor designed to carry out cryptographic operations. It said the TPM includes multiple physical security mechanisms to make it tamper-resistant.

Malicious software is unable to tamper with the security functions of the TPM, Microsoft noted in the Windows 11 specifications webpage. The TPM is used to store cryptographic keys and helps to maintain the integrity of the system. Newer hardware tends to have the TPM built in, such as Intel Platform Trust or AMD Platform Security Processor.

However, analysis from Lansweeper, based on an estimated 30 million Windows devices from 60,000 organisations, found that many PCs lack TPM capabilities. It reported that, on average, only 44.4% of the workstations were eligible to receive the automatic upgrade.

Lansweeper’s analysis found that while the majority of PCs (91%) had sufficient RAM, only about half of the workstations met the TPM requirements. Of the PCs it analysed, almost a fifth (over 19%) failed and 28% were not TPM-compatible or did not have the crypto-processor functionality enabled.

For PCs with a TPM 2.0 module, the function can be enabled in the BIOS menu. For older devices, some PC motherboard models offer an add-in TPM 2.0 card which can be purchased. But some organisations may need to scrap their old PC hardware altogether if they want to install Windows 11.

Organisations using virtual desktop infrastructure (VDI) also face challenges in updating virtual machines (VMs) to Windows 11. When Lansweeper analysed virtual machines, it found that CPU compatibility was slightly higher, at 44.9%, but only 66.4% of the VMs had enough RAM. Its analysis also found that very few Windows VMs (0.23%) had TPM 2.0 enabled.

While TPM passthrough (vTPM) exists to give virtual machines a TPM, Lansweeper said this feature was rarely used. It warned that Windows VMs would need to be reconfigured with a vTPM before they could upgrade to Windows 11.

It also found that TPMs on physical servers only passed the test 1.49% of the time. This, according to Lansweeper, means about 98% would fail to upgrade if Microsoft were to create a server operating system with similar requirements in the future. Its analysis found hardly any virtual servers with TPM enabled.

Discussing the data, Roel Decneut, chief marketing officer at Lansweeper, said: “Microsoft justifies the need for these requirements to allay security fears, as many devices won’t be able to upgrade, even some that are fresh on the market.”

Decneut said the improved security might drive organisations that are early adopters of new technology to upgrade their PC estate, but in enterprises with thousands of Windows machines the upgrade would be a massive task, requiring a full inventory of the PC estate.
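
A per-machine check for two of the requirements described above (TPM 2.0 and 4GB of RAM), as an added example that is not from the article or from Lansweeper. It uses the standard Win32_Tpm and Win32_PhysicalMemory CIM classes; the function name and the state labels are hypothetical, and processor support is not checked.

```powershell
# Added example: classify this PC against the TPM 2.0 and 4GB RAM requirements.
# Run from an elevated session; the TPM CIM namespace requires administrator rights.
function Get-TpmRamReadiness {   # hypothetical name
    [CmdletBinding()]
    param(
        [int]$MinRamGB = 4       # minimum memory quoted in the article
    )

    # Sum installed modules; Win32_ComputerSystem.TotalPhysicalMemory excludes
    # firmware-reserved memory and can report just under the installed size.
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
                 Measure-Object -Property Capacity -Sum).Sum
    $ramGB = [math]::Round($ramBytes / 1GB, 1)

    # No instance is returned when the OS sees no TPM: either the hardware has
    # none, or a firmware TPM is switched off in the BIOS/UEFI setup.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    $state = 'NoTpmVisible'      # state labels are hypothetical
    $spec  = $null
    if ($tpm) {
        # SpecVersion is a comma-separated string; the first field is the
        # TPM specification version, e.g. "2.0" or "1.2".
        $spec = ($tpm.SpecVersion -split ',')[0].Trim()
        if ($spec -notmatch '^\d+\.\d+$') {
            $state = 'TpmVersionUnknown'
        } elseif ([version]$spec -lt [version]'2.0') {
            $state = 'TpmBelow2.0'
        } elseif (-not ($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)) {
            $state = 'Tpm2.0NotEnabled'   # present, but must be enabled first
        } else {
            $state = 'Tpm2.0Ready'
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RamGB          = $ramGB
        RamOk          = ($ramGB -ge $MinRamGB)
        TpmSpecVersion = $spec
        TpmState       = $state
        # Covers RAM and TPM only; CPU support must be checked separately.
        PassesTpmAndRam = ($ramGB -ge $MinRamGB -and $state -eq 'Tpm2.0Ready')
    }
}

Get-TpmRamReadiness | Format-List
```

A machine reporting `NoTpmVisible` may still have a firmware TPM that is disabled in setup, so that result alone does not mean the hardware has to be replaced.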
