Microsoft Suggests Windows 11 Will Work with Current Tools
Microsoft this week outlined perks for IT pros with the coming Windows 11 operating system, suggesting that deployment and management will be similar to Windows 10.
Windows 11 is currently at the preview stage, but it's expected to reach "general availability" commercial release in October. The IT pro benefits coming with Windows 11 were described by Steve Dispensa, vice president of enterprise management at Microsoft, in this Wednesday Microsoft announcement.
Current Policies Will Work with Windows 11
Policies for Windows 10 set via Group Policy and tools such as Microsoft Endpoint Manager will "just work on Windows 11," Dispensa indicated. The policies get labeled "Windows 10 and later," rather than "Windows 11." Dispensa added that "Windows 11 can easily co-exist and run side-by-side with Windows 10 as you roll out."
Current tools such as Microsoft Endpoint Manager Configuration Manager, the Microsoft Deployment Toolkit and the Windows Assessment and Deployment Kit "will work the same way in Windows 11."
For Windows 11 updates, there will be "a few more granular controls," Dispensa said. Only the necessary bits get pulled down to a machine when updating, which "reduces update sizes by around 40%," he indicated.
Users of the Windows Update for Business service will be able to use Windows Update to just get "drivers and critical security updates," while separately controlling the arrival of Windows 11 feature updates via Microsoft Endpoint Manager Configuration Manager.
"That way you can set up policies that immediately apply software updates for cases to address zero-day vulnerabilities while keeping control of feature update timelines," Dispensa said.
Dispensa is apparently referring to the Windows Update for Business Deployment Service, a cloud-based service that adds more controls for IT pros and works with Windows Update for Business policies. It requires having E3-type licensing and was supposed to have been commercially released in the first half of this year.
Windows 11 "feature updates," which are new operating system versions that arrive once per year, are said to be less disruptive for end users. Microsoft uses artificial intelligence to gauge user active hours. Feature updates get applied when users are away from their PCs.
A new Windows 11 version is supported for 24 months with the Home and Pro editions. Windows 11 users get 36 months of support with the Enterprise and Education editions.
Windows 11 Hardware Requirements
Microsoft recently solidified the processor requirements to run Windows 11. PCs will mostly need eighth-generation processors (with a couple of exceptions) to run the OS and be supported. That requirement may mean that some 3-year-old PCs won't support a Windows 11 upgrade.
The eighth-generation processor requirement was mostly instituted "to balance security with performance," Dispensa indicated. He also touted security benefits from requiring 64-bit architectures and UEFI firmware, plus mandating DCH drivers, which all contributed to a "99.8% crash-free experience in the preview" versions of Windows 11.
Windows 11 is designed for a "zero trust" security approach, Dispensa contended.
"The Zero Trust security model is baked in with layered security from the silicon on the board itself to the actual boot process, your login as a user and the apps that you use in your Windows session every day," Dispensa said.
Dispensa didn't mention it, but Windows 11 notably has "secure boot" protections, which check for rootkits during the bootup process. The secure boot process is enabled via Trusted Platform Module 2.0 chips on PCs. Windows 11 will require PCs to have TPM 2.0 chips, but they've been required in new PCs since July 28, 2016.
Some years back, Microsoft and its hardware partners started building so-called "Secured-core PCs" running Windows 10, largely because secure boot was deemed insufficient protection. Windows 11, though, will have virtualization-based security (VBS) on top of secure boot, which is also found in Secured-core PCs.
Here's what a Microsoft engineer said when asked if secure boot was deemed an adequate defense, via e-mail:
Secure Boot, alone, cannot fully defend against all rootkits, but it is an essential part of the solution. TPM and VBS are also necessary to provide all of the foundational building blocks we need to deliver a comprehensive defense in the platform, such as we have with Windows Defender System Guard runtime attestation.
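As an added illustration (not from the article, and not Microsoft's own eligibility script), the PowerShell below reports whether a PC has the platform pieces named above: a 64-bit OS, UEFI firmware, Secure Boot turned on, a TPM 2.0, and whether VBS is actually running. It uses only built-in cmdlets and WMI classes; the processor-generation check is left out because it depends on Microsoft's supported-CPU list. Run it from an elevated prompt.

```powershell
# Added example (not Microsoft's script): summarise the platform features
# the article ties to Windows 11 security. Requires an elevated prompt.
function Get-Win11PlatformReadiness {
    $result = [ordered]@{}

    # 64-bit OS
    $result.Is64Bit = [Environment]::Is64BitOperatingSystem

    # UEFI versus legacy BIOS ($env:firmware_type is "UEFI" or "Legacy")
    $result.Uefi = ($env:firmware_type -eq 'UEFI')

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS machines,
    # so a thrown error is treated as "not enabled"
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # TPM presence and spec version (SpecVersion reads like "2.0, 0, 1.38")
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]$tpm
    $result.Tpm20      = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # Virtualization-based security status: 2 = running,
    # 1 = enabled but not running, 0 = not enabled
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.VbsRunning = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)

    # Baseline the article describes: 64-bit, UEFI, Secure Boot on, TPM 2.0.
    # VBS is reported separately because it is a layer on top of that baseline.
    $result.MeetsPlatformBaseline = ($result.Is64Bit -and $result.Uefi -and
                                     $result.SecureBoot -and $result.Tpm20)

    [pscustomobject]$result
}

Get-Win11PlatformReadiness | Format-List
```

A machine that reports MeetsPlatformBaseline as True but VbsRunning as False has the hardware the article says Windows 11 builds on, yet is not yet getting the virtualization-based protections layered over Secure Boot.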
Windows 11 Upgrade Blocks
Microsoft talked about hardware requirements and Windows 11 upgrades, in part, during a July 21 "Ask Microsoft Anything" session, which can be viewed here.
During the session, Aria Carley, a program manager focused on the commercial management of Windows updates, explained that PC upgrades to Windows 11 will get blocked automatically if the upgrade requirements aren't met, which will occur before the OS bits get sent.
The automatic Windows 11 upgrade blockage, determined by Microsoft's telemetry information, is being done to assure a good user experience, she indicated:
We know it sucks that some aren't going to be eligible for Windows 11. But the great thing to remember is the reason we are doing that is to keep devices more productive, have a better experience and most importantly have better security than ever before, so that they can stay protected in the new workforce.
IT pros will be able to use Microsoft's Update Compliance or Endpoint Analytics tools, as well as a script that Microsoft will provide, to determine if devices are eligible for Windows 11 as well, she added.
Carley also advocated moving policies to the cloud as a better solution, such as using Microsoft Intune instead of Windows Server Update Services to manage PC updates. The reason is that the cloud-based policies can leverage Microsoft's Safeguard Holds capability, which blocks updates known to have problems.
It's possible to disable Safeguard Holds. However, doing so won't be a way to bypass a Windows 11 upgrade block, Carley explained.
"We're still going to block you from upgrading your device to an unsupported state since we really want to make sure that your devices stay supported and secure," she said.
Carley also touted Intune's Expedite feature to quickly deploy patches, without having to change configured update deferral policies.
Microsoft's odd "commercial preview" term, recently applied to Windows 11 and Windows 10 21H2 releases in the Windows Insider for Business program, was briefly explained by Carley:
Every release we have this thing called a "commercial preview release moment." And a commercial preview release moment is where we actually announce, "Hey, this version is ready for you, IT admins, to not only test but potentially deploy to one percent of your fleet or your organization." It's reached that level of stability.
There also was lots of advocacy during the talk for using Windows Autopilot for provisioning Windows 11 PCs.
Windows 11 Principles
Windows 11 was designed according to three principles, namely "reliability," "security" and "compatibility." Those concepts were weighed by former longtime Microsoft employee Michael Niehaus in a recent blog post.
Niehaus concluded that the vast majority of Microsoft's hardware requirements are justified by its principles for Windows 11. He quibbled over Home edition users being required to have a Microsoft account, though.
Niehaus also thought Microsoft should have required the use of solid-state drives with Windows 11, which was an "opportunity lost."
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.