Bypass Windows 11's Minimum System Requirements
This computer does not support Windows 11, and yet here we are. The Windows 11 rollout is well on its way but some of you will be getting messages like this. Your computer's too old. Buy a new one! Well wait just a minute there, Microsoft! We're not talking about ancient devices here. This Microsoft Surface Laptop is only three years old and is apparently too old to run Windows 11. You'll provide a warranty for it but won't let it run your operating system? To make matters worse none of the features that supposedly require this new hardware are actually new in Windows 11. They're part of Windows 10 already!
Now I get that everything eventually needs an upgrade, but throwing out perfectly good hardware because of an artificial limitation is generating a mound of e-waste for no good reason. I'm going to show you how you can bypass this so you can install Windows 11 anyway, but I'm also going to tell you what you're giving up; because by bypassing these requirements you are opening yourself up to possible risks in the future and it's important that you make an informed decision. Welcome back to The Pro Tech Show. I'll add video chapters so you can skip to the install if you want but I do recommend watching the whole thing so you're clear on the potential consequences.
Why the minimum requirements exist
As I said right at the start: the features used to justify the new hardware requirements for Windows 11 are not new; but what has changed is that Microsoft now wants them to be enabled by default. These are security features and they did exist in Windows 10 but they weren't enforced - they were optional. There are a lot of security quirks like this in Windows where it's actually capable of much better security but out of the box it's turned off in the name of compatibility.
See, Microsoft want it to just work and new security features usually come at the cost of breaking old software or not working properly with certain hardware; so what they often tend to do is they add the new security to Windows but leave it disabled. The intention is that out of the box it will just work and then you can tighten up security having checked for yourself that it isn't going to cause compatibility issues. The problem is: nobody does! They just leave it at defaults. Your average home user isn't going to have a clue where to find this stuff, or what it means; and in corporate IT departments where they should understand it they also have to deal with possibly hundreds of different combinations of hardware and software, which makes changing these settings a risky affair.
The result is that the default settings Windows ships with are the settings the vast majority of computers actually use. If security is optional and not enabled out of the box it's just not going to happen. I am completely in favour of more secure defaults. People shouldn't be getting hacked because of an obsolete feature with known vulnerabilities that only exist to provide compatibility with a legacy service they don't even use; but that's exactly what keeps happening. So I get what they're doing and I support it to an extent. The problem with Windows 11 is they're not giving you secure defaults with the option to downgrade to Windows 10 defaults, they're just saying "No. You can't be trusted to make that decision."
Hardware requirements & security benefits
So what are the new hardware requirements? Well, in short you need a fairly recent processor and a trusted platform module - a TPM. Version two, specifically. The TPM enables the security features that Windows 11 is pushing. The first is Secure Boot, which ensures that when your computer starts up it will only allow trusted code to run. This prevents malware from inserting itself at start-up and taking control. The next is a suite of technologies that fall under the banner of virtualisation-based security, or VBS. Contrary to what has been reported by a number of YouTube channels, this button does not turn VBS on and off.
Memory Integrity is not another name for Virtualization-Based Security. It is in fact another name for Hypervisor-Protected Code Integrity - HVCI. This is a feature made possible by Virtualisation-Based Security but there are other technologies that fall under the VBS umbrella as well: like Credential Guard, System Guard Secure Launch, and System Management Mode Protection. Most of these are about preventing malware from compromising core parts of the system. HVCI for example prevents malware from injecting itself into your drivers, which should otherwise give it complete control of your computer.
Credential Guard makes it more difficult for malware to steal passwords from Windows. Another thing having a TPM will do for you is enabling hard drive encryption. You can encrypt your drive without a TPM, and there are more secure ways than relying on just a TPM, but having a TPM makes it a whole lot easier by making the process transparent. Most people with a TPM don't even realise the drive is encrypted. It's pretty cool!
The reason for requiring a new processor is a little bit weaker. What it really comes down to is that the newer processors have hardware support for VBS, whereas older processors have to run more in software and this has a performance impact. Microsoft have mandated the use of VBS so they've also mandated the use of CPUs that will provide the best experience when using VBS. They also make an argument about CPU driver reliability but I'm not really sold on this, because it's not new. They brought the same rules in for Windows 10 a few years ago. If your CPU is unreliable in Windows 10 it will still be unreliable on Windows 11, but staying on Windows 10 isn't going to make it any better, so...
Does it really matter?
I suppose the big question is "Does any of this actually matter?" The one feature I think everyone should think very carefully about before skipping is hard drive encryption. For me this is a must-have, and the main reason to use a TPM (even if it's not strictly necessary for it). If your hard drive isn't encrypted then if your computer gets lost or stolen anyone with access to it can easily read all of your data. With the amount of personal and financial information on your devices these days I think there's a very good argument for saying they ought to be encrypted.
When it comes to the Virtualisation-Based Security features, though... it really depends on whether you're a business or a home user. Having more security is always a good idea but practically speaking if you're a home user and somebody has compromised your device to the point where these features start to matter the reality is they've probably got all of your data anyway. For businesses there's a much stronger case for requiring VBS because it could be the difference between the bad guys getting one person's data and stealing all of the data in the business.
The risk of being unsupported
There is, however, one more reason you might want to avoid bypassing Microsoft's compatibility checks, and it's a pretty important one. Microsoft have said that whilst there isn't actually a hard reason to require this newer hardware today, they reserve the right to release an update in the future that legitimately relies on their Windows 11 minimum hardware requirements. If that happens (and it is very much a hypothetical right now but if it happens) then you won't be able to install the update.
That will have a knock-on effect by preventing you from installing any future updates, which will in turn leave your device vulnerable to bugs and exploitation. Let me be clear that whilst this is a hypothetical future we're talking about, it would be a really bad place to be. It could potentially allow people to hack your device at will. A lot of software vendors will also follow the rule of "If Microsoft don't support it then neither do we."
So you may also invalidate support for other applications, which is an important consideration for businesses. I'm not going to tell you that you shouldn't bypass the restrictions because of this. That would make me a hypocrite. But I am going to say that if you choose to do this then you become responsible for making sure you are still getting updates. If in the future Microsoft follow through on this warning and release an update that relies on supported hardware that you don't have, then you need to get yourself off Windows 11 or you will be at risk. If you're a business: don't risk your software support. Windows 10 will be supported until October 2025. Stay on that or upgrade properly. If you've understood and are comfortable with the risks I've mentioned and you want to upgrade to Windows 11 anyway, then watch on.
You might have a hidden TPM
If the only thing preventing you from upgrading is that you don't have a TPM then before bypassing anything you should check to see if maybe you do have a TPM that you can simply enable. Believe it or not this is very common. Traditionally, having a TPM meant having a dedicated hardware device like this installed in your PC, but both AMD and Intel now have their own onboard versions.
AMD's is called fTPM and is built into the system firmware. Intel's is called PTT and is part of the processor. Both of these offer the same functions as a real hardware TPM and can be used to run Windows 11; but until recently these features were often disabled by default. So if your processor's up to spec but you're getting the warning about not having the TPM, have a look in your BIOS for fTPM on AMD machines or PTT on Intel machines and see if you can simply turn it on.
The same goes for Secure Boot. It might just need to be enabled in the BIOS. You may need to refer to your computer or motherboard's manual if you're not familiar with using the BIOS. Usually, you can get into it by pressing a key as the computer starts. It varies between manufacturers but one way that should work for everyone is to hold shift whilst restarting Windows. Then choose "Troubleshoot", "UEFI Firmware Settings" (you may need to choose "Advanced Options" first) and "Restart". Then have a look around and see what you can find. Maybe you'll be able to install Windows 11 without any workarounds at all. Assuming you don't find a hidden TPM, or the TPM wasn't your problem, then let's move on to bypasses.
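Before going into the firmware it helps to see what Windows itself currently reports. The following PowerShell is an added example, not part of the original article; the function name `Get-Win11SecurityHardware` is made up for illustration, and it assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example: report what Windows currently sees for TPM and Secure Boot.
# Run elevated; without admin rights the TPM query returns nothing.

function Get-Win11SecurityHardware {
    $result = [ordered]@{
        TpmPresent     = $false
        TpmEnabled     = $false
        TpmSpecVersion = $null
        SecureBoot     = 'Unknown'
    }

    # Win32_Tpm lives in its own WMI namespace; no instance means Windows sees no TPM
    # (absent, or switched off in firmware as fTPM/PTT often is).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = $true
        $result.TpmEnabled = [bool]$tpm.IsEnabled_InitialValue
        # SpecVersion is a comma-separated string; the first field is the TPM version.
        $result.TpmSpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    }

    # Confirm-SecureBootUEFI returns True/False on UEFI systems and throws on
    # legacy BIOS systems or when the session is not elevated.
    try {
        $result.SecureBoot = if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' }
    } catch {
        $result.SecureBoot = "Unavailable: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

$hw = Get-Win11SecurityHardware
$hw | Format-List

if (-not $hw.TpmPresent) {
    'No TPM visible to Windows: look in firmware setup for fTPM (AMD) or PTT (Intel).'
} elseif ($hw.TpmSpecVersion -ne '2.0') {
    "TPM $($hw.TpmSpecVersion) found: older than the version 2.0 that Windows 11 asks for."
}
if ($hw.SecureBoot -ne 'On') {
    'Secure Boot is not on: check whether it can be enabled in firmware setup.'
}
```

If the TPM only shows up after enabling fTPM or PTT in the firmware, run the script again to confirm that Windows now reports version 2.0.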
Upgrading with an older CPU/TPM
If you do have a TPM but either your processor is too old or your TPM is version 1.2 instead of 2.0 then you're in luck! Microsoft do let you upgrade. They tell you not to, of course; but then they go ahead and publish a way to do it, whilst again warning you not to. If you want to do an in-place upgrade, download the Windows 11 disk image (I'll put a link in the description), double-click it to mount it as a virtual DVD drive and run "Setup". This will tell you your hardware is too old, but we can get that problem to go away.
Go to your Start menu and open Registry Editor. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup. If that last one doesn't exist you can create it from the Setup folder above it by right-clicking and choosing "New" then "Key". Now right-click on the right-hand side and choose "New" then "DWORD". Name it "AllowUpgradesWithUnsupportedTPMOrCPU". I'll link the official documentation for this so you can copy-paste it. There are no spaces in it. Double-click it and change the value to 1.
Now run Setup again and this time it won't complain. If you want to do a fresh install it's even easier because when you install from USB it doesn't bother to check this. I'm guessing the assumption is that if you're doing this you probably know a bit more than the average computer user so they just let you get on with it. To do this, use the link to "Create Windows 11 Installation Media" on the download page I linked earlier. Create a USB installer then boot your computer from it. Again, see your manufacturer's instructions to find the boot menu or adjust your BIOS as needed, but for most people you can simply restart whilst holding the shift key again and choose "Use a device" and "USB storage".
From here, just run through the Windows installation. If you're new to all of this then for the sake of time I'm not going to do a Windows installation tutorial, but you can find those on YouTube. Just be aware that whilst I consider a fresh install to be the best way to install Windows it will wipe all of your applications and data, so make sure you've got them backed up and can restore or reinstall what you need afterwards. But this method still requires you to have an old TPM!
Upgrading without a TPM
What if you don't have a TPM at all? There's no semi-official way to do an in-place upgrade, but you can do a fresh install from USB. Be warned, though. Whilst the previous method to use an older TPM is strongly discouraged by Microsoft but still kind of allowed, installing Windows 11 without a TPM is more likely to cause you problems in the future. It remains to be seen, but if the insider previews are anything to go by it's quite possible that you may not be able to install the major annual updates without wiping your computer and reinstalling from scratch each time. Assuming they don't block it outright, of course!
Right now we don't know, but we'll probably get our answer in October 2022. Bear that in mind, though. If you continue with this approach that is a risk you're taking. If you click through the USB install you'll hit this block page telling you your PC doesn't meet the minimum system requirements. It's OK. Just click back a step and then hold shift and press F10. A command prompt will appear. Type "regedit" (that's r-e-g-e-d-i-t) and press Enter. Starting to look familiar, isn't it?
This time we want to go to HKEY_LOCAL_MACHINE\SYSTEM\Setup then right-click and create a new key called "LabConfig" (no spaces). You need to add one or more entries depending what checks you want to bypass. In each case it's a case of right-clicking and adding a new DWORD. To bypass the TPM check, name it "BypassTPMCheck". To bypass the Secure Boot check, name it "BypassSecureBootCheck". To bypass the minimum memory requirements it's "BypassRAMCheck", but honestly: I wouldn't. If you have less than the 4 GB Windows 11 asks for it's going to be a bad experience. In each case double-click and set the value to 1. Close your registry editor and command prompt and click "Next" to try the setup again, and no more block page! You can continue as normal.
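Because a machine installed this way is the one that may stop receiving updates later, it is worth being able to tell afterwards whether any of these values were set. The following PowerShell is an added example, not part of the original article; the function name `Get-SetupBypassValue` is made up for illustration, and the registry paths and value names are the ones given above.

```powershell
# Added example: report which of the setup bypass values named in this article
# are present in the running system's registry. Read-only; changes nothing.
#
# Assumption: values typed into the installer's registry editor (Shift+F10)
# belong to the setup environment, so the LabConfig entries may not be present
# in the installed system. They are checked in case they were set in the running OS.

$bypassValues = @(
    @{ Path = 'HKLM:\SYSTEM\Setup\MoSetup';   Name = 'AllowUpgradesWithUnsupportedTPMOrCPU' }
    @{ Path = 'HKLM:\SYSTEM\Setup\LabConfig'; Name = 'BypassTPMCheck' }
    @{ Path = 'HKLM:\SYSTEM\Setup\LabConfig'; Name = 'BypassSecureBootCheck' }
    @{ Path = 'HKLM:\SYSTEM\Setup\LabConfig'; Name = 'BypassRAMCheck' }
)

function Get-SetupBypassValue {
    param([hashtable[]]$Checks)

    foreach ($c in $Checks) {
        $data = $null
        # A missing key or value produces a non-terminating error; suppress it
        # and report the entry as not set.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $data = $item.($c.Name) }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Key       = $c.Path
            Value     = $c.Name
            Data      = $data
            BypassSet = ($data -eq 1)   # the article sets each of these to 1
        }
    }
}

$report = Get-SetupBypassValue -Checks $bypassValues
$report | Format-Table -AutoSize

$set = @($report | Where-Object BypassSet)
if ($set.Count -gt 0) {
    "$($set.Count) bypass value(s) set: keep checking that this machine still receives updates."
} else {
    'No setup bypass values found in the running system.'
}
```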
Removing the watermark
One thing that has appeared recently in the insider builds is a watermark on the desktop warning if your hardware is unsupported. This may or may not make it into the general release of Windows. At present there is yet another registry tweak you can make to get rid of it, but again this may change. If it stays the same, the registry path is HKEY_CURRENT_USER\Control Panel\UnsupportedHardwareNotificationCache (with no spaces), then a DWORD entry called SV2. This time the value should be set to 0.
One final option
So there you go - it is possible to install Windows 11 even if it tells you otherwise. Whether you should or not, I'll leave that up to you. If you don't want to stay on Windows 10 and you don't want to kludge your way into Windows 11, then there is one other option. You could ditch Windows altogether and install Linux instead. If you want to know what it's like then check out this video where I did just that and switched to Linux on my laptop for a couple of weeks. There were good things. There were bad things. You should watch the video. And you should hit the like button. And subscribe.