Windows 11

ubuysa

The BSOD Doctor
Under "Peripherals" on my Gigabyte Z170 motherboard. "Intel Platform Trust Technology"
There is no "Peripherals" option on my Asus Z170 board. I've been through every available BIOS setting and PTT is most definitely not available. The board does have a TPM2.0 header and that's where the on-order TPM2.0 module is going. Thanks for the help though. :)
 

SpyderTracks

We love you Ukraine
A very handy guide on how to get windows 11 installed on almost any hardware, obviously this could well change at any time if Microsoft decide to lock it down:

 

ubuysa

The BSOD Doctor
Earlier in this thread I said I'd report back once my TPM2.0 module arrives and I've turned HVCI on and done some testing. Well it arrived yesterday so this morning (whilst my wife was swimming and I can make a mess without being nagged about it!) I installed the TPM module and (eventually) activated HVCI.

I thought some might be interested in the process of getting the module fitted and turning HVCI on....

The module itself is tiny....
TPM module.jpg

It was a bit of a fiddle getting it fitted onto the TPM header on the motherboard, it would be very easy to bend the pins here if excessive force were used....
TPM installed.jpg

On rebooting I entered the BIOS setup, but the module had been detected and enabled. The Windows Security System settings showed the module details...
TPM Details.jpg

Turning Core Isolation (HVCI) on was less than straightforward however. The Core Isolation slider in the Security System settings could be turned on but on reboot it was off again. The Microsoft Device Guard Readiness Tool (it's a PowerShell script) has proved to be an extremely useful tool and ended up being the main way I manage HVCI, and I used this to see what was enabled and what was not.

The first time I used the Device Guard Readiness Tool to turn HVCI on all looked ok until the (necessary) reboot when it showed as being off again. A quick read-up on the requirements showed that UEFI MAT was required and when I investigated my BIOS setup to see what that was all about and whether it was on or not I found that the UEFI operating system was set to "Other OS". It's been that way since I got the PC so I don't think I've ever been using SecureBoot? I changed that to the Windows UEFI setting and suddenly everything worked.

The easy way to tell whether you're using SecureBoot (I've discovered) is to go to the Device Security screen in the Windows Security System...
SecureBoot.jpg

Notice the bottom Secure Boot option - that wasn't present until I changed the BIOS SecureBoot option. After that, using the Device Guard Readiness Tool I was able to turn HVCI on; you run the PowerShell script with the -Enable option. If you then use the -Ready option it will show you what's turned on. Here's mine after turning HVCI on...
DG Readiness Tool.jpg
(Note that I did do the necessary reboot after the -Enable option, I've shown both options here one after the other just for completeness).

You'll see that HVCI is on (that's Core Isolation) but that Credential-Guard is off. That's because this feature requires Hyper-V which is not available in the Home version of Windows 10 (will it be in Windows 11 I wonder?).

My performance testing of HVCI follows.....
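As an added example (not the poster's own script, and not the Device Guard Readiness Tool), here is a read-only PowerShell check that gathers the same facts the post establishes by hand: whether the TPM is present and ready, whether Secure Boot is actually on, what VBS/HVCI reports through the Win32_DeviceGuard class, and whether the Core Isolation registry switch is set. The property and service code tables are the ones documented for Win32_DeviceGuard; the warning at the end flags the "enabled but off again after reboot" state described above. Run it from an elevated prompt; it changes nothing.

```powershell
# Added example: read-only VBS/HVCI prerequisite and status check (not the forum post's code).
#Requires -RunAsAdministrator

function Get-HvciStatus {
    # 1. TPM present and initialised (what Windows Security shows under Security processor)
    $tpm = Get-Tpm

    # 2. Secure Boot: Confirm-SecureBootUEFI throws on legacy/CSM boot and returns $false
    #    when the firmware is UEFI but Secure Boot is off (e.g. the "Other OS" setting).
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # 3. VBS / HVCI as reported by the DeviceGuard WMI class
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Documented numeric codes for Win32_DeviceGuard
    $propNames = @{ 1='BaseVBS'; 2='SecureBoot'; 3='DMAProtection'; 4='SecureMemoryOverwrite'
                    5='NXProtections'; 6='SMMMitigations'; 7='MBEC' }
    $svcNames  = @{ 1='CredentialGuard'; 2='HVCI'; 3='SystemGuardSecureLaunch'; 4='SMMFirmwareMeasurement' }
    $vbsStates = @{ 0='Disabled'; 1='EnabledNotRunning'; 2='Running' }

    # Translate a list of codes to names, keeping unknown codes visible as numbers
    $decode = { param($codes, $table)
        ($codes | ForEach-Object { if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Code$_" } }) -join ',' }

    # 4. The registry value the Core Isolation "Memory integrity" slider flips
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvciReg = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        SecureBootOn        = $secureBoot
        VbsState            = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties = & $decode $dg.AvailableSecurityProperties $propNames
        ServicesConfigured  = & $decode $dg.SecurityServicesConfigured $svcNames
        ServicesRunning     = & $decode $dg.SecurityServicesRunning   $svcNames
        HvciRegistryEnabled = $hvciReg
    }
}

$status = Get-HvciStatus
$status | Format-List

# The symptom from the post: the slider (or -Enable) sets the registry value, but after
# the reboot HVCI is not actually running. Secure Boot off is the usual cause; a
# non-compliant driver or missing virtualisation support shows up the same way.
if ($status.HvciRegistryEnabled -eq 1 -and $status.ServicesRunning -notmatch 'HVCI') {
    Write-Warning 'HVCI is configured but not running: check Secure Boot (Windows UEFI mode) and driver compatibility.'
}
```

Compare ServicesConfigured with ServicesRunning: HVCI appearing in the first but not the second is the state the post describes, and SecureBootOn should be $true once the firmware is switched from "Other OS" to the Windows UEFI setting.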
 

ubuysa

The BSOD Doctor
The excellent Borec Blog on the performance issues of HVCI was my starting point for investigating the alleged performance issues. He reported a 30% to 40% performance degradation using HVCI based on a number of user scenario based tests, e.g. file copy, application open, zip extraction, math calculations etc. so I ran a few timed tests before installing the TPM module....

1. I did a file copy (with both source and destination on the same drive - because that's slower) of 10 movies from one folder to another. It took 2 mins 6 seconds to do them all.

2. I used 7ZIP to zip up the same 10 movies using the default setting and the standard zip algorithm. It took exactly 6 minutes to run.

3. I use the 5k Player for videos and if I double click a video to play it takes a few seconds for the player to start and the video to start playing. On a long movie (which must thus buffer) it took 4.13 seconds for the movie to start playing.

4. CorelDraw! also takes a long time to start up even with no drawing selected. I timed it at 9.68 seconds.

After installing the TPM module and enabling HVCI I ran exactly the same tests....

1. The file copy of the same 10 movies to the same destination took 2 minutes and 20 seconds (14 seconds slower).

2. The 7ZIP compression of the same 10 movies took 6 minutes and 22 seconds (22 seconds longer).

3. The 5k Player starting the same movie took 12 seconds until the movie started (7.87 seconds longer).

4. The CorelDraw! startup took 20 seconds (10.32 seconds longer).

Based on these very basic and simple tests, things like file copy and zip files do take longer but not 40% longer. Application startup however, for my slowest applications, does seem to experience much more than a 40% degradation. It's not all applications however. Browsers start normally, as do most (a large majority) of my apps, but those that don't start quickly (Calibre is another one) do take much longer to start. So far I've not noticed any other performance issues from having HVCI on.

I appreciate that there are other security issues in regards to running Windows 11 on a 6th Generation Intel CPU (the lack of SLAT support in the main), but based on this little set of tests the performance degradation from having HVCI on is not going to be sufficient for me to not give Windows 11 a try out. Microsoft say they won't support it but HVCI at least does not leave my "piddling little" CPU dead in the water.

I hope this helps some..... :)
 

B Poot

Bronze Level Poster
Thanks for sharing.
 

ubuysa

The BSOD Doctor
A further update for those interested....

After a couple of days I'm really not seeing a massive performance degradation with Core Isolation Memory Integrity (HVCI) turned on. The only area where it is at all noticeable is in application startup for some (but not all) applications and even after only a couple of days I've started to get used to the new timings. IMO Core Isolation Memory Integrity does have a noticeable performance impact in some areas on my i7-6700 but nothing that I can't easily live with.

After messing about with the Device Guard Readiness Tool I mentioned earlier, and/or using the Core Isolation slider to turn Memory Integrity on or off, I realised that you don't need to bother in any case! As soon as your PC meets all of the requirements for it (64-bit CPU, TPM2.0, DEP, SecureBoot, UEFI MAT and all drivers HVCI capable) Core Isolation Memory Integrity is turned on by default as soon as you boot...
 

ubuysa

The BSOD Doctor
I've come across something else related to Core Isolation Memory Integrity that may impact some on here? If you use a USB attached Western Digital (WD) HDD then this may be of interest, if not then you can close this now. :)

If you have a USB attached WD drive (as I do) then a device called the SES (SCSI Enclosure Services) will be installed along with its driver (wdcsam64_prewin8.sys). The SES device and driver are required if you're using any of the 'advanced' features of the external WD drive; features like WD Security, WD Utilities, WD backup etc. These features come pre-loaded on a new WD drive in the 'Extras' folder. If you just use your WD drive as an external data drive (as I do) and you don't make use of any of these WD services then you don't need the SES device and driver at all.

The reason that the wdcsam64_prewin8.sys driver is an issue is that it's not HVCI compliant and thus having it installed prevents you from turning the Memory Integrity feature on using the slider in Core Isolation. You can of course uninstall the SES device and driver in Device Manager and that will allow you to turn the Memory Integrity feature on in Core Isolation (and in fact this is the general advice on the Internet for resolving this conflict).

However, as soon as you plug your USB attached WD drive in again the SES device will be installed and, a short while later, the wdcsam64_prewin8.sys driver for it will also be automatically installed. This produces an unwanted result; you have Core Isolation Memory Integrity turned on AND you now have a non-HVCI compliant driver installed.

For me this is a seriously big hole in the whole HVCI security model. If you can't activate Memory Integrity with non-HVCI compliant drivers installed, then you should not be able to install non-HVCI compliant drivers once Memory Integrity is turned on - but you can. I have reported this inconsistency to Microsoft.

I suspect that as long as you don't use the wdcsam64_prewin8.sys driver there are no implications, it will just sit there. But if you do later decide to use any of the WD 'advanced' features (which requires the SES device and the wdcsam64_prewin8.sys driver), with Memory Integrity turned on, I'm not sure what will happen?

I suggest that if you're a USB attached WD drive owner you need to make a choice; either you use the Core Isolation Memory Integrity security feature, or you use one or more of the WD 'advanced' features. IMO it would be unwise to use both.

For those who don't use any of the WD 'advanced' features I've developed a much safer and more elegant workaround for the wdcsam64_prewin8.sys driver problem and that's really the point of my posting all this...

Here's how to remove the wdcsam64_prewin8.sys driver - and keep it uninstalled - so that you can safely turn Memory Integrity on.

1. First uninstall the SES device in Device Manager, be sure to check the box to uninstall the driver as well. Then unplug your USB attached WD drive. I would also reboot (with the WD drive disconnected).

2. On reboot open up Device Manager so you're ready for the next part, you need to complete the following steps before the wdcsam64_prewin8.sys driver is automatically reinstalled.

3. Plug in your USB attached WD drive. The SES device will immediately appear in Device Manager, it will show up in the Unknown Devices section because at this point it's a device without a driver.

4. Right-click on the SES device and select Disable.

That's it! With the SES device present but disabled the wdcsam64_prewin8.sys driver will never be installed. You can now safely turn the Memory Integrity feature of Core Isolation on without worrying whether the wdcsam64_prewin8.sys driver will later be reinstalled.

If you want to check whether the wdcsam64_prewin8.sys driver is present or not, look for the folder C:\Windows\System32\DriverStore\FileRepository\wdcsam.inf_amd64_7ce69fc8798d6116. If that folder exists then the wdcsam64_prewin8.sys driver is installed. If that folder doesn't exist then the driver is not installed.

BTW according to the Western Digital forums, WD apparently take the view that the SES device is required (because they want you to use their tools I guess) and thus the automatic reinstall of the wdcsam64_prewin8.sys driver is 'working as intended'.
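The checks and the workaround in the post above, as an added PowerShell example (this is not the poster's procedure verbatim and not Western Digital's tooling). It assumes two things the post does not state: that the SES device can be matched by the string "SES" in its PnP name (hypothetical match pattern; adjust after looking at Get-PnpDevice output), and that the DriverStore folder name's hash suffix varies by driver version, so it is matched with a wildcard rather than the exact folder name in the post. Run elevated.

```powershell
# Added example: detect the wdcsam64_prewin8.sys driver package and keep the WD SES
# device disabled so it is never reinstalled (not the forum post's own code).
#Requires -RunAsAdministrator

function Test-WdcsamDriverInstalled {
    # The post's check: a wdcsam.inf_amd64_<hash> folder in the DriverStore
    $repo    = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    $folders = @(Get-ChildItem -Path $repo -Directory -Filter 'wdcsam.inf_amd64_*' -ErrorAction SilentlyContinue)
    # Cross-check against the installed third-party driver list (same data as pnputil /enum-drivers)
    $pkgs = @(Get-WindowsDriver -Online | Where-Object { $_.OriginalFileName -like '*wdcsam.inf' })
    [pscustomobject]@{
        DriverStoreFolders = $folders.FullName
        PublishedNames     = $pkgs.Driver       # oemNN.inf names usable with pnputil
        Installed          = ($folders.Count -gt 0) -or ($pkgs.Count -gt 0)
    }
}

function Remove-WdcsamDriverPackage {
    # Step 1 of the post: remove the package from the store so it cannot be bound again
    foreach ($p in (Get-WindowsDriver -Online | Where-Object { $_.OriginalFileName -like '*wdcsam.inf' })) {
        & pnputil.exe /delete-driver $p.Driver /uninstall /force
    }
}

function Get-WdSesDevice {
    # Hypothetical match: any present PnP device whose name mentions SES. Devices with no
    # driver yet still appear (status Error/Unknown), which is the window the post relies on.
    Get-PnpDevice -PresentOnly | Where-Object { $_.FriendlyName -like '*SES*' -or $_.Name -like '*SES*' }
}

function Disable-WdSesDevice {
    # Steps 3-4 of the post: disable the driverless device so Plug and Play never installs
    # wdcsam64_prewin8.sys for it. The disabled state is stored per device instance, so it
    # survives unplugging and replugging the same drive.
    $devs = @(Get-WdSesDevice)
    if ($devs.Count -eq 0) { Write-Warning 'No SES device present; plug the WD drive in first.'; return }
    foreach ($d in $devs) {
        Write-Host "Disabling $($d.FriendlyName) [$($d.InstanceId)] (status: $($d.Status))"
        Disable-PnpDevice -InstanceId $d.InstanceId -Confirm:$false
    }
}

# Typical run, with the WD drive just plugged in after the reboot from step 1:
Test-WdcsamDriverInstalled      # expect Installed = False after step 1
Disable-WdSesDevice
Start-Sleep -Seconds 30         # give Plug and Play time to try a driver install
Test-WdcsamDriverInstalled      # still False: the disabled device gets no driver
```

The second Test-WdcsamDriverInstalled call after a short wait is the useful part: it confirms the race the post describes is actually won, rather than trusting that Device Manager looked right at the moment of the click. Running it again after the next replug of the drive checks the disabled state persisted.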
 

Scott

Behold The Ford Mondeo
Moderator
I say this with the greatest of respect. I think this is the tip of the iceberg. If you've found this "messing" around with your daily config, imagine what anyone with any real drive has found.

I've never been comfortable with "new" when it comes to software/drivers/hardware integration. Isolation just flat out scares me.
 

Scott

Behold The Ford Mondeo
Moderator
For poops and giggles I ran the compatibility checker. Passed no problem on my Surface Pro.

Desktop (9900k etc) isn't compatible but only because I haven't enabled TPM2.0. Simple enough to do through the BIOS.

Laptop with the 6700k is a no-go, incompatible processor. Which is just ridiculous.
 

SpyderTracks

We love you Ukraine
For poops and giggles I ran the compatibility checker. Passed no problem on my Surface Pro.

Desktop (9900k etc) isn't compatible but only because I haven't enabled TPM2.0. Simple enough to do through the BIOS.

Laptop with the 6700k is a no-go, incompatible processor. Which is just ridiculous.
I know Asus have, and I think other manufacturers have too: all the latest beta BIOSes just simply turn on TPM 2 and get it all set up for Windows 11.


The recent leaks from microsoft are that they're going to allow the hardware to be installed on "incompatible" hardware, but they won't issue security updates to them.


I can't see how they'll stick to that, there's already a huge backlash, I have no doubt they'll cave, although likely some time after release date in October.
 

Scott

Behold The Ford Mondeo
Moderator
Everything is enabled on the laptop, it's literally the fact that anything under an 8 series intel is incompatible.... at the moment. Everything else got a tick, TPM2.0 etc... all checked out.

I have no doubt I'll easily get around this, or that M$ might even open up the compatibility, but at this moment in time.... computer says no.
 

SpyderTracks

We love you Ukraine
Everything is enabled on the laptop, it's literally the fact that anything under an 8 series intel is incompatible.... at the moment. Everything else got a tick, TPM2.0 etc... all checked out.

I have no doubt I'll easily get around this, or that M$ might even open up the compatibility, but at this moment in time.... computer says no.
Oh, yeah, wasn't suggesting the BIOS update for yourself, I know you know what you're doing, more for others on this thread.

But yeah, the no security updates nonsense is just ridiculous.

But they're taking the same attitude in the cloud as well, the new Intune which is replacing SCCM is extremely strict on version compatibility, you have to be within quite a tight version window.

In some ways I get it, an awful lot of errors are down to legacy support of drivers and hardware, but still, it's one of the reasons windows is favoured over others.
 