
Next version of Windows event... Windows 11 -> Ended

GoodBytes
1 hour ago, Kilrah said:

Response to an environment getting slightly tighter requirements -> moving to a much tighter one? Makes perfect sense... 🤔

Not really true, macOS will boot even if you fully turn off secure boot, in many ways this move to Windows 11 to only boot with secure boot turned on (aka you can't boot if you modify the kernel) means it is much more locked down than macOS is.

The new M1 systems even let you set this security setting on a per-partition basis, so you can keep your main OS install fully secure (as your employer might require...) but still have a playground install where you can write your own kernel drivers/patch things as much as you like. By default macOS has lots of controls, but you can turn them all off if you want to and fully tinker. Also, having large parts of the kernel being open source makes modifying and understanding the kernel simpler than doing so on the NT kernel (unless you go find one of those illegal source code leaks that happened a few years ago...).

The narrative that macOS is more locked down than Windows has always been false, but it is even more so now.


2 minutes ago, hishnash said:

 in many ways this move to windows 11 to only boot with secure boot turned on 

Wrong. SecureBoot *capable*. 


6 minutes ago, Tieox said:

Yup, requiring a TPM is just a racket to sell more Intel processors. Ma and Pa see an Intel sticker on their PC, take it to a store and ask for a new Intel PC.

 

5 minutes ago, hishnash said:

Does it also require the TPM to be used for disk encryption?

For BitLocker, yes, TPM is mandatory. Otherwise you do it ghetto style with a USB flash drive stuck in a port. Though that might change in Windows 11 to be TPM regardless.

 

Per Microsoft

  • BitLocker Drive Encryption (available with Windows 10 Pro or Windows 10 Enterprise only) requires a Trusted Platform Module (TPM) 1.2 or higher and Trusted Computing Group (TCG)-compliant BIOS or UEFI. BitLocker can be used on devices without TPM, but you will need to save a startup key on a removable device such as a USB flash drive. TPM 2.0 and InstantGo support is required when you want to automatically encrypt the local drive when joining a device to Azure Active Directory (AAD). Check with your PC manufacturer to confirm if your device supports the correct TPM version and InstantGo for the scenario you want to enable.

As to whether you have a TPM chip, it will say in Device Manager. Alternatively you can check with the tpm.msc command.
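For anyone who wants to gather the facts this thread keeps arguing over (TPM presence and spec version, UEFI vs. legacy firmware, whether Secure Boot is currently enforced rather than merely available, and whether BitLocker is actually protecting the OS drive) in one go, here is a report script to run from an elevated PowerShell prompt. This is an added example, not StDragon's or Microsoft's code; the report layout is my own, and it relies only on the built-in TrustedPlatformModule, SecureBoot and BitLocker cmdlets (the last is missing on Home editions, which the script reports as not available).

```powershell
# Added example: collect the platform facts under discussion into one report.
# Run from an elevated prompt; Get-Tpm and Confirm-SecureBootUEFI need admin rights.

function Get-PlatformSecurityReport {
    $report = [ordered]@{}

    # --- TPM: presence, readiness and spec version (discrete chip or fTPM alike) ---
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $report.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $report.TpmReady   = [bool]($tpm -and $tpm.TpmReady)
    # Win32_Tpm.SpecVersion is "<spec>, <level>, <errata>", e.g. "2.0, 0, 1.38"
    $wmiTpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report.TpmSpecVersion  = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $report.TpmManufacturer = if ($tpm) { $tpm.ManufacturerIdTxt } else { 'none' }

    # --- Firmware: UEFI vs legacy BIOS, and whether Secure Boot is enforced right now ---
    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy'. "Secure Boot capable"
    # (UEFI firmware, Secure Boot switched off) is a different state from "enabled".
    $report.FirmwareType = $env:firmware_type
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Throws on legacy BIOS systems, where Secure Boot does not exist at all
        $report.SecureBootEnabled = 'not supported'
    }

    # --- BitLocker: Pro/Enterprise only; Home has no BitLocker module to query ---
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $report.BitLockerStatus = "$($os.VolumeStatus) / protection $($os.ProtectionStatus)"
        # Which protector unlocks the OS drive: Tpm, TpmPin, ExternalKey (USB startup key), ...
        $report.BitLockerProtectors = ($os.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
    } else {
        $report.BitLockerStatus     = 'not available on this edition'
        $report.BitLockerProtectors = 'n/a'
    }

    [pscustomobject]$report
}

Get-PlatformSecurityReport | Format-List
```

A result of TpmPresent true with TpmSpecVersion 2.0 and SecureBootEnabled false is exactly the "Secure Boot capable but not turned on" state discussed above; an ExternalKey protector with no Tpm entry is the USB startup-key fallback the Microsoft quote describes.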


7 minutes ago, Radium_Angel said:

I'd like to see some proof that they are, this would be the 1st time I've heard about this, other than the...16.04 (IIRC) Ubuntu bit that you could disable, where it sent your search queries back to HQ.

Ubuntu logs keystrokes in exactly the same way that Windows does. And the system logs are user-facing, so they are accessible to most applications that are running outside of a sandbox such as a VM. (See Daemon Listening Services).

They also include a bunch of software from Mozilla, which is also a telemetry monster now (still better than Chrome by a mile, but "better than the other guy" isn't the same as "good").


2 hours ago, DeScruff said:

and more than anything just gets in the way of someone who wants to install a different OS on their system?

So it is possible to build a secure boot system that has settings per partition (see M1 Macs, which let you set these settings on a per-partition basis). It is also possible to build a secure boot system that lets the user self-sign kernels (again, see M1). This lets you have the security of secure boot (a virus etc. can't just modify the kernel) while still being able to boot anything you like.

The issue is that doing this requires effort from the hardware vendor and is way too complex for a UEFI-implemented secure boot; you would need a much more advanced (and costly) solution.

Also worth noting: UEFI-based secure boot is a little bit of a joke, since with physical access it is possible to inject code into the UEFI (over PCIe) before it has time to isolate the PCIe from full DMA... there was a demonstration of this attack on many TB machines a few years ago, letting a modified TB controller chip install a key logger into the UEFI...


2 minutes ago, Forbidden Wafer said:

Wrong. SecureBoot *capable*. 

You can still boot with it turned off? Everything I have seen says you must have secure boot turned on.


Remember that TPM 2.0 by Infineon had major chip flaws and had the doors blown wide open, and Windows now has to work around that. Secure Boot is also not considered super-secure by Microsoft themselves, which is why they came up with "Trusted Core" computers. 


5 minutes ago, StDragon said:

 

For BitLocker, yes, TPM is mandatory. Otherwise you do it ghetto style with a USB flash drive stuck in a port. Though that might change in Windows 11 to be TPM regardless.

 

Per Microsoft

  • BitLocker Drive Encryption (available with Windows 10 Pro or Windows 10 Enterprise only) requires a Trusted Platform Module (TPM) 1.2 or higher and Trusted Computing Group (TCG)-compliant BIOS or UEFI. BitLocker can be used on devices without TPM, but you will need to save a startup key on a removable device such as a USB flash drive. TPM 2.0 and InstantGo support is required when you want to automatically encrypt the local drive when joining a device to Azure Active Directory (AAD). Check with your PC manufacturer to confirm if your device supports the correct TPM version and InstantGo for the scenario you want to enable.

As to whether you have a TPM chip, it will say in Device Manager. Alternatively you can check with the tpm.msc command.

So could the TPM requirement be for users of BitLocker and not mandatory for those who don't wish to use it? And this WHOLE damn thing is a misunderstanding of the requirements being listed for use of all features?

PC - NZXT H510 Elite, Ryzen 5600, 16GB DDR3200 2x8GB, EVGA 3070 FTW3 Ultra, Asus VG278HQ 165hz,

 

Mac - 1.4ghz i5, 4GB DDR3 1600mhz, Intel HD 5000.  x2

 

Endlessly wishing for a BBQ in space.


3 minutes ago, hishnash said:

You can still boot with it turned off? Everything I have seen says you must have secure boot turned on.

People installing from scratch on a leaked build.


Just now, Tieox said:

So could the TPM requirement be for users of BitLocker and not mandatory for those who don't wish to use it? And this WHOLE damn thing is a misunderstanding of the requirements being listed for use of all features?

Incorrect. TPM 1.2 is a hard requirement that must be fulfilled to load Windows 11, with TPM 2.0 recommended. Even though BitLocker, which isn't on Windows 11 Home, is the only thing that would use it right now. 


Just now, Tieox said:

BitLocker and not mandatory for those who don't wish to use it? And this WHOLE damn thing is a misunderstanding of the requirements being listed for use of all features?

Or maybe you are required to use BitLocker at all times... like on Apple devices, where even if you do not turn on disk encryption the disk is encrypted, just without a password. Turning it on really is just changing how the encryption key is generated.


Just now, gjsman said:

Incorrect. TPM 1.2 is a hard requirement that must be fulfilled to load Windows 11, with TPM 2.0 recommended. Even though BitLocker, which isn't on Windows 11 Home, is the only thing that would use it right now. 

WHAT THE FUCKING FUCK MCFUCK, a requirement for an integrated tool not even included in the bloody operating system version?


What's angering about this too is that unlike the Secure Enclave on the M1 or even T2, the TPM has been blown wide open previously. Infineon TPM chips had major problems that Windows now has to work around, and the Intel fTPM (built-in to the Intel processor) was also broken. So it's a mandatory standard to use a broken standard. 


1 minute ago, Tieox said:

WHAT THE FUCKING FUCK MCFUCK, a requirement for an integrated tool not even included in the bloody operating system version?

 

 

Yes. Serious. 


Oh, and there's that too. Microsoft only officially supports 8th Gen Intel and newer, or 2nd Gen Ryzen and newer, or any Qualcomm Snapdragon except the original 835. You can install on lower processors if you have the TPM, but Microsoft will smash you with warnings first that this configuration is not supported. 


3 minutes ago, Tieox said:

WHAT THE FUCKING FUCK MCFUCK, a requirement for an integrated tool not even included in the bloody operating system version?

The OS isn't released. It's still in development.


Just now, GoodBytes said:

The OS isn't released.

Microsoft's official Enterprise documentation and Windows Blog all say that TPM 1.2 is a hard requirement and TPM 2.0 is a soft requirement and that installing without a TPM will not be supported at all. 

 

The TPM 2.0 requirement in the ISO was, in fact, not an error. A TPM is indeed required. 


1 minute ago, gjsman said:

What's angering about this too is that unlike the Secure Enclave on the M1 or even T2, the TPM has been blown wide open previously. Infineon TPM chips had major problems that Windows now has to work around, and the Intel fTPM (built-in to the Intel processor) was also broken. So it's a mandatory standard to use a broken standard. 

yer... well, MS likely get royalties for the IP in the TPM for every system sold with them... 😉


1 minute ago, GoodBytes said:

The OS isn't released.

The requirements are, and as I can see, my GF's Skylake system, a perfectly usable system, is going to need a TPM module, which of course is out of stock everywhere. Why? Because it's required for a feature she will never use, and one that is not even included in the Home version.

 

FANTASTIC.

 

Whoever decided upon this needs sending into the sun.


8 minutes ago, gjsman said:

Incorrect. TPM 1.2 is a hard requirement that must be fulfilled to load Windows 11, with TPM 2.0 recommended. Even though BitLocker, which isn't on Windows 11 Home, is the only thing that would use it right now. 

 

Apparently there's a firmware implementation of TPM called fTPM that I wasn't aware of. 🤔

 

You can read about it on Tom's Hardware and a Reddit thread.

 

But yes, TPM is a physical chip that holds keys to decrypt the boot drive that's encrypted with BitLocker. I'm just not sure if enabling BitLocker is required. If not, then in theory fTPM should suffice.


13 minutes ago, OrdinaryPhil said:

Ubuntu logs keystrokes in exactly the same way that Windows does. And the system logs are user-facing, so they are accessible to most applications that are running outside of a sandbox such as a VM. (See Daemon Listening Services).

They also include a bunch of software from Mozilla, which is also a telemetry monster now (still better than Chrome by a mile, but "better than the other guy" isn't the same as "good").

Mozilla aside, we are talking about the OS. And while I may not be the best at searching for this stuff, all I found was this:

https://www.omgubuntu.co.uk/2018/05/this-is-the-data-ubuntu-collects-about-your-system

 

So if you have any proof of this, please, please post it! I use Linux, and I'd like to be educated about this.

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 


3 minutes ago, StDragon said:

 

 

Apparently there's a firmware implementation of TPM called fTPM that I wasn't aware of. 🤔

 

You can read about it on Tom's Hardware and a Reddit thread.

 

But yes, TPM is a physical chip that holds keys to decrypt the boot drive that's encrypted with BitLocker. I'm just not sure if enabling BitLocker is required. If not, then in theory fTPM should suffice.

Yes, fTPM, which is on 2013 and newer Intel processors (and I'm not sure which AMD version it started appearing in), should help most people. However, it's disabled by default in the UEFI, and not every UEFI exposes a control to enable it or works correctly when trying to turn it on. Each UEFI also seems to have a different name for it. Also, this doesn't change that only 8th gen Intel and 2nd gen Ryzen and newer are officially supported, and you'll need to dismiss warnings before you can install on anything lower.


2 hours ago, LAwLz said:

I also find the TPM 2.0 requirement weird.

I get dumping some hardware because you want to get rid of some legacy stuff, but in the case of TPM 2.0 it is adding more dependencies even though it seems like there are no technical reasons for requiring it.

I don't see the point in requiring TPM at all, it doesn't make sense for Win11 home, the average person doesn't need that level of security.


Just now, Blademaster91 said:

I don't see the point in requiring TPM at all, it doesn't make sense for Win11 home, the average person doesn't need that level of security.

You and me both, especially considering fTPM and TPM 2.0 by Infineon were both broken years ago. 
