If you’re still wondering just why your relatively recent computer may get abandoned by Windows 11, it’s likely because your CPU’s performance would take a nose dive when all of the security features in the new operating system are enabled.
In an in-depth interview with Microsoft’s security skipper David Weston, Branscombe reports that many of the bombshell hardware requirements come from enabling the hardware virtualization features called Virtualization-Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI).
“Virtualization Based Security is on by default. Obviously the TPM is there, so that’s going to give us the ability to do BitLocker in Windows Hello in more default scenarios,” Weston told Branscombe. “Those are going to allow commercial enterprises to do zero trust and take advantage of things like System Guard. There’s a lot of out-of-the-box security value. I want people to flip their laptop open and feel they are much better protected, and we know that they will be, based on looking at threat intelligence versus the default we changed.”
Did Microsoft do this to sell more new PCs?!
And no Internet, this change isn’t just to sell more PCs (which have already been skyrocketing), it’s to make PCs more secure, Microsoft said.
“If you look at the major attacks out there, whether that’s ransomware or phishing, we’ve struck directly at mitigating those, or at least making them much, much better protected on Windows 11,” Weston told Branscombe.
While you probably acknowledge the value of security, we know you’re also probably still wondering how “security” explains why a 7th-gen Core i7-7500U “Kaby Lake” doesn’t pass Windows 11’s smell test while a Core i7-8550U “Kaby Lake R” does? And perhaps even more infuriating, in what world does an Intel Atom x6500FE get to put on a Windows 11 jersey but a 16-core Ryzen Threadripper 1950X gets cut from the team?
Branscombe explains the reason isn’t arbitrary as it looks: “The breadth and variety of the PC ecosystem makes the specification more complicated than you might think. Intel 8th generation CPUs, AMD Zen 2 and Qualcomm 7 and 8 Series have the right hardware features for security, reliability and performance; they also have full support. While 7th generation and AMD Zen CPUs have the hardware features, they have what Microsoft described to us as ‘limited support’, so one of the things the Windows Insider releases of Windows 11 will show is exactly which of those earlier processors will deliver a good enough experience to be supported” Branscombe reports.
Weston also told TechRepublic Microsoft aimed for a median of hardware.
“We looked at a median that we thought was right in the target range of folks who are going to adopt Windows 11, and then we looked at performance and reliability and what features are available—the virtualization necessary for Android apps, what drivers are available, security features and having efficient security…that was all factored into the decision,” Weston told TechRepublic.
Performance just might stink with all the security on
For those who doubt there’s much of a difference between a 7th-gen Kaby Lake and an 8th-gen Whiskey Lake chip, well, there likely is but it just hasn’t been very visible. During Microsoft’s big push for its Secured-Core PCs for Windows 10—essentially hardened PCs aimed at business users—there were numerous anecdotal reports of major performance hits by enabling aspects of the Secured-Core PC on older computers. Daniel Aleksandersen wrote about how his 7-year-old Windows 10 ThinkPad laptop was slowed to a crawl when HVCI was errantly turned on on his Core i5-3472U CPU.
Others have reported that turning on Secured Core features on Intel’s 6th-gen Skylake would impact performance by as much as 30 percent, which might explain why fairly recent 6th gen chips got cut. But what explains Intel’s $2,000 18-core Skylake-X chip? We initially thought the CPU was a mirror of the cores from the mainstream version, but it turns out the Skylake-X cores are revised supports running HVCI as well as Kaby Lake does.
Skylake isn’t Kaby Lake isn’t Coffee Lake after all
The lack of visibility of the security features which Intel and AMD have added into the CPUs over time may add to the confusion. The casual, cynical nature the press and hardware community has taken with recent CPU designs, especially Intel’s chips, probably doesn’t help either.
Remember that people often dismissed Intel’s generational changes from 6th-gen to 7th-, 8th- and beyond as all the “same old thing with a couple more cores.” While that may have been true on the performance side, that viewpoint largely seems to have overlooked the low-visibility security changes over the years.
Likewise, while the move from AMD’s original Ryzen 1000 (based on the Zen architecture) to the Ryzen 2000-series (based on Zen+) was also viewed as mostly an improvement in pricing, the Zen 2 cores improved performance with HVCI and Mode Based Execution Control.
Microsoft’s own guidance from 2019 said CPUs without the feature (Skylake and older as well as Ryzen 1000) “will rely on an emulation of this feature, called Restricted User Mode, which has a bigger impact on performance.”
There’s also no guarantee even recent CPUs will do all that well either. Dell’s guidance to customers of its commercial Secured-core Latitude or Precision notebooks warned that yeah, those seeing slow downs? That’s a feature.
“There is no failure occurring in these systems,” Dell’s support note says. “While working within the design limitations of Windows 10 and the system design, the reduction in performance is inherent to the behavior of HVCI/VBS. If the performance impact is too large, HVCI/VBS can be disabled via one of the methods in the following Microsoft document.”
There’s also the larger question of why Microsoft won’t simply let people turn off those security features if they slow down the computers so much, but that’s a different discussion around how forward Microsoft wants to move the chain on improving the baseline security of every Windows 11 PC.
For now at least, it does look like any moves to limit 4th-gen, 5th-gen and 6th-gen Intel chips and AMD’s Ryzen 1000 (or older) CPUs is at least based on actual performance when running under the strictest security guidelines, and not just a cynical way to sell more new computers.
(Update: Our original story believed Intel’s Skylake-X chips did not support Mode Based Execution Control when the CPU does.)