Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Windows 11 System Requirements Announced - does it pose any issues?

Featured Replies

According to MS post here (https://download.microsoft.com/download/7/8/8/788bf5ab-0751-4928-a22c-dffdc23c27f2/Minimum%20Hardware%20Requirements%20for%20Windows%2011.pdf) VM machines are exempt from the requirements:

There will be some exceptions to Microsoft’s new rules, though. “Windows 11 does not apply the hardware-compliance check for virtualized instances either during setup or upgrade,” notes a Microsoft document (PDF) on minimum hardware requirements for Windows 11. That means if you run Windows 11 as a virtual machine, you can ignore the CPU and security requirements. That flies in the face of Microsoft’s big security push here, but the reality is that most consumers and commercial customers won’t be running Windows 11 in a VM.

23 hours ago, Sjaddy said:

That means if you run Windows 11 as a virtual machine, you can ignore the CPU and security requirements. That flies in the face of Microsoft’s big security push here


Does it though? The point of MS's security requirements is to prevent malware from affecting the PC at boot time. Well, we're talking about VMs here, which does not have the same risk associated with it. By definition, the VM is separated from the hardware boot BIOS/firmware, right? It's one of the reasons to run a VM: to separate the OS from the hardware layer.

17 hours ago, quasihellfish said:

Well, we're talking about VMs here, which does not have the same risk associated with it. By definition, the VM is separated from the hardware boot BIOS/firmware, right?

It really depends on how you use the vm.

Most of users, including me, are using one or more vm just as if they use a traditional pc: if this is the case, we want performance on our vm, so we start to passthrough hardware, cpu, gpu, sata controllers. nvme drives, usb controllers, ethernet cards, etc.

Why we do this?

In my case I'm using a mac os vm with most hardware passed through, I decided to go with a vm because it's faster to set up the environment and you have less headache, moreover I have a complete separated environment, so the bootloader cannot mess with windows 10 installed on another drive, which I boot bare metal.

Others prefer performance vms because they can have "more computers" into the same pc, for example different vms for different operating systems, different vms for different fields (school, work, media, firewall, gaming, etc.).

Virtual machines can boot uefi with ovmf, so the malware will act the same if it finds a vulnerability in the firmware: but in this case the firmware is a file (OVMF_CODE and its OVMF_VARS), so if it gets infected all you need to do is delete the files and replace instead of flashing the bios chip.

But if a malware infects the os in the cases I described above it's near the same as having a malware on a bare metal installation.

Another case is if you use vms in a different way, consider for example online services for antivirus scan, all the malwares run on virtual machines which are created and deleted before and as soon as the scan finishes: the base os can be in a vdisk and all you have to do to start fresh is delete and replace the vdisk (some seconds?).

Or if you need only few apps in your vm, installed in vdisk: again backup a copy of the base vdisk and of the firmware and if you get infected just start fresh in few minutes.

What microsoft is choosing, i.e. add secure boot and tpm as mandatory (in addition to a series of other things), doesn't agree with me (but this is a personal opinion, I am the owner of my pc and I want to do all that I want, without having limits).

Edited by ghost82

  • 2 months later...

I think I will move my bare windows (10) installation to qemu too, to upgrade to 11...my workstation is still powerful but doesn't support tpm.

since Win 11 also requires a certain CPU Gen. Is it possible to change the CPUID of my guest VM to a newer Gen CPU, and advisable at all ?

I wonder by doing that there may be other implications for security/proper ISA functions ?

I have upgraded my window 10 VM to Windows 11 a while ago. When trying to update it now says my computer is missing TPM 2.0 and secure boot. I am using a Ryzen 3900X which supports TPM 2.0 as I understand.
Is there any guides of how to fix my VM so that I can update again ?

  • Author
25 minutes ago, Cliff said:

I have upgraded my window 10 VM to Windows 11 a while ago. When trying to update it now says my computer is missing TPM 2.0 and secure boot. I am using a Ryzen 3900X which supports TPM 2.0 as I understand.
Is there any guides of how to fix my VM so that I can update again ?

https://www.linkedin.com/pulse/swtpm-unraid-zoltan-repasi/

 

That worked for me.

On 9/25/2021 at 9:06 AM, unrateable said:

since Win 11 also requires a certain CPU Gen. Is it possible to change the CPUID of my guest VM to a newer Gen CPU, and advisable at all ?

I wonder by doing that there may be other implications for security/proper ISA functions ?

The latest Windows 11 build doesn't even complains about the CPU when you install it... ;)

19 hours ago, Cliff said:

Is there any guides of how to fix my VM so that I can update again ?

 

19 hours ago, Mantene said:

That worked for me.

 

when its integrated it will be sure easier and you dont have to play with more manual entries in your xml's ... so i d suggest to wait a few days until limetech is ready.

 

also a removal will work then regular etc etc ... now after adjusting you have to revert to remove a vm and so on ...

 

and whoever is now capable to run the script, edit his xml's etc etc pretty sure can also make the 2 steps on updating to bypass the checks ..

  • 2 weeks later...

I really can't understand how the linkedin author was able to compile (if he compiled) the OVMF files..

 

I usually don't like "black boxes" so I'm trying to understand how and if he compiled the ovmf package to build OVMF_CODE.fd and OVMF_VARS.fd.
If I use OVMF files from here:
https://github.com/rezo552/unraid-swtpm

Windows 11 installation goes smooth, system is seen as compatible.
However if I boot into ovmf settings secure boot model is DISABLED with that ovmf files, so the first question: why windows 11 doesn't complain about secure boot being disabled?

After trying the "black box" ovmf files, I tried to compile myself the OVMF package with secure boot enabled:
 

git clone https://github.com/tianocore/edk2.git
cd edk2
git clean -ffdx
git reset --hard
git submodule deinit --force --all
git checkout edk2-stable202011
git submodule update --init --force
source edksetup.sh
nice make -C "$EDK_TOOLS_PATH" -j $(getconf _NPROCESSORS_ONLN)
build -a X64 -b RELEASE -DSECURE_BOOT_ENABLE=TRUE -p OvmfPkg/OvmfPkgX64.dsc -t GCC5


Notes:
-DSECURE_BOOT_ENABLE=TRUE allows to build a secboot version of ovmf.
I prefer 202011 stable version.

Now, time to inject the keys, I tried 2 ways:
1- inject keys with EnrollDefaultKeys.efi (built within the ovmf package)--> I put it on another raw image and run it from the uefi shell; from OVMF settings I can see that PK, KEK and DB keys are injected, but windows 11 tells me that the system is not compatible to run windows 11...

2- downloaded:
MicCorUEFCA2011_2011-06-27.cer (2nd import in DB)
MicWinProPCA2011_2011-10-19.cer (1st import in DB)
MicCorKEKCA2011_2011-06-24.cer (imported as KEK)

and generated a DER self-signed certificated, imported as PK.

Here I have another issue, because if I look at the KEK and DB keys (for example by deleting them from the ovmf settings), they seem to be imported as 00000-0000-00000 (only zeroes...???), so something is wrong...

Obviously same issue with 2nd method as the first one, no compatible system.

Note that the xml is the same, what changes is only OVMF_CODE.fd and OVMF_VARS.fd.

Anybody with some lights?I'm currently walking in the dark :D

 

1 hour ago, ghost82 said:

so the first question: why windows 11 doesn't complain about secure boot being disabled?

 

windows 11 secure boot "capable" and NOT "must be enabled", there is the difference

21 minutes ago, alturismo said:

 

windows 11 secure boot "capable" and NOT "must be enabled", there is the difference

Thanks for answering the first question!

 

Still cannoy explain incompatibility with capable secboot ovmf files.

15 hours ago, ghost82 said:

Obviously same issue with 2nd method as the first one, no compatible system.

Problem solved, I was missing some flags for building a proper version of ovmf.

I didn't know tpm has flags too, that need to be enabled.

 

So, summarizing, if one wants to compile himself/herself ovmf (following example build latest stable version at the time of writing, 202108):

 

git clone https://github.com/tianocore/edk2.git
cd edk2
git clean -ffdx
git reset --hard
git submodule deinit --force --all
git checkout edk2-stable202108
git submodule update --init --force
source edksetup.sh
nice make -C "$EDK_TOOLS_PATH" -j $(getconf _NPROCESSORS_ONLN)
build -a X64 -b RELEASE -D SECURE_BOOT_ENABLE -D TPM_ENABLE -D FD_SIZE_4MB -p OvmfPkg/OvmfPkgX64.dsc -t GCC5

 

SECURE_BOOT_ENABLE: build a secure boot compatible ovmf

TPM_ENABLE: enable tpm in ovmf

FD_SIZE_4MB: not sure this is needed, but I read that Microsoft Hardware Certification Kit expects to be able to populate the variable store up to roughly 64 KB, without this flag ovmf varstore area is only 56 KB, this flag increases it to 256 KB

 

-D TPM_CONFIG_ENABLE is not needed, tpm will be auto configured

  • 2 weeks later...

are there any new on when the unraid update will be released ?

6 hours ago, Cliff said:

are there any new on when the unraid update will be released ?

 

I dont know if I am supposed to post a 6.10.0-rc2h Build here... But with this no "external" Patches are needed.

 

Decided to do because it is visible within the forums itself:

https://s3.amazonaws.com/dnld.lime-technology.com/test/unRAIDServer.plg

 

This will bring into the "Test"-Branche but you will be able to get the "OVMF TPM"-BIOS. Just edit then your xml or from the drop down menu..

 

Edited by RiDDiX

12 hours ago, RiDDiX said:

 

I dont know if I am supposed to post a 6.10.0-rc2h Build here... But with this no "external" Patches are needed.

 

Decided to do because it is visible within the forums itself:

https://s3.amazonaws.com/dnld.lime-technology.com/test/unRAIDServer.plg

 

This will bring into the "Test"-Branche but you will be able to get the "OVMF TPM"-BIOS. Just edit then your xml or from the drop down menu..

 

 

Hey, not sure if I will be able to go back to stable version if something goes wrong, you know, like the usual behaviour of standard update, or  is it that the link just simply provides an extra branch additional to "stable" and "next"?

4 hours ago, Ninnetyer said:

Hey, not sure if I will be able to go back to stable version if something goes wrong,

yes and yes

23 hours ago, RiDDiX said:

 

I dont know if I am supposed to post a 6.10.0-rc2h Build here... But with this no "external" Patches are needed.

 

Decided to do because it is visible within the forums itself:

https://s3.amazonaws.com/dnld.lime-technology.com/test/unRAIDServer.plg

 

This will bring into the "Test"-Branche but you will be able to get the "OVMF TPM"-BIOS. Just edit then your xml or from the drop down menu..

 

 

"plugin: not installing older version"
 

43 minutes ago, NLS said:

"plugin: not installing older version"

First upgrade to rc1, reboot, then install the plugin.

- stopped the userscript

- deleted everything in /boot/extra/ 
- upgraded to Rc2 

seems to work better already, i had an issue where windows 11 became sluggish for no real reason. That seems to work better, for now

 

- network shares actually work after a reboot

- docker containers dont have any any issues starting up


i probaly have to reset some Bitlocker keys (disable tpm and enable tpm) due to these changes, but thats something for tommorow

Edited by okkies

20 hours ago, JorgeB said:

First upgrade to rc1, reboot, then install the plugin.

Ups yeah sorry forgot to mention it.

  • 2 months later...
On 10/12/2021 at 9:41 AM, ghost82 said:
build -a X64 -b RELEASE -D SECURE_BOOT_ENABLE -D TPM_ENABLE -D FD_SIZE_4MB -p OvmfPkg/OvmfPkgX64.dsc -t GCC5

 

Just to let you know that with this commit:

https://github.com/tianocore/edk2/commit/4de8d61bcec02a13ceed84f92b0cf3ea58adf9c5

 

from release > 202111 (excluded) "-D TPM_ENABLE" doesn't exist anymore and it's replaced by -D TPM1_ENABLE for tpm 1.2 or -D TPM2_ENABLE for tpm 2.0.

I spent a couple of hours trying to figure out why my emulated tpm didn't start in win 11.

 

TPM_CONFIG_ENABLE is also removed from the code.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.