You may have noticed there’s a lot more news about ransomware and other malware attacks on Windows than on macOS, and more on Android than on iOS. The reason is simple. Malware coders hit Windows and Android because that’s where the most security holes are found. As Windows 11 achieves wider usage, that may change. Microsoft has taken the bold step of requiring essential security hardware to run Windows 11, even though it means some older PCs will be stuck, unable to upgrade. With the boot process shielded and cryptographic routines running in protected memory, this Windows edition is thoroughly protected against a wide range of attacks.
Just how does this added security work? Microsoft will happily supply endless pages of detailed descriptions. For those who prefer a broader view, here’s a simple rundown of what I learned—and what I found when I installed the new OS. The TL;DR? Windows 11 may not look like a major update from Windows 10, but when it comes to security, it's a sea change—unless you deliberately cripple it.
Installing Windows 11 on a Virtual Machine
To get started, I needed to install Windows 11 on a VMware virtual machine. I do almost all testing of security products using virtual machines. That way I can release real-world ransomware without worrying about real-world damage if the antivirus fails its defensive task. We’ve covered the basics of how to create a Windows 11 virtual machine, but I found I had to go beyond what our article suggested. The biggest tweaks I had to make involved security.
Initially, I tried updating an existing Windows 10 virtual machine to Windows 11. Unfortunately, the PC Health Check app quickly reported that “this PC doesn’t currently meet Windows 11 system requirements,” noting that it needs Secure Boot support and a Trusted Platform Module (TPM).
Virtual machines are flexible, though, and adding new components can be a virtual experience. Secure boot requires UEFI firmware, for starters. I tried to just change the firmware type to UEFI in Virtual Machine Settings, ignoring the warning that doing so “might cause the guest operating system to become unbootable.”
Surprise! When I made that change, it rendered the virtual machine unbootable. After some research, I concluded that changing the firmware type seems possible, but only for someone with skills far beyond my own. To be fair, changing the firmware in a physical computer would also be too tough for most users.
Starting fresh, I created a new virtual machine with custom settings. This let me choose UEFI firmware with Secure Boot, a good start. In the last step, customizing hardware, I tried to add a TPM. The VMware screen explained, “The virtual machine must be encrypted and using UEFI firmware.”
After some more flailing, I started examining every virtual machine setting, looking for something about encryption. And I found it, “Access Control: Not encrypted.” I clicked to encrypt the disk and nearly whooped with excitement to see that I could now add a virtual TPM 2.0 chip. After that, the installation proceeded without a hitch.
The lesson was clear. Windows 11 is all about security. It requires a PC that’s capable of Secure Boot, which prevents malware from attacking the boot process. And your PC must have a TPM chip to manage cryptographic keys and protect your PC’s operating system and firmware. Without that core of security, you’re stuck on Windows 10, with some hard choices pending next year. Microsoft support for Windows 10 ends on October 14, 2025. Your Windows 10 PC won’t brick itself on that date, but Microsoft doesn’t promise any updates.
What the Heck Is a TPM?
The concept of a Trusted Platform Module for added device security goes back more than 20 years, and PCs have had them since 2005. Microsoft’s BitLocker whole-drive encryption system relies on the TPM to manage and protect its cryptographic keys. The oh-so-handy Windows Hello face recognition login system also makes use of TPM support. Microsoft’s documentation advises that any modern PC probably has a TPM and that PCs less than five years old most likely have the latest version, TPM 2.0.
Presuming your PC is new enough to have a TPM, you can find a Security Processor page in Settings. On this page, you’ll see status indicators for Attestation and Storage (both should say “Ready”). Each TPM includes highly secure storage for cryptographic keys, among other things. Attestation refers to the fact that the TPM can create a snapshot of your system’s hardware and software configuration and verify (when requested) that there’s been no tampering. Since every TPM has a unique and unchangeable key, it can be used to authenticate the PC in which it resides.
Software-based algorithms that generate pseudo-random numbers can be hacked; the hardware-based random generator inside a TPM isn’t vulnerable. Storing cryptographic functions within the TPM rather than implementing them in software likewise protects them from hacking. When a TPM is available, Chrome, Firefox, and Outlook all make use of it for certain encryption tasks.
In short, a TPM is a security powerhouse. It validates hardware and software components, so nobody can tamper with your PC. It stores important cryptographic keys. And it supplies ultra-secure cryptographic functions to Windows and to applications. If you want to know still more, check out this TPM deep dive by PCMag’s Tom Brant.
And Then Microsoft Caved
Apple’s operating systems have security baked in from the very start, with iOS even more locked down than macOS. Windows, on the other hand, is still in the process of locking down endless system vulnerabilities. By requiring Secure Boot and a TPM 2.0 chip, Windows 11 totally neutralizes a whole class of malware attacks, attacks that gain root-level control over the computer by subverting the Windows boot process or loading into the system before bootup. Sure, some older PCs get left behind, but Microsoft will maintain Windows 10 for them, at least for a while. It’s a big step in the direction of being Apple-level secure.
And then Microsoft poked a big hole in the new wall of boot-time security. Right on the Microsoft site, there’s now an explanation of how to bypass the Windows 11 installation check for TPM 2.0 and for a sufficiently advanced processor. It’s a simple Registry tweak. Some have commented on the dire warnings that “Serious problems might occur if you modify the registry incorrectly.” But Microsoft adds this disclaimer in any support article that involves tweaking the Registry.
Following Microsoft’s instructions on tweaking the Registry didn’t allow upgrading my Windows 10 virtual machine to Windows 11. You still need a TPM—the tweak simply makes an old TPM 1.2 acceptable. But with that special Registry value in place, you can install Windows 11 on a PC that has a too-old TPM and an outdated CPU. In a move reminiscent of Willy Wonka’s faint “no… stop… don’t…” advice, the instructions warn that Microsoft “recommends against” installing Windows 11 on a machine that doesn’t meet the minimum.
To be fair, those digging a bit deeper will find some stronger warnings. If you install Windows 11 on unsupported hardware, “your PC will no longer be supported and won't be entitled to receive updates.” It clarifies that you may receive updates; you’re just not guaranteed to get them. The page adds that “Damages to your PC due to lack of compatibility aren't covered under the manufacturer warranty.” Microsoft does give you a 10-day grace period to revert to Windows 10 after installing Windows 11 on unsupported hardware.
Support Windows Security
Familiar security features like Microsoft Defender Antivirus don’t seem much changed in Windows 11. Microsoft is pushing password-less security, which uses some of the advanced security tech that Windows 11 requires, but password-less security is available in Windows 10. It’s the secured boot and reliance on TPM 2.0 that vastly enhance security in Windows 11—presuming you don't disable it!
If your computer has a TPM 2.0 chip and supports Secure Boot, go ahead and upgrade to Windows 11. According to Microsoft, “secured-core PCs are twice as resistant to malware infection,” so you’ve just cut your malware attack surface in half.
With a computer that doesn’t meet the requirements for Windows 11, please don’t use the bypass. Stick with Windows 10 and start saving for a new, more secure computer.