ISSUE 20.27 • 2023-07-03 WINDOWS 11 By Will Fastie Despite our warnings and hesitancy about moving to Windows 11, we’re at a point in time when more s
[See the full post at: What should you do about Windows 11?]
|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
-
What should you do about Windows 11?
- This topic has 108 replies, 20 voices, and was last updated 4 months, 4 weeks ago.
AuthorViewing 32 reply threadsAuthorTiming is everything. Perhaps the observations from Mary, Brian, Randy, Simon, and Peter will help you decide when it’s right for you to finally switch.
If one creates a full drive image of the OS drive/partition, any time is the right time. Returning to Windows 10 if one does not like Windows 11 is a simple matter of restoring the drive image.
Always create a fresh drive image before making system changes/Windows updates; you may need to start over!We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.Short answer – It is still prudent and desirable to avoid Windows 11 like the plague that it is. I will not use, nor will I migrate any of my clients to Windows 11 Pro, until Windows 10 Pro can no longer be used. So Windows 10 end of life means nothing. As long as the user’s key software products run on Windows 10, there is no need to go to Windows 11. In a business scenario, we will continue to test Windows 11, but I have no expectations for this sad excuse for a Windows 10 successor.
It took me long enough to finally get Windows 10 Pro to a usable point where enough of the garbage can be removed to make it tolerable and most of the design flaws can be dealt with using third party software. Because of the substantial number of settings changes and software removals, doing this by hand is a monumental task so this kind of clean up is only viable through a series of .bat and .ps1 scripts run with admin privileges. And realistically, some of the required changes can only be done via scripting since no user interface method exists. I still have no love of Windows 10, but have tamed it enough to be able to use and maintain it. Of course every windows update still manages to screw something up!
Windows 11 Pro has turned out to be a different beast altogether. With the removal of key control panel tools that made Win 10 tolerable, Win 11 continues to be a colossal pain to configure. And with the removal of such basic tools as a proper right click menu and convenient control panel, it is no joy to use. It truly makes one wonder if the people designing and coding Windows have actually even used Windows before. Every time I am forced to help someone with just about any issue in Windows 11, it becomes a frustrating task of tracking down once simple and complete tools that have been dumbed down beyond belief or removed completely. I would be hard pressed to be able to mention even just one new feature in Windows 11 that has any actual value. But I can say jumping through hoops to create local user accounts may be one of my biggest grievances.
4 users thanked author for this post.
-
Windows 11 Pro has turned out to be a different beast altogether. With the removal of key control panel tools that made Win 10 tolerable, Win 11 continues to be a colossal pain to configure.
What can’t be done from Settings (or the reduced Control Panel)?
And with the removal of such basic tools as a proper right click menu and convenient control panel, it is no joy to use.
The right click menu in File Explorer hasn’t been removed. It’s been streamlined, but the legacy options are still available by clicking “Show more options”.
1 user thanked author for this post.
-
Concerning the right click menu, I feel that the items in the “Show more” group should be the primary group, and all the other now standard primary menu items should be under “Show more”. Apparently I am not alone because this is a fairly common complaint and there are now fixes that aim to return the true functionality of the context sensitive right click menu.
And quite frankly, the need to go multiple levels deep in any of the new material design style settings pages is frustrating. Many versions ago, one could do an amazingly large number of configuration tasks from a single screen. This began dumbing down with Win 8, and then much more so with Win 10. Win 11 continues the trend. This is why power users don’t want the new settings app. They want a comprehensive control panel.
Power profiles are a good example of lesser functionality in the control panel in Win 10, and more so in Win 11. One used to be able to specify, in the power profile itself, what the power, sleep, and lid close actions should be. That was later removed and handled in a different place. Now, the only way I know of to preset those choices is through a group policy change.
Setting file associations has become a bit more difficult too. And heaven forbid you want to change anything that Microsoft has preordained as to be handled by Edge or some other sub-par solution! Expect that to change back on you every so often even after you tell Windows what default program you, the user, want to use.
And have you ever counted the steps to select your default printer? Piece of cake back in the Win 7 days – Click Start, devices and printers, right-click your printer, set as default. Win 10 – Click Start, click the Settings gear, click Devices, click Printers & Scanners, click on your printer, click the Manage button, click Set as Default.
I just can’t see the improvement! It ranks right up there with the same brutal efficiency killing “improvement” we were forced to live with when the “Ribbon” was forced upon us.
3 users thanked author for this post.
-
There are technical/architectural reasons the context menus had to be re-implemented. Explorer extensions done the “old, traditional way” brought with them security and hard-to-diagnose performance issues. Not all of the extensions do that, mind you, but some. You – like I – may have a perfectly functioning Explorer complete with the extensions for the tools you love.
I imagine Microsoft craved not having endless support requests because “Explorer” would stall or act up (but was really some users’ extensions at fault).
Hate to say it though… I have a co-worker who says his Win 11 Explorer is having unexpected stalls. I hear him blame Windows 11 all the time. I have set aside some time to look over his system with him, as I experience no such delays. I don’t think everything could/can be blamed on old extensions.
Windows: It’ll work when you love it.
Critics: I’ll love it when it works.-Noel
1 user thanked author for this post.
-
Concerning the right click menu, I feel that the items in the “Show more” group should be the primary group, and all the other now standard primary menu items should be under “Show more”. Apparently I am not alone because this is a fairly common complaint and there are now fixes that aim to return the true functionality of the context sensitive right click menu.
It’s been common everywhere for decades that an extra click gives advanced options. The other way round, with complex stuff before simple stuff, makes no sense.
The easiest “fix”, already provided, is to press Shift while right-clicking.
Many versions ago, one could do an amazingly large number of configuration tasks from a single screen.
That was the problem: Overwhelming for many users.
Setting file associations has become a bit more difficult too.
Very easy in Windows 11, complete with filetype search:
And have you ever counted the steps to select your default printer? Piece of cake back in the Win 7 days – Click Start, devices and printers, right-click your printer, set as default. Win 10 – Click Start, click the Settings gear, click Devices, click Printers & Scanners, click on your printer, click the Manage button, click Set as Default.
No Manage button in Windows 11. Set as default right at the top of each printer’s page:
-
-
-
Yes, certain clients will be mandated to move to the next version when Win 10 goes end of life due to HIPAA and other regulatory dictates. And if any substantial flaw in Win 10 should be discovered after end of life, then that can also force an upgrade.
But, I do not blindly subscribe to the idea that just because Microsoft is no longer updating the software, it is now inherently insecure. Could it be, yes, of course. But automatically so, no. As long as the applications in use are up to date, and the network the computer is on is isolated from the internet by a firewall, realistically, there is little chance of that computer being compromised. Not zero, but substantially reduced. And it’s been plainly apparent that even a fully updated operating system can’t protect against the person that clicks on a poison link or attachment in an email, which these days represents the number one malware issue most users face.
My real world experience starts in 1982, but the largest growth of my business came in 2001 when Sircam arrived and really changed the face of malware delivery and propagation. It has been an uphill battle ever since. But one thing has been glaringly obvious. Very few operating system security updates make any meaningful headway in fighting off these threats. Yes, such operating system updates like those addressing SMB and SSL/TLS were beneficial, and a clear reason why older operating systems that can’t support the newer and/or updated and repaired protocols do have to be retired. But what seems to make the most difference is keeping the application software up to date, and really training the users to not do stupid things.
As for Windows, ever since forced updates became the norm, even though my client base has experienced zero downtime from malware, we’ve had more downtime from Windows Updates than we ever had with malware in the past. Printing issues with no solution in sight, RDP connectivity issues requiring work arounds, no access to SysVol because of a security update that helps no one, issues with iCloud, Office 365 deactivating entire offices even with paid up contracts in good standing, failed updates crashing computers, and on, an on…
3 users thanked author for this post.
-
Indeed, if you hang onto an old system while the malware writers start targeting the new system that everyone’s upgraded to, you may actually start to drift out of the crosshairs.
I’m not advocating a general use computer for use by dummies be kept off the latest updates, but neither am I a subscriber to the “OMG, it’s out of support, I have to upgrade” school of thought.
If Microsoft configured out-of-the-box Windows to be as secure as it could be then I might worry more about their security advice. But to this day, while it has a decent firewall engine, it has a pretty bad user interface from the 1990s to that firewall and no ability at all without 3rd party add-ons to do even basic DNS blacklisting to prevent each of us from visiting the hundred thousand or so KNOWN bad websites.
-Noel
2 users thanked author for this post.
-
-
Late last year I bought a powerful new workstation but requested it be delivered with Windows 10. It came with a free upgrade to Windows 11 for when I should want to make that move.
What I have done, besides using Windows 10 quite productively on this desktop, is set up a full immersive Windows 11 business and development environment in a VMware virtual machine. I have a powerful enough computer that I really don’t feel a slowdown from running it that way. VMware provides an easy ability to go “full screen” across multiple monitors, and this setup allows me to really try it out, tweaking and using Windows 11 in just the way I want to use it when I actually make the switch on the hardware host.
I now know that I can make all my favorite tools work in Win 11, and there have been enough things I initially couldn’t or didn’t know how to do that I’m glad I took this approach. Lastly, there are just some things that didn’t work right at first, or even that one just has to get used to… Having had this setup for some months now I’m getting close to the point where I could make the switch without having to live through a short time of lost productivity where I’m like a fish out of water figuring everything out at once. Once I make the switch, I will easily enough be able to set up VMware on Win 11, then be able to use my virtual machine as a reference to set it up on the hardware just the same.
FWIW, there are a few things about Win 11 that I actually LIKE – for example rounded corners have always been my preference; they make it easier to find window title bars. Not as good as Aero Glass did, but better than Windows 10.
If your computing life is complex, continued productivity with a switch to Win 11 is important to you, and you’re not on a shoestring budget, setting up Win 11 in a virtual machine first is actually a pretty good way to ease into it.
-Noel
1 user thanked author for this post.
Windows 12
Who knows what evil lurks in the heart of Microsoft?
1 user thanked author for this post.
but the legacy options are still available by clicking “Show more options”.
Legacy? Are you calling me old?
I get the streamlining part. But why am I constantly clicking on the more options part? It seems that the options for power users are being pushed one more click away, and it’s not just in File Explorer.
4 users thanked author for this post.
-
-
I dunno, maybe to make a new folder or access the dozens of handy tools you have integrated in the old menu?
New Folder doesn’t need “Show more options” (or even a right-click):
-
Typical Microsoft myopia.
Ah, but where’s the new folder feature when you right click on a folder in the Navigator panel?
Not everyone wants to work the way you think.
-Noel
-
-
-
It ranks right up there with the same brutal efficiency killing “improvement” we were forced to live with when the “Ribbon” was forced upon us.
On that point I don’t agree. My reaction when the ribbon first appeared mirrored yours, but I believe it was one of the last things Microsoft designed well. It is true that some power features are harder to get to, and there are some frustrating choices in some apps (are you listening, OneNote team?). But overall, I concur with the studies that Microsoft commissioned at the time showing that the ribbon was more efficient.
Originally, I didn’t think I’d come to that conclusion, but I did.
-
With the ribbon came some right click feature enhancements that I did actually find beneficial, but even now, many years later, I still hate that ribbon! So many things that could be done with one click in the old 2003 menu and toolbar setup now require two. And things that were two clicks away in 2003 are now three or more.
I had one of my accountant power users remark, after a few years of using the ribbon in Excel, “I think I’m now almost as efficient as I used to be before this change!”
I suspect the opinion on this will hedge on how well optimized one was using the earlier menu and toolbar. For myself, I find having to continuously click on a heading first to get to the subgroup of functions to be counterproductive. I know I can modify the ribbon and add some icons to the little “custom” area Microsoft was so generous to give us, but I still find myself favoring the older menu and toolbar approach.
1 user thanked author for this post.
-
But why does the ribbon have to be so huge, with no tweaks to reduce it?
Some of us like putting data on the screen, rather than chrome. We expect to actually do something with Windows, not just stare at it.
Win 10:
Win 11:
1 user thanked author for this post.
-
The same reason behind so many of the terrible UI decisions in Windows and lots of other software. Touchscreens, the bane of mouse and keyboard users!
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)3 users thanked author for this post.
-
I think it would be instructive to expand the article graphic to include the Windows 7 timeline above the Windows 10 timeline. We could see just how close to Win7 EOL people waited before switching over to Win10, having deliberately skipped over Win8/8.1.
Windows 11 has similarities to Windows 8/8.1 in that no one really wants to migrate to it until certain UI shortcomings are addressed and fixed. For me, the underlying Windows 11 o/s is a great improvement, but not to the extent that I want to give up my years of familiarity with the Win7/10 UI. And I’m well-aware of workarounds such as Start11, but we shouldn’t have to settle for those non-MS fixes.
3 users thanked author for this post.
“I think I’m now almost as efficient as I used to be before this change!”
During my road warrior days, I was definitely an Excel maven. I needed things that were deep in the menu. But it didn’t take me years to adapt to the ribbon, just a couple of months.
Just to speak in Microsoft’s defense for a second, the company knew that touch was upon them. Deep menus are anathema to touch, so something had to be done. I don’t like the way Microsoft handled the problem, but what was the alternative?
We’re complaining because there are many power users amongst us. Unfortunately, we’re the minority.
-
We’re complaining because there are many power users amongst us. Unfortunately, we’re the minority.
I tend to agree that’s why things are done, but…
It’s giga-sized software. It could actually be coded to support both newbies AND power users. It has been done in the past. Microsoft now just seems to want to spend less time and effort on that. Gee guys, engineering a new version of Windows is harrrrrd. Being able to do that work is what differentiates Windows from yet another Unix derivative.
-Noel
1 user thanked author for this post.
-
Being able to do that work is what differentiates Windows from yet another Unix derivative.
How so? If you used a Unix “derivative,” you could choose a UI that is as simple or complex as you want. The work has already been done. If you want something simplified to not scare a person who has truly never seen a computing device before, to the point that file load dialogs don’t even have a text-entry field anymore, you can have that. If you want something with every conceivable option, you can have that too (and that’s the choice I made). There are endless options in between those two points. Whatever your UI preference, you can have it.
Microsoft could provide the same kind of UI excellence that they have in the past (the peak being Win2k, IMO, which I have modeled my KDE UI to emulate more closely than I actually can in Windows), but there are a couple of things in their way. First, they have a marketing department, and marketing departments always want new! improved! shiny! to sell, so even if the product has reached the apex of usability, it has to be changed, because model year changes keep sales going. Enter “change for the sake of change.”
On top of that, there’s “branding.” Ever since Vista, Microsoft has been more interested in your computer “looking like Windows” so that it can help sell Windows to anyone else who should happen to see it than they were interested in serving your needs as a user.
That was why they removed the option for the classic Win95 style cascading menu in Windows 7. To paraphrase Microsoft’s response to those futile pleas from many customers to leave it in, “It’s been over a decade. It’s time to move on.”
If people still wanted it, why is it “time to move on?” So what if it seemed antiquated and old to some users? They’re not obligated to use it if they don’t like it. But if MS was trying to sell a vision of modernity and freshness, then it would not do for someone to get the idea that Windows was still in any way connected to that ancient, crashy product called Windows 95… even if you were just looking over a colleague’s shoulder to see that dusty old cascading menu.
Now, for better or worse, MS has bought into this idea of “one UI to rule them all.” Touch devices and traditional PC/laptops are too different to be served adequately by a single UI, but it doesn’t stop a variety of software developers from trying. Apple’s Tim Cook had it right when he commented that this (blending iOS and MacOS) would result in compromises that would harm the experience on both platforms compared to having dedicated UIs.
The better solution would be to have the primitives for touch mode and traditional UIs encoded into the OS itself as well as each program, leaving the user to select which to use at run time. The amount of additional disk/memory this would require would be trivial, and both platforms would be served equally well, presuming developers did their job with the applications.
MS could do it, but has chosen not to. To them, Win32 and traditional UIs are two more things for which it is “time to move on.” Don’t you know, phones are cool! That means everything from phones has to be grafted onto PCs to make them cool too. From calling those things that were traditionally installed in C:\Program Files “apps,” to having a phone-style lock screen, to having a touch-oriented UI regardless of whether a touchscreen is present, to having the monolithic updates… if that’s the way it’s done on phones, that’s the way MS wants it done in Windows too.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)7 users thanked author for this post.
-
-
To an extent. If they had managed to reserve the Metro/Modern/UWP for touch devices and keep the standard Win32/comctl32 UI (even if the underlying technology changed) for touchless devices, I would have been a lot happier with it.
Instead, starting with Windows 8, it was a weird hodge podge of the new and the old. The old is gradually giving way to the new, though a lot of the “advanced” settings (as with the mouse settings, for example) still use the old UI.
There was nothing wrong with the old UI other than that it was not optimized for touch… but it didn’t need to be. Create a new UI for touch, keep the old one for what it was designed for, and have the best of both worlds.
But they didn’t do that. They’re not alone by any means, though. In the Linux world, Canonical’s now-abandoned Unity and GNOME 3 took up the “one UI” mantle, and Firefox’s latest new-new-new UI is more touch-optimized than any before. They eliminated the “compact” UI option that was favored by many desktop users (not useful for touch, but optimal for mouse), only to grudgingly bring it back after many, many complaints– but only hidden behind a user pref, and passive-aggressively marked with a (not supported) comment on the customization menu.
The same idea has infected web sites too. Back in the day, all websites were written for PCs, since that was all anyone had. Then came phones and tablets, so the webmasters began to modify the desktop versions to work better with phones, with the mobile versions served based on useragent strings, or with “responsive” design that dynamically reorganized sites according to screen size, with varying degrees of success. Eventually, that reversed, and sites were written for phones first, then modified for PCs… and then sometimes not modified for PCs. Quite a few sites have only one version, clearly a mobile version, and desktop users just have to accept the abbreviated functionality.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)3 users thanked author for this post.
-
-
-
include the Windows 7
An interesting point. Official support for Windows 7 ended on January 14, 2020, with paid, extended support ending on January 10, 2023.
But it’s moot. A mere 4% of our readership report using Windows 7 on their primary PC, while a combined 92% use Windows 10 or 11 (see Who are you, 2023-02-27). In addition, our coverage of Windows 11 topics is heavily read. That’s why it didn’t occur to me to put Windows 7 milestones in my diagram.
But why does the ribbon have to be so huge, with no tweaks to reduce it?
Back in the early days of VisiCalc, anger would have ensued if just one character location was taken from the user. Today, most of us have expansive display real estate. I didn’t feel pinched when the ribbon appeared.
-
Expansive or no, I really don’t want to have to stare at empty space. I have 3 x 30 inch monitors and a 20 inch monitor and I still fill them all up. My computer usage really is that complicated. I’m pretty ruthless about closing things I don’t need, too.
-Noel
1 user thanked author for this post.
-
-
Click a newsletter link at the bottom there to get the full article.
1 user thanked author for this post.
-
Touchscreens, the bane of mouse and keyboard users!
I embrace a touch screen if it happens to be available, as it is on my wife’s convertible. That doesn’t mean I become touchscreen-centric; if it’s quicker or easier to touch, why not? And vice-versa.
After all, there’s no mouse on a smartphone – we’re all well trained.
-
The presence of touchscreens as an option makes UI designers lose their focus, and results in compromises to UIs that make it worse for mouse/touchpad users, even on devices that have no touchscreen. Hamburger menus, oversized UI elements, excessive white space, disappearing UI elements, options that used to be up front hidden beneath multiple levels of menus, elements that lack hover or right-click effects (where it would be very useful) are all showing up on desktop UIs, even though they were adaptations to touchscreens with limited space (phones, especially).
Touchscreens are the reason Windows 8 had/has such a regrettable UI, and why all Windows versions from then on have included a “Settings app” that offers fewer options than the Control Panel it is gradually replacing. Control Panel was for mouse and keyboard; “Settings” is for touch.
I do not own any touchscreen PCs, and I do not think I should have to accept any UI compromises simply because others do.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)5 users thanked author for this post.
Being honest, I don’t know if I’ll ever adopt Windows 11. Even though my laptop is supported (8th gen i7 with a TPM), the mandatory TPM requirement leaves a sour taste in my mouth. I remember when Microsoft tried to do this during the development of Windows Vista (Palladium/NGSCB). I didn’t like it then and I don’t like it now. Combine that with their future plans for subscription-based cloud desktops and it’s a strong ‘no’ from me.
So now my medium term plan is to migrate away from Windows. To where, who knows?
1 user thanked author for this post.
-
-
I’m curious about why you don’t want to use the security hardware you already purchased.
The last time Microsoft proposed mandatory TPMs it was for hardware enforced DRM; see TCPA, Palladium, NGSCB or whatever other names they came up with. I can’t see a clear reason (other than wishy-washy “security”) why it is needed this time round so I simply don’t trust them.
1 user thanked author for this post.
-
-
-
That article is for Windows 10/Server 2016.
Windows 10 and later
It doesn’t mention why Windows 11 needs one. Without a good explanation from Microsoft I don’t trust their intentions.
OK. This does:
Security: Windows 11 has raised the security baseline to make it the most secure version of Windows ever. We have used the more than 8.2 trillion signals from Microsoft’s threat intelligence, reverse engineering on attacks as well as input from leading experts like the NSA, UK National Cyber Security Center and Canadian Centre for Cyber Security to design a security baseline in Windows 11 that addresses increasing threats that software alone cannot tackle. We have carefully designed the hardware requirements and default security features based on an analysis of the most effective defenses. This analysis was based on the Microsoft data set of blocked attacks in 2020 which included 30 billion email threats, six billion threats to endpoint devices and 30 billion authentications. In addition to benefitting from these intelligence sources, Windows 11 enables proven security controls based on industry wide recommendations from global experts like the NSA and NCSC.
The Trusted Platform Module(TPM) requirement enables Windows 11 to be a true Passwordless operating system, addressing phishing and other password-based attacks that are easier for attackers to execute when the TPM is not present. In the FY20 Microsoft digital defense report, Microsoft identified 67% fewer compromises of organizations that disabled legacy authentication and moved towards Multi-factor Authentication (MFA)- or Passwordless-based systems like Windows Hello. With Hello, the TPM works together with a PIN or biometric camera/fingerprint reader to securely store a secret in hardware that replaces a user’s password during authentication and is much harder to steal or spoof. The TPM is also used for numerous other Windows 11 features such as Bitlocker and Device Encryption, which leverages the TPM to store disk encryption keys. Research from Forrester showed that the loss or theft of assets like smartphones and laptops were involved in 20% of the breaches reported by global security decision-makers in 2020. Bitlocker full disk encryption in Windows 11 limits the possibility of sensitive data loss from lost or stolen devices. The TPM is also used to “bind” web-based credentials securely to a machine, preventing extraction and theft of credential types seen in many recent breaches. Windows 11 requires TPM 2.0 vs 1.2 because of the security advantages it provides, particularly support for newer and stronger cryptographic algorithms.
1 user thanked author for this post.
-
-
That doesn’t explain why it is mandatory. Not everyone wants to use passwordless login (I certainly never would), and those that do want to use it have the option of buying hardware that supports it– as it is in Windows 10.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)1 user thanked author for this post.
-
Good point, it surely should be a case of “no TPM? No passwordless logon for you so” rather than it being a requirement.
1 user thanked author for this post.
-
-
Microsoft has a reputation for security to maintain. 🤨
I think you would find that, deserved or not, Microsoft has a reputation for the lack thereof. I think a lot of that criticism is unfair, as its stature as the top desktop OS makes it a big target, but that does not mean the general reputation of Windows as an insecure platform does not exist.
But even if it was true that MS has a reputation for security… Why should Microsoft’s reputation be of any concern to me as a hypothetical end user who can’t use Windows 11 because of an arbitrary demand for hardware I may not even use?
Given that MS has only very recently started requiring TPMs, how did they build such a reputation in all those years where TPMs were not required, if they are now necessary to maintain that reputation?
Why not (despite advantages)?
Because of the disadvantages. Everything has pluses and minuses. The plus of biometrics is convenience and not having to remember or enter unwieldy passphrases. If people are going to thwart the security measures by using passwords like “1234” or “password,” or their birthday, or their dog’s name, etc., then biometrics would offer a step up from there… but just as I would not use passwordless login, I also would not use such a weak password.
With any sort of biometric login, there has to be a place where the reference data (the fingerprints, the face scans, etc. to which user input will be compared) have to be stored on the device, and they can’t be in the encrypted storage with all of the user’s data, because that is unavailable when the user is logging in. The encryption key is not derived from some algorithm from the fingerprint or facial data… it’s a simple matter of generating an image from the camera or fingerprint sensor, comparing it to the reference image, and deciding whether it is a match or not. If it is, it releases that encrytion key and unlocks the protected volume(s).
The encryption key, if it is not derived from user input, has to be stored on the unit for this to be possible, in a way that makes it accessible even when the encrypted volumes are locked.
TPMs are meant to secure such secrets, but they are not infallible, and most of them on consumer hardware are just software simulated TPMs, nowhere near as secure as a hardware TPM.
On top of that, spoofing is a possibility. You leave your fingerprints all over the place, and while it’s not as simple to bypass one as it is in the movies, it is possible to collect these fingerprints and create a working fake that can fool the sensor.
Facial recognition, by contrast, has been fooled by things as simple as showing the camera a photo of the user. While infrared cameras are meant to protect against this, there are always going to be vulnerabilities, and the user is dependent on what is largely a black box that he cannot control or understand. And as with the fingerprints, the person brings that face with him everywhere he goes. If a person’s biometrics are compromised, the attacker has the keys to the kingdom… there’s no way to change your fingerprints,
In addition, in American jurisprudence, a person cannot be compelled to provide a password so that government officials can decrypt a seized laptop or phone. They can, however, be compelled to provide a fingerprint, face scan, or any other biometric.
If these biometrics were used in addition to a strong password, it would be more secure, but it would be less convenient. I would be happy with that, but that’s definitely not passwordless security.
For my own PCs, I use a strong (and sometimes unwieldy to type in) passphrase. When the device is locked, that passphrase is not stored on the device. The passphrase I enter is salted and hashed a number of times to generate a key of fixed length and to make it more computationally expensive to brute force it, and that hash is used to encrypt the actual (random) key that safeguards the data (so that the user password can be changed at will without having to laboriously decrypt and re-encrypt the data on the disk).
I know my passphrase is not going to be broken with a dictionary attack, or a targeted attack by an AI that will try various permutations of everything anyone knows about me. It isn’t based on anything like that. To brute force it would be brutally difficult with modern computing technology, given its length and complexity (bits of entropy). That passphrase isn’t written anywhere either.
While there is always a concern about insecure code and the possibility of backdoors, the attack surface of a biometrically authenticated system will always be far greater than that of one secured by a strong password. While it is exceptionally difficult to break modern encryption ciphers, the code behind them is relatively simple compared to all that is involved with biometric authentication. There’s far less attack surface with which to work.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)1 user thanked author for this post.
-
-
Apple is different. They make the OS and the hardware. It’s a very limited set of hardware devices that MacOS has to function on. Anything outside of their own products, as far as MacOS is concerned, does not exist.
Windows, on the other hand, runs on millions of hardware combinations from hundreds, if not thousands of vendors. There will always be issues with this device or that device not working in unusual or untested combinations. It’s impossible to test them all (though it would be nice to have them give it a shot anyway), and some glitches will make it into the wild under such a system where they may not have with Apple.
Mandating a TPM would not even move the needle on the amount of work MS or third-party devs would have to do to accommodate the endless array of hardware out there in PC-land. On top of that, it’s a very limited subset of third-party programs that would even need to be aware that a TPM even exists. It’s nearly exclusively Microsoft itself that would have to write the code, and they already have… it’s in Windows 10 right now. You can enable features that require the TPM if you have one, but not if you don’t. There are endless examples of that being the case in computing, and unless you make the hardware and the OS like Apple, there always will be.
If MS wants to mandate such things be in new PCs sold with OEM licenses, that would be one thing. Including an emulated TPM cost nothing on new machines… Intel and AMD have already done the work of making the thing, and firmware vendors (Phoenix, AMI, Insyde) already have firmware products that enable this functionality. Of course, new machines are also going to be new enough to meet the hardware requirements of 11, since they’re new. It costs nothing to the consumer for MS to mandate stuff that all new PCs already have, and have had for several years now.
That does not mean MS should enforce the same rules on “boxed” copies of Windows sold to comsumers (though it may be a metaphoric box at this point). The largest majority of people upgrading to 11 are those who buy new PCs with it already on there. The upgraders who do it themselves are, and always have been, a small minority. MS could gain a lot of good will by allowing people who would buy and install a new OS to do so on any given machine capable of running 10. If these people want the features enabled by TPMs or newer CPU versions, they can do so, but if not, they can continue to use their hardware for as long as it keeps working.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, KDE Neon
Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11)1 user thanked author for this post.
-
-
-
-
-
-
-
-
-
-
-
The first benefit I’ve been able to glean was decently performing encryption.
Generally speaking, performance of Windows is downright bad, and the justification for most updates in the past years has been security. A little tough not to make a connection there, eh?
-Noel
1 user thanked author for this post.
-
-
-
-
What should you do about Windows 11?
Make it your own. The majority of the complaints I’ve seen here at AskWoody about Windows 11 can be addressed and easily corrected with a third party Start Menu. Several are available. I use StartAllBack, $4.99, and free options are also available.
Microsoft may not be listening to user complaints about the UI, but third party developers certainly are, and the cure is at hand.
Always create a fresh drive image before making system changes/Windows updates; you may need to start over!We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.1 user thanked author for this post.
-
Most Windows shortcomings can be worked-around with tweaks and 3rd party software.
That doesn’t mean it’s not still drifting further and further from a power user’s dream with every update.
There was a simpler time when the numbers of tweaks needed to have a decent, efficient system were quite small.
Ask yourself… Does Windows 11 do that much more than Windows XP did? Vista was touted as unbelievably inefficient, but it was warp speed faster than current Windows implementations. Try booting it up in a virtual machine on a modern computer some time.
There’s no technical need for all the bloat in a modern system. 170+ processes just to boot up to a desktop? And here we’re talking about adding more software just to make it work reasonably.
I use OpenShell by the way in Win 11. It does help ease the transition, especially since I used it for previous versions.
-Noel
1 user thanked author for this post.
the mandatory TPM requirement leaves a sour taste in my mouth
When the original IBM PC arrived, it was equipped not only with the 8088 CPU but also with a socket for the optional 8087 math coprocessor. Software programs included math libraries that would have the 8087 perform the calculation if present; otherwise, the library would do it. It was ten years later, with the arrival of the Intel Pentium, that the function of the math coprocessor was incorporated into the CPU itself. (Some, but not all, 80486 processors had the extension.)
Today, that processor extension is “mandatory.” There’s no reason to keep the software library around when the last 30 years of processors have included math by default. I can’t be sure about this, but I’ll bet that Windows 10 won’t run without the math extension.
I view TPM in the same way. Other extensions, some of which are “mandatory” now, have simply eased into the mix quietly, without us noticing. The problem here is that Microsoft badly bungled the announcement of Windows 11. We weren’t eased into this new requirement.
Apple has done a better job with its security enclave, at least from a marketing and good will perspective.
-
Windows 10 wouldn’t run without SSE2, let alone x87 instructions! 😀
The difference with the FPU is that there was a tangible performance benefit in more intensive applications. My fear is that the TPM will be eventually used to enforce a walled garden, as was Microsoft’s original plan in the early to mid 2000s.
2 users thanked author for this post.
I will do the same with Windows 11 as I did with Windows 10, it will never get the privilege to use my hardware as I consider Microsoft’s WaaS (Windows as a Service) an unacceptable model for an operating system. It takes away too much control from me, the administrator of the system and instead gives it to Microsoft who has subsequently only used and abused that control in an attempt to serve their own wants/needs and increasingly to monetize the end user. That should NEVER happen with an operating system! But Microsoft has been able to do it with little impunity due to their monopoly status.
So I have decided to move on and use Linux Mint instead, an operating system that still respects the end user and provides easy built-in control over the entire system, no need to install third party tools or jump through hoops to try to control anything, and it does not attempt to monetize me in any way what-so-ever. It’s quite refreshing and provides great peace of mind to no longer have to deal with any of Microsoft’s shenanigans or what I refer to now as a “clown show”.
3 users thanked author for this post.
-
And these OSs are
- not connected to the Internet
- isolated from other machines
- have specific uses
- Are controlled by IT staff who know the risk
- Have firms that are paying cyber insurance
Old systems should not be connected like current supported systems. Period.
And they are not being used for personal use./surfing the web etc.
Ultimately everyone needs to eat. See Red Hat strikes a crushing blow against RHEL downstreams • The Register
It’s always the balance you have to find with ANY vendor. They need to pay people. I have to find the balance on this site. I have to have people subscribe to Plus membership, because I have made the obvious choice to not place advertisements on the face of the site. It’s always a balance and choices have to be made. Out of support operating systems are chosen for a specific reason with the risks analyzed accordingly with as much isolation as needed to keep the rest of the network secure.
It’s also why you see so much ransomware in hospitals. They are not running a secure shop.
Susan Bradley Patch Lady/Prudent patcher
-
Now I know I’m not an expert like those writing these columns about switching to Windows 11. In the 40+ years I’ve been using PCs, I’ve built or brought back from the dead only about 70 computers including those in our small office (and did some research for InfoWorld in the early days). But I continue to astounded by how reactionary the computer community is. If we listened to the experts and pundits going back over the past 40 years, we’d all still be running MS-DOS (or even CP/M) machines. Frankly, I’m sick and tired of this behavior. Of course every new version of an operating system introduces changes. And for those who can’t bear some of the most radical changes — like to the Start Menu — there are free and low-cost options like Stardock’s Start10 and now Start11 (which we’ve been using for years) that enable you to seamlessly retain the look and feel of those old Windows 7 and 8 Start Menus for just a few bucks.
What none of these pundits bother to mention is that Windows 11 marks a giant step forward in foregivability — namely it is more difficult to screw up a Windows 11 computer than a Windows 10, 8, 7 or even XP (which is amateur hour compared to Windows 11). Windows 11 is much more foregiving when you mess up, whether it be a crash (which are much less frequent in Windows 11 than in any previous version), or other mishap. It does a much better job of fixing itself than any previous iteration of Windows. It definitely is easier to use than its predecessors, especially for computer neophytes which, actually, includes the vast majority of computer users. I realize that the AskWoody subscriber base consists of folks very well-versed in PCs — likely far more than I. But the vast majority of computer users barely know how to use a file manager, center a line in Word (yes, they still use tabs and spaces rather than the simple Control+E command or even the icon in the ribbon), or use a password manager. But that’s the audience to which both Microsoft and Apple must cater.
So I suggest it’s finally time to stop whining about every new iteration of Windows and recognize the reality that the vast majority of computer users really don’t care about the things about which the pundits and experts agonize, but just want a computer they can works — which Windows 11 computers most certainly do.
8 users thanked author for this post.
Maybe you could hurt yourself with it, so you learn not to do that.
Yes, but you don’t have malicious external influences in your kitchen trying to inflict harm. (Usually. Sometimes in horror movies.)
-
Exactly. I keep them outside. That is a viable strategy.
Not at ALL like the security basis for most modern development, which assumes the malware will be in the kitchen.
If modern security pundits designed kitchens, you’d have to have a conversation with your kitchen knife and prove you have only the best intentions before it would allow you to pick it up. Ultimately you’d give up trying to make your own food and order from their delivery service because it was so difficult to do.
-Noel
1 user thanked author for this post.
the vast majority of computer users really don’t care about the things about which the pundits and experts agonize
Ouch.
And these OSs are not connected to the Internet isolated from other machines have specific uses Are controlled by IT staff who know the risk Have firms that are paying cyber insurance Old systems should not be connected like current supported systems. Period.
Yes. They are connect to the internet and other computers. Yes they are controlled by IT and support by Microsoft extend support pricing for government and businesses.
That article is for Windows 10/Server 2016. It doesn’t mention why Windows 11 needs one. Without a good explanation from Microsoft I don’t trust their intentions.
Check these about TPM and why MS/hackers needs it.
https://www.askwoody.com/forums/topic/tpm-2-0-required-by-windows-11-is-hackable-upgrade-now/
https://www.askwoody.com/forums/topic/trustworthy-computing-memo-is-20-years-old/
2 users thanked author for this post.
-
TPM can be bypassed on W11 installation so, it’s kind of a mute redundancy point that makes users feel better/ safer, pah!. Farcical security FUD, IMHO
Have MSFT been ‘making a security rod for their own back’.. knowing that itch just won’t go away.. deliberate or otherwise?Win8.1/R2 Hybrid lives on..1 user thanked author for this post.
-
-
-
Windows 8 was a complete disaster. The core OS itself had some meaningful updates, but the default tile UI/touch garbage — complete idiocracy.
The UI could be replaced with the Windows 7 UI for $3.99 at that time with StartIsBack.
Windows 10 was an improvement on the default UI, but I’ve never been a fan of being a beta tester for software I’m paying for. I’m not a fan of having ads in software I’m paying for.
Windows 10 was a free upgrade. The only reason to pay for a license would be for a DIY project. I have never seen any ad in any version of Windows.
Windows 11 looks like more of the same “let’s change the UI for the sake of change, add more dependency on internet services and break working functionality for the sake of change…oh and throw in some more spyware and ads too”
StartAllBack is the fix for the Windows 11 menu.
It can fix File Explorer and the right-click context menu, as well.
I have no increase in dependency on internet services; not sure what you mean there. Nor have I had any broken functionality. As for telemetry, O&O ShutUp 10 easily takes care of that, for free.
Microsoft effectively lost me as a customer and proponent with Windows 8.
So you are here in this Windows 11 thread because …?
Always create a fresh drive image before making system changes/Windows updates; you may need to start over!We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.
This week’s newsletter issue was overwhelmingly negative without much justification.
I thought the opinions would be a bit more in the middle or even slightly positive, but I didn’t attempt to bias our contributors in any way.
On the other hand, if you refer back to my article about our survey results (Who are you, 2023-02-27), 23% of the audience reported having moved to Windows 11. But that was much lower than the expected result based on the previous year’s survey. Therefore, half the readers saying they would move to Windows 11 in 2022 did not do so.
It seems as if our writers and audience agree – hesitation seems to be the rule, at least for now.
As for justification, uncertainty may be based on feelings rather than hard facts, but that doesn’t make it any less real.
-
It seems as if our writers and audience agree – hesitation seems to be the rule, at least for now.
Because your writers have been urging hesitation for 18 months.
As for justification, uncertainty may be based on feelings rather than hard facts, but that doesn’t make it any less real.
I had a forlorn hope that you would report facts rather than feelings.
The last article I can find that was useful to Windows 11 users (about a quarter of your customers) was eight months ago:
Windows 11 22H2: Which new features stand out?
Microsoft has beefed up Windows 11 with its first major update. Among all the changes, which ones are worth the upgrade?
…
If you’re running Windows 11 and are intrigued by some of these new features, then the update is certainly worth installing.And that was apparently before “Moments” 1, 2 and 3, which all improved useful features.
1 user thanked author for this post.
-
As for justification, uncertainty may be based on feelings rather than hard facts, but that doesn’t make it any less real.
But feelings rather than facts are much less “real”. Feelings are subjective; facts are objective. Feelings can be (and often are) influenced by the opinions/feelings of others. Facts (as in the usefulness, functionality and efficiency of an OS) are based on personal experience.
Some of the feelings expressed in this thread are from participants who profess to not have used Windows OS for some time, much less Windows 11, and used this thread for ranting against Microsoft rather than providing a user-based evaluation of Windows 11.
Despite our warnings and hesitancy about moving to Windows 11, we’re at a point in time when more serious consideration is in order.
In my experience, a rant is not “serious consideration”, it’s just a rant. The writers who provided the subject matter basis for this thread at least have used Windows 11 enough for evaluation, and can make judgements based on personal use.
23% of the audience reported having moved to Windows 11.
I’m in that 23%. I dual boot Windows. I have been able to evaluate each new upgrade of Windows side-by-side with the previous upgrade on the same hardware. I got a look at each new UI before I replaced it with StartAllBack; their license is lifetime, upgrades are free. I have yet to experience any performance decrease in any upgrade. Each has been at least as good as, and in some cases noticeably better than, the previous version.
Always create a fresh drive image before making system changes/Windows updates; you may need to start over!We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.4 users thanked author for this post.
-
We haven’t seen it yet. I don’t like to merely use marketing blurbs but actual hands on.
Susan Bradley Patch Lady/Prudent patcher
2 users thanked author for this post.
Viewing 32 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
End of support W10
by 1 hour, 14 minutes ago
-
MS-DEFCON 2: Copilot for Christmas
by 1 hour, 55 minutes ago
-
Sudden appearance of Edge Search Bar
by 27 minutes ago
-
LogoFAIL firmware exploit bypasses hardware and software security
by 1 hour, 54 minutes ago
-
Microsoft outlook ignores the registry keys
by 23 hours, 41 minutes ago
-
Windows 11 Insider Preview Build 22635.2841 released to BETA
by 19 hours, 4 minutes ago
-
Thunderbird doesn’t open folders at most recent email in Inbox
by 16 hours, 21 minutes ago
-
Three queries about the MS Outlook app on iPadOS
by 22 hours, 38 minutes ago
-
Win 10 22H2 November patches: Why do I have these 4 Windows App Runtime apps?
by 5 hours, 57 minutes ago
-
KB5032278
by 17 hours, 58 minutes ago
-
A web browser security testing & privacy testing tool.
by 1 day, 9 hours ago
-
IOS 17.1.2 looses text alert tone
by 22 hours, 7 minutes ago
-
What to know about CentOS Linux EOL
by 1 day, 15 hours ago
-
ESU announcement coming?
by 14 hours, 7 minutes ago
-
December 2023 Office non-Security Updates
by 1 day, 9 hours ago
-
Widespread Printer Bug caused by Windows Store!
by 15 hours, 50 minutes ago
-
Xbox question
by 1 day, 17 hours ago
-
Unfound Updates
by 1 day, 13 hours ago
-
Thieves rob DC Uber Eats driver, reject Android phone for not being iPhone
by 1 day, 15 hours ago
-
McAfee popup add (from micro. Store)
by 1 day, 16 hours ago
-
Random Screen Shut Downs (Windows 11 Pro)
by 4 hours, 2 minutes ago
-
CPU performance degradation after 23H2 update
by 2 days, 4 hours ago
-
PDFgear
by 13 hours, 46 minutes ago
-
I’m getting a new computer. I need instructions on setting it up CORRECTLY
by 3 hours, 53 minutes ago
-
Microsoft will not activate a valid reinstall of Office 16
by 1 day, 12 hours ago
-
Dell laptop Win 11 BLACK screen!
by 12 hours, 47 minutes ago
-
Firefox change from French to English.
by 1 day, 15 hours ago
-
W10 22H2 Nov 2023 PT Update: No monsters here
by 2 days, 4 hours ago
-
Windows : Is This the End of ‘Intel Inside’ ?
by 2 days, 8 hours ago
-
windows 10 upgrade to 11
by 2 days, 13 hours ago
