Windows 11 for Enterprise Administrators - Manuel Singer - E-Book

Description

Windows 11 comes with a plethora of new security measures, customizability, and accessibility features that can help your organization run more smoothly. But, without a proper introduction to this new version of Windows, it’s easy to miss the most important improvements, along with configuration options that will make migrating to Windows 11 frictionless.
Windows 11 for Enterprise Administrators helps you understand the installation process, configuration methods, deployment scenarios, and management strategies. You’ll delve into configuring Remote Server Administration Tools for remote Windows Server and Azure Active Directory management. This edition emphasizes PowerShell's role in automating administrative tasks, and its importance in Windows 11 and Windows Server management. It also provides comprehensive insights into Windows 11 updates, including Version 21H2 and 22H2, contrasting them with Windows 10, ensuring your knowledge stays current with the latest enhancements in the Windows ecosystem.
By the end of this book, you'll be well-equipped with Windows 11's vital technologies and potentials, enabling you to adeptly oversee and implement these attributes within your company.

You can read this e-book in the Legimi apps or in any app that supports the following format:

EPUB

Page count: 369

Year of publication: 2023




Windows 11 for Enterprise Administrators

Unleash the power of Windows 11 with effective techniques and strategies

Manuel Singer

Jeff Stokes

Steve Miles

Thomas Lee

Richard Diver

BIRMINGHAM—MUMBAI

Windows 11 for Enterprise Administrators

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Prachi Sawant

Book Project Manager: Neil Dmello

Senior Editor: Arun Nadar and Athikho Sapuni Rishana

Technical Editor: Irfa Ansari

Copy Editor: Safis Editing

Language Support Editor: Ashwin Kharwa

Proofreader: Safis Editing

Indexer: Hemangini Bari

Production Designer: Prafulla Nikalje

Marketing Coordinators: Marylou De Mello and Shruthi Shetty

First published: September 2017

Second edition: September 2023

Production reference: 1131023

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB

ISBN 978-1-80461-859-2

www.packtpub.com

Contributors

About the authors

Manuel Singer works as a Surface cloud solution architect at Microsoft and is based in Germany. He has over 20 years of experience in system management and deployment using Microsoft technologies and has worked for more than a decade for Microsoft. He helps Surface and Surface Hub customers to get the best experience with these devices and small, medium, and large-sized organizations transition from Windows 10 to Windows 11, AD to AAD, and Intune to Autopilot to get the most out of Microsoft 365. He specializes in client enterprise design, deployment, performance, reliability, and Microsoft devices. Manuel works with local and international top customers from the private and public sectors to provide professional technical and technological support.

First and foremost, I would like to dedicate this book to my family, especially to my wife, Renate, for her patience and continued support in allowing me the time to research and write this book. She is the reason I can fulfill my dream and follow my passion. I would also like to extend an acknowledgment to all the people who have supported me throughout the writing of this book, especially the technical reviewers, for providing their efforts and time along with keen suggestions and recommendations. Last but not least, I would like to thank the entire Packt Publishing team for their support and guidance throughout the process of writing this book.

Jeff Stokes works at Tanium as a Distinguished Engineer. He’s an author, blogger, gamer, dad, and husband. He has worked in most areas of IT operations in the last 29 years, specializing in Windows debugging and performance analysis. His side interests include SANs, NLP, VDI configuration and optimization, and Windows imaging and deployment.

I want to thank the people in my life who have supported and encouraged my career over the years, including Vince Zolkosky, Carl Luberti, Clint Huffman, Yong Rhee, Mark Rowe, my family and friends, and my wife, Ana.

Steve Miles is a Microsoft security and Azure/hybrid MVP and MCT with over 20 years of experience in security, networking, storage, end user computing, and cloud solutions. His current focus is on securing, protecting, and managing identities, Windows clients, and Windows server workloads in hybrid and multi-cloud platform environments. His first Microsoft certification was on Windows NT and he is an MCP, MCITP, MCSA, and MCSE for Windows and many other Microsoft products. He also holds multiple Microsoft Fundamentals, Associate, Expert, and Specialty certifications in Azure security, identity, network, M365, and D365. He also holds multiple security, networking vendor, and other public cloud provider certifications.

This book is my contribution to the worldwide technical learning community, and I would like to thank all of you who are investing your valuable time in learning new skills and committing to reading this book.

Thomas Lee is a consultant, trainer, and writer from England. He has been in the IT world since the late 1960s and has worked around the world. Thomas was one of the first to discover PowerShell and has written numerous books on the subject. He has worked for a range of small as well as global firms, including Microsoft. He is semi-retired and spends his time with his family.

I love PowerShell and enjoy helping others to see the value of this amazing technology. If you are new to PowerShell, I hope you get to grips with managing Windows 11 using PowerShell.

Richard Diver is a senior technical business strategy manager for the Microsoft Security Solutions group, focused on developing security partners. Based in Chicago, Richard works with advanced security and compliance partners to help them build solutions across the entire Microsoft platform, including Microsoft Sentinel, Microsoft Defender, Microsoft 365 security solutions, and many more. Prior to Microsoft, Richard worked in multiple industries and for several Microsoft partners to architect and implement cloud security solutions for a wide variety of customers around the world. Any spare time he gets is usually spent with his family.

About the reviewer

Anton Romanyuk is an accomplished IT professional with years of experience in enterprise IT. He specializes in Windows devices, virtualization, and automation. Currently, Anton holds the position of cloud solutions architect at Microsoft, where he ensures customers have a great experience with Windows devices at work. Beyond his work at Microsoft, Anton is an enthusiastic and committed media informatics graduate with a strong background in freelance design. He also has a notable history in the indie gaming industry, having co-founded the highly successful Wing Commander Saga: The Darkest Dawn project in 2002. Anton’s dedication to the project was unwavering, and his constant advocacy was instrumental in bringing the project to fruition.

The act of reviewing this book is Anton’s sincere gesture of “giving back” to the IT community, which has imparted a number of techniques to him. Anton considers it his responsibility to share his knowledge with others, as he firmly believes that sharing is the key to community growth. He takes great pleasure in sharing his experiences in such a creative, engaging, and innovative environment as enterprise IT.

Table of Contents

Preface

Chapter 1, Windows 11 – Installation and Upgrading

Selecting the edition and channel version

General Availability Channel (GAC) and support timeline

Long-Term Servicing Channel (LTSC) and support timeline

Recommendations

Hardware requirements for Windows 11

Official (minimum) requirements

CPU limitations

Hardware requirements for additional features

Recommendations for a future-oriented hardware choice

Upgrading to Windows 11

In-place upgrades

Limitations and blockers of an in-place upgrade

Traditional wipe-and-load

An alternative – provisioning package (PPKG)

The modern way – Windows Autopilot

Activation of Windows 11

Classic activation by Multiple Activation Key (MAK) or Key Management Services (KMS)

More modern via Active Directory-based activation

Future-oriented via Windows 10/11 Subscription Activation

Tips and tricks for a smooth in-place upgrade from Windows 8.1 or 10 to Windows 11

Looking up SetupDiag data in case of error/rollback

Integrating cumulative updates into install sources

Updating drivers

Looking at Setupact.log and Setupapi.dev.log

Desktop Analytics and Microsoft Endpoint Manager admin center

Selecting the deployment tools

Summary

Chapter 2, Introduction to PowerShell

What is PowerShell?

Windows PowerShell versus PowerShell 7

Installing PowerShell 7

Keeping PowerShell up to date

The three key pillars of PowerShell

Cmdlets

Objects

The pipeline

PowerShell’s scripting language

PowerShell’s formatting features

Getting help

Modules and commands

Commands

Modules

Discovery

PowerShell and security

Security by default

PowerShell logging

PowerShell script block logging

Module logging

Execution policy

Transcription

Configuring PowerShell

Adding modules

Profiles

Group Policy

Using PowerShell

The PowerShell console

The Windows PowerShell Integrated Scripting Environment (ISE)

Windows Terminal

Microsoft Visual Studio Code

Desired State Configuration

Summary

Chapter 3, Configuration and Customization

Evolution of WaaS

Image customization

Imaging process

Customizing the image

Microsoft Autopilot

BYOD scenarios

Upgrade expectations

Security mitigation

Internet Explorer 11 retired

Windows Store for Business EOL announced

Windows 11 Start and taskbar layout

Audit mode

Tips

Virtual Desktop Infrastructure

SCT

AppLocker and Windows Defender Application Guard (previously MDAC)

Microsoft telemetry

Windows Spotlight

Mandatory user profiles

Summary

Chapter 4, User Account Administration

Windows account types

Account privileges

Local Administrator Password Solution

Creating policies to control local accounts

Password policy

Account lockout policy

Managing user sign-in options

Mobile device management security settings

User Account Control

Privileged Access Workstation

Summary

Chapter 5, Tools to Manage Windows 11

RSAT

Installing the RSAT tools

Updating the RSAT tools

Using the RSAT tools

The Sysinternals tools suite

Downloading the Sysinternals tools suite

Introducing the Sysinternals BGInfo tool

Introducing the Sysinternals PsTools suite

Summary

Chapter 6, Device Management

Evolving business needs

MDM

Changes to GPOs in Windows 10/11

Enterprise- and Education-only GPOs

Known issues when upgrading the central policy store

Known issues with GPPs/GPMC

Servicing and patching

Why CUs?

Update deployment solutions

Windows 10/11 servicing

Summary

Chapter 7, Accessing Enterprise Data in BYOD and CYOD Scenarios

What are the EUC device models?

The bring your own device model

The choose your own device model

Key considerations

Comparing options

Protection and governance options

Identity and access management

Information protection

Device configuration

Application management

Storage sync options

OneDrive for Business

Work Folders

Alternative EUC delivery options

Windows 365 Cloud PC and Azure Virtual Desktop

Enabling virtual private networks

Publishing applications via proxy

End user behavior analytics

Summary

Chapter 8, Windows 11 Security

Introducing security posture

Zero trust

Defense in depth

Ensuring hardware security

TPM

Microsoft Pluton security processor

Windows Defender System Guard

Hypervisor-protected Code Integrity

Ensuring that we operate system security

Introducing Secure Boot and Trusted Boot

Exploring the Windows Security app

Using BitLocker for encryption

Security baselines

Ensuring user identity security

Windows Hello for Business

Microsoft Defender Credential Guard

Summary

Chapter 9, Advanced Configurations

Virtual desktops

On-prem virtual desktop best practices

VDI configurations

The Windows Configuration Designer

Windows 11 Kiosk Mode

Windows Autopilot

The Set up School PCs application

Device lockdown

Windows Subsystem for Linux

Group Policy Editor

Remote Desktop Protocol

Windows Hello and Windows Hello for Business

Windows Firewall with Advanced Security

Hyper-V

Windows Task Scheduler

Enabling BitLocker drive encryption

Storage Spaces Direct

Windows Defender Application Guard

Summary

Chapter 10, Windows 11 21H2 and 22H2 Changes (versus Windows 10)

New Start menu and taskbar

New docking and multi-monitor experiences

New patch file format

“New” security options

Other technical changes in 21H2

Deprecated and removed features in 21H2

Windows 11 22H2 (build 22621)

New security options

Improved Start menu and taskbar

New inclusive features

Windows Studio effects

Further improvements to the size and speed of updates

New Windows Subsystem for Android™️

CI aka Moments

Other technical changes in 22H2

Deprecated and removed features in 22H2

Other changes

Further references for Windows 11 22H2

Summary

Index

Other Books You May Enjoy

Preface

Microsoft’s launch of Windows 11 is a step toward satisfying Enterprise administrator needs for management and user experience customization. With its improvements and continuous developments since the first Windows 10 releases, it represents the latest and most secure Windows version to date. But to make the most of this security, it is necessary to deal with the new requirements and changes of Windows 11. This book provides Enterprise administrators with the knowledge required to fully utilize the advanced feature set of Windows 11 Enterprise. This practical guide shows Windows 11 from an administrator’s point of view.

Who this book is for

If you’re a system administrator tasked with upgrading to Windows 11, then this book is for you. Having deployed and managed previous versions of Windows in the past will help you follow along with this book, but you can also use it as a guide if Windows 11 is your first foray into system administration.

What this book covers

Chapter 1, Windows 11 – Installation and Upgrading, covers concepts and best practices for installing the new Windows 11 to prepare you for the move to Windows 11 in the most feasible way. It covers the new hardware requirements for Windows 11 and discusses different installation options. The chapter shows under which conditions an in-place upgrade is possible. It will also explain the new Lifecycle Policy of Windows 11.

Chapter 2, Introducing PowerShell, provides an introduction to PowerShell/PowerShell 7. The chapter explains the key concepts and shows how you can learn more about PowerShell.

Chapter 3, Configuration and Customization, discusses configuring Windows 11 to your needs, supported customization options, and how to configure Windows 11 for end users.

Chapter 4, User Account Administration, covers the administration of user accounts in Windows 11, including Azure AD, local accounts, and domain accounts usage.

Chapter 5, Tools to Manage Windows 11, discusses two sets of tools that you can use to manage Windows 11 and your Windows Server environment. Remote Server Admin Tools (RSAT) are produced by Microsoft and are available to download and use. The chapter also discusses the Sysinternals tools from Microsoft. Both tool sets are invaluable – and are both free and easy to obtain.

Chapter 6, Device Management, describes the new mobile device management (MDM) capabilities of Windows 10 and 11, discusses caveats of the Windows 10/11 GPO processing, and has a deeper look at patching and servicing, including the deployment solutions of the needed quality and feature updates such as Windows Update for Business, WSUS, MECM (aka SCCM), and third-party solutions.

Chapter 7, Accessing Enterprise Data in BYOD and CYOD Scenarios, covers an understanding of Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) models. You will see and understand how to handle the scenario of user access to corporate data on personally owned Windows 11 devices.

Chapter 8, Windows 11 Security, covers all aspects of Windows 11 security. While you have covered some aspects of security in some of the other chapters in this book, you will look at them collectively and in more detail in this security-focused chapter. If you are a security professional, then this chapter is dedicated to your role and responsibilities in securing Windows 11 in a company.

Chapter 9, Advanced Configurations, goes over a variety of different configurations used in enterprise environments, including VDI, kiosk mode, Autopilot, configuration for schools, Unbranded Boot, and WSL2.

Chapter 10, Windows 11 21H2 and 22H2 Changes (versus Windows 10), gives an overview of all the new features and the numerous changes of the first two Windows 11 versions compared to the previous Windows 10 versions. This chapter is intended to give an overview of all the new features you should take a look at. It is a good start to familiarize yourself with the new features.

To get the most out of this book

We recommend that you install and activate a copy of Windows 11 Enterprise in a test environment. An Active Directory domain is required in order to test new Group Policy options. An Azure subscription is required to test the following features covered in this book:

Azure Active Directory domain join
Microsoft Intune for device management and Autopilot
Security Center for Microsoft Endpoint Protection (MDE)

You may also want a Microsoft 365 E5 trial subscription to see the full potential and complete integration.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “You can check SLAT availability via coreinfo.exe -v from Sysinternals Suite.”

A block of code is set as follows:

Install-Script -Name Get-WindowsAutoPilotInfo -Force
Get-WindowsAutoPilotInfo -OutputFile AutoPilotInfo.csv

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

PowerShell.exe -ExecutionPolicy Bypass
Install-Script -name Get-WindowsAutopilotInfo -Force
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Get-WindowsAutoPilotInfo -Online

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "From Windows 11, you can use the Microsoft Store and search for PowerShell 7."

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Windows 11 for Enterprise Administrators, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application. 

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/9781804618592

Submit your proof of purchase
That’s it! We’ll send your free PDF and other benefits to your email directly

Chapter 1, Windows 11 – Installation and Upgrading

In this chapter, you will learn the concepts and best practices for installing the new Windows 11 to prepare you for the move to Windows 11 in the most feasible way. We will cover the new hardware requirements for Windows 11 and look at different installation options, such as the classic and well-known wipe-and-load option, the frequently used in-place upgrade option, and the more modern Windows Autopilot option.

This chapter demonstrates the conditions under which an in-place upgrade is possible. It will explain the new Modern Lifecycle Policy of Windows 11 and what effect it has on the older Windows 10. We will provide decision support for choosing the right channel (annual or LTSC). Additionally, we will show which activation options are available in an enterprise environment. We will round this chapter off with tips and tricks for a smooth in-place upgrade.

In this chapter, we will cover the following topics:

Differences between the annual channel and Long-Term Servicing Channel
Risks and support lifecycles of the channels
Hardware requirements for Windows 11
Deployment methods: in-place upgrade, provisioning, and Autopilot
Limitations and blockers of an in-place upgrade
Problems with the traditional wipe-and-load method
Activation options in an enterprise environment
Tips and tricks for a smooth in-place upgrade from 8.1, 10, or 11 [21H2] to the latest 11 [22H2]
Selecting the correct deployment tool

Selecting the edition and channel version

Windows 11 is available in different stock-keeping units (SKUs) (also known as editions) besides the Home edition, which doesn’t play a role in the professional environment. Other available editions include Pro, Pro for Workstation, Education, Enterprise, and Enterprise LTSC. For business use, you should go with Enterprise or Pro/Pro for Workstation, depending on your licensing.

There are also other special editions, such as the Team edition, which is installed on the Surface Hub, the Holographic edition, which runs on Microsoft Hololens, and the IoT Enterprise edition, which is a variation of Enterprise LTSC in terms of licensing, but not in terms of bits and bytes.

In addition, there is a new SE for Education version, which is a kind of “Windows 11 light” with a reduced hardware floor for cost-effective devices in education. There are also SKUs such as Multi-Session, other special SKUs, and regional variants (N/KN/China); however, these are not within the scope of this book.

An explicit Windows 11 S edition is no longer offered. S mode is only available in the Home edition as an option. If you have Windows 10 installed, for example, if you’re in Pro with S mode and want to do an in-place upgrade, you must first exit S mode and then see the Limitations and blockers of an in-place upgrade section of this chapter.

Important note for enterprise customers

There are no special licensing requirements for Windows 11 beyond those for Windows 10 devices.

Microsoft 365 licenses that include Windows 10 licenses allow you to run Windows 11 on supported devices. If you have a volume license, it covers Windows 11 and Windows 10 devices equally, before and after the upgrade.

Home users can currently upgrade from Windows 10 to Windows 11 for free.

General Availability Channel (GAC) and support timeline

Windows 10’s new “Windows-as-a-service” concept is continued with Windows 11, and you can choose between two main flavors. All Home, Pro, Pro for Workstation, Enterprise, and Education SKUs are available in the regular updating channel, which is now called the General Availability Channel (GAC).

In addition, the Long-Term Servicing Branch (LTSB) was renamed the Long-Term Servicing Channel (LTSC) in 2018. LTSC is only available for the Enterprise SKU. More details on the LTSC are in the next section.

In 2015, the early days of Windows 10, the regular updating version was known as the Current Branch (CB) and in 2017 was renamed the Semi-Annual Channel (SAC). For a while, there was also the Current Branch for Business (CBB), which was supposed to symbolize the status of Enterprise Ready for the current Windows 10 edition. The name CBB was retired without replacement a long time ago.

Also, the term Semi-Annual Channel (Targeted), which was supposed to help with piloting, has disappeared in the meantime.

With the release of Windows 11, the release cadence was decreased from semi-annual to annual, so the spring release was dropped. For internal and logistical reasons, the decision was made to release in the second half of the year (aka H2) from now on. Until further notice, a new version will be published annually, in the second half of the year.

In addition to this change, the support periods have now been increased from 18 months (Consumer edition and Spring edition for corporate customers) and 30 months (Fall edition for corporate customers) to 24 (consumer) and 36 (enterprise) months, respectively. Reflecting these changes, the channel previously named the Annual Channel is now known as the General Availability Channel (GAC), which is the channel used for software updates.

We are pleased that Windows 10, beginning with 21H2, will also only be released in an annual cadence from now on. These decisions help enterprise customers with the transition to Windows 11. Future annual Windows 10 versions are also planned for the second half of the year; however, the support period for Windows 10 will not change.

The first Windows 11 version was technically Windows 11, version 21H2, and was released in October 2021, carrying the build number 22000. Build numbers are currently the only way to clearly differentiate Windows 10 and Windows 11 and distinguish the different yearly releases from one another. We’ll explore this more in a later section.

To have less confusion between Windows 10, version 21H2 and Windows 11, version 21H2, it was decided to market the latter as simply Windows 11 in the beginning. Microsoft then changed the name of the release back to Windows 11, version 21H2 with the release of Windows 11, version 22H2 to enable differentiation between the two versions.

Windows 11, version 22H2 is the second version of Windows 11 and was released in September 2022. The build number of the latest edition is 226xx. If you come across a build number of 25xxx or greater, these are the first Insider builds of the 2024 (or later version) development branch.
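As an added example (not code from the book) of the build-number distinction described above, the following PowerShell reads the version values from the registry and maps the build number to the release families named in the text. The registry path and value names are the standard ones under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion; the thresholds (22000 for 21H2, 226xx for 22H2, 25xxx and above for Insider builds) are the ones stated in the text, and the EditionID check for LTSC (an EditionID beginning with EnterpriseS) is an assumption drawn from how that edition identifies itself rather than something the chapter states.

```powershell
# Added example, not part of the book. Maps a Windows build number to the
# release families described in the text and reads the live values from the
# registry. Thresholds from the text: 22000 = Windows 11 21H2, 226xx =
# Windows 11 22H2, 25xxx and above = Insider (development branch).

function Get-WindowsReleaseFamily {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$Build)

    if ($Build -ge 25000)                       { return 'Windows 11 Insider (development branch)' }
    if ($Build -ge 22600 -and $Build -lt 22700) { return 'Windows 11, version 22H2 (226xx)' }
    if ($Build -eq 22000)                       { return 'Windows 11, version 21H2' }
    if ($Build -gt 22000)                       { return 'Windows 11 (build not covered in this chapter)' }
    return 'Windows 10 or earlier'
}

function Get-WindowsBuildInfo {
    [CmdletBinding()]
    param()

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $v   = Get-ItemProperty -Path $key

    # DisplayVersion ("22H2") exists from Windows 10 20H2 onward; older builds
    # only carry ReleaseId ("1909"), so fall back to that.
    $displayVersion = if ($v.PSObject.Properties['DisplayVersion']) { $v.DisplayVersion } else { $v.ReleaseId }

    [pscustomobject]@{
        # ProductName still reads "Windows 10 ..." on Windows 11 systems, which is
        # exactly why the text treats the build number as the only reliable discriminator.
        ProductName    = $v.ProductName
        EditionID      = $v.EditionID
        DisplayVersion = $displayVersion
        Build          = [int]$v.CurrentBuild
        UBR            = [int]$v.UBR          # cumulative update revision, e.g. 22621.2283
        Family         = Get-WindowsReleaseFamily -Build ([int]$v.CurrentBuild)
        # Assumption: LTSC identifies itself through an EditionID starting with
        # "EnterpriseS" (IoT Enterprise LTSC uses "IoTEnterpriseS"); both are flagged.
        IsLTSC         = ($v.EditionID -like 'EnterpriseS*' -or $v.EditionID -like 'IoTEnterpriseS*')
    }
}

# Usage on the local machine:
Get-WindowsBuildInfo | Format-List
```

Get-WindowsReleaseFamily is kept separate from the registry read so the same classification can be applied to build numbers collected from an inventory export, where the ProductName column alone will not tell Windows 10 and Windows 11 devices apart.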

This annual channel is the recommended channel for most enterprise customers and standard Office PCs. Office 365 is fully supported on the annual channel.

In the annual channel model, the system is updated yearly. As soon as a new version is available, it will be rolled out to all Windows 11 installations, which will get their updates directly from Windows Update (WU) or Windows Update for Business (WufB) online. The rollout will be done in stacked waves.

If you want to postpone such a rollout, you need to defer feature updates, which is an option only available in Pro, Pro for Workstation, Enterprise, and Education. You can defer updates per Group Policy Object (GPO) (Windows Components | Windows Update | Manage updates offered from Windows Update) when using WU for up to 365 days.

Please refer to the GPOs Select the target Feature Update version and Select when Preview Builds and Feature Updates are received. (See https://packt.link/sY5tr and https://packt.link/G5EIm.)
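The two policies just named (deferring feature updates for up to 365 days and pinning a target feature update version) are stored by Group Policy as Windows Update for Business values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The PowerShell below is an added example, not the book’s code: it audits those values on a device and can write them locally on a lab machine, enforcing the 365-day maximum stated in the text. The value names (DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays, TargetReleaseVersion, ProductVersion, TargetReleaseVersionInfo) are the documented policy registry values behind these GPOs; on a domain-joined or MDM-managed device the central policy overwrites whatever is set locally at the next refresh, so the Set function is only useful for verifying behaviour in a test environment.

```powershell
# Added example, not part of the book. Audits and (for lab devices) sets the
# registry-backed Windows Update for Business values that correspond to the GPOs
# "Select when Preview Builds and Feature Updates are received" and
# "Select the target Feature Update version".

$script:WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-FeatureUpdatePolicy {
    [CmdletBinding()]
    param()

    # Missing key or values simply read as $null here; no policy means no deferral.
    $p = Get-ItemProperty -Path $script:WuPolicyKey -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        DeferralEnabled = [bool]$p.DeferFeatureUpdates
        DeferralDays    = [int]$p.DeferFeatureUpdatesPeriodInDays
        TargetPinned    = [bool]$p.TargetReleaseVersion
        TargetProduct   = $p.ProductVersion            # "Windows 10" or "Windows 11"
        TargetVersion   = $p.TargetReleaseVersionInfo  # e.g. "22H2"
        Finding         = 'OK'
    }

    # An unmanaged device takes every feature update as soon as a rollout wave reaches
    # it; a pinned version without a product leaves Windows 10 vs. 11 ambiguous.
    if (-not $result.DeferralEnabled -and -not $result.TargetPinned) {
        $result.Finding = 'No deferral and no target version: device follows the rollout waves'
    } elseif ($result.TargetPinned -and -not $result.TargetProduct) {
        $result.Finding = 'Target version set without ProductVersion: ambiguous between Windows 10 and 11'
    }
    return $result
}

function Set-FeatureUpdatePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 365)] [int] $DeferralDays = 365,   # 365 is the maximum the GPO allows
        [ValidateSet('Windows 10', 'Windows 11')] [string] $TargetProduct = 'Windows 11',
        [ValidatePattern('^\d{2}H[12]$')] [string] $TargetVersion = '22H2'
    )

    if (-not (Test-Path $script:WuPolicyKey)) {
        New-Item -Path $script:WuPolicyKey -Force | Out-Null
    }

    $target = "$script:WuPolicyKey (defer $DeferralDays days, pin $TargetProduct $TargetVersion)"
    if ($PSCmdlet.ShouldProcess($target, 'Write feature update policy values')) {
        $dwords = @{
            DeferFeatureUpdates             = 1
            DeferFeatureUpdatesPeriodInDays = $DeferralDays
            TargetReleaseVersion            = 1
        }
        foreach ($name in $dwords.Keys) {
            New-ItemProperty -Path $script:WuPolicyKey -Name $name -PropertyType DWord -Value $dwords[$name] -Force | Out-Null
        }
        New-ItemProperty -Path $script:WuPolicyKey -Name ProductVersion -PropertyType String -Value $TargetProduct -Force | Out-Null
        New-ItemProperty -Path $script:WuPolicyKey -Name TargetReleaseVersionInfo -PropertyType String -Value $TargetVersion -Force | Out-Null
    }
}

# Usage (elevated session): audit first, then preview a change with -WhatIf.
Get-FeatureUpdatePolicy
Set-FeatureUpdatePolicy -DeferralDays 180 -TargetProduct 'Windows 11' -TargetVersion '22H2' -WhatIf
```

Run Get-FeatureUpdatePolicy across a fleet (for example through Invoke-Command) before a Windows 11 rollout: the Finding column shows which devices would take the upgrade as soon as the wave reaches them and which are pinned to a version that the rollout plan does not expect.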

With Microsoft Intune Modern Device Management (MDM), you have more granular settings under Devices | Windows | Feature updates for Windows 10 and later. In addition to the available ASAP option, there is also the possibility to define a specific time for the global rollout as well as a gradual rollout with a start date, end date, and the number of days between these auto-created groups.

Figure 1.1 – Intune feature update deployment settings

A new cloud service called Windows Autopatch is now generally available. It automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates, and can help with automatically patching the devices in waves driven by automatic issue detection for pausing and rollback. Learn more about this new option at https://packt.link/SWVXs.

In on-premises environments, you can directly defer feature updates inside your Windows Server Update Service (WSUS), Microsoft Endpoint Configuration Manager (MECM aka SCCM), or third-party deployment solution for an even longer time frame. For more information, see Chapter 6, Device Management.

Long-Term Servicing Channel (LTSC) and support timeline

Since 2021, the Long-Term Servicing Channel (LTSC) has only had a five-year support time frame, which is the same time frame as former Windows releases. During this five-year time frame, the LTSC will get security and quality updates, but no feature updates. Stability and not breaking anything are the critical focus points of updates during this time frame.

LTSC versions are only available as Windows 10/11 Enterprise LTSCs. So, if you do not have Windows 10 or 11 Enterprise, you won’t qualify for LTSC. The version always contains a year in its name. LTSB/LTSC versions are referenced as Windows 10 Enterprise LTSB 2015, LTSB 2016, and so on. Since the change to LTSC, they are known as LTSC 2019, with the latest version being LTSC 2021. New LTSC releases are planned typically every two or three years.

To get new features, you will need to install a newer LTSC version. Microsoft never publishes feature updates through Windows Update on devices that run Windows 10/11 Enterprise LTSC.

No LTSC version for Windows 11 has been released yet. The last LTSC version was released in 2021 and is still a Windows 10 edition (technically corresponding to Windows 10 21H2). Upon release of the LTSC 2021 edition, the maximum support period was also shortened from 10 to 5 years, meaning that from now on, this and all future LTSC versions will only be supported for a maximum of five years. The former 2015, 2016, and 2019 releases will have 10 years of support.

According to an announcement via the Microsoft Tech Community, an LTSC version based on Windows 11 is not planned until 2024.
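Because LTSC devices never receive feature updates through Windows Update, an administrator usually wants to know which devices in the fleet are on the long-term channel before planning a refresh. The following PowerShell snippet is an added example (not code from the book) that classifies the local installation from the registry. It assumes, as Microsoft's edition naming does, that the EditionID values EnterpriseS and EnterpriseSN denote the Enterprise LTSC/LTSB editions and that the year appears in ProductName.

```powershell
# Added example (not from the book): classify the local Windows installation as
# LTSC/LTSB or General Availability Channel from the CurrentVersion registry key.
# Assumption: EditionID 'EnterpriseS' / 'EnterpriseSN' are the Enterprise LTSC/LTSB
# editions, and ProductName carries the release year (e.g. "... Enterprise LTSC 2021").
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Note: ProductName still reads "Windows 10 ..." on Windows 11 builds, so the
# major version is derived from the build number (22000 and later = Windows 11).
$build = [int]$cv.CurrentBuildNumber

$info = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    ProductName    = $cv.ProductName
    EditionID      = $cv.EditionID
    WindowsVersion = if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }
    DisplayVersion = $cv.DisplayVersion      # e.g. 21H2 / 22H2; absent on very old builds
    Build          = "$($cv.CurrentBuildNumber).$($cv.UBR)"
    IsLTSC         = $cv.EditionID -in @('EnterpriseS', 'EnterpriseSN')
}

if ($info.IsLTSC) {
    # Pull the LTSB/LTSC year out of the product name for inventory reports.
    $year = [regex]::Match($info.ProductName, 'LTS[BC]\s*(\d{4})').Groups[1].Value
    $info | Add-Member -NotePropertyName LTSCRelease -NotePropertyValue $year
    Write-Warning "LTSC device ($($info.ProductName)): new features arrive only with a newer LTSC image."
}

$info | Format-List
```

Run it per device (for example through a remote session or as a detection script in your management tool) and collect the IsLTSC and LTSCRelease fields; devices reporting LTSC 2021 or earlier are the ones whose support window and CPU coverage need the separate planning discussed in this section.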

IT pros who are getting nervous when reading about the former two updates per year in the SAC now becoming once a year in the GAC may be tempted to select the LTSC as it looks like all the previous Windows versions’ support strategies at first glance. However, there are several risks and limitations when choosing the LTSC.

The LTSC was designed for specialized systems such as controlling medical equipment, point-of-sale systems, and ATMs. These devices typically perform a single important task and don’t need feature updates as frequently as other devices.

Microsoft’s statement from the LTSC documentation

The LTSC is not intended for deployment on most or all of the devices in an organization; it should be used only for special-purpose devices. As a general guideline, a device with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the GAC (https://packt.link/WHc6o).

Maximum compatibility, reliability, and stability are the key focuses of the LTSC, which makes changes to the kernel and system less possible. Using MS Office and other products on your system that require changes to the system would block a patch. Therefore, you could end up in a situation where the only workaround would be waiting for the next (fixed) LTSC or changing to the GAC in the meantime.

In the LTSC version, some programs (modern apps) are removed or replaced by the older legacy Win32 apps (for example, Calculator and Notepad are replaced, and Edge and others are missing) compared to a SAC/GAC version. In the LTSC version, modern apps (APPX) are not supported for sideloading (even if technically possible). Official note from Microsoft on this topic:

Microsoft’s note on the support of APPX on the LTSC

The LTSC is available only in the Windows 10 Enterprise LTSC editions. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge (classic), Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in the Enterprise LTSC editions, even if you install using sideloading. (https://packt.link/jEDVo.)

In 2020, Microsoft also updated its Office 365 system requirements, and as of January 2020, Office 365 is no longer supported on any Windows 10/11 LTSC/LTSB release. If you plan to use an LTSC version, you will also need to use an LTSC version of Office (for example, Office 2021 LTSC). An explanation of this topic can be found in the following Microsoft article: https://packt.link/PbAFR.

Silicon support policy and the LTSC problem – a potential risk with CPU availability and newer CPU generations

Besides the matter of app support, there are also important things to note on the hardware compatibility of future CPU generations in the LTSC.

Microsoft’s note on LTSC CPU support

LTSC releases will support the currently released processors and chipsets at the time of the release of the LTSC. As future CPU generations are released, support will be created through future LTSC releases that customers can deploy for those systems. For more information, see Supporting the latest processor and chipsets on Windows in Lifecycle support policy FAQ - Windows Products: https://packt.link/pcVgo and https://packt.link/oWgse.

At the time of the LTSC 2021 release, the latest processor families in 2021 were Intel’s Alder Lake (12th Gen) and AMD’s Zen 3 platforms. Newly released processors such as AMD Zen 4 or Intel Raptor Lake (13th Gen) are not guaranteed to be supported on LTSC 2021 as they may need modifications to the kernel and the system, and this conflicts with the maximum reliability and compatibility goals. Each new CPU generation will be decided on a case-by-case basis depending on the changes needed to the system. The decision will be communicated as soon as the CPU generations are officially released.

So, even if AMD’s Zen 4 and Intel’s Raptor Lake get support in LTSC 2021, you can end up with the next CPU generation (Zen 4+ or Meteor Lake (14th Gen)) without support in your LTSC 2021 and may need to wait for LTSC 2024 or switch to the GAC version. This will significantly impact your five-year usability of the LTSC.

The supported CPU generations for each Windows version are documented at https://packt.link/cmIWa.

Further limitations of the LTSC

The LTSC has some more important limitations:

Limited in-place upgrade support: Since 1607/LTSB 2016, an in-place upgrade from LTSB/LTSC to an equivalent or newer SAC/GAC is supported. However, an in-place upgrade from a previous OS (Win 7/8.1) to LTSC, or the change from SAC/GAC to LTSC, is still not supported and is not planned for the future.

No suitable hardware support: You may also find yourself in a situation where the CPU generations supported by the current LTSC version are no longer available as new devices, but the future LTSC version with the appropriate support for these CPU generations has not been released either, so you have an image but no suitable hardware.

Although it would be possible to circumvent these limitations by procuring sufficient supported hardware and stockpiling replacement devices, this would involve additional costs. Also, people might now say lightly that they don’t need the in-place upgrade anyway. However, I have already seen several companies maneuver themselves into dead ends because they suddenly needed this feature and could only perform a time-consuming wipe-and-load. This leads us to our LTSC deployment recommendations.

Recommendations

With all the limitations and caveats of LTSC, it is best to stay with the GAC for most of your PCs. Use the LTSC only in situations where long-term maintenance is essential, such as in production lines, point-of-sale systems, and medical control systems. Most enterprise customers decide to roll out the GAC on their main general-purpose systems, and so should you.

Hardware requirements for Windows 11

In many ways, Windows 11 represents an innovation, coming six years after the release of Windows 10. Not only is it a major release for the first time since Windows 8.1, which causes support for several older CPU generations to expire, but it also represents a milestone on the client level with the end of 32-bit support. What we are already used to on the server side beginning with Server 2008 (Server 2008 was the first server OS offered as a 64-bit version only) will now also become standard for client operating systems. Windows 11 and all future versions will only be released as 64-bit (also on the ARM side). More details about the reasons for this CPU decision can be found in the CPU limitations section further on in this chapter.

Official (minimum) requirements

There are other important system requirements that can also be a stumbling block, such as UEFI, TPM 2.0, and so on. Therefore, let’s take a closer look at the minimum requirements from https://packt.link/KJFRa.

Processor: 1 gigahertz (GHz) or faster with two or more cores on a compatible 64-bit processor or System on a Chip (SoC).

RAM: 4 GB.

Storage: 64 GB or larger storage device.

System firmware: UEFI, Secure Boot capable.

TPM: Trusted Platform Module (TPM) version 2.0 or Pluton Security Module.

Graphics card: Compatible with DirectX 12 or later with a WDDM 2.0 driver.

Display: High-definition (720p) display that is greater than 9” diagonally, 8 bits per color channel.

Internet connection: Windows 11 Home edition requires internet connectivity and a Microsoft account. For all Windows 11 editions, internet access is required to perform updates and to download and take advantage of some features. A Microsoft account is required for some features.

S mode support: S mode is supported only by the Windows 11 Home edition. If you are running another edition of Windows 10 in S mode, you must first switch out of S mode before upgrading to 11. Switching a device out of Windows 10 in S mode also requires an internet connection.

Table 1.1 – Minimum Windows 11 requirements

Let’s walk through these values together and give complimentary notes on each.

We have dedicated a separate section called CPU limitations to the topic of Windows 11 processors.

Windows 11 requires at least 4 GB of memory, but this is the minimum required only for basic functions. Application programs can have higher requirements, and some Windows 11 functions have significantly higher requirements as well. For example, Application Guard for Edge requires at least 8 GB of RAM, so on a device with only 8 GB, running several application programs will very quickly leave too little free memory to start Application Guard for Edge. If you use Application Guard for Office, you should instead plan for 16 GB in order to run it performantly, because in this case a 600-800 MB virtualization container and the virtualized Office output are executed on the host operating system in addition to Windows 11 and Office.

The 64 GB storage represents a doubling of the previous Windows 10 specification of 32 GB. The OS has not grown significantly, but we have noticed that with only 32 GB of storage, problems with insufficient disk space for the in-place upgrade occur disproportionately often. Even the specified 64 GB is still very ambitious, and you should not install too much extra on this OS partition or activate storage-heavy Windows 11 functions such as the Application Guard container, Windows Subsystem for Linux, Windows Subsystem for Android, Windows Sandbox, or similar. Therefore, 128 GB should be the minimum storage requirement, and we recommend 256 GB or 512 GB for office PCs. More about this is coming up in the Recommendations for a future-oriented hardware choice section.

Windows 11 requires a UEFI firmware that (if still switchable between legacy mode and UEFI mode) runs in pure UEFI mode. Note that legacy mode is often referred to as BIOS mode or CSM mode. The UEFI mode must also support Secure Boot, and Secure Boot needs to be enabled. This disqualifies early UEFI implementations from the Windows 7 era, as UEFI 2.3.1 Standard or higher is required, which premiered with Windows 8. Windows 7 was not 100% compatible with UEFI Graphics Output Mode (GOP): you could install Windows 7 on such UEFI 2.3.1 computers in UEFI mode, and maybe you still got the startup sound, but then you had a black screen. Since UEFI must be on for a supported in-place upgrade, a direct in-place upgrade from Windows 7 to 11 is out of the question. We will describe a possible workaround in the In-place upgrades section.

Windows 10 already required Trusted Platform Module (TPM) 1.2 as a minimum for many security functions, but TPM 2.0 was already required for some important functions to be able to activate these functions. However, these security features were not mandatory and Original Equipment Manufacturers (OEMs) still had the option to offer Windows 10-compatible logo devices without TPM. Since the cyber threat situation is getting worse, and Microsoft has moved the goals of Zero Trust and security from the chip to the cloud, it is only logical to activate some of these important security features by default for new installations and to require TPM 2.0 for them.

There is an attack vector where the communication between the CPU and the dedicated TPM chip can be eavesdropped on. In the past, TPM firmware updates were sometimes slow to be rolled out by the OEMs, or older devices were completely forgotten by them. Therefore, Microsoft has addressed these weak points with the optional Pluton security chip, which is integrated directly into the CPU and can receive firmware updates directly from Microsoft. Find out more about the Pluton chip in Chapter 8, Windows 11 Security, and at Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs (https://packt.link/jtBtx).

The requirements for graphics cards and minimum display resolution should be fulfilled by current hardware. Certain Windows 11 functions, such as 3-column snap, require at least 1,920 pixels. There will be more about this in the Hardware requirements for additional features section.

The internet requirement and the necessary Microsoft account only apply to consumer editions. However, some Windows 11 functions may require internet access or have limited functionality without the internet.

There are several ways to remove the limitations of CPU and TPM compatibility. Besides various tinkering solutions that modify the setup files, intervene live in the setup process, or perform other unrecommended hacks, there is also the possibility to remove these limitations via a registry key. In the meantime, this registry key (AllowUpgradesWithUnsupportedTPMOrCPU) has been officially documented by Microsoft. However, Microsoft points out clearly that by circumventing the minimum requirements, you take on the risk of possible limited functionality, crashes, instabilities, and other problems. In addition, such systems do not receive any support from Microsoft, and it is not guaranteed that future Windows 11 updates can be installed.

Therefore, it is strongly advised not to override these minimum system requirements on production systems. This option is only for a test lab scenario at most. Computers that do not meet the minimum requirements will also be watermarked in the future. Computers that do not meet the minimum requirements of Windows 11 can continue to run Windows 10 until October 2025.
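To turn the walkthrough above into something you can run against a fleet, here is an added PowerShell readiness check (example code, not from the book or from Microsoft's own PC Health Check). It tests the official minimums for CPU width/clock/cores, RAM, system disk size, UEFI with Secure Boot, and TPM 2.0, and it also reports whether the documented AllowUpgradesWithUnsupportedTPMOrCPU override is present, so that bypassed lab builds can be spotted before they drift into production. It assumes an elevated session (Get-Tpm and Confirm-SecureBootUEFI need administrator rights) and the registry location HKLM\SYSTEM\Setup\MoSetup, which is where Microsoft's documentation places that value; the processor model itself still has to be compared against Microsoft's published lists, which this script does not attempt.

```powershell
# Added example (not from the book): audit a device against the Windows 11 minimum
# requirements from Table 1.1 and flag the documented hardware-check override.
# Run elevated. Thresholds are the official minimums; the book's higher RAM/storage
# recommendations (8/16 GB, 128 GB+) are deliberately not enforced here.

$results = [ordered]@{}

# CPU: 64-bit, at least 1 GHz, at least two cores. Membership of the supported
# processor list is NOT checked; compare $cpu.Name with Microsoft's list manually.
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$results['CPU 64-bit']       = $cpu.AddressWidth -eq 64
$results['CPU >= 1 GHz']     = $cpu.MaxClockSpeed -ge 1000      # MaxClockSpeed is in MHz
$results['CPU >= 2 cores']   = $cpu.NumberOfCores -ge 2

# RAM: 4 GB minimum
$ramGB = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB
$results['RAM >= 4 GB']      = $ramGB -ge 4

# Storage: 64 GB system disk minimum
$sysLetter = $env:SystemDrive.TrimEnd(':')
$vol = Get-Volume -DriveLetter $sysLetter
$results['System disk >= 64 GB'] = ($vol.Size / 1GB) -ge 64

# Firmware: pure UEFI boot with Secure Boot turned on.
# $env:firmware_type is 'UEFI' or 'Legacy'; Confirm-SecureBootUEFI throws on legacy boot.
$results['UEFI boot']        = $env:firmware_type -eq 'UEFI'
try   { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot enabled'] = $false }

# TPM: present, ready, and reporting spec version 2.0 (Win32_Tpm.SpecVersion looks
# like "2.0, 0, 1.38"; Pluton devices also surface as a TPM 2.0 here).
$tpm = Get-Tpm
$tpmSpec = (Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
$results['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
$results['TPM 2.0']          = $tpmSpec -like '2.0*'

# Override detection: a value of 1 means setup was told to skip the TPM/CPU checks,
# which Microsoft describes as unsupported; treat it as a finding on managed devices.
$bypass = Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup\MoSetup' `
            -Name AllowUpgradesWithUnsupportedTPMOrCPU -ErrorAction SilentlyContinue
$results['Override key NOT set'] = -not ($bypass -and $bypass.AllowUpgradesWithUnsupportedTPMOrCPU -eq 1)

$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
$overall = -not ($results.Values -contains $false)
"Overall: " + $(if ($overall) { 'meets Windows 11 minimums' } else { 'does NOT meet Windows 11 minimums' })
```

A FAIL on the UEFI or Secure Boot lines usually means the device still boots in legacy/CSM mode, which is the case the book calls out for Windows 7-era hardware; a FAIL on the override line means someone has already applied the unsupported registry workaround and the device should be rebuilt or kept out of production.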

CPU limitations

It gets a bit more complicated with the CPU since there is a dedicated compatibility list as well as the basic requirements of a minimum of 1 GHz, 64-bit compatibility, and two cores.

Currently, this list roughly includes all Intel CPUs beginning with the 8000 series (Coffee Lake) and similar, as well as AMD CPUs beginning with the Ryzen 2000 series (ZEN 2) and similar. The list has been extended for the Intel 7000 generation: the X and W Xeons and the 7820HQ variants are now also allowed, but only if modern managed drivers are used, that is, only Declarative Componentized Hardware (DCH)-supported drivers, as used, for example, in the Surface Studio 2.

An extension of this list to older CPUs is currently not under discussion.

The most up-to-date lists for each client OS can be found under Windows Processor Requirements: Intel processors supported under Windows 11 | Microsoft Docs: https://packt.link/P5loz.

There are dedicated lists of supported Intel, AMD, and Qualcomm processors for Windows 11 [21H2] and Windows 11 22H2, respectively (as well as the older client OS and server OS). As soon as new versions of Windows 10 and 11 are released, this list will be updated.

Unfortunately, this limitation of the CPUs was communicated to the public very late. But how did this CPU selection come about?

Here are some of the reasons and decisions that led to this list. Among other things, the Microsoft team conducted evaluations around crashes and reliability. It was noticed that older systems had significantly higher crash rates than newer systems. Whether this was caused by outdated BIOS versions, the subsequent changes by Spectre and Meltdown mitigations, older/poorly maintained OEM drivers, or other reasons, was not specified.

In addition to ensuring system stability, system performance emerged as another crucial factor. Windows 11 mandates the default activation of several security features, notably Virtualization-Based Security (VBS) along with Hypervisor-Protected Code Integrity (HVCI). This led to the collection of relevant telemetry data throughout the Insider Preview phase. It’s noteworthy that HVCI, when executed without compatible hardware support, can result in a substantial slowdown of individual system calls, potentially ranging from 600% to 800%. The essential hardware compatibility required for optimal HVCI operation is provided by what’s known as Mode-Based Execution Control (MBEC). MBEC was initially introduced with Intel’s seventh-generation Kaby Lake CPUs and AMD’s Zen 2 CPUs. As a result, processors preceding this architecture, such as Intel’s sixth-generation and AMD’s Zen 1 generation, as well as earlier generations, lack the MBEC capability and were thus excluded from this feature. After careful examination of the accessible data, the decision was made to grant unrestricted support exclusively to Intel’s eighth-generation processors. Additionally, support was extended to certain model series within the seventh generation, but only when utilizing DCH drivers.

As mentioned earlier, these specifications represent the bare minimum. To take full advantage of all the security features currently available in Windows 11, you’ll need an Intel processor from the eleventh generation or newer, or an AMD processor from the Zen 3 generation or newer. Additionally, certain optional Windows 11 features might necessitate a more powerful CPU than what’s specified as the minimum requirement.
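The MBEC discussion above is something you can verify on a running machine rather than infer from the CPU model. The following PowerShell is an added example (not from the book) that reads the Win32_DeviceGuard WMI class to show whether VBS and HVCI are actually running and whether the platform reports Mode Based Execution Control. It assumes the numeric codes Microsoft documents for that class (AvailableSecurityProperties value 7 is MBEC, SecurityServicesRunning value 2 is HVCI, VirtualizationBasedSecurityStatus 2 means running); the label table for the other property codes is reproduced from that same documentation.

```powershell
# Added example (not from the book): report VBS/HVCI state and MBEC availability
# from the Device Guard WMI class. Codes below follow Microsoft's documented
# Win32_DeviceGuard value mappings (assumption stated in the lead-in).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
    0       { 'Not enabled' }
    1       { 'Enabled but not running' }
    2       { 'Running' }
    default { "Unknown ($_)" }
}

# Hardware security properties the platform advertises to Device Guard.
$propertyNames = @{
    1 = 'Base virtualization support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control (MBEC)'
}
$available = @($dg.AvailableSecurityProperties) | ForEach-Object {
    if ($propertyNames.ContainsKey([int]$_)) { $propertyNames[[int]$_] } else { "Code $_" }
}

$hvciRunning = 2 -in @($dg.SecurityServicesRunning)
$mbec        = 7 -in @($dg.AvailableSecurityProperties)

[pscustomobject]@{
    VBS                 = $vbsStatus
    HVCIRunning         = $hvciRunning
    MBECAvailable       = $mbec
    AvailableProperties = ($available -join ', ')
} | Format-List

# HVCI without MBEC is the combination the text associates with a 600-800 %
# slowdown of affected system calls, so surface it as a performance finding.
if ($hvciRunning -and -not $mbec) {
    Write-Warning 'HVCI is running without MBEC: expect the system-call slowdown described above.'
}
```

On a Coffee Lake or Zen 2 (and later) machine with HVCI enabled you should see MBECAvailable set to True; on sixth-generation Intel or Zen 1 hardware that has been forced onto Windows 11 it will read False, which is exactly the configuration the processor list was designed to keep out of general support.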