Update: Microsoft has killed the registry hack to get the Win10 start menu. The Win11 start menu is so bad I had to revert to Win10. Hopefully they fix it.
On June 24, Microsoft officially announced Windows 11 to great fanfare. For the last few years, Microsoft has cultivated Windows 10 into a productivity powerhouse, adding features like Windows Subsystem for Linux, Windows Sandbox, App Guard and more. They have also created a whole ecosystem of GUI controls that are equally happy with mouse and 10-touch input. Windows Defender has moved into Azure to scale up their anti-malware recognition capabilities, and OneDrive has become an integral part of many people's workflow on Windows. Throw in some niceties like Windows Terminal and WinGet and you have the most capable operating system around.
Microsoft started requiring OEMs to ship systems with TPM 2.0 and Secure Boot enabled by default. Together, these two features use hardware-level cryptography to ensure that the UEFI layer and the Windows bootstrapping mechanisms haven't been tampered with, reducing the likelihood of a rootkit infesting your system.
Here's how Windows utilizes Secure Boot to protect your system.
Secure Boot start sequence
- After the PC is turned on, the signature databases are each checked against the platform key.
- If the firmware is not trusted, the UEFI firmware must initiate OEM-specific recovery to restore trusted firmware.
- If there is a problem with Windows Boot Manager, the firmware will attempt to boot a backup copy of Windows Boot Manager. If this also fails, the firmware must initiate OEM-specific remediation.
- After Windows Boot Manager has started running, if there is a problem with the drivers or NTOS kernel, Windows Recovery Environment (Windows RE) is loaded so that these drivers or the kernel image can be recovered.
- Windows loads antimalware software.
- Windows loads other kernel drivers and initializes the user mode processes.
As long as your known-good recovery files are properly encrypted (which is where TPM 2.0 comes in), you should always be able to boot Windows in a clean state, even if some malware manages to infest the runtime environment sometime after boot-up. That's where Windows Sandbox and App Guard come in, as well as Spectre mitigations in Windows or compiled directly into apps.
All of this is already in Windows 10, and most people who have bought a PC over the last few years have these features enabled. If you built your computer, you may not. Even today, some motherboard manufacturers ship retail boards with TPM 2.0 turned off (as well as CPU virtualization, which is mind-boggling). If you don't enable TPM 2.0 before installing Windows, then you will not have the Secure Boot workflow happening during boot-up. I don't know why they would do this. Linux distributions have been TPM 2.0, UEFI and Windows Secure Boot compatible for quite some time.
If your existing hardware is TPM 2.0 capable, you can enable these great security features in your current installation of Windows 10. If you want to migrate from your current Windows 10 to Windows 11, this is step number 1.
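Before touching UEFI settings it helps to know which of these pieces are already on. The following PowerShell script is an added example, not code from the original post: it reports TPM presence and spec version, the firmware Secure Boot state, whether CPU virtualization is enabled (needed for Windows Sandbox and App Guard), and whether the OS volume is BitLocker-protected with a TPM key protector. The cmdlets and CIM classes used (Get-Tpm, Win32_Tpm, Confirm-SecureBootUEFI, Win32_Processor, Get-BitLockerVolume) ship with Windows 10/11; the function names and the wording of the action messages are this example's own.

```powershell
# Added example (not part of the original post). Run from an elevated PowerShell
# session: Confirm-SecureBootUEFI and Get-Tpm require administrator rights.

function Get-BootIntegrityStatus {
    [CmdletBinding()]
    param()

    # --- TPM: present, ready, and which spec family the firmware exposes ---
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    # SpecVersion is a string such as "2.0, 0, 1.16"; the first token is the family.
    $specVersion = $null
    if ($tpmWmi -and $tpmWmi.SpecVersion) {
        $specVersion = ($tpmWmi.SpecVersion -split ',')[0].Trim()
    }

    # --- Secure Boot: the firmware-level state the boot sequence above depends on ---
    # Confirm-SecureBootUEFI throws on legacy-BIOS boots and when not elevated;
    # treat both as "not enabled" for reporting purposes.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # --- Virtualization: required for VBS/HVCI, Windows Sandbox and App Guard ---
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $virtFirmware = [bool]$cpu.VirtualizationFirmwareEnabled

    # --- BitLocker: is the OS volume sealed to the TPM? ---
    $osVolume = $null
    try { $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { }
    $protection = 'Unknown'
    $tpmProtector = $false
    if ($osVolume) {
        $protection = $osVolume.ProtectionStatus.ToString()
        # KeyProtectorType values starting with "Tpm" (Tpm, TpmPin, TpmStartupKey, ...)
        $tpmProtector = [bool]($osVolume.KeyProtector |
            Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    }

    [pscustomobject]@{
        TpmPresent           = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady             = [bool]($tpm -and $tpm.TpmReady)
        TpmSpecVersion       = $specVersion
        SecureBootEnabled    = $secureBoot
        CpuVirtualizationOn  = $virtFirmware
        OsVolumeProtection   = $protection
        OsVolumeTpmProtector = $tpmProtector
    }
}

function Test-Windows11BootReadiness {
    $s = Get-BootIntegrityStatus
    $problems = @()
    if (-not $s.TpmPresent) {
        $problems += 'No TPM detected; enable the firmware TPM (fTPM/PTT) in UEFI setup or fit a TPM 2.0 module'
    } elseif ($s.TpmSpecVersion -ne '2.0') {
        $problems += "TPM spec $($s.TpmSpecVersion) found; Windows 11 requires 2.0"
    } elseif (-not $s.TpmReady) {
        $problems += 'TPM present but not ready; check provisioning in tpm.msc'
    }
    if (-not $s.SecureBootEnabled)    { $problems += 'Secure Boot is off, or the system booted in legacy BIOS mode' }
    if (-not $s.CpuVirtualizationOn)  { $problems += 'CPU virtualization is disabled in firmware; VBS, Sandbox and App Guard need it' }
    if (-not $s.OsVolumeTpmProtector) { $problems += 'OS volume is not BitLocker-protected with a TPM key protector' }

    $s | Format-List
    if ($problems.Count -eq 0) {
        Write-Output 'All of the boot-integrity features described above are enabled.'
    } else {
        $problems | ForEach-Object { Write-Output "ACTION: $_" }
    }
}

Test-Windows11BootReadiness
```

Each "ACTION" line maps to a setting you flip in UEFI setup or in Windows itself rather than anything the script changes for you; the script is read-only by design so it can be run safely on a machine you are assessing before deciding whether to upgrade.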
The TPM 2.0 controversy comes into play because Windows 11 requires that TPM 2.0 and Secure Boot be enabled at all times. This is a major step forward for PC security because now all laptops, tablets and desktops running Windows 11 will be much more resilient to all kinds of malware, but most notably against persistent rootkits, which are by far the most damaging class of malware. The controversy online has been in the form of complaints that this will lock out older computers that lack TPM 2.0, or that have TPM 2.0 but have it disabled in the UEFI settings. I understand that many early adopters are upset that they cannot upgrade their systems to Windows 11. Not being able to have the newest and shiniest version of your software can be a downer. But the barrier is not large, and practically any motherboard and CPU sold in recent years can have TPM 2.0 enabled through the UEFI system settings, or have a TPM 2.0 module added to bring the system into compliance. If that's too much to ask, then maybe you don't need to think about the security implications of not doing so and should just stick with whatever OS still supports your workflow.
The other major leap in requirements for Windows 11 is a DirectX 12 compatible GPU. While not the punching bag of a requirement that TPM 2.0 is, it's important to Microsoft from a product perspective. Windows 11 is getting all of the Xbox Series X|S graphics and gaming features, including Dynamic HDR, and all of that is built on a minimum of DirectX 12. If running modern games on your PC doesn't interest you, then that's another reason to stick with Windows 10 until the 2025 End of Support date.
Having spent the last week with Windows 11, the big draw for me is the new System Settings. Nowhere does there appear to have been more time and effort put into Windows 11 than System Settings. The Task Bar and Start Menu are also updated. I'm indifferent to the task bar changes. The new Start Menu is the worst Start Menu ever to grace Windows. It's tiny; the icons are tiny. You have nearly zero control of what is on it and where. It functions identically to placing shortcuts on the desktop with auto-arrange enabled all the time. Clicking the button to get the list of applications shows all the applications in a single column, which means you are scrolling forever to get to apps that start with V. Fortunately, this madness can be disabled and the Windows 10 start menu restored.
Once you have restored the Windows 10 start menu, your blood pressure will drop precipitously. Although it did not undergo the complete rewrite that the start menu did, the File Explorer has been visually enhanced. The context menu is cleaner, with modern icons, and there's a menu item to show the classic context menu if you find some of your favorite functionality is missing at the top level. The ribbon is gone (I don't know if it can be re-enabled), but the icons on the toolbar are the standard set you would expect, including a ⋯ button that you would expect to show more options.
Taking stock of Windows 11 from a developer's perspective, it's really just Windows 10 with better System Settings and better gaming facilities. Right now, Windows 11 is in my way because there's a bug in Project Reunion 0.8 that breaks on Windows 11, meaning I cannot run my current side-project on Win11. It's been fixed, but it hasn't been pushed. This affects every developer on Win11, so Project Reunion needs to push a flight ASAP to get the fix on NuGet. This was supposedly one of the motivations for gutting UWP and distributing the application framework separately. Microsoft needs to prove this was the right call. The Store isn't radically different, and you still cannot search your library.
The last thing that stands out is that the built-in Win32 UI controls got a refresh. The Textbox is especially attractive.
The best inclusion for developers is that Windows Terminal and WinGet are installed by default.
The new features of Windows 11 are:
- Xbox Series X|S Gaming
- Updated File Explorer UI
- Improved System Settings
- Updated Win32 UI controls
Literally everything else is already in Windows 10, should you choose to enable it.
- IT Administrators - This is the group that will insist on either upgrading to Win 11 immediately to ensure that every system has TPM 2.0 enabled, or will use the promise of Win 11 to force policy changes that result in all Windows 10 systems having TPM 2.0 enabled. Either way, these guys win.
- People who must have the latest and greatest - Most will simply buy a new laptop or Surface tablet (hopefully with an 11th Gen Core i5+ processor). For those that go the upgrade route, updating their UEFI to enable TPM 2.0 is a major win regardless of OS.
- Developers - Having WinGet and Windows Terminal installed out of the box means I can avoid a stop to the Windows Store to get these before installing my software.
As always, I would love to hear from you about your perspective on the features and requirements of Windows 11.