In October last year, we covered a very simple bypass trick that involved just a single command when running the Windows 11 Setup. While this passthrough got popular in the tech community during this time as a result of the media coverage from Neowin as well as others, it was actually something even older.
To use this, all a user had to do was add “/product server” when running the setup, and Windows would just skip the hardware requirements check entirely.
As it turns out, Microsoft has blocked this bypass method on the latest Canary build 27686 as discovered by X user and tech enthusiast Bob Pony. When trying to use the Server trick now, the hardware requirements check is not bypassed.
↫ Sayan Sen
It’s such an own goal to limit Windows 11 as much as Microsoft is doing. Windows 11 runs pretty much identically, performance-wise, to Windows 10 on the same hardware, so there’s no performance reason for the cutoff; the only rationale is enabling security features that depend on a TPM and the like. The end result is that people simply aren’t upgrading to Windows 11, not only because Windows 10 is working just fine for them, but also because even if they want to upgrade, they often can’t. Most people don’t just buy a brand new PC because a new version of Windows happens to be available.
There’s been a variety of tricks and methods to circumvent the various minimum-specification checks Microsoft added to the regular consumer versions of Windows, and much like with the activation systems of yore, Microsoft is now engaging in a game of whack-a-mole where as soon as it kills one method, ten more pop up to take its place. There’s a whole cottage industry of methods, tools, registry edits, and much more, spread out across the most untrustworthy-looking content farms you can find on the web, all of which could’ve been avoided if Microsoft had just offered consumers the choice of disabling these restrictions, accompanied by a disclaimer.
So Microsoft is now in the unfortunate situation where most of its Windows users are still using Windows 10, yet the end of Windows 10 support is coming up next year (14 October 2025). Either Microsoft extends this date by at least another five years to catch the wave of ‘natural’ PC upgrades to a point where Windows 10 is a minority, or it’s going to have to loosen some of the restrictions to give more people the ability to upgrade. If it doesn’t, it’s going to be in a world of hurt with security issues and 0-days affecting the vast majority of Windows users.
And then people have the nerve to say Windows on the desktop has better support for hardware than GNU/Linux. Go figure.
Geck,
I’ve experienced a lot of hardware losing support on Windows after the hardware’s EOL, which sure is frustrating. But at the same time I’ve experienced frustration with Linux support too, only in different ways. I really think there are a lot of data points to cherry-pick from in order to make the case for whichever OS you happen to prefer.
Right now I have an Intel AX200 adapter I use for Bluetooth. On Linux this disconnects about every half hour or so, and when I looked it up others were experiencing the same behavior with Linux. Windows drivers can have better support, if only because of critical mass.
Either way, I am very critical of Microsoft’s policy of deprecating millions of PCs that still work fine.
It used to, though. But yeah, modern Linux has support either on par with or superior to Windows, especially for older hardware that only doesn’t work on modern Windows because of a lack of drivers.
As it is now, I am days away from “upgrading” my Windows 10 computer to GNU/Linux (openSUSE Tumbleweed, to be precise). I will not be extorted into buying new hardware, especially since the so-called new system works perfectly fine if you’re willing to hack the installer.
I suspect the TPM restrictions are driven by DRM mandates by the media and gaming industries. They want to know that if they restrict content to Windows 11 or ARM Macs that users will have to work harder to pirate.
runciblebatleth,
TPM can definitely be used for DRM purposes, but even if there were some publishers who require it, it doesn’t really follow that Windows 11 itself should.
Alfman,
Yes, DRM might be part of the reasons.
But Microsoft would very well want a standard platform as well. In Windows Phone 7 times, they basically supported only a very small number of chipsets, and they might be aiming for something similar in the Windows 11 / ARM era.
Even more so when you look at how successful their software + hardware security on Xbox was. Xbox 360 was only hacked since they forgot debug / JTAG headers. Xbox One was not hacked in its lifetime (and was only hacked, I think, last month), while their competitors Sony and Nintendo leaked everything.
If Windows can get into a position where everything is locked down, it would be a natural extension of an Xbox appliance on the desktop.
(Not that I support any of these. Just wanted to speculate their worry about Netflix stream ripping is probably at the very bottom of priority lists).
sukru,
TPM might be useful for some, not everyone cares about it, and there are also negative use cases to consider. The most obvious use case is that TPM could be used to gatekeep owners, for better or worse. I wouldn’t mind Microsoft telling owners what they’re missing without TPM, but it really should be the owner’s business to decide whether to continue using their existing hardware or to replace it. After all, Microsoft isn’t paying the bills to replace the hardware, and it won’t be Microsoft shouldering the burden for all the carbon emissions that their planned obsolescence will inevitably be responsible for. There are natural limits to hardware longevity, like transitioning to 64-bit. But in this case it’s an artificial requirement, and so I cannot sympathize with Microsoft here.
Alfman,
I think I might not have expressed it well. I don’t like what Microsoft is trying to do either.
Of course if it works for them, we would have a very locked down, non-open ecosystem.
sukru,
IIRC the new Windows 11 requirements were projected to affect a hundred million computers. That’s a lot of new OEM licenses Microsoft gets to sell when those computers are replaced, worth several billion. When Microsoft announced that upgrades to existing licenses would be free, two things became inevitable right then: Windows would become an advertising platform, and there would be a shift towards planned obsolescence, both of which turned out to be true.
By all means bypass the TPM, but be aware that in doing so you’re leaving your system vastly more vulnerable. BitLocker, Windows Hello, and certificate storage all rely on it to remain secure.
It’s used by UEFI Secure Boot to protect you from rootkits (unless you install CrowdStrike and let them circumvent it).
That’s before we get into other uses like Office using it to secure documents and 1Password to encrypt your passwords.
TPM is a cornerstone of modern security practices. Circumvent it at your own risk.
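As an added example (not code from the Neowin article, from OSNews, or from Adurbe), here is a PowerShell script that inventories what the Windows 11 setup check looks for (a TPM 2.0 and Secure Boot, the checks the “/product server” switch quoted at the top of the post skips) and then lists which BitLocker volumes on the machine already unlock from a TPM-held key, which is the protection Adurbe’s comment says a bypass puts at risk. The cmdlets come from the built-in TrustedPlatformModule, SecureBoot and BitLocker modules; the function name Get-Win11SecurityBaseline is my own. Run it elevated on the Windows 10 machine before deciding whether to bypass.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or the comments. Inventory the platform
# features the Windows 11 setup check wants, and which local protections
# already depend on the TPM. Function name is the author's own.

function Get-Win11SecurityBaseline {
    $result = [ordered]@{}

    # TPM presence and readiness via the TrustedPlatformModule module.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $result.TpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # Spec version comes from the Win32_Tpm CIM class (string like "2.0, 0, 1.38");
    # Windows 11 setup requires 2.0.
    $cimTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmSpecVersion = if ($cimTpm) { ($cimTpm.SpecVersion -split ',')[0].Trim() } else { 'n/a' }
    $result.Tpm20 = ($result.TpmSpecVersion -eq '2.0')

    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems,
    # which for this purpose counts as "not enabled".
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # BitLocker volumes whose key protector is TPM-based (Tpm, TpmPin,
    # TpmStartupKey, TpmPinStartupKey). These are the disks that cannot simply be
    # moved to another machine and read, as the thread discusses.
    $result.TpmProtectedVolumes = @()
    foreach ($vol in (Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        if ($types -match '^Tpm') {
            $result.TpmProtectedVolumes += $vol.MountPoint
        }
    }

    [pscustomobject]$result
}

$baseline = Get-Win11SecurityBaseline
$baseline | Format-List

if (-not ($baseline.Tpm20 -and $baseline.SecureBoot)) {
    Write-Warning "Setup's hardware check would fail on this machine; '/product server' skips that check,"
    Write-Warning "but BitLocker TPM protectors, Windows Hello keys and TPM-backed certificate storage then have no hardware root to rely on."
}
if ($baseline.TpmProtectedVolumes.Count -gt 0) {
    Write-Warning ("Volumes currently unlocked by the TPM: " + ($baseline.TpmProtectedVolumes -join ', ') +
                   ". Back up their recovery passwords before changing firmware or TPM settings.")
}
```

The script only reads state; it does not run setup. If it reports a TPM 2.0 and Secure Boot, the machine would pass those two checks anyway and the bypass is not needed for them (the setup check also covers CPU generation and other items this script does not inspect). If it reports TPM-protected volumes on a machine with no usable TPM 2.0, that is the concrete thing a bypass leaves unprotected.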
Adurbe,
I agree TPM is very fundamental in modern security.
At the same time, the protocol itself is not as secure as it can be. This is because many motherboards did not come with TPM bundled, but allowed you to buy an aftermarket one. That opens up the possibility of a malicious actor to do a MITM attack if they have physical access to your PC.
Newer TPMs can be built into the chipset, which would make it much more difficult to intercept.
And then there is the fun shown at Defcon (https://www.wired.com/story/amd-chip-sinkclose-flaw/) where if you already have system access, you can reach in and do what you want with the firmware (ring -2 below the hypervisor). You might be able to get such access by starting with a “secure” system and using Windows downgrade attacks (https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates) to “downgrade” your way to a vulnerable version where Windows’ TPM code itself is buggy. The conversations on the Risky Business podcast (https://www.risky.biz/RB759/) are always entertaining.
So, yes a TPM is a step in the right direction but definitely not a panacea.
foobar,
Yes, most attacks are all about punching holes, and using those holes to punch even more inside. Opening up security like the layers of an onion.
On the other side, we try to set up additional layers to slow this down.
Btw, the AMD flaw, if we are talking about the same thing, is very new, and I did not have a chance to do a deep dive. Thanks for sharing the link.
TPM could be emulated in software, with keys, etc. stored on an encrypted drive partition. You don’t need Toilet Paper Module to have your system secure.
That is exactly what AMD does with its fTPM feature…
darkhog,
Unfortunately not all functions of TPM can be emulated in software.
For example, it can store encryption keys to unlock boot drives on the motherboard. This allows securing offline storage, as it would be impossible to transfer the hard drive or ssd to another system and read the contents.
Another functionality that cannot be replicated is authenticating the system to the OS (the other way around), so that the software can ensure it is being run on an allowed set of systems only.
There are actually more, and some happen with collaboration with other systems, like the CPU or memory controllers:
https://en.wikipedia.org/wiki/Trusted_Platform_Module
I struggled to install Windows 11 in a VM today until I found CrystalFetch, which got me an ISO for ARM not requiring an MS account or any fancy hardware verification. Got it on the App Store (Mac), if it can help people here.
” Windows 11 runs pretty much identically, performance-wise, to Windows 10 on the same hardware”
Sure it does… is that why the brand new PCs in Micro Center are hogging 11 GB of RAM doing absolutely nothing? People claim this is to “speed up Windows”; pray tell, what exactly is being sped up? The bundled apps I never use? Because my game and browser loading certainly have not sped up.
Windows 11 is drastically more bloated with telemetry and “suggestions” than Windows 10.