'ZDNET Recommends': What exactly does it mean?
ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.
When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.
ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.
OK Microsoft, you win: I’m buying a Windows 11 PC
This has been a rather, shall we say, exciting week. First, Microsoft rolled out Windows 11 to great fanfare, emphasizing the new, flashy user interface. There was just one problem: If you didn't have a system with the latest Intel Generation 8 or above processors, you couldn't have it -- you'd be stuck on Windows 10.
Our resident Windows expert, Ed Bott, has been diligent in his coverage of watching Microsoft walk itself back from compatibility commitments in its pre-release documentation to get down to the bottom of exactly which systems would be orphaned by and which ones would move forward to Windows 11.
That we did not have a definitive answer from Microsoft from the get-go has added a great deal of frustration from Microsoft's traditional loyalists. I have also not been pleased with this, having discovered that my own PC systems, which I purchased in 2016, will not make the cut.
Fortunately, we now have a definitive answer: The reason why many systems may not make the cut has much to do with Intel (and AMD processor) features in the latest generation of chips related to hardware-based virtualization.
Virtualization? But wait, isn't that something we are only really concerned with regarding servers that live in datacenters? Traditionally, yes. But there are other uses for virtualization besides increasing workload density.
Microsoft Defender Application Guard (MDAG) running on Windows 11 on a 6th Generation Intel i7-6700 system. This requires hardware virtualization technology, which is a minimum requirement for running Windows 11.
In 2017, I wrote an article entitled How containers will transform Windows 10 in the next three years; I discussed the various virtualization and containerization technologies Microsoft worked on in their Azure Cloud, Windows Server OS, and desktop Windows.
Now, with this required hardware-enforced containerization and virtualization tech, Windows 11 will isolate applications and processes much more easily. It will be much more difficult for malware in an errantly running application to access resources it isn't supposed to. It will only access the resources in that specific application task that it infects, such as a particular browser tab.
It won't have a free run of the OS, and if the infected task is detected based on its known malware signature, it's nuked in orbit.
Additionally, while not virtualization related, the requirement for Trusted Platform Module 2.0 provides additional features that prevent compromises at the boot level and at the firmware level for an extra level of security that legacy systems without them do not have.
The Windows 11 Device Security App. While Gen6 systems are able to run MDAG, it does not have all the features needed to enable VBS, which will be a requirement for new systems when Windows 11 is released. It has not yet been determined if Gen6 systems testing Windows 11 now will continue to function in October.
From a security perspective for both end-users and enterprises, that is huge. And it is something you absolutely want to upgrade to in an age where malware threats are constant, and the need to be vigilant against these threats is never-ending.
So yes, this is a significant upgrade. It's valuable, and if you're a Windows user -- consumer or enterprise -- you want this. If you don't have hardware that supports it, it's worth getting a new system.
The problem is that Microsoft buried the lead and employed bait-and-switch tactics to induce us to upgrade, rather than simply being straight with us from the beginning. What Microsoft should have said is: "Look, we can't implement these important architectural changes in the OS to protect you from the bad guys unless your hardware supports this."
Instead, we got: "Open your mouth, the airplane is landing! Microsoft wants you to eat the improved hardware-enforced security feature because it's good for you! Woooo! Flashy Windows 11 user interface!"
By the way, if you already have these features built into your Intel and AMD chips, then guess what? Windows 10 already has this enabled, by default, assuming you are at current patch levels. You're already protected. But Windows 11 will be the first Microsoft OS to require these features to turn on Virtualization Based Security (VBS) and Microsoft Defender Application Guard (MDAG). So future generations of systems will not be vulnerable to the same malware and exploits of previous generations.
It should be noted that Intel Gen6 systems, which did not make the official cut for Windows 11 support, can not only install the Windows 11 prerelease from the Windows Insider developer channel now, but they can also run MDAG, as shown in the screenshots above.
However, they do not have sufficient hardware virtualization technology to run what is referred to as the "Standard Hardware Security" that certified Windows 11 PCs require to make the cut. Gen7 systems do (Which Microsoft is now exploring the possibility of supporting and some older generation AMD systems), but Gen8 does it better. This includes the Core Isolation, Security Processor, and Secure Boot features within the Device Security menu.
Core Isolation requires a hypervisor, whereas MDAG appears to use host-based virtualization (which has less stringent hardware requirements), which could be the difference.
So it's unknown at this point if Gen6 systems like my 2016-era Dell XPS 8900 (Intel Skylake) running on the prerelease today will still be working on the gold release of Windows 11 in October. It would be nice if they did. I'm not counting on it.
It's ironic that the hardware-based virtualization technology I have been pleading with Microsoft to implement for years is the very thing that is likely to leave my PC systems behind with this upgrade.
Am I annoyed by this? Yes. Can I accept this now? Also, yes. But the best approach would have been coming clean with its userbase from the very beginning, making security a primary emphasis of the product launch, and not baiting and switching with a pretty user interface.
To test the new OS and migrate some of my Windows workloads over to a more secure system, I am buying a new PC. Which PC? An AMD Ryzen 7 3750H-based system from Amazon. (Ed triple-checked it!) Sorry, Intel. I wasn't too happy with my last Skylake experience.
What is more important to you, the enhanced security enforced by default or the new user interface in Windows 11? Talk Back and Let Me Know.