So we keep seeing this “you can install 11, but you won’t get security updates” statement. It’s amazing that Microsoft (a place I worked for 6 1/2 years) still can’t sort out messaging like this. I make no warranties, implied or otherwise, but here’s my experience-driven take on this mess:
TL;DR version: Install, via setup (fresh or in-place), requires UEFI+SecureBoot support (doesn’t need to be turned on)+TPM 2.0 (firmware or discrete). You can bypass for fresh installs by using a slightly older boot.wim (works fine, but YMMV, won’t likely work in future releases for legacy BIOS machines, as that support is certainly on its way out). If you don’t meet all of Microsoft’s requirements for hardware going forward, you’ll get quality updates (fixes, security) during the support window for that release, but you’ll never be offered a feature update via WU. This policy has (apparently) been in place starting with Windows 10 21H1, as certain hardware running 20H2 is never offered 21H1.
Long bloviating boring version:
Here’s the support matrix-
Minimum (install blocking) requirements: UEFI+SecureBoot capable+TPM 2.0 - Secure boot doesn’t have to be enabled, but a TPM 2.0 (discrete or firmware based) must be present, or install will be blocked. That means no legacy BIOS support.
That’s it. Beyond that, it will install just fine via clean or in-place upgrade (in-place upgrade tested on a Core i7-6600U Yoga 900 with Windows 11 21H2 22000.176 via ISO image) provided the prerequisites are met and you’re installing via media (ISO image).
You can easily bypass those prerequisites with a clean install by swapping out the boot.wim image for an earlier version of the PE (preinstall environment) that doesn’t have checks. Using my WDS server, but PXE booting to a Win10 boot.wim, I installed 22000.176 with no issues on an ancient Core2 Q9550 (including all the Intel chipset drivers, rubbish Nvidia GT430, etc). So all the legacy BIOS boot-loader bits are still in-place and functional, which is not surprising for an OS that was, not long ago, called Windows 10x. I’d expect the legacy BIOS support to be excised in future releases (e.g. if you thought you’d get another decade out of your pre-UEFI x58 board, you won’t).
So what does Microsoft mean when they say (possibly) no security updates? For that answer you have to look at their release support matrix and (already) current Windows 10 Update behavior. Windows 10 releases are supported, intra-release, for 18 months from release date. If you are licensed for Enterprise (which is a virtual SKU for Pro), the H2 releases are supported longer, for 30 months. For Windows 11, they’re moving that to 24 months for retail SKUs and 36 months for Enterprise, and scrapping the twice-yearly feature updates, moving to yearly feature (e.g. OS release) updates. So you’ll receive quality updates (patches and security updates), inside those time-frames (officially speaking, reality is a bit different).
The key element is that you will NOT be offered future feature releases (AKA new OS version) via Windows Update, if your machine is below spec. You’ll get qualitative updates for the support window, but (officially - again reality is a bit different) you will not get said updates past that point. Barring manual tricks and manual install hacks, your machine’s OS install is dead-ended at that point.
This behavior has already been rolled out. Machines that conspicuously don’t meet certain requirements, that are running Windows 10 20H2, are not offered the 21H1 feature upgrade via Windows Update. You can force the upgrade to 20H1 via an ISO in-place upgrade, and it will work just fine (just as you can do the same for Windows 11 21H2 provided you meet the prerequisite checks mentioned earlier), but you’re not going to get feature updates (e.g. v.next). Again, this behavior is already in-place and aligns with driver model requirements changes they are phasing in, starting with 21H1.
So, as an example, my Yoga 900, with its “unsupported” 6th gen Skylake, installed Windows 11, as an in-place upgrade to Windows 10 20H2 (it was never offered 21H1 via WU) without complaint from the installer, but I expect that it will never receive the next release via WU. That said, I’d also expect that I can update manually again in the same fashion, which aligns just fine with how enterprise customers push updates via custom infrastructure. I’d fully expect legacy BIOS support (which you have to modify the PE image to install against) will go away very soon, and Microsoft will eventually hard-block systems that don’t meet today’s min requirements.
It’d be nice if someone from Tom’s could verify (with someone legitimately authoritative from the Windows product group) what I’ve written above, but I’m 95% confident I’ve got it right.
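
The install-blocking minimum described in this post (UEFI, Secure Boot capable but not necessarily enabled, TPM 2.0), written as a check an administrator could run on a machine before attempting an upgrade. This is an added example, not part of the original post and not Microsoft's own compatibility check; the function name `Get-InstallPrereqReport` and the output field names are assumptions, and it needs an elevated Windows PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Reports the three install-blocking
# items the post lists: UEFI firmware, Secure Boot capability, TPM 2.0.

function Get-InstallPrereqReport {   # hypothetical helper name
    # 'Uefi' or 'Bios' (legacy); legacy BIOS fails the minimum outright.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI returns $true/$false on Secure Boot capable
    # firmware and throws PlatformNotSupportedException otherwise.
    $sbCapable = $false
    $sbEnabled = $false
    try {
        $sbEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $sbCapable = $true
    } catch [System.PlatformNotSupportedException] {
        $sbCapable = $false
    }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the
    # TPM specification version. No instance means no TPM is exposed to the OS.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    [pscustomobject]@{
        FirmwareType        = "$firmware"
        SecureBootCapable   = $sbCapable
        SecureBootEnabled   = $sbEnabled   # informational; the post says it need not be on
        TpmSpecVersion      = $tpmVersion
        MeetsInstallMinimum = ("$firmware" -eq 'Uefi') -and $sbCapable -and
                              ($tpmVersion -eq '2.0')
    }
}

Get-InstallPrereqReport | Format-List
```

A firmware TPM that is switched off in UEFI setup is not exposed to the OS, so it reports as absent here until it is enabled.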