I would say it is a combination of metric-stuffing, land grab, and genuine concern about security.
Metric stuffing. Everyone at Microsoft is graded on "impact". All the EVP-types at Microsoft have their eye on boldface jobs, so they need a track record of massive impact. Being able to claim that they got W11 from X billion devices to Y is how they'll be judged. Another example is how in Azure, the only metric that matters is consumed revenue. That sort of thing drives behavior.
Land grab. W11 infamously makes the Start menu a billboard and has all kinds of usage data going back to the mother ship. If adoption slows, then Microsoft misses out on eyeballs, misses out on the ability to weld users to Copilot, misses the opportunity to earn money from ads, misses the opportunity to improve Windows by learning how people really use their computers.
Security. Windows is embedded in modern life and although Microsoft gets a lot of flak (and sometimes it takes a major beating to remind them of their responsibilities), they do want to elevate the security of users. They believe that W11 and TPM will give them a basis to really deliver stronger services. I don't know that they are right (e.g. if the #1 exposure for home users is ransomware, does a TPM help at all?), but I am prepared to give them some grace.
Then again, I plan to use this opportunity to install Linux on my old PC.
Ironically, TPM requirement comes from the same company that invented logging your screen every few seconds and storing it unencrypted and without your consent.
> I don't know that they are right (e.g. if the #1 exposure for home users is ransomware, does a TPM help at all?), but I am prepared to give them some grace.
One particularly generous view is that the TPM requirements catch PCs up with the TPM requirements of modern phones. (Both iOS and Android have had very strict TPM requirements for a while now.) With a lot of industry interest in moving to hardware security-backed Passkeys to replace passwords, it would help to have PCs on an equal security footing with phones.
Passkeys are a pretty big deal to reduce home user exposure. Phishing and all of its variants are as much or more a home user problem as ransomware.
Passkeys are a multi-vendor standard. Because Windows is no one's phone vendor today, it's generally a good idea that Windows has strong Passkey support because it can be an intermediate between the two major phone vendors and help even average users avoid vendor lock-in by pushing a majority of users to try keeping keys with at least two vendors (their phone, and their Windows device) in their common accounts.
Your first two reasons are why they're discontinuing support for Windows 10. The intention to drive Windows 11 adoption is inverse to disabling upgrades, because then some of the people without a supported PC won't be able to afford a new one and will switch to Linux or continue to run Windows 10 unsupported when they would otherwise have installed Windows 11 on it.
And the security reason is nonsense because as you point out, the overwhelming majority of Windows security problems are in no way improved by a TPM.
The most likely real explanation is that Microsoft is constantly at war with itself and the manager currently occupying the relevant coign of vantage finds it to be in their personal interest for some muddy reason having to do with internal politics.
There's a pretty interesting video from 2023 that goes through much of Microsoft's thoughts around Windows security. It flew under the radar unfortunately:
- Windows 11 has provided a hardware security baseline for Microsoft, with features that require hardware support (HVCI, TPM, etc.) to be enabled by default going forward, stating that the Windows 10 strategy of off-by-default was a failure.
- Admin accounts are a continued security problem within the Windows ecosystem, so a future version of Windows will be adding a new "Adminless" account model with Linux-like just-in-time escalation. This new model intends to provide a secure middle ground between the frustrations of a standard user account and the security risks of an Admin account. "Adminless" accounts will run as a "less privileged" user by default and prompt users with Windows Hello when an application requires escalation for a given operation, rather than permanently running the account as a standard or admin user.
- Win32 Applications will be bundled under the new Win32 App Isolation model, which provides the security benefits of UWP sandboxing & clean uninstalls without the API limitations of UWP. Developers will be able to specify what privileges an application requires, much like other application platforms. A demo was shown of Notepad++ running under this sandbox model with minimal modification.
- TPMs within the ecosystem are not in a healthy state, with telemetry telling Microsoft that many are running vulnerable firmware due to manufacturers not pushing out updates, and some being inoperable due to hardware failures or other issues. Microsoft is working on its Pluton security chip to replace/augment the existing TPM ecosystem and has the ability to push out firmware updates via Windows Update.
- Software/hardware mitigations are reaching the end of the road in terms of viability. Microsoft is now focused on eliminating classes of security bugs, with extensive R&D going into the use of memory-safe languages (Rust) in areas of the system that exploits often appear in.
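An added PowerShell check (mine, not from the video or the commenter) that reports the parts of that hardware baseline on the machine it runs on: TPM presence, spec and firmware version, and whether VBS and HVCI are actually running rather than merely configured. It assumes an elevated prompt, since Get-Tpm needs one, and uses only the built-in Get-Tpm cmdlet and the Win32_Tpm and Win32_DeviceGuard CIM classes.

```powershell
# Added example: report the hardware security baseline described above.
# Run from an elevated PowerShell; Get-Tpm and the DeviceGuard class need it.

function Get-HardwareSecurityBaseline {
    # Windows' own view of the TPM (present, ready, manufacturer, firmware version).
    $tpm = Get-Tpm

    # Win32_Tpm adds the spec version (e.g. "2.0, 0, 1.59") the firmware implements.
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Virtualization-based security state. SecurityServicesRunning codes:
    # 1 = Credential Guard, 2 = HVCI (memory integrity),
    # 3 = System Guard Secure Launch, 4 = SMM firmware measurement.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $vbsNames = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $vbsState = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]

    [pscustomobject]@{
        TpmPresent             = $tpm.TpmPresent
        TpmReady               = $tpm.TpmReady
        TpmSpecVersion         = $tpmWmi.SpecVersion
        # Compare these two against the TPM vendor's advisory list; stale firmware
        # here is exactly the unhealthy-TPM problem the Pluton point above is about.
        TpmManufacturerId      = $tpm.ManufacturerId
        TpmFirmwareVersion     = $tpm.ManufacturerVersion
        VbsStatus              = $vbsState
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

Get-HardwareSecurityBaseline | Format-List
```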
> a new "Adminless" account model with linux-like just-in-time escalation
This was the promise of User Account Control, was it not? Or does that just prompt for confirmation for various actions, without actually enforcing a security boundary?
The way I read it, the difference between existing UAC and "Adminless" is that the user is always in the Administrators group and UAC just unlocks an Administrator token/ACL temporarily to bestow the actual powers of the Administrators group. In "Adminless" the user is only a less privileged/low privilege user, a new system-managed Admin User is created, and the new security boundary prompts, instead of unlocking a temporary token/ACL, are more a "runas" of the system-managed Admin User. It's similar to Linux sudo sending commands to the root account, where Linux doesn't have a token/ACL model that allows temporarily upgrading the existing user "in place". It's also similar to how Windows Admin security was managed pre-UAC in places that separated standard accounts and Admin accounts, and similar to how many corporations still manage security, with the difference being that the new "Adminless" admin account is system owned (like the various internal service accounts), supposedly does not allow interactive login, and has no password, only a hardware security key (hence why the new security boundary requires Windows Hello unlocks every time, versus UAC can be as subtle as Yes/No, depending on configuration/group policy).
"Adminless" is a funny name given that there's still an admin account involved; it's just an admin account that, much more than before, is not a user account but more like a service account.
UAC provides just-in-time elevation. The user belongs to the 'admin' group (aka wheel) and only receives an admin token when performing a task that requires elevation. Once the task is complete, the token is destroyed.
> Once the task is complete, the token is destroyed.
It's less granular than a task though, it's an execution context. If you're running Notepad++ and it wants to update, it requires an elevation. The installer is now running in an admin context and can do whatever it wants, once it's finished installing it usually asks if you want to launch Notepad++ again. At that point the installer running in the admin context can launch Notepad++ within that admin context.
Thus there's a potential for the admin context to persist indefinitely.
In my mind, task-based elevation is more granular. Something like "I need to write to the program files directory" and not a carte blanche "gimmie admin access to do whatever the hell I want".
Sorry, I'm confused. I can't figure out from your explanation how the new adminless just-in-time elevation is supposed to be different from UAC's just-in-time elevation?
UAC is per-process and monotonic. Once elevated, the entire process stays elevated.
The new model is per-operation. Even if the same process has been allowed to elevate before, it must ask to do it again. I don't know how granular this is, and whether there's a grace period like sudo.
However, the biggest problem with UAC was that it was considered too noisy for the end user, leading to people just blindly accepting every dialog and Microsoft turning down the default level to the much less secure "don't always prompt". I don't know how this new model will address that problem; naively, it seems to be worse on this front.
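An added PowerShell example (mine, not from any commenter) that makes the token mechanics discussed in the comments above visible on a live machine: that an Administrators member keeps the group SID in a filtered, deny-only form until UAC hands the process the full token, and that a child process started by an elevated process inherits that token with no further prompt. Run it once from a normal window and once from an elevated one; it assumes English-locale whoami output and a user who is a member of Administrators.

```powershell
# Added example: inspect the token of the current process, then show that a child
# started without -Verb RunAs inherits that token. Assumes English whoami output.

function Get-TokenElevationReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the process holds the full (elevated) token. With UAC on, an
    # Administrators member in a non-elevated process gets a filtered token in
    # which the Administrators SID is marked deny-only, so this returns False.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups shows the same token from the OS side: the Administrators SID
    # (S-1-5-32-544) is still listed in the filtered token, just flagged
    # "Group used for deny only", and the integrity label is Medium instead of High.
    $groups    = whoami /groups
    $adminLine = ($groups | Select-String 'S-1-5-32-544').Line
    $adminAttr = if ($adminLine -match 'S-1-5-32-544\s+(.+)$') { $Matches[1].Trim() } else { 'not a member' }
    $labelLine = ($groups | Select-String 'Mandatory Label').Line
    $label     = if ($labelLine -match '^(Mandatory Label\\.+?Mandatory Level)') { $Matches[1] } else { 'unknown' }

    [pscustomobject]@{
        ProcessId             = $PID
        User                  = $identity.Name
        TokenElevated         = $elevated
        AdministratorsSidAttr = $adminAttr
        IntegrityLabel        = $label
    }
}

Get-TokenElevationReport | Format-List

# A child launched without -Verb RunAs gets a copy of the parent's token, so a
# child of an elevated installer is itself elevated with no further UAC prompt.
$childScript = {
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    'child {0} elevated: {1}' -f $PID, $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childScript.ToString()))
Start-Process -FilePath 'powershell.exe' -NoNewWindow -Wait `
    -ArgumentList '-NoProfile', '-EncodedCommand', $encoded
```

From an elevated parent the child line reads "elevated: True" without any prompt, which is the indefinite persistence of the admin context described above.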
Huh. In that case, the upthread commenter likening the new model to being more "linux-like" seems confusing.
Given that they didn't mention which Linux security model the new system was like, I presumed they meant the most commonly referenced model for performing administrative tasks: sudo/doas - which elevates a process for its entire runtime.
But if it's a per-operation model, I guess they might have been comparing it to the "desktop portal"/"policykit-dbus" model instead? Which does kind of fit, but I don't think is the security model that most people think of when someone says "linux-like just-in-time escalation"?
> Win32 Applications will be bundled under the new Win32 App Isolation model, which provides the security benefits of UWP sandboxing & clean uninstalls without the API limitations of UWP.
Wow, that's something they probably should've been doing in the first place. I'll be curious if it'll end up as a supervisor (AI) model or if each program will have its own scope of a file system. The latter of course will be very tricky with how intertwined legacy software can be for file and registry access.