Windows 11: Security advice for enterprises

November 19th, 2021 Posted in Information Security

Microsoft recently released a significant upgrade to its operating system: Windows 11, which shipped in October 2021. At the same time, it made another announcement about its predecessor, Windows 10.

Windows 10 reaches end of support on 14 October 2025. Organisations will still be able to run the software after that date, but Microsoft will no longer provide security patches, nor feature updates that improve performance or add functionality.

Of course, some enterprises still use Windows 7. BitSight's Windows end-of-life research indicates that, as of 2020, almost 90% of companies still had Windows 7 PCs somewhere in their environment, while a 2021 ZDNet analysis suggests Windows 7 is still running on at least 100 million PCs.

Support for Windows 7 ended in January 2020. Moving to a supported operating system, either Windows 10 or Windows 11, is essential security practice: it is the only way to keep receiving regular security updates. Every vulnerability disclosed in an unsupported OS after its end-of-support date stays unpatched indefinitely, so laptops and workstations running it become steadily more exposed to malware and exploitation.

Indeed, as the infamous WannaCry ransomware attack of May 2017 highlighted, running an outdated Windows operating system leaves endpoints vulnerable to exploitation. WannaCry spread through the SMBv1 flaw addressed by MS17-010; Microsoft had shipped that patch for supported versions of Windows two months earlier, in March 2017, and the machines hit were overwhelmingly those that were unpatched or out of support.

Considering the Windows 11 release, a few questions arise for business and IT leaders: should my company upgrade to Windows 11? Are our devices compatible? What happens if we choose not to upgrade? We explore each of these below, with some security advice along the way.

Should my organisation upgrade to Windows 11?

There is a grace period of roughly four years before Windows 10 stops receiving security updates, so from a purely security perspective organisations have time before they need to upgrade to Windows 11. Security aside, however, Windows 11 does offer new features and functionality that enterprises might find appealing.

In a Microsoft blog post about Windows 11, the company explained that the upgrade is designed around hybrid working. Features include more inclusive video conferencing tools, password-less sign-in through Windows Hello, and a more intuitive, Apple-style centred taskbar and end-user experience.

Windows 11 is not a radical overhaul compared to Windows 10, so end-users and IT administrators should find it moderately easy to adapt to. Moreover, enterprises with a valid Windows 10 licence can upgrade to Windows 11 at no extra cost, provided the devices are supported. There is currently no time limit on the free upgrade offer, so organisations do not need to rush their decision.

For businesses with compatible devices, IT administrators should consider targeted deployments as part of their normal Windows Update cycles. Microsoft has released tooling to make deployment more seamless, including Endpoint analytics, which lets IT teams assess their organisation's readiness for Windows 11. Microsoft has also updated its Work from Anywhere guidance with details of the devices that meet the Windows 11 system requirements.

What devices are compatible with Windows 11?

If your organisation has recently refreshed its devices, they are likely to be compatible with Windows 11. Devices more than two years old, however, may not be, chiefly because of the TPM 2.0 and supported-processor requirements described below.

Broadly speaking, Windows 11 readiness is defined by a few key requirements. The device must have a compatible 64-bit processor running at 1 GHz or faster with at least two cores, 4 GB of RAM, 64 GB of storage, UEFI firmware that is Secure Boot capable, and TPM 2.0 enabled. Note that "compatible" processor means one on Microsoft's published list of supported CPU models, which is considerably stricter than the 1 GHz, two-core floor: many older chips clear the speed and core count but are still excluded. Devices that do not meet all of these requirements will not be offered the upgrade through Windows Update.

For businesses that have embraced hybrid work and have hundreds if not thousands of Windows endpoints, preparing for the Windows 11 upgrade will take time, strategy and, most likely, automation. Assessing and updating these devices by hand is a cost and time drain, risks a loss of visibility, and could lead to machines being missed. Microsoft tools are available to help automate this process and restore visibility, and a simple scripted inventory goes a long way on its own.
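As an added example that is not from the original post or from Microsoft's own tooling, the PowerShell function below checks a single Windows endpoint against the minimums listed above and records its current OS version, so the same output also flags any Windows 7 stragglers. It assumes PowerShell 3.0 or later and an elevated session (the Secure Boot cmdlet and the TPM WMI class need administrator rights); the fleet variant in the trailing comment additionally assumes WinRM access and a hypothetical host list in computers.txt. It does not check Microsoft's supported-CPU-model list, so CpuOk is a floor rather than a pass.

```powershell
# Added example: per-endpoint Windows 11 readiness check against Microsoft's published minimums.
# Not Microsoft's tooling; run elevated. The supported-CPU-model list is NOT checked here.

function Test-Win11Readiness {
    [CmdletBinding()]
    param()

    $r = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Current OS, so one inventory distinguishes Windows 7 (6.1.x) from Windows 10 (10.0.x).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r.OsCaption = $os.Caption
    $r.OsVersion = $os.Version

    # CPU floor: 64-bit, 1 GHz or faster, two or more cores.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $r.CpuName  = $cpu.Name.Trim()
    $r.CpuCores = [int]$cpu.NumberOfCores
    $r.CpuMHz   = [int]$cpu.MaxClockSpeed
    $r.CpuOk    = ($cpu.AddressWidth -eq 64 -and $r.CpuCores -ge 2 -and $r.CpuMHz -ge 1000)

    # RAM: 4 GB. TotalVisibleMemorySize is reported in KB, so dividing by 1MB yields GB.
    $r.RamGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
    $r.RamOk = ($r.RamGB -ge 4)

    # Storage: 64 GB on the system drive.
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $r.SystemDiskGB = [math]::Round($disk.Size / 1GB, 1)
    $r.StorageOk    = ($r.SystemDiskGB -ge 64)

    # Firmware: UEFI and Secure Boot *capable*. Confirm-SecureBootUEFI returns $true/$false
    # on UEFI systems and throws on legacy BIOS (or where the cmdlet is absent, e.g. Windows 7).
    try {
        $r.SecureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $r.UefiOk       = $true
    } catch {
        $r.SecureBootOn = $false
        $r.UefiOk       = $false
    }

    # TPM: present, enabled, activated, spec version 2.0. SpecVersion reads like "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
    if ($tpm) {
        $r.TpmSpec = ($tpm.SpecVersion -split ',')[0].Trim()
        $enabled   = (Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
        $activated = (Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated
        $r.TpmOk   = ($r.TpmSpec -eq '2.0' -and $enabled -and $activated)
    } else {
        $r.TpmSpec = 'none'
        $r.TpmOk   = $false
    }

    # Overall verdict: every gate must pass. A $false here tells you which one to chase.
    $r.Win11Ready = ($r.CpuOk -and $r.RamOk -and $r.StorageOk -and $r.UefiOk -and $r.TpmOk)
    [pscustomobject]$r
}

# Single endpoint:
Test-Win11Readiness | Format-List

# Fleet (assumed: WinRM enabled, hypothetical computers.txt containing one hostname per line):
# Invoke-Command -ComputerName (Get-Content .\computers.txt) -ScriptBlock ${function:Test-Win11Readiness} |
#     Export-Csv .\win11-readiness.csv -NoTypeInformation
```

The per-gate booleans are deliberately kept alongside the raw values: a CSV of these across the estate lets you separate machines that only need Secure Boot or the TPM switched on in firmware (cheap to fix) from those that fail on CPU or TPM generation (hardware refresh), which is the split the rest of this post turns on.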

What if our enterprise devices aren’t compatible with Windows 11?

Many IT administrators will find they are running older devices that are not compatible with Windows 11. Lansweeper's Windows 11 readiness data shows that 55% of workstations cannot be upgraded to Windows 11 because of Microsoft's stringent minimum hardware requirements. The sample covers 30 million Windows devices across 60,000 organisations, making it a significant data pool.

In particular, only 44.4% of machines met Microsoft's Windows 11 CPU requirements, and 52.5% met its TPM 2.0 requirement. Many pre-2019 workstations will fail one or both.

Moreover, it is not advisable to run Windows 11 on hardware that does not meet the requirements. Although the installer checks can be bypassed, such a device is unsupported: Microsoft states it is not entitled to receive updates, including security updates, and it may suffer compatibility problems or become unstable. Bypassing the checks therefore defeats the main security reason for upgrading in the first place. There is no real shortcut to Windows 11 compatibility.

Steps for organisations to take

We have already highlighted that running outdated operating systems like Windows 7, and soon Windows 10, has serious security implications. Patching is an intrinsic element of a mature cyber security posture, and outdated software and hardware are a potent security risk to any organisation. Microsoft's own telemetry, published after the Windows 10 release, found that Windows 7 devices were 3.4 times more likely to encounter ransomware than Windows 10 devices.

We have little doubt that, as Windows 10 end of support draws nearer, the same pattern will repeat, with threat actors targeting devices still on Windows 10 after October 2025. For enterprises with devices incompatible with Windows 11, this means planning the upgrade now.

The good news is that enterprises have time. With roughly four years until Windows 10 support ends, there is time to plan rather than embrace Windows 11 haphazardly. Gartner advocates a slow and steady approach, beginning with small Windows 11 pilots. These help the organisation become familiar with the new user experience and understand how the new operating system will affect both users and support roles.

Where devices are incompatible, organisations should plan to refresh them between 2022 and 2023, so that no users are still running Windows 10 when it passes its end-of-support date.

Need help?

If you require access to a dedicated security resource but don’t need or can’t afford a full-time CISO or Information Security Manager, we can help. We offer cost-effective Outsourced and Virtual CISO services delivered by suitably experienced personnel. You’ll get a lead CISO / Information Security Manager who’ll be supported by the wider team as required. There are no ‘call centre’ type operations, just real people who you’ll come to see as an extended member of your workforce. 


Written by Matt Gerry

Matt consults on information and cyber security, including incident response, security awareness and training, security gap analysis and certification advisory. Matt started his career working in large multinationals where he gained experience delivering large system implementations, leading projects, and handling key stakeholder relations. He holds an MSc in Information Security from Royal Holloway, University of London.