Let's install Windows 11 on incompatible hardware

I read in another thread that latest Rufus will give you choice which certificate to use, 2011 or 2023 for Windows 11 25H2. I would create a bootable USB flash drive with the new certificate first. If it boots OK, I would install Windows 11 25H2. It should have the new certificate and boot without issues. Otherwise I would create the USB again with the old certificate. Another workaround is to temporarily disable Secure Boot, install Windows 11 25H2 and the required certificate, and then enable Secure Boot.

hello guys just checking is there anyone here with unsupported pc who updated to 25h2? How is it going so far according to your usage?

Any error log?

Unless the changes they did in 25H2, such as removing PowerShell 2.0, affect compatibility, there shouldn't be any issues as 24H2 and 25H2 share the same system files and system requirements. As soon as I upgrade I will post my experiences.

PS: Is there any way to reinstall PowerShell 2.0 and whatever else they removed, just in case we need it? Or, hopefully, systems upgraded from 24H2 are not affected, only new installations? I hope Winaero does his magic again.

HarleyQuinn said:

is there anyone here with unsupported pc who updated to 25h2

Click to expand...

Yes.
I've just done it & confirmed with WinVer, Version 25H2 Build 26200.6584.
There have been no oddities apparent in the 60 seconds since I did the update - I am not an Insider or anything but I just ran the latest CU then the Enablement package [https://www.elevenforum.com/attachments/windows11-0-kb5054156-x64-zip.143755/]
I got the link in KB5054156 Windows 11 Insider Release Preview build 26200.5074 (25H2) - ElevenForum

The computer is a 2016 Dell Inspiron 7779.

Denis

spapakons said:

the changes they did in 25H2, such as removing PowerShell 2.0

Click to expand...

Mine was PSVer 5.1 both before & after updating to 25H2 and, in the response to $PSVersionTable, the list of PSCompatibleVersions remains the same.
Perhaps I misunderstood your comment.


All the best,
Denis

Try3 said:

Mine was PSVer 5.1 both before & after updating to 25H2 and, in the response to $PSVersionTable, the list of PSCompatibleVersions remains the same.
Perhaps I misunderstood your comment.


All the best,
Denis

Click to expand...

PowerShell 2.0 is a Windows Feature enabled separately from Windows Features. It's disabled by default, so chances are most of us will not notice any compatibility issues with very old apps that cannot be upgraded. If we need it back, hopefully Winaero or other fellow will find a way to restore it, like he had done with good old Windows Photo Viewer and Wordpad.

EDIT: I was outside at a playground with my son. Now that I returned to my PC I checked Windows Features, PowerShell 2.0 isn't there, probably removed by some update this June. I haven't seen any issues because of that since June, so don't worry about it.

HarleyQuinn said:

hello guys just checking is there anyone here with unsupported pc who updated to 25h2? How is it going so far according to your usage?

Any error log?

Click to expand...

I'm on an AM3+ motherboard with an FX-6300 processor and just yesterday completed the 25H2 update using the enabler package. It went without a hitch and even got another update to .NET framework 3.5 and 4.8.1 this morning, also completed hitch free. The Event Log doesn't have any errors different from the usual ones from before the update and everything I use seems to work as expected; can't say for things I don't use.

It may be important to note that, while officially unsupported and lacking a TPM2.0, the processor supports SSE4.2. The motherboard has a discrete TPM1.2 module installed, not sure if that matters at all though.

When I updated my Win10 to Win11 several weeks ago I did it by manually posting the registry hack to ignore compatibility/supportability testing prior to installs and updates which I assume is still there, if that matters.

If your CPU supports SSE4.2 instructions (check with CPU-Z utility), then all you need is bypass compatibility check to install Windows 24H2 and 25H2. I don't have a TPM, not even TPM 1.2, I have Secure Boot disabled, and I have a Legacy BIOS installation. I did that to avoid creating the system partitions required by GPT and save as much as possible disk space on my then 240GB SDD (now replaced with 1TB SSD). So as long as you bypass compatibility check only requirement is the CPU supporting SSE4.2 All other requirements are bypassed. You could even run Windows 11 with just 1GB RAM and 40GB hard disk, but it wouldn't be a pleasant experience, been there done that.

HarleyQuinn said:

hello guys just checking is there anyone here with unsupported pc who updated to 25h2? How is it going so far according to your usage?

Any error log?

Click to expand...

I installed the enablement package and have 25H2 on a 2013 Asus UX51VZ and no issues. Runs better than it did new.

HarleyQuinn said:

hello guys just checking is there anyone here with unsupported pc who updated to 25h2? How is it going so far according to your usage?

Any error log?

Click to expand...

I ran the enablement package on 3 of my machines (2 are listed below in My Computer) and they are running well, as they were prior.

Buddywh said:

I'm on an AM3+ motherboard with an FX-6300 processor and..... completed the 25H2 update using the enabler package....

Click to expand...

Adding to this: I also completed the three steps to install the Microsoft 2023 certificate to the EFI database, sign the bootfile so the system is booting with it and then revoke trust on the 2011 certificate.

Not sure what's left but it's at least partly ready for the 2011 secure boot certificates expiration, and as well have hardened security against the Black Lotus secure boot exploits.

Make sure you download latest Rufus Beta and create a USB flash drive choosing the 2023 certificate. This way you can boot from it and repair or reinstall Windows 11 if anything happens to your system. That's why I suggested to NOT block the old 2011 certificate, just in case you need to boot an old USB flash drive. Why limit your options? Like I said in my previous post, a hacker needs physical access to exploit boot loader. This means he is actually there using your PC or you connect an infected USB flash drive to your PC. If you are careful and keep Windows Defender updated you should not worry about Black Lotus and the like.

spapakons said:

...That's why I suggested to NOT block the old 2011 certificate, just in case you need to boot an old USB flash drive. ...

Click to expand...

OK... a couple things. Can I remove the 2011 certificate from the DBX? "unblocking" it, as it were. I am aware it's always in DB and can't be removed for whatever reason.

I've never used a USB flash drive to boot the system before, so not really sure why that would be important now. If I manage to hose Windows my preferred solution has always been to re-install Windows, reinstall apps (not that many any more) and games (more of those LOL) then recover user files from backups.

Will we all have to do this with a beta Rufus boot mediaI after all the 2011 certificates are expired? Won't Windows install with the new 2023 certificates after that since the 2011 ones are expired?

I'm not just concerned about this old, unsupported system but my main system too which is modern but in the same boat with expiring certifcates... as is most of the Window-using world it would seem.

Separately: mainly, I was just interested to know if I could do this with this old, unsupported, system running BIOS released in 2014. I suppose I went a step further than necessary to satisfy that bit of curiosity.

Buddywh said:

OK... a couple things. Can I remove the 2011 certificate from the DBX? "unblocking" it, as it were. I am aware it's always in DB and it can't be removed for whatever reason.

Click to expand...

Yes. Most BIOS menus will allow you to delete installed certs from the KEK, DB or DBX categories.
Or you can just disable Secure Boot.

Buddywh said:

I've never used a USB flash drive to boot the system before, so not really sure why that would be important now. If I manage to hose Windows my preferred solution has always been to re-install Windows, reinstall apps (not that many any more) and games (more of those LOL) then recover user files from backups. Is that going to be impossible after all the 2011 certificates are expired?

Click to expand...

When the CA 2011 certs expire, it doesn't mean all previously signed code suddenly drops dead. If you have added the CA 2011 to your trust list (DB) and haven't revoked it (DBX), then all CA 2011 binaries continue to be trusted.

What doesn't work is MS cannot sign new boot files (like if there's a recent security fix) with the CA 2011 cert after the October 2026 expiration date. So to release any updated boot files past Oct. 2026, they would need a new certificate that your BIOS trusts. This is why you add CA 2023 to cover all future boot files.

A signed file includes the file signing date, so the BIOS or Windows can compare it against the cert's begin and end dates.

garlin said:

Yes. Most BIOS menus will allow you to delete installed certs from the KEK, DB or DBX categories.

Click to expand...

Thanks very much for that clue... I looked through BIOS, found the "CUSTOM" settings and the 2011 certificate then deleted it from DBX. Rebooted (twice, just in case) and the check_efibootfiles script shows me it's no longer in DBX, but trusted now.

garlin said:

When the CA 2011 certs expire, it doesn't mean all previously signed code suddenly drops dead. If you have added the CA 2011 to your trust list (DB) and haven't revoked it (DBX), then all CA 2011 binaries continue to be trusted.

What doesn't work is MS cannot sign new boot files (like if there's a recent security fix) with the CA 2011 cert after the October 2026 expiration date. So to release any updated boot files past Oct. 2026, they would need a new certificate that your BIOS trusts. This is why you add CA 2023 to cover all future boot files.

A signed file includes the file signing date, so the BIOS or Windows can compare it against the cert's begin and end dates.

Click to expand...

This is a point that's not been made in any of the articles I've been reading about this. I was just waiting to see what Microsoft's updates do, but was really a bit too curious. And I also kind of figure this old unsupported system would simply be bypassed by these updates anyway.

Which is pretty much the same about Black Lotus. The articles make it sound like a major risk, and I know it needs admin privileges but I'm sometimes to quick to click through the cautions and thought it would be a better for me in case it came as a phishing attack in an email. I really do not want to run without Secure Boot; I had too many scares when running Win7 and WinXP before I got UEFI system and Win10... because of that! Black Lotus is far from the only threat in the wild.

As with any threat, you must be a little careless or be a hacker target to actually get any virus. If you keep Windows Defender or other third-party antivirus updated and watch where you click, you shouldn't worry, even if you were running Windows XP. Just click anywhere to get rid of a popup window is the recipe for disaster! So don't overthink it, keep your system updated, be a little careful and enjoy it.

spapakons said:

As with any threat, you must be a little careless or be a hacker target to actually get any virus....

Click to expand...

I feel the problem with UAC- type click-throughs is it conditions us to do just that: when they come at us too frequently it's easy to become careless and simply accept instead of thinking about it first. I get UAC warnings opening (what I consider) innocent utilities like HWInfo, CPUz and Afterburner. Not just to install them, which I can understand because their popularity makes them an obvious vehicle for transmitting an attack, but to run them too.

In addition to keeping Defender and MalwareBytes updated I also keep my web browsers updated. MS will keep Edge updated but only if not blocking Windows updates... which a lot of people do for various reasons.

Buddywh said:

I feel the problem with UAC- type click-throughs is it conditions us to do just that: when they come at us too frequently it's easy to become careless and simply accept instead of thinking about it first. I get UAC warnings opening (what I consider) innocent utilities like HWInfo, CPUz and Afterburner. Not just to install them, which I can understand because their popularity makes them an obvious vehicle for transmitting an attack, but to run them too.

In addition to keeping Defender and MalwareBytes updated I also keep my web browsers updated. MS will keep Edge updated but only if not blocking Windows updates... which a lot of people do for various reasons.

Click to expand...

What on earth does Malwarebytes do these days for domestic computer users. -- Good for C20 stuff but we are nearly 30% through C21 -- WD itself is almost now of military strength. No need for malwarebytes or any 3rd party A/V stuff for domestic computer users. Just learn to avoid scams (far more of a problem) -- don't give away personal info on social media sites, and if you do download stuff from some of those well known sites e.g one still flying the jolly roger flag then use a VPN and ensure you download the proper stuff -- avoid like the plague any .rar type files (these are the one's most infested with "nasty payloads") and avoid any extra "offers" etc.

This comment (I'm usually known here for my real HATE of some of these 3rd party A/V suppliers preying on people's security feelings on domestic computers) only applies to DOMESTIC users -- Corporates etc have other issues to deal with of course -- but do you really think a serious hacker in 2025 is bothered with trying to get a paltry €5.00 from a domestic user when with a bit of work they can shut down loads of EU and UK airports, cause a month long outage at the UK's Jaguar Range Rover plant with consequence to zillions of workers in the ancilliary supply chains not only in the UK, disrupt national health type systems of many countries, disrupt banks and stock markets, NATO command centres etc etc.

I can't know about whether having a load of this unnecessary 3rd party stuff gives people "peace of mind", but both economically and technologically it's JUST PLAIN BONKERS.

Cheers
jimbo

spapakons said:

As with any threat, you must be a little careless or be a hacker target to actually get any virus. If you keep Windows Defender or other third-party antivirus updated and watch where you click, you shouldn't worry, even if you were running Windows XP. Just click anywhere to get rid of a popup window is the recipe for disaster! So don't overthink it, keep your system updated, be a little careful and enjoy it.

Click to expand...

I've run XP for years as a VM (I still have some old Vinyl cutting equipment to make Vinyl bespoke records for people- quite profitable !!) -- now I can actually get the Vinyl blanks which was a limiting factor before !!, New soft/hardware would cost me around €50,000 plus wretched music software subscription fees. The old XP version I have is "Royalty free" plus the hardware still works absolutely perfectly.

Just isolating the main XP from the general Internet is 100% safe if you set up the VM properly. !!!

This XP VM system will probably outlast my physical Win 11 systems !!!!!!

Cheers
jimbo

At work we still use some old XP and Windows 7 computers. Apart from being rather slow compared to my home PC, the only thing I don't like is that I can't browse all sites with the very old browser versions. Browsers like My Pal and Supermium can browse more sites but are still not compatible with all. In Windows 7 official browser versions stop at 109 and Firefox ESR at 115, still don't browse everything. Thankfully R3DFOX is equal to current Firefox and much faster, so it makes using Windows 7 feel like using Windows 10 or 11.