A slightly deeper dive into the explanations you might find regarding Win11’s hardware requirements.
At a minimum, security is inconvenient. Years ago, it was decided by the powers that be that the device BIOS, the programmable chip that ties all the components together so that a Windows device can start or boot, should contain a sort of Linux-based mini-OS. The first problem is that any OS can be hacked, which is made easier in this case since the BIOS’ code can be updated by software running in Windows. So, Microsoft introduced Secure Boot, which [per Microsoft] is supposed to make sure that: “… a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM).”
Secure Boot can be inconvenient – usually turned on/off in the BIOS settings [it can be locked on], it may disable other BIOS features, and may need to be off in order to boot from a USB stick or drive – and it may not be secure… relying on signature databases, there’s an AFAIK still not fully patched bypass if the UEFI BIOS accepts a 3rd party database. Microsoft is also working on methods to monitor and control what happens in the BIOS using a TPM – a Trusted Platform Module – which is more-or-less like a hardware encryption key that Windows uses to store keys/values. The TPM itself can have or cause issues with Windows that can affect whether Windows works properly, while having its own security vulnerabilities.
So, next step, Microsoft is working on trying to better secure the values/data stored in the device’s memory, which is where the actual work your PC does happens. You may have heard the term Sandbox, which refers to a closed off environment where if something bad happens, nothing can escape to harm anything else. Microsoft is working on isolating critical stuff in memory that way and has developed Hypervisor-Protected Code Integrity [HVCI], using the CPU’s virtualization capabilities. It caused a huge drop in performance however, so Microsoft had CPU manufacturers add something called Mode Based Execution Control, which helped, but seems to have not cured the problem. The newer CPUs that have that Mode Based Execution Control are the ones that Microsoft qualified for Win11.
Enabling virtualization-based protection of code integrity – HVCI – is possible in Win10, and may break the software you use &/or Windows itself – driver compatibility is an issue. [Settings -> Update & Security -> Windows Security -> Device Security -> Core isolation details -> Memory integrity on/off]
If you upgrade to Win11 from Win10, VBS [Virtualization Based Security] will be off – if you install Win11 fresh it’ll be on by default. There’s not a lot of documentation on any of this, and what there is targets IT pros & developers. As you’d expect there’s also a bit of incomplete or even incorrect info in articles & blogs online. I know personally I’ll not use VBS because it requires the same Hyper-V that VirtualBox is allergic to. I don’t expect most people upgrading from Win10 to Win11 will turn it on, assuming they even know it’s there, which is a big IF. I don’t see a lot of overworked IT staff going through all the testing that would be required before enabling it on all their company’s PCs/laptops. I could see a company like Dell leasing PCs/laptops with Win11 & having VBS turned on when/if they were replacing or supplying all the PCs/laptops that whatever organization used, and specialized, hardened PCs for specific tasks may become more common. But all of that could have happened last week, before Win11 officially debuts on October 5th. The only thing Win11 adds is potential marketing to try justifying Win11.
Microsoft may be planning to add something VBS-related in the future that can only be had with Win11, and that could plausibly be the reason for Win11’s CPU & TPM requirements. But that’s again another Big IF. And Microsoft could have plausibly improved performance in Win11 with VBS enabled – we’ll have to wait and see on that one… so far there have only been a few tests that say it kills gaming.
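To see which of the features discussed above are actually in effect on a given Win10 or Win11 machine, the following added example (not from the original article) reports Secure Boot, TPM, VBS, memory integrity [HVCI] and Mode Based Execution Control status in one pass. It assumes an elevated PowerShell session; the variable and function names are illustrative.

```powershell
# Added example: report the state of Secure Boot, TPM, VBS, HVCI and MBEC.
# Assumption: run from an elevated (Administrator) PowerShell session.

# Win32_DeviceGuard is the WMI class Windows exposes for VBS-related state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# Code-to-name maps, following Microsoft's documentation for Win32_DeviceGuard.
$vbsStatus = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }
$hwProps   = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    7 = 'Mode Based Execution Control (MBEC)'
}

# Hypothetical helper: translate an array of numeric codes into readable names.
function Resolve-Codes($codes, $map) {
    $names = foreach ($c in $codes) {
        if ($map.ContainsKey([int]$c)) { $map[[int]$c] }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

# Confirm-SecureBootUEFI throws on legacy (non-UEFI) firmware or without
# admin rights, so an error is reported instead of being treated as "Off".
try   { $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' } }
catch { $secureBoot = 'Unavailable (not UEFI, or not elevated)' }

# Get-Tpm also needs elevation; keep going if it fails.
try   { $tpm = Get-Tpm -ErrorAction Stop }
catch { $tpm = $null }

[pscustomobject]@{
    SecureBoot           = $secureBoot
    TpmPresent           = if ($tpm) { $tpm.TpmPresent } else { 'Unknown' }
    TpmReady             = if ($tpm) { $tpm.TpmReady }   else { 'Unknown' }
    VbsStatus            = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured   = Resolve-Codes $dg.SecurityServicesConfigured $services
    ServicesRunning      = Resolve-Codes $dg.SecurityServicesRunning $services
    HardwareCapabilities = Resolve-Codes $dg.AvailableSecurityProperties $hwProps
} | Format-List
```

A machine upgraded from Win10 would be expected to show `VbsStatus : Off` here, while a CPU without MBEC will not list it under `HardwareCapabilities` even if memory integrity is switched on.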