How serious is MS about requiring TPM? I haven't read too much into it but every time I hear people talking about it they say there will be workarounds or MS will eventually budge. The same with requiring online accounts.
That's funny. I have virtualization-based security (Core isolation, memory integrity) turned on and working (but had to uninstall a couple of incompatible drivers and use generic ones instead) on my old Haswell laptop. And Haswell is old by this point...
My friend said he installed a Windows 11 preview build on an old spare computer for evaluation.
"But how did you solve the TPM requirement?"
"I just bought a cheap TPM module from a dubious Amazon marketplace. I cannot examine this additional device, so this system is less secure in my opinion."
Knowing how sloppy MS is, they are going to get pwned in a month. Let's all remember that the community managed to find a way to install macOS on PCs a few weeks after the first x86 build was made public.
It's more of an acknowledgement of how impossible it is to prevent people from running what they want where they want, unless your software is not meant to run on off-the-shelf hardware in the first place (see iOS).
This stuff has always been configurable from the policy editor and I can't imagine that ever going away, but I can imagine them removing the policy editor from the free editions. But then someone would just make a free policy editor (if there isn't one already).
Last time I checked it was wrongly reported as malware and blocked at the browser level.
At least it's accessible now but there may be some latency in Defender getting updated.
The tool is sound. Unless your company explicitly disallows it, you should be able to bypass Defender and force it to install, although there are some dark patterns there that may not make it obvious.
The author of the tool is aware of the problem, from the GitHub page:
_N.B. A few antivirus programs incorrectly flag Policy Plus as malware. Policy Plus is a powerful tool and so may cause problems if used recklessly, but it is not malicious. If you would prefer to not trust binaries, feel free to read the code and compile Policy Plus from source. You can also verify that a build was created from the published code by examining the output of a GitHub Actions run: the input commit hash can be found under "checkout master" and the output executable hash can be found under "compute hash."_
They are banking on the power of the normies not being aware of such power tools, let alone having the patience/competence to go through those workarounds. And they are right. Normies don't usually care/bother, they will just order that Windows 11 laptop.