A practical hardware-readiness checklist for Houston and Texas businesses moving fleets to Windows 11 -- covering TPM 2.0, Secure Boot, supported CPUs, the 24H2 SSE4.2 gotcha, and how to sort devices into ready, firmware-fix, and replace buckets.
Windows 10 reached end of support on October 14, 2025. Microsoft no longer ships free feature updates, security fixes, or technical assistance for it, and version 22H2 is the final release. For businesses across Houston, The Woodlands, Katy, and Sugar Land, that turns a background upgrade project into a security and compliance deadline. The catch is that Windows 11 is pickier about hardware than any release in a decade, and a fleet of 40, 100, or 300 machines rarely upgrades cleanly all at once.
This is a checklist-first guide to Windows 11 hardware compatibility for business. It walks through the real minimum requirements, how TPM 2.0 and Secure Boot actually work, which CPUs Microsoft supports, the one requirement in 24H2 that genuinely cannot be bypassed, and how to check a whole fleet at scale rather than one PC at a time. The goal is to help you sort every device into one of three buckets: ready today, fixable with a firmware change, or due for replacement.
Start with the baseline. Windows 11's official minimum requirements have not changed since launch: a 1 GHz or faster 64-bit processor with 2 or more cores from Microsoft's supported list, 4 GB of RAM, 64 GB of storage, UEFI firmware that is Secure Boot capable, and TPM 2.0. In the real world, treat 4 GB of RAM as a floor you never want to hit -- plan for 8 GB or more for anything a staff member uses all day in Microsoft 365, a browser with 20 tabs, and a line-of-business app.
Two of those five requirements -- TPM 2.0 and Secure Boot -- are where most "this PC can't run Windows 11" errors come from, and both are frequently a settings problem rather than a hardware problem. That distinction is the difference between a free BIOS toggle and a capital purchase, so it is worth understanding before you write any device off.
A Trusted Platform Module is a secure chip that stores encryption keys, and Windows 11 uses it for features like BitLocker and Windows Hello. The TPM 2.0 requirement can be satisfied two ways. A discrete TPM (dTPM) is a physical chip soldered to or plugged into the motherboard. A firmware TPM is built into the CPU itself -- Intel calls theirs PTT (Platform Trust Technology) and AMD calls theirs fTPM. Both fully satisfy the requirement, and most business PCs from the last six to seven years already have firmware TPM sitting idle in the BIOS.
Here is the part that saves fleets real money: TPM is very often disabled by default. Enabling it -- look for Intel PTT or "Security Device Support," or AMD "CPU fTPM" in the UEFI setup screen -- frequently flips a device from "not compatible" to "ready" with zero hardware change. When a machine offers both a discrete module slot and firmware TPM, firmware TPM is used unless a physical dTPM module is actually installed. Before you quote a client on new laptops, confirm whether their "failing" devices simply need this switch flipped.
Secure Boot Windows 11 support has a prerequisite people miss. Secure Boot requires the disk to use GPT partitioning and the firmware to run in UEFI mode -- not legacy BIOS or CSM mode. A machine that was imaged years ago on MBR partitioning and legacy BIOS cannot simply have Secure Boot switched on; the disk has to be converted first, typically with Microsoft's MBR2GPT tool, and then the firmware moved to UEFI mode.
This conversion is safe when done correctly but is exactly the kind of step that goes wrong at scale without testing and backups. If a chunk of your fleet is on older images, budget time for conversion and validation, and make sure your backup and recovery is verified before anyone touches partition tables on production machines.
The Windows 11 CPU support list is defined by Microsoft's explicit model list, not by clock speed or a blanket generation rule. As a baseline, support starts at Intel 8th Gen Core (Coffee Lake, roughly 2017 to 2018) and newer, and AMD Ryzen 2000 series / Zen+ (2018) and newer, plus Threadripper 2000 and up, EPYC 2nd gen and up, and select Xeon, Atom, Celeron, and Pentium models.
Resist the temptation to assume "all 8th gen and newer works." A handful of chips inside a supported generation are excluded, and a few outside it are included. For a business fleet, verify the exact processor model against Microsoft's official supported-processor list rather than eyeballing the generation. This is the kind of inventory detail that a proper hardware audit through technology roadmap planning captures once and reuses for every future upgrade cycle.
This is the single most misunderstood point in Windows 11 planning, so keep the distinction crisp. The TPM 2.0, Secure Boot, and CPU-list checks can technically be bypassed with registry or installer workarounds -- though Microsoft warns those unsupported installs may be denied updates, which makes them a poor choice for any business fleet.
Windows 11 24H2 is different. Starting with build 26080, 24H2 hard-requires the CPU to support the SSE4.2 instruction set, which includes POPCNT. A CPU that lacks SSE4.2 will not boot 24H2 at all -- it fails at the boot screen or bugchecks. This is a physical CPU capability, not a policy check, so no registry tweak can work around it. The good news: SSE4.2 has been in mainstream processors for roughly 15-plus years, so essentially every CPU already on Microsoft's supported list meets it. Only genuinely ancient machines are affected, and those are stuck on 23H2 or earlier. In practice, if a device passes the supported-CPU check, it clears the SSE4.2 bar too.
The way you check Windows 11 compatibility should match your scale. The consumer PC Health Check app is fine for a single home PC, but running PC Health Check business device-by-device across a managed fleet is not what Microsoft intends -- and it does not aggregate results anywhere useful.
For managed environments, use the right tools:
Deploying and interpreting these at scale is squarely a job for a managed Intune and endpoint practice. If your team is not already running endpoint security and management centrally, the upgrade project is a good forcing function to get there, and it pairs naturally with ongoing Houston managed IT services so readiness reporting becomes continuous rather than a one-time scramble.
Once the readiness report is in hand, every device lands in one of three buckets, which drives your budget and timeline for Windows 11 upgrade readiness:
For the replace bucket, Extended Security Updates (ESU) is the transition safety net -- not a destination. Commercial ESU is available for up to three years -- through October 2028 -- but it delivers only Critical and Important security updates: no features, no bug fixes, no technical support. Note that the widely quoted 30 dollar and Microsoft Rewards options are the consumer path; business ESU is priced per device, per year through volume licensing and roughly doubles each year, so it is deliberately structured to encourage migration rather than delay it.
There is no single sticker price, but the model is predictable. Firmware-fix devices cost mostly labor. Replace devices are a per-seat capital line, and mid-range business laptops in the Texas market generally run several hundred to a bit over a thousand dollars each depending on specs. Layer in imaging, data migration, and any ESU bridge licensing for stragglers. A clean inventory turns this from a guess into a spreadsheet -- which is exactly the point of doing the readiness audit before you buy anything.
Yes. TPM 2.0 remains an official requirement for mainstream Windows 11 Home, Pro, and Enterprise. Headlines about Microsoft "dropping TPM 2.0" refer to unsupported install bypasses or the specialized IoT Enterprise/LTSC edition -- not a change to the standard requirements. Most business PCs from the last six to seven years already have firmware TPM (Intel PTT or AMD fTPM) that just needs enabling in BIOS.
You can technically bypass the TPM, Secure Boot, and CPU-list checks with registry workarounds, but it is not recommended for business fleets -- Microsoft may deny updates to those installs and it can conflict with licensing and support terms. The 24H2 SSE4.2 CPU requirement, by contrast, cannot be bypassed at all because it is a physical processor capability.
Windows 10 stopped receiving free security updates on October 14, 2025. Running it unpatched raises real breach and compliance risk, especially for regulated Texas businesses in finance, legal, and healthcare. Commercial ESU can bridge up to three years for devices that genuinely cannot migrate yet, but it is security-only and priced to be temporary.
Skip the consumer PC Health Check app for fleets. Deploy Microsoft's Hardware Readiness PowerShell script through Intune or Configuration Manager, or use the Endpoint Analytics "Work from anywhere" report to see readiness across all managed devices in one dashboard, with the exact failing check per machine.
It is the official minimum, but not a realistic target for daily business use. Plan for 8 GB or more so staff can run Microsoft 365, a browser, and line-of-business apps without slowdowns. If you are already replacing devices, specifying adequate RAM up front avoids a second refresh cycle.
Every month a device stays on unsupported Windows 10 is another month of unpatched exposure. A one-time hardware-readiness audit tells you exactly how many machines are ready, how many need a free firmware fix, and how many to budget for replacement -- so the migration becomes a plan instead of a fire drill. LayerLogix brings 20-plus years of experience and 100 percent Texas-based support to businesses across Houston, The Woodlands, and the surrounding metro. Talk to our Houston managed IT team to get your Windows 11 readiness audit scheduled.
LayerLogix provides expert infrastructure solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.