I’m currently on 16.2.0 build-18760230 … I’ll have to try an 11 in 11…

Yup, though 16.2.0 seems to have been rushed a bit – the new virtual hardware version is named “Workstation Beta” in the UI, and there are a few other bugs present (if you create a new VM, don’t click “Customize Hardware” in the last step, as it’ll probably crash Workstation).

Well, they removed that requirement in the just-now released VMware Workstation v16.2.0: https://blogs.vmware.com/workstation/2021/10/workstation-16-2-now-available.html

You do have to edit the .vmx file manually but no biggie. I tested it and W11 installed happily without any other trickery.

I hate that requirement. Apparently you can patch vmware-vmx.exe to disable that check: https://twitter.com/gentilkiwi/status/1246838943489953793 but I don’t know where exactly to change what. Can anybody figure it out?

I have to deal with ‘normal people’ and in China. I’d trust the manufactures far more than dumb end users, or random 3rd party ‘must have apps’.

it’s hardly duct tape, anything that you are signing on the same machine is already suspect.

At some point you have to know that everything connected to a network is compromised. Ever since PGP went from being a military grades muntions to being free and open, it’s pretty obvious that none of this stuff matters, it’s just a high enough bar to block anyone below the power of state actor.

Did you found a way to build the root on your own trust chain by changing the signature on your CPU security processor core and sign your firmware image against it, with your own private keys as phone and other electronic device makers can do (and no, that isn’t TPM certificate attestation)? If no, then the security they are selling to you is duct tape, just rhetoric, and you know is true. Sure it will keep away the unblessed hacker people, but the blessed ones will be able to do whatever they want as soon as your device manufacturer gives them the keys to do so. And you still will be vulnerable to these keys leaking, which has been probed to be possible.
Personally, at least to me, security duct tape (and wslg btw) isn’t worth all the hassles which Win11 want to push to me. And I wrote the message answering to your “And to be honest its sad as they do work fine for day to day stuff”. But in the end ofc is your choice if you want to support them trashing perfectly usable hardware for duct tape security.

how is using tpm to enforce only signed code ‘security rhetoric’?

Don’t update. Don’t use Win11, use linux.
Don’t fail for the “security” rhetoric.
MS has to be forced to move their current ways.

Xeon E5 1600/2600v3 (Haswell-E) should work nicely if you pair them with a server/workstation Motherboard, as VT-d tends to work out-of-the-box on those. On consumer Haswell (Core iX 4000 generation), it was hit or miss. For reference, I have a Xeon E3 1200v3 Haswell on a Supermicro Motherboard, which I purchased back in 2013 specifically for this purpose (And is still my main, and only, computer). The v2 I would avoid because the older it is, the more quirks,, albeit chances are that it works there, too.
If that is your available Hardware, at the platform level you should be good to go unless the Motherboard REALLY sucks. Video Card could be complicated, but any recent GeForce/Radeon “mostly” works for as long that you keep in mind what I mentioned previously.

You should manage to get it working, these days it is extremely well documented how to setup PCI Passthrough on most Linux distributions with a variety of supported Hardware. I would like to see what you can do if you add that into your tool arsenal, as it has some interesing retro uses. Thus you’re the type of person that may have the most fun with it. After getting it working, obviously!