Ask Paul: October 11 (Premium)

Happy Friday! This is a particularly good set of reader questions in my opinion, so let’s dive right in. The weekend isn’t going to, um, weekend itself. Or something.

The Halo effect

helix2301 asks:

With this news of Halo this week what do you think future of Halo looks like there been speculation for years they were going to put it in maintenance mode I think this is proof they still have faith in franchise.

I was never worried about Xbox/Microsoft putting the franchise in maintenance mode, but it was clear to me that Halo Infinite was such a bungled mess from the get-go, with that initial preview that was so horrible, the year-long delay for the initial release, and then the months of updates to get it to where they had promised originally. And that in this mess, we had the makings of a disaster. Microsoft’s biggest game franchise had hit a brick wall, and while I am sure there are all kinds of reasons, the thing I keep coming to is that 343 was playing it safe, and that what it delivered in Halo Infinite, ultimately, was this thing that was super-respectful of the past, especially the original game (in single player, anyway), and that in doing so, it had in fact disrespected the game and the fans. Because both deserve better. More.

Ignoring the past year for a moment, when I think back on the many ways in which Xbox had evolved as a business in this push towards remaking itself in the image of its corporate parent–in this case, by “meeting gamers wherever they are”–one of the many bright points I would have (and I guess still do) point to is this ongoing support for existing titles instead of always rushing to the next game. That is, there are games both big (Gears of War, Flight Simulator, etc.) and small-ish (Sea of Thieves) where Xbox just kept supporting that community with additional content post-release. And this made sense within a Game Pass-centric world, especially, where you could do that because loyal fans were still paying to play, essentially, and they didn’t need to charge extra for that content as is so often the case. It seemed like a good model to me, not that I have any information about how well it works financially or whatever.

And that’s what happened with Halo Infinite. Until it stopped, sort of. 343 back in January revealed that it would no longer deliver any more major updates to the game but would instead scale back and provide smaller, shorter event-based updates over time. This isn’t exactly how that was presented, of course. And to be fair, it has continued with those smaller updates consistently all year. But it was clear, still is, that the latest Halo title had underperformed on every level and can only be described as a disappointment. That it is the third straight title in the series to disappoint can’t have been lost on anyone inside the company or out.

And so there were always going to be changes. And while this switch to the Unreal Engine is just one of them, it’s an important one. It signals to the world that Xbox is seriously about getting Halo right, in attracting talent that might otherwise have ignored the franchise because of its quirky, unusual engine. And that Halo will absolutely follow that “meeting gamers wherever they are” mantra and come to other platforms, most especially PlayStation. And probably mobile, right? Because games this important should be everywhere.

My guess is that’s what 343–sorry, Halo Studios–was hinting at when they mentioned multiple new games in development. A full-on Halo 7 or whatever title for PC and consoles. And a Call of Duty Mobile-like Halo title. Or, better still … a single Halo 7 title that works across PC, console, and mobile. Maybe it’s time.

Of course, for this to work, we need compelling story, great single player gameplay, and maybe a long-overdue reworking of multiplayer so that it makes sense in the competitive e-sports/Call of Duty/Warzone/Fortnite world of today. It’s a lot. But this is Halo, and it’s important enough to warrant this work.

Anyway, I’m excited enough by the Unreal Engine reveal to be cautiously optimistic. But Halo has fallen pretty far. I hope they get this right.

The problem with 24H2

ivarh asks:

Parallels 20.1 is now available, and when you install a new Windows 11 virtual machine, you now end up with an ISO that installs a 24H2 system. However, running an update in my existing 23H2 virtual machine does not upgrade it to 24H2. I recall that there was a patch with a specific KB number that you could download to enable your 22H2 virtual machine to update to 23H2. Do you know if there is a similar patch available that you can download and apply to upgrade your 23H2 virtual machine to 24H2?

So, the problem with 24H2 is that it’s what Microsoft now calls a “full OS swap,” and not the enablement package that makes the type of patch you want possible. That is, with 23H2, Microsoft delivered the OS upgrade–the feature update, as Microsoft calls it–as an enablement package, meaning that the new features were basically preinstalled via previous month’s cumulative updates, and it could remotely flip a switch–deliver a small update that enabled those features–and give customers that upgrade in the smallest, simplest, least destructive way imaginable. But that’s not the case with 24H2. This is a full version upgrade, and it’s installed the normal/traditional way.

Your situation is further complicated by it being Windows 11 on Arm. And so you have to wait/rely on one of two things happening: Microsoft delivering a Windows 11 on Arm ISO, or Parallels delivering its own in-app mechanism for doing the upgrade. I upgraded my Parallels-based install of Windows 11 (and an older WOA-based laptop) a while ago using a custom ISO I created with UUP Dump, as described here, but that’s not something I’d ever recommend to mainstream users. But those are your options, sorry. Wait on Microsoft. Wait on Parallels. Or do it yourself.

Or … wait for it to actually appear on Windows Update, of course. Parallels is fully supported by Microsoft, so that will happen organically at some point.

But no, I’m not aware of a cumulative update (KBxxxxxx) for flipping that switch for 24H2, sorry.

SOS for SSO

wright_is asks:

We are constantly being pushed to use single sign-on and bring everything together for convenience, but is that always a wise move?

Before getting too far into this, my gut reaction is that Microsoft and other identity/infrastructure makers pushed (and still push) single sign-on (SSO) because they understand that users will fight more traditional authentication methods for all the well-understood reasons. And that the marketing of this to IT and the commercial entities that employ them is that they will do this is in the most-secure ways possible. In the end, it’s that standard convenience vs. security thing, and if it works the way Microsoft and others promise, we have that rare win-win scenario. But I’m guessing that’s not been your experience. 🙂

I will read on.

I’ve just spent the last couple of weeks de-coupling all of our infrastructure from the Windows domain. Things like Hypervisors, backup solutions, firewalls etc. all offer integration into the Windows domain for convenience – the administrator can sign into each of the services/solutions with their domain account. That is incredibly convenient.

But I’ve been pushing for years to disable this convenience. Now I run the department and I am in the process of doing that… Just as our worst nightmares are becoming reality. Over the past few weeks several clients of one of our external service providers have been hit with crypto malware, where they compromised a domain account and managed to leverage their way up to domain administrator and from there they compromised the hypervisor and the backups, because they all worked with the same username and password. The backups were encrypted and, once that was done, they encrypted the complete hypervisor environment.

Maybe I should read all this before commenting, but this does sound like a classic single point of failure issue. Which is, of course, one argument against using a password manager or whatever. I guess this is the second major concern after the convenience v. security debate: We all land somewhere on the spectrum of these things, but most individuals are probably too far towards the convenience side of that issue. But single point of failure is an interesting problem. Because the alternative is multiple points of failure, which is what we see when individuals–probably most of them–have their credentials in multiple places, most of which they’re not actively monitoring or using anymore.

Again, I will read on.

It also looks like they used an unpatched zero day exploit in the Linux on the firewalls to get their foothold in the domain in the first place. For years, I’ve avoided the “login to our unaffiliated service using your Apple/Google/Microsoft/Meta account”. For a couple, where it didn’t really matter (E.g. RSS feed reader) I did use that facility (mainly because I wanted to move my Google Reader lists over anyway), but for everything else, I’ve used a separate account with a unique password and MFA, or even Passkeys when available.

Yeah. These online accounts are hitting on that convenience thing, easing access for individuals, and as I noted up top, the promise and the hope is that they deliver on the security angle. But there are other issues here, too. One is just basic trust. I may trust Apple, Google, or Microsoft to handle the security inherent there, but I would never trust Meta/Facebook. Ever. But the one worry I do have, in the back of my brain, is what would happen to me if I woke up tomorrow and couldn’t get into my Google account, which is tied not just to my identity (literally) but also to my work-related assets and all those third-party accounts I’ve linked to it? The question isn’t whether I’d lose anything, it’s how much I’d lose. This hasn’t worried me enough to decouple any accounts–I’m a person, too, so I also want the convenience–but it is something I think about. And now I’m thinking about it again. Thanks for that. 🙂

But you’re talking about identities in a corporate domain. And in that spectrum sense, I have no problems whatsoever with corporate resources leaning more toward the secure/more difficult to authenticate than toward convenience. In fact, this makes sense to me.

Some friends think I am paranoid, but working in IT with a focus on internal cybersecurity I’ve always thought that cordoning off the different areas to have their own security made more sense to me than the convenience of simply clicking a button to join it to a single point of failure.

Exactly. My response to any complaint would be that they are free to be reckless with their personal online identities. But when it comes to company resources, the responsibility isn’t just greater, it’s not theirs. I don’t know the full story here, but I hope and assume that you can explain to whomever doesn’t like what you’re doing that there are good reasons for it. And that their employer’s need to be secure outweighs their desire for a little convenience.

Why? Surface edition

paulschnack asks:

Hi Paul, any idea why the Surface Pro Copilot+ Snapdragon X Elite / X Plus only come in 16 GB / 512 GB when equipped with 5G? I’m in Australia, got a marketing email that 5G was now available, but turns out that the 32 GB / 512 & 1 TB models don’t have 5G, only the lower spec ones. Curious to find out.

This is the first of two “why” questions this week, and my usual reply is that “why” questions can be difficult to answer. But in this case, I think I know the reason why. (I have a better response to the other “why” question, I think.)

And it boils down to Microsoft basically being a boutique PC maker that doesn’t have the sales volume to justify the expense of offering customers the ability to mix and match every single component/color choice/whatever for any given PC. I ran into this with Surface Laptop 7: What I wanted was a 15-inch/32 GB configuration in that gorgeous Sapphire blue color with a 512 GB SSD, but that’s not possible. But once you move up to 32 GB of RAM, the only color choice is black. So black it is.

In your case, the 5G-enabled Surface Pro is the unicorn of this entire lineup. You can only get 5G on Surface Pro–not Surface Laptop 13 or 15-inch), and while you do at least have color choices, it’s only available in a single configuration, 16 GB/512 GB. Sadly, that’s how it’s always been. Not that specific configuration, just what feels like a weird limitation.

This is the case with Pixel, too. This makes sense: Pixel is the Surface of the Android world, where the platform’s maker is nonetheless not exactly a big player in hardware, and so it limits which combinations of components buyers can get because doing otherwise is prohibitively expensive. Looking just a Pixel 9 Pro, you can get the XL with 1 TB of storage … but only if you choose Obsidian (black). The other colors are limited to 512 GB. And Rose Quartz is further limited to a single 256 GB configuration. It’s the Surface Pro 11 of Pixel, I guess.

Anyway, that doesn’t help you, I know. Sorry. But that’s why. The hope is that time will go by or, God forbid, these things will sell well enough, that the configuration choices can explain. But for Surface Pro specifically, it’s a niche seller as is, and a 5G-equipped model is a niche within a niche. So you’re stuck.

Again, sorry.

Cuauhtémoc es mi casa

train_wreck asks:

Just curious how the Spanish learnings are coming along? Have you made it to the dreaded subjunctive verb tense? (I’ve given up on knowing when to use that myself, fortunately it seems nonessential enough that people will still understand you.)

It’s coming along. Slowly, for the most part, because I’m not in Mexico enough–I feel like the only way for this to work effectively is full-on immersion–and because I’m not currently doing anything more than using Duolingo, which is good for what it is, but not a path to fluency.

Coincidentally, I just wrote about Duolingo on our Eternal Spring site, and I’m currently at level A2 in the Common European Framework of Reference for Languages (CEFR) standard, which means I can speak like a small child and order food in restaurants, basically. (I’m paraphrasing.) I just went through some lessons on imperfect/preterite (variations on past tense) and alternate between things that are surprisingly easy and surprisingly difficult. But I do it every day, and I often spend a lot of time on it.

I mentioned this question to my wife, and she just started some subjunctive verb lessons, which she agreed was difficult. But she’s beyond me in Spanish, and she has 1-2 live lessons with a tutor over Zoom. On Duolingo, she’s now level B1 on that CEFR standard if that means anything to anyone.

I’m hoping that being here in Mexico City through mid-November will help, and then we expect to spend at least two months here over the winter. And we’ll see.

Why? Intel edition

MartinusV2 asks:

Hello Paul, what Intel is thinking to sell a desktop chip with an NPU at only13 TOPS? It’s way lower than the requirement of Copilot+.

My first reaction to this was the same, and I had that same reaction when Intel announced tepid 14th generation Core chips in early 2024 without any NPU at all. But as referenced above, this is the second “why” question this week, and I have a good answer to this one.

In a perfect world, Intel’s move to “Lunar Lake” for its Core Ultra Series 2 chips would mark a dividing line between the powerful NPU present and the lackluster or nonexistent past. But this is Intel, not a perfect world. And because its product roadmap was whatever it was–it had moved into a “tick-tock-tock” if not a “tick-tock-tock-tock” model recently, if that makes sense–we’re still dealing with the vestiges of that.

More specifically, Intel planned to iterate on Meteor Lake, which is a mobile family of chips, over several generations, and the roadmap had it implementing more powerful NPUs later. It was also doing the same thing on the desktop, where it will implement Meteor Lake-level NPUs in its desktop chips a year later (which it just did), and then rev those accordingly.

But then Microsoft revealed the Copilot+ PC specification to Intel and told the company that it would launch first with Qualcomm by mid-2024. I’m writing a series about Windows on Arm–only the first is available so far–and there are a couple of overreaching themes that will appear in all three articles, one of which is Intel and its efforts over the years to undermine any competition in the PC space. And it has always been particularly aggressive going after Arm.

This past year’s events will factor heavily into the third chapter of that series, but the short version is that Intel threw away its roadmap for the Meteor Lake follow-ups–Core Ultra for mobile, basically–and accelerated the development and implementation of a next-generation architecture that includes, among other things, a Copilot+ PC-capable NPU. The resulting chip is Lunar Lake, and even without knowing the inside story on this, you can see hints of what happened in Intel’s public disclosures. In its most recent earnings announcement, which was a disaster, it alluded to this effort when it noted that Lunar Lake achieved production ahead of schedule in the win column, but that this push to get it into market so quickly contributed to its financial difficulties. I was told by insiders that Lunar Lake is so expensive for Intel to produce–remember, this was meant to be 3+ years out–that it loses money on every sale.

From a technical perspective, Lunar Lake is a not a “tock” to Meteor Lake’s “tick.” It’s a “tick,” a new architecture, and a major advance. I mean, look at the improvement claims: 50+ percent better graphics performance, 40 percent lower power consumption, and 3X AI TOPS performance gains, year-over-year. Those numbers are nuts. But Intel did that to ensure it was competitive against both Arm (Qualcomm) and AMD, which also met Microsoft’s requirements for Copilot+ PC this year with its Zen 5 architecture. (Unlike with Intel, I don’t have any information about whether that was problematic for that company.)

Lunar Lake is also a mobile-only chip family. Intel focused its Copilot+ PC push on mobile because Microsoft did. For now, Copilot+ PC is a mobile phenomenon because that’s the sweet spot for the market. Most PCs sold today are laptops. And the most lucrative PCs sold today are premium laptops (from a volume perspective). There’s a nice efficiency/performance story there.

Lunar Lake is unique for so many reasons, it’s almost like the “anti-Intel” release in which it squandered CPU performance for its efficiency, GPU, and NPU gains because GPU and NPU performance doesn’t kill battery life like CPU performance does. This is OK on many levels, too, because this market is mostly about productivity, not performance-heavy tasks, and we’ve had too much CPU performance for years anyway. But it’s an outlier during this transition, too. Lunar Lake chips are only available in U-series variants, for ultra-mobile PCs. There are no H-series (or whatever) Lunar Lake chips.

Arrow Lake, which is the chip family you’re wondering about, is what Meteor Lake 2 would have looked like. It was going to be available in mobile and desktop variants with different TPD models across U-, H- and other series. (Intel is revamping those, too, and there are new series names with different TDP ratings now.) What we’re seeing with Arrow Lake is what Intel would have delivered this year: A “tock” update to Meteor Lake with minor improvements, but also available in desktop versions. Arrow Lake is, in many ways, vestigial. And so it seems out of step. But Intel couldn’t do the same ramp up on desktop as it did on mobile: It’s already losing money on Lunar Lake, so it needed to make up those margins (in part) somewhere.

One could argue that this is OK because those who want Copilot+ PC capabilities on desktop PCs are small in number, and they can always upgrade to more powerful GPUs if needed. But that requires Microsoft to open up the Copilot+ PC spec to include desktop GPUs, of course. And that will happen, of course. It’s just a matter of timing. And perhaps Intel can rev future generation chips for desktop a bit faster, if only to get 40+ TOPS NPUs in market. For now, it can at least claim to have delivered its first desktop chips with integrated NPUs. (You can get add-on NPUs for the past few generations.)

So that’s why. Intel finally got tripped up by its hyper-focus on CPU performance and it ignoring mobile/efficiency for too long, and it had to race to catch up. It did what it could do given the financial and engineering realities. Ultimately, this is Intel’s fault, of course. But I’m fascinated that Microsoft finally forced Intel to do the right thing by threatening it with a world in which only its competitors met a specification that, frankly, no one really cares about anyway. I mean, why couldn’t a 13 TOPS NPU utilize these AI features, just a bit more slowly? I bet it would all work fine.

By the way, Intel’s next earnings release is on October 31, Halloween. How appropriate.