Windows 11 uses some of the best security features of Windows 10. The big difference is that many are now required.

Despite the hype and gnashing of teeth over its hardware requirements, Windows 11 fundamentally shifts how Microsoft approaches both consumer and enterprise security. Even though the upgrade process from Windows 10 will be minor and more like a feature release of Windows 10, the hardware requirements draw lines in the sand to make Windows more secure. The decision to move to Windows 11 will be different for each organization. It might be one person making a hard decision, a natural evolution of Windows security, or a bit premature for ecosystems not ready for the mandates.

At the same time, Microsoft is taking a step back from possibly its most secure operating system, Windows S, which forces users to obtain software through the vetted Microsoft Store. Windows 11 Enterprise will no longer support this method, which will be allowed only on consumer versions. It appears that Microsoft realized what I had long thought: the Windows ecosystem is not ready for the Windows S mode process of whitelisting applications, even though that is ultimately where we need to be. Rather, Microsoft is focusing on security features and mandates that will ensure a secure ecosystem, as they call it, from silicon all the way to the cloud.

Why hardware is important to Windows 11 security

Windows secured-core computers are the foundation of the Windows 11 requirements, but they are not new. It starts with a mandated Trusted Platform Module (TPM) 2.0 that ensures a hardware root of trust, Secure Boot, and BitLocker drive encryption. The next mandate is virtualization-based security (VBS) enabled on the motherboard. This ensures that the computer system can leverage virtualization capabilities and allows the hypervisor to provide additional protection for critical systems.
This isolation allows browsers to be separated from Office processes and other features on the machine. The processor is defined as "secured-core", which allows the system to provide protection from firmware attacks. These mandates demand a higher level of system performance. Microsoft is stating that processors need to be Generation 8 or higher, but it may lower that to certain Generation 7 processors if performance won't be impacted.

TPM 2.0 or higher and VBS enabled by default allow Microsoft to mandate a "hardware root of trust." VBS creates and isolates a secure region of memory from the normal operating system. It requires a 64-bit processor. The processor must also support second level address translation (SLAT), either Intel VT-X2 with Extended Page Tables (EPT) or AMD-V with Rapid Virtualization Indexing (RVI).

Privilege escalation attacks are attempted every day. In fact, the recent PrintNightmare vulnerability in the Windows Print Spooler code, which allowed attackers to gain rights on a domain controller, was one such privilege escalation attack that a hardware root of trust should prevent.

Isolation helps mitigate common threats

Hypervisor-Protected Code Integrity (HVCI), commonly referred to as memory integrity, which Microsoft developed alongside VBS, provides better protection against common and sophisticated malware by performing sensitive security operations in an isolated environment. HVCI can mitigate malware like Trickbot that deploys kernel drivers. You can already see the impact of HVCI in Surface computers that are shipping with this feature.

Secure Boot protects firmware

Next, Microsoft wants to mandate Secure Boot by default to ensure that the firmware has not been tampered with since the computer was manufactured. As the system boots, System Guard checks that device integrity is maintained.
If the system lacks integrity, a management system such as Intune or Microsoft Endpoint Configuration Manager can take action and even deny the device access to the network.

Improved identity management and access control

Microsoft is planning to mandate that Windows 10 Home version installs use a Microsoft account when logging into the operating system. Furthermore, there will be improvements to the onboarding process when starting the computer to connect to two-factor platforms. It appears that Microsoft is adding more framework support for federated sign-in providers such as ADFS, Okta and Ping. The Credential Guard BIOS prerequisites (including VBS) ensure that identities and secrets are protected from external threats.

(Image: More sign-in options. Credit: Susan Bradley)

Virtualization enables security features

Several features can be enabled when a computer supports virtualization security. For example, Windows Subsystem for Linux 2 allows you to run a Linux kernel inside a lightweight utility virtual machine. It is faster than WSL 1 and allows for full system calls. Windows Defender Application Guard (WDAG) will now be able to run by default since VBS is enabled by default. To get all the defensive features of WDAG you will need to properly license Windows and Office. For example, to fully enable Application Guard for Office, you will need a Microsoft 365 E5 or Microsoft 365 E5 Security license. When you open an untrusted file from the internet, Application Guard for Office will open the file in a sandbox. You can open it normally once the file has been fully scanned and evaluated. One trade-off: when virtualization security is on by default, it affects performance, causing the age-old problem of balancing security and usability.

Windows Sandbox is also not a new feature, but it will now be mandated in Windows 11. It builds on the technologies used within Windows containers to allow you to open files and websites isolated from your machine.
This ensures that you can safely open a potentially damaging file or link inside the sandbox without impacting your machine. Once you shut down the Windows Sandbox, the virtual machine is shut down and all artifacts are discarded in the process.

(Image: Windows Sandbox. Credit: Susan Bradley)

Windows 11 will also provide support for third-party virtualization software and allow developers and scripters to quickly build custom tools, utilities, and enhancements for the virtualization platform. These improvements are inspired by enhancements in Azure.

Ransomware attacks have used driver vulnerabilities to launch RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron. So have campaigns by the threat actor Strontium to gain kernel privileges and disable security programs on compromised machines.

Protection against threats from unverified code

Arbitrary Code Generation (ACG), Control Flow Guard (CFG), and Code Integrity Guard (CIG) can keep systems from executing unverified code. Microsoft's case study on secured-core computers points out the features that were optional with Windows 10 and are mandated in Windows 11. Secured-core PCs have Kernel Data Protection (KDP) enabled by default.

What Windows 11 brings to the table isn't necessarily new security features. Rather, it's drawing the line in the sand to enforce the features that Microsoft has been bringing to the marketplace over the last year. Security admins will have to decide how soon to join in that journey to better secure their networks.
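As an added example (not from the article or from Microsoft), the following PowerShell script checks a single machine against the hardware mandates discussed above: TPM 2.0, Secure Boot, a 64-bit processor with SLAT, VBS running, and HVCI (memory integrity) running. It reads the Win32_Tpm, Win32_DeviceGuard and Win32_Processor WMI classes and must run from an elevated prompt; the function name is my own.

```powershell
# Added example: report whether this device meets the Windows 11 security
# mandates named in the article. Run from an elevated PowerShell prompt.
function Test-Win11SecurityBaseline {
    $r = [ordered]@{}

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmOk = $false
    if ($tpm) {
        $spec  = ($tpm.SpecVersion -split ',')[0].Trim()
        $tpmOk = [bool]$tpm.IsEnabled_InitialValue -and ([version]$spec -ge [version]'2.0')
    }
    $r['TPM 2.0 present and enabled'] = $tpmOk

    # Secure Boot: the cmdlet throws on legacy BIOS firmware, which fails the mandate as well.
    try { $r['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) } catch { $r['Secure Boot enabled'] = $false }

    # VBS / HVCI state from the Device Guard WMI class.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $r['VBS running']                     = $vbsRunning
    $r['HVCI (memory integrity) running'] = ($dg.SecurityServicesRunning -contains 2)
    $r['Credential Guard running']        = ($dg.SecurityServicesRunning -contains 1)

    # CPU: 64-bit and SLAT (Intel EPT / AMD RVI). Once a hypervisor is running, the firmware
    # flags read False because the hypervisor hides them, so a running VBS stack is accepted
    # as proof that SLAT and firmware virtualization support are present.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $r['64-bit processor']                  = ($cpu.AddressWidth -eq 64)
    $r['SLAT (EPT/RVI)']                    = ([bool]$cpu.SecondLevelAddressTranslationExtensions -or $vbsRunning)
    $r['Virtualization enabled in firmware'] = ([bool]$cpu.VirtualizationFirmwareEnabled -or $vbsRunning)

    return $r
}

$results = Test-Win11SecurityBaseline
foreach ($entry in $results.GetEnumerator()) {
    '{0,-38} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'MISSING' })
}
if ($results.Values -contains $false) {
    'Result: this device does not meet the Windows 11 security baseline.'
} else {
    'Result: all checked mandates are in place.'
}
```

The script covers only the mandates the article names; it does not verify everything a secured-core PC requires (for example System Guard DRTM or DMA protection), so treat a clean result as a baseline, not a full attestation.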