Windows 11 Cybersecurity Features
The expansion of both remote and hybrid workplaces brings new opportunities to organizations. But the expansion of access, increased number of endpoints, and desire for employees to work from anywhere on any device have also introduced new threats and risks. This creates new, acute security challenges and makes it critical to add as many layers of protection as possible to keep devices secure. That’s why Microsoft is pushing hardware security measures so heavily with Windows 11.
According to Microsoft, the new set of hardware security requirements for Windows 11 is designed to build a foundation that is even stronger and more resilient to attacks. New Windows 11 security features include:
Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. The combination of these features has been shown to reduce malware by 60% on tested devices.
This is because Virtualization Based Security has become a keystone concept in Microsoft’s approach to security. VBS runs Windows on top of a hypervisor, which can then use the same techniques that keep guest operating systems apart to create secure spaces isolated from the main OS. Doing that requires hardware-based virtualization features and enough horsepower that you won’t notice the drag on performance.
At a minimum, Windows 11 requires a 64-bit, 1 GHz processor with at least two cores and virtualization extensions, together with HVCI-compatible drivers. In practice, that means it requires an 8th generation Intel processor, an AMD Zen 2, or a Qualcomm Snapdragon 8180.
Trusted Platform Module 2.0 (TPM 2.0)
One of the other major hardware security requirements for installing Windows 11 is having a PC with a Trusted Platform Module (TPM) 2.0 chip. A TPM security chip carries out cryptographic operations and includes multiple physical security mechanisms to make it tamper-resistant. TPM protects encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.
Requiring the TPM 2.0 elevates the standard for hardware security. In Windows 11, TPM forms the secure underpinning for a host of security features, including Secure Boot’s big brother, Measured Boot, BitLocker (Device Encryption on Windows Home), Windows Defender System Guard, Device Health Attestation, and Windows Hello.
Unified Extensible Firmware Interface (UEFI)
UEFI is a specification for the firmware that controls the first stages of booting up a computer before the operating system is loaded. Windows 11 isolates software from hardware, which helps keep encryption keys, user credentials, and other sensitive data behind a hardware barrier, so malware and attackers can’t access or tamper with that data during the boot process.
UEFI Secure Boot ensures that the boot code is signed appropriately and that cryptographic information can be sent to the cloud to verify integrity. It protects against rootkits that modify the operating system and bootkits that load before the operating system. UEFI Secure Boot must be enabled for Windows 11 to run.
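As an added example, not taken from the original article, the following PowerShell script checks a device against the protections described above (VBS and HVCI in the processor section, TPM 2.0, UEFI Secure Boot, and Device Encryption). The function name Test-Win11SecurityBaseline is my own; the cmdlets and CIM classes it calls are the standard ones shipped with Windows. Run it from an elevated PowerShell session on the device being assessed.

```powershell
# Windows 11 hardware-security readiness check (added example; function name is my own).
function Test-Win11SecurityBaseline {
    $result = [ordered]@{}

    # TPM: Get-Tpm reports presence/readiness; the spec version comes from Win32_Tpm
    # (SpecVersion looks like "2.0, 0, 1.38", so take the first field).
    $tpm    = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $spec   = ($tpmWmi.SpecVersion -split ',')[0].Trim()
    $result['TpmPresent'] = [bool]$tpm.TpmPresent
    $result['TpmReady']   = [bool]$tpm.TpmReady
    $result['TpmSpec20']  = ($spec -eq '2.0')

    # UEFI Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems.
    try   { $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $result['SecureBoot'] = $false }

    # VBS and HVCI status from the Device Guard CIM class.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $result['VbsRunning']  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result['HvciRunning'] = ($dg.SecurityServicesRunning -contains 2)

    # BitLocker / Device Encryption on the OS volume.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result['OsVolumeEncrypted'] = [bool]($os -and $os.ProtectionStatus -eq 'On')

    [pscustomobject]$result
}

$baseline = Test-Win11SecurityBaseline
$baseline | Format-List

# Surface failed checks so they can be fed into a compliance or inventory report.
$failed = $baseline.PSObject.Properties | Where-Object { -not $_.Value } |
          Select-Object -ExpandProperty Name
if ($failed) { Write-Warning ("Not meeting baseline: " + ($failed -join ', ')) }
```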
Microsoft Azure Attestation
By default, Windows 11 will also offer support for Microsoft Azure Attestation, which is designed to enable users to enforce zero-trust policies when accessing sensitive resources in the cloud with supported mobile device management systems like Intune or on-premises. This means that the hardware ‘attests’ to the device’s authenticity before accessing cloud resources.
Microsoft Azure Attestation forms the basis of compliance policies that organizations can depend on to validate the user identity and the platform as part of Zero Trust security. Zero Trust security means organizations must verify everything that tries to connect to their internal or external systems every time.
With Windows Hello, Windows 11 is moving to stronger authentication methods, including face, fingerprint, iris, and other biometrics. Windows Hello for Business supports simplified passwordless deployment models for reaching a deploy-to-run state within a few minutes. This includes granular control of authentication methods by IT admins while securing communication between cloud tools to better protect corporate data and identity.
Windows 11 primarily focuses on hardware security requirements to mitigate various firmware attacks, zero-day exploits, malware infection, and other cyberattacks. At Alvarez Technology Group, we provide robust cybersecurity services designed to protect your organization from external and internal threats. For more information on our cybersecurity and IT services, contact us today.