Windows 11 upgrades: Why security is going to be the key driver

While the changes to Windows' look and feel may grab the eye, the less visible security upgrades may be more interesting to CIOs.

Microsoft unveiled Windows 11 last week and has now shared the first few features and UI changes with testers in the Windows Insider program.

The feature update is due out in the fall, but despite the new look, could it be security rather than design that is going to drive businesses to upgrade? 


Dave Weston, director of enterprise and operating system security at Microsoft, says he's confident the added security of Windows 11 will drive faster uptake. 

Weston points out that, according to tech analyst Gartner, security was the number one driver for enterprises upgrading to Windows 10 from Windows 7. And since then, thanks to a range of high-profile hacking incidents and the rise of ransomware, security is even higher on the agenda.


"I expect the adoption to go even faster than the Windows 7 to 10 period because of the security advantages," he says.

He says the two most important things enterprises can do to improve security are to get rid of passwords and to move to a zero-trust framework – a network security design that assumes breaches, and acknowledges that managed and unmanaged devices flow fluidly between homes and workplaces as a result of the new work practices brought by the COVID-19 pandemic.

Microsoft has been talking up passwordless authentication for years now as an early backer of the FIDO2 standard. Key Microsoft technologies in this space include Windows Hello biometrics for accessing Azure Active Directory (Azure AD) networks, and apps that support the Microsoft Authenticator app and FIDO2-based security keys, such as Google's Titan keys.

"So with Windows 11, out of the box, you can actually create a Microsoft account that never has a password that uses your face or biometrics in lieu of a password," Weston says.

Beyond this, Windows 11 tightens up operating system security because more of these security features for the enterprise are turned on by default. 

"We got deep in the engine, tweaked things, tuned things, got things fast enough and compatible enough that they're just there. It's not the features that are there – it's the features that are turned on by default," he says. 

This means virtualization-based security (VBS), Trusted Platform Module (TPM) hardware-based security, and BitLocker are automatically on for all Windows 11 machines.

"This is really the most secure release – not in the sense of new features – but that users used to have to be educated on or needed more effort to enable and protect themselves. It's just there now," he says.

"As more websites on the internet start to support FIDO2 and the passwordless standards, we think we're well on our way to a world where you're just not going to enter passwords," says Weston.  

He adds that Microsoft bolstered the security of biometrics in Windows 11 by putting biometric data in its own shielded virtual machine. This helps stop attackers stealing biometric data for future attacks on systems that rely on biometric authentication.

"That means if malware or a hacker got on your machine, it couldn't tamper with your biometric data, which is a much stronger security guarantee for biometrics," explains Weston. Security in hardware is also a key evolution.

The TPM is a chip that is either integrated into the PC's motherboard or added separately into the CPU, with the aim of protecting encryption keys, user credentials, and other sensitive data behind a hardware barrier. All certified Windows 11 systems must have a TPM 2.0 chip.
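The features described above as "on by default" (VBS, TPM, BitLocker) and the TPM 2.0 requirement can be verified on a given machine rather than assumed. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on Windows 10 or 11, and uses only the inbox Get-Tpm and Get-BitLockerVolume cmdlets plus the Win32_Tpm and Win32_DeviceGuard CIM classes. It reads state only and changes nothing.

```powershell
# Added example: report whether the hardware-backed defaults the article lists
# (TPM 2.0, virtualization-based security, BitLocker) are actually enabled.
# Run as Administrator: Get-BitLockerVolume requires elevation.

function Get-Win11SecurityBaseline {
    [CmdletBinding()]
    param()

    # TPM presence/readiness from the TrustedPlatformModule module, and the spec
    # version from WMI. Win32_Tpm.SpecVersion reads e.g. "2.0, 0, 1.38"; the first
    # field is the TPM specification version, which Windows 11 requires to be 2.0.
    $tpm    = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { $null }

    # Virtualization-based security state from the DeviceGuard CIM class:
    # VirtualizationBasedSecurityStatus 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # BitLocker on the OS volume: ProtectionStatus 'On' means the volume is encrypted
    # and its key protectors are active (a suspended volume reports 'Off').
    $osVolume    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitLockerOn = ($osVolume.ProtectionStatus -eq 'On')

    $report = [PSCustomObject]@{
        TpmPresent         = [bool]$tpm.TpmPresent
        TpmReady           = [bool]$tpm.TpmReady
        TpmSpecVersion     = $specVersion
        TpmIs2_0           = ($specVersion -eq '2.0')
        VbsRunning         = $vbsRunning
        HvciRunning        = $hvciRunning
        BitLockerOnOsDrive = $bitLockerOn
    }
    # The device meets the baseline only if every default the article describes is in effect.
    $meets = $report.TpmPresent -and $report.TpmReady -and $report.TpmIs2_0 -and
             $report.VbsRunning -and $report.BitLockerOnOsDrive
    $report | Add-Member -NotePropertyName MeetsBaseline -NotePropertyValue $meets
    return $report
}

Get-Win11SecurityBaseline | Format-List
```

A device that reports VbsRunning as false on otherwise capable hardware usually has virtualization disabled in firmware, which is the first thing to check before treating it as a policy failure.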

Another example is Pluton, a security processor that Microsoft designs and keeps updated, built into CPU hardware from Intel, AMD and Qualcomm. Pluton-equipped computers aren't available just yet, but Windows 11 is ready to use it.


Pluton is embedded in the CPU, so it's not a separate processor. A major benefit is that end users can just get firmware updates from Microsoft's usual Patch Tuesday updates from Windows Update.   

"We write the software for this chip, so the root of trust is a combination of mostly hardware and a small amount of software to make it run. The nice thing about Pluton is that Microsoft writes the code and keeps it up to date, so it comes through Windows Update and users don't have to do anything," he says. 

"Today when you have a security issue, users have to go out of their normal flow and track it down on the web and run an executable, and they often don't do that, which leaves these systems vulnerable.

"Every Windows 11 device will have a hardware identity and a TPM, which means the cloud can uniquely identify it and organizations can determine if a device that can connect into their cloud meets acceptable security guarantees. 

"In addition, we have conditional access agents built in to the operating system that leverages hardware. Which means that before a device can connect to sensitive data – which is what ransomware wants to encrypt – companies can easily define a security policy with all the protections you would need to stop ransomware: antivirus, control that patches up to date, and so we're making that much easier to enforce on Windows 11." 

The catch is that you'll need new hardware with the latest CPUs from these chipmakers to take advantage of Windows 11's default security features: the question is whether CIOs and consumers alike will take security seriously enough to make the upgrade.