Five Things to Know about Windows 11 Security

Microsoft has stringent requirements for computers that can run Windows 11 for a reason – to ensure data protection.

While Microsoft didn't explain it this way when Windows 11 was announced, the primary reason for the new operating system is security. The company is working to include hardware-based security in its operations as a way to prevent a wide range of malware attacks. To do this, it's using input from a variety of sources, including its own security research and requirements from the US Department of Defense.

As a result, the only computers that will run Windows 11 are those that were built in the last three or four years, and even some of those may not be supported. For example, Windows 11 requires a Trusted Platform Module (TPM - a separate, dedicated chip that manages security keys and ensures the system hasn't been tampered with before letting it boot up) built into the device. This helps Windows move away from passwords and support advanced cryptographic algorithms. We think TPMs are a smart feature to look for, regardless of whether you're planning to upgrade.

Another requirement, UEFI Secure Boot, limits the code that can be used to boot the machine, and it eliminates the chance of a legacy BIOS attack such as the tactic used by "NotPetya" ransomware.

In addition, the new processors specified by Microsoft are more reliable and less prone to some types of malware attacks than earlier models. To help you figure out if your computer will run Windows 11, including meeting the security requirements, Microsoft is bringing back the Windows Health Check app, and the list of supported processors has been expanded slightly. 

Here's what you need to know about Windows 11 Security:

  1. Injection rejection. Windows 11 will use Virtualization-Based Security (VBS). This protects Windows from 'code injection' attacks, where malicious code is introduced into the OS and changes the way it executes. VBS enables hypervisor-protected code integrity (HVCI), which disables dynamic code injection into the Windows kernel and provides driver control by requiring that all drivers meet Microsoft's standards. It's also the basis for System Guard Runtime Attestation, which provides tamper-proof, hardware-based health statements to the cloud as part of a chip-to-cloud trust approach. The US Department of Defense has been requiring virtualization-based security on its own Windows 10 devices, and now, all Windows 11 devices will have this capability.

  2. Time for TPM. The Trusted Platform Module v.2.0 is a key part of multi-factor authentication as well as passwordless access security. Windows Hello, which is also an integral part of Windows 11, stores PIN, biometric, and cryptographic data so users can log in with a fingerprint or iris scan. Windows Hello also supports Windows BitLocker and device encryption. The TPM will also bind web-based credentials to a machine, so malware is unable to extract credentials.

  3. Give hackers the boot. Microsoft has been requiring UEFI (Unified Extensible Firmware Interface) since 2013, but not all manufacturers have enabled it, instead opting for the legacy BIOS as the connection to the computer's firmware. UEFI Secure Boot ensures that the boot code is signed appropriately and that cryptographic information can be sent to the cloud to verify integrity. UEFI Secure Boot must be enabled for Windows 11 to run.

  4. Trust nobody. Windows 11 supports Microsoft Azure Attestation, which means the hardware 'attests' to the device's authenticity before it can access cloud resources. According to Microsoft, this forms the basis of compliance policies that organizations can depend on to validate both the user identity and the platform as part of Zero Trust security. (Zero Trust security means organizations must verify everything that tries to connect to their systems, whether internal or external, every time.)

  5. Get the latest updates. Part of Windows 11 security is control of the Windows Update process. New Windows computers sold later this year will include Windows 11, and computers that are compatible with all Windows 11 requirements will receive updates through the Windows Update process sometime in early 2022. (The exact timing of the update depends on the availability of driver support.)
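Items 1 through 3 above name three hardware-backed prerequisites (VBS with HVCI, a TPM 2.0, and UEFI Secure Boot), and an administrator will usually want to confirm each one on a given machine rather than rely on the upgrade app alone. The script below is an added example, not code from the original article, from Dell, or from Microsoft; it queries the documented Windows interfaces for each feature (the Win32_Tpm and Win32_DeviceGuard WMI classes, Get-Tpm and Confirm-SecureBootUEFI) and reports which of the three are in place. It assumes an elevated PowerShell 5.1 or later session on Windows 10 or 11; the function name Get-Win11SecurityPosture is this example's own.

```powershell
# Added example: report the Windows 11 hardware security prerequisites on the local machine.
# Run from an elevated PowerShell session. Cmdlets and WMI classes used here are documented
# Windows interfaces; the function name is this example's own (an assumption, not a Windows API).

function Get-Win11SecurityPosture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # --- Item 2: TPM 2.0 ---
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $specFamily         = ($tpm.SpecVersion -split ',')[0].Trim()
        $result.TpmPresent  = $true
        $result.TpmSpec     = $specFamily
        $result.TpmIs20     = ($specFamily -eq '2.0')
    } else {
        $result.TpmPresent  = $false
        $result.TpmSpec     = $null
        $result.TpmIs20     = $false
    }
    # Get-Tpm needs administrator rights; treat a failure as "not ready" rather than "absent".
    try   { $result.TpmReady = (Get-Tpm -ErrorAction Stop).TpmReady }
    catch { $result.TpmReady = $false }

    # --- Item 3: UEFI firmware and Secure Boot ---
    # $env:firmware_type is "UEFI" or "Legacy"; Confirm-SecureBootUEFI throws on legacy BIOS machines.
    $result.FirmwareType = $env:firmware_type
    try   { $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $result.SecureBootEnabled = $false }

    # --- Item 1: VBS and HVCI ---
    # Win32_DeviceGuard.VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning holds 1 for Credential Guard and 2 for HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.VbsStatus              = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { 0 }
    $result.VbsRunning             = ($result.VbsStatus -eq 2)
    $result.HvciRunning            = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    $result.CredentialGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # Overall verdict against the three hardware requirements named in the article.
    $result.MeetsHardwareRequirements = $result.TpmIs20 -and
                                        ($result.FirmwareType -eq 'UEFI') -and
                                        $result.SecureBootEnabled

    [pscustomobject]$result
}

$posture = Get-Win11SecurityPosture
$posture | Format-List

# Call out the gaps a defender would act on; each maps to one of the numbered items above.
if (-not $posture.TpmIs20) {
    Write-Warning 'No TPM 2.0 reported: Windows Hello and BitLocker keys will not be hardware-bound.'
}
if (-not $posture.SecureBootEnabled) {
    Write-Warning 'Secure Boot is off or the firmware is in legacy BIOS mode: unsigned boot code can load.'
}
if (-not $posture.HvciRunning) {
    Write-Warning 'HVCI is not running: kernel code integrity is not hypervisor-enforced.'
}
```

The VBS check is reported separately from the hardware verdict because VBS and HVCI are features that Windows turns on (and that an administrator can enable through Windows Security or policy), whereas the TPM and Secure Boot checks reflect what the hardware and firmware configuration allow. A machine that passes the hardware verdict but shows VbsRunning as false is a candidate for enabling memory integrity, not for replacement.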

Some older computers that meet the Windows 11 requirements, but which don't receive the automatic updates, may be updated manually. These machines may not receive automatic security updates, though. Microsoft makes it clear that this manual update is designed for existing Windows 10 users to do testing with Windows 11, but it's discouraging long-term use of older machines.

If you think Microsoft is strongly encouraging a broad move to newer computers, you'd be right. Older computers simply don't have the ability to fight off some newer forms of malware, especially those that attack hardware resources. The newer machines that Microsoft is espousing have the ability to support a Zero-Trust security model, with hardware designed specifically to keep malware at bay.

These same newer computers also have security features outside of Windows, such as self-healing BIOS and UEFI chips, and secure storage of boot code. Fortunately, if you decide that a new PC is the way to go for Windows 11, every new Dell PC is compatible with Windows 11, and they can be upgraded automatically when the software is available.