According to NIST, hardware attacks have increased by more than five times in the past three years. What’s more, in Microsoft’s Security Signals study, more than 80% of C-level executives reported having experienced a hardware attack in the previous two years. Microsoft prioritizes security in its new Windows 11 OS because of this increased threat.

Microsoft took the lessons learned from Secured-core PCs and applied them to the new Windows 11 operating system. Secured-core PCs were initially developed for highly targeted sectors like financial services, government, and healthcare to protect sensitive data, so it is clear why Microsoft would want to make their protections the standard. Building a stronger and more secure foundation is the goal of Windows 11’s new hardware security requirements.

As described in an official blog post, Windows 11 ships with many security features, and Microsoft is now investing more than $1 billion a year in security.

For consumers, Windows 11 aims to make it simpler to get protection against sophisticated threats out of the box. According to Microsoft, Windows 11 focuses on security at every layer. This image shows how they position security in Windows 11.

 

The Top 10 Reasons Why Windows 11 Improves Your Security Posture

1. TPM 2.0 and Pluton provide Root-of-Trust at the Hardware level

One reason is that all Windows 11 PCs will be required to have a TPM 2.0 chip, which helps safeguard encryption keys, user passwords, and other sensitive data.

A built-in “root of trust” is what makes TPM 2.0 the new standard for hardware security. You’ll have the ability to mitigate ransomware and other more sophisticated attacks by leveraging this modern hardware.

 

Windows Hello facial recognition and BitLocker also use TPM 2.0 as a foundational component for enhanced identity and data protection. It’s worth noting that TPMs also play an important role in Zero Trust security for many business clients by providing a secure element for certifying the health of devices. 

Further, Microsoft is introducing Pluton, which moves the TPM inside the CPU itself. This further secures devices against physical attacks. Pluton is a direct response to advanced physical attacks that can extract the encryption key (the BitLocker key) from a TPM chip.

By moving the TPM inside the CPU, there is no externally accessible bus on the motherboard for a physical attack to tap.

2. Protecting the Kernel with hardware-assisted virtualization 

Windows 11 requires a modern CPU, and built-in, activated security features such as virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot are included as standard safeguards against malware and ransomware attacks.

VBS uses hardware virtualization to create a memory region isolated from the OS, which is then used to host security solutions in isolation. HVCI uses VBS to run code integrity enforcement in a secure kernel within that virtualized space rather than in the normal kernel. With HVCI, kernel code is checked for a valid code signature before it is allowed to run, which ensures that only validated code executes in kernel mode. Attacks like WannaCry are mitigated by this capability.

Hardware-enforced stack protection on compatible Intel and AMD hardware is also part of Windows 11 and will assist in protecting against zero-day vulnerabilities and other security threats.

This means companies of all sizes get increased security without the complexity of software solutions and third-party vendor management.

3. Firmware protections against bootkits and rootkits 

Windows 11 relies on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. Secure boot helps ensure that only authorized firmware and software with trusted digital signatures can execute.

 

Keeping a ‘known good’ list is problematic though, so Microsoft has introduced Windows Defender System Guard Secure Launch. With this feature, machines follow the normal UEFI process, but before launching Windows the device enters a hardware-controlled trusted state that forces the CPUs down a hardware-secured code path, blocking bootkits and rootkits.

Microsoft has a deep dive article about this capability for those interested. 

4. Device health attestation is available for Azure Conditional Access and Microsoft Endpoint Manager (Intune) 

Building on the capabilities of Windows 10, machines running Windows 11 are able to report on their device health in several ways: 

  • If the device can be trusted 

  • If the OS booted correctly 

  • If the OS has the right set of security features enabled 

For companies leveraging the Zero Trust capabilities in Azure Conditional Access, this means policies can be created that block access to resources when device attestation fails.  

This provides a powerful tool to block devices that are in an unhealthy state. Users may not know their device is compromised, but with the capabilities in Windows 11, combined with Azure Conditional Access and Microsoft Endpoint Manager, companies can keep information safe.
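The four hardware checks above (TPM 2.0, VBS/HVCI, Secure Boot with Secure Launch, and the TPM material that device health attestation depends on) can all be read locally. The following is an added example, not code from the original post or from Microsoft; it is a read-only posture check written for an elevated PowerShell session on Windows 10/11, using the TrustedPlatformModule and SecureBoot modules that ship with Windows and the Win32_DeviceGuard CIM class that msinfo32 also reads. The check labels and the decision to treat legacy BIOS as "Secure Boot off" are my own choices.

```powershell
# Added example (not from the original post): read-only posture check for the
# hardware security baseline described in sections 1-4. Run elevated.

$report = [ordered]@{}

# 1. TPM 2.0: present, initialized, and reporting a 2.0 spec version
$tpm    = Get-Tpm
$tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$report['TPM present']  = [bool]$tpm.TpmPresent
$report['TPM ready']    = [bool]$tpm.TpmReady
$report['TPM spec 2.0'] = ($null -ne $tpmWmi -and $tpmWmi.SpecVersion -like '2.0*')

# 4. Device health attestation is keyed to the TPM endorsement key; without it
#    Intune / Conditional Access cannot attest the device at all.
try   { $report['TPM endorsement key'] = [bool](Get-TpmEndorsementKeyInfo).IsPresent }
catch { $report['TPM endorsement key'] = $false }

# 3. UEFI Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
#    which for this check is the same as "not enabled".
try   { $report['Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
catch { $report['Secure Boot'] = $false }

# 2/3. VBS, HVCI (memory integrity) and System Guard Secure Launch.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
$report['VBS running'] = ($dg.VirtualizationBasedSecurityStatus -eq 2)
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch
$report['HVCI running']          = ($dg.SecurityServicesRunning -contains 2)
$report['Secure Launch running'] = ($dg.SecurityServicesRunning -contains 3)
# AvailableSecurityProperties: 3 = DMA protection (IOMMU), which Secure Launch relies on
$report['DMA protection available'] = ($dg.AvailableSecurityProperties -contains 3)

# Print a PASS/FAIL table and exit non-zero if anything failed, so the script
# can be dropped into a compliance or logon script unchanged.
$failed = 0
foreach ($entry in $report.GetEnumerator()) {
    if ($entry.Value) { $state = 'PASS' } else { $state = 'FAIL'; $failed++ }
    '{0,-28} {1}' -f $entry.Key, $state
}
exit $failed
```

A machine that passes every line here is the one Conditional Access will see as healthy; a FAIL on "TPM endorsement key" or "Secure Boot" is worth chasing before enrolling the device, because attestation will silently fail for it later.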

5. Improved network security with TLS 1.3 and DNS over HTTPS

Windows 11 comes with TLS 1.3 enabled by default. This is the latest iteration of Transport Layer Security (replacing TLS 1.2). Windows 11 will use TLS 1.3 where possible and will fall back to TLS 1.2 when necessary. This results in slightly more efficient handshakes (one fewer round trip per connection) and the removal of obsolete algorithms.

Windows 11 supports DNS over HTTPS (DoH), an encrypted DNS protocol. This adds protection at the network layer against malicious redirects and logging of browsing behavior.

Administrators can mandate DNS over HTTPS, so that devices using insecure DNS fail to connect to network resources. IT administrators also have the option to exclude DNS over HTTPS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic.
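The two settings the paragraph describes (mandating DoH, or excluding it where an edge appliance inspects DNS) map to a handful of DNS client cmdlets plus one policy value. The script below is an added example, not from the original post or from Microsoft. Assumptions: the resolver is Cloudflare's public 1.1.1.1 with its published template, used only as an illustration in place of your organisation's resolver; the adapter alias is 'Ethernet'; and the DoHPolicy registry value is the one written by the "Configure DNS over HTTPS (DoH) name resolution" Group Policy, whose 1/2/3 meanings you should confirm against your own ADMX before deploying.

```powershell
# Added example (not from the original post): register a DoH resolver, point an
# adapter at it, and set the machine-wide DoH policy. Run elevated on Windows 11.

$Resolver = '1.1.1.1'                              # assumption: illustrative public resolver
$Template = 'https://cloudflare-dns.com/dns-query' # assumption: its DoH template
$Alias    = 'Ethernet'                             # assumption: check Get-NetAdapter

# Register the resolver as DoH-capable. AllowFallbackToUdp $false is the strict
# behaviour the article describes: if the HTTPS channel is unavailable, the
# client must not silently downgrade to plain-text UDP DNS for this server.
$known = Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $Resolver
if (-not $known) {
    Add-DnsClientDohServerAddress -ServerAddress $Resolver -DohTemplate $Template `
        -AllowFallbackToUdp $false -AutoUpgrade $true
}

# Point the adapter at that resolver; because the address is now in the DoH
# server table, the DNS client upgrades queries to HTTPS automatically.
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Resolver

# Machine-wide policy (same value the DoH Group Policy writes; verify in your ADMX):
#   1 = Prohibit DoH   -> the legacy case: a trusted edge appliance inspects plain-text DNS
#   2 = Allow DoH      -> opportunistic
#   3 = Require DoH    -> the "mandate" case: devices on insecure DNS fail to resolve
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name DoHPolicy -Value 3 -Type DWord

# Verify: the resolver is listed with fallback disabled, and resolution still works.
Get-DnsClientDohServerAddress | Where-Object ServerAddress -eq $Resolver |
    Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
Resolve-DnsName -Name example.com -Server $Resolver -Type A | Select-Object Name, IPAddress
```

For the legacy deployment the paragraph mentions, change the DoHPolicy value to 1 on those machines (or scope the policy with a separate GPO or Intune profile) so the inspecting appliance keeps seeing plain-text queries, and leave it at 3 everywhere else.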

6. Bluetooth protection policies 

Windows 11 has Bluetooth policies that can be managed through Microsoft Intune. You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. Windows 10 administrators using Microsoft Intune will be familiar with these policies. 

By leveraging Microsoft Intune with Windows 11, administrators can allow input and audio while blocking file transfers. Further, administrators can force encryption standards, limit discoverability, and even disable Bluetooth entirely for sensitive environments. 

7. Microsoft Defender Application Guard  

This feature allows administrators to define lists of approved applications and websites. Untrusted applications and websites run in a Hyper-V container that isolates potential threats from the operating system. The container can block access to peripherals like cameras and microphones, as well as block the ability to reach sensitive OS files.

This feature may impact device performance, though, and will be problematic on Cloud PCs. It will be important to test it on real hardware to see the performance impact in a production environment.

Microsoft requires a 64-bit CPU with virtualization extensions, 8 GB of RAM, and 5 GB of free disk space, preferably on an SSD. IOMMU (input-output memory management unit) support is highly recommended as well.
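Because Application Guard silently fails on hardware that does not meet these requirements, it is worth checking them before turning the feature on. The script below is an added example, not from the original post or from Microsoft: it verifies the prerequisites listed above against CIM data, reports IOMMU support from the same DeviceGuard class that msinfo32 shows as "DMA Protection", and enables the Windows-Defender-ApplicationGuard optional feature only if every required check passes. Thresholds are the ones in the text; run it elevated.

```powershell
# Added example (not from the original post): Application Guard readiness
# check followed by a guarded enable. Run elevated on Windows 10/11.

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Sum installed DIMM capacity rather than using TotalPhysicalMemory, which is
# reported slightly below the nominal size because firmware reserves part of it.
$ram  = (Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum
$free = (Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free

$checks = [ordered]@{
    '64-bit OS'                 = ($os.OSArchitecture -like '64*')
    # VirtualizationFirmwareEnabled reads False once a hypervisor already owns
    # the CPU (e.g. VBS is on), so accept either signal.
    'Virtualization extensions' = ($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)
    'RAM >= 8 GB'               = ($ram -ge 8GB)
    'Free disk >= 5 GB'         = ($free -ge 5GB)
}
# AvailableSecurityProperties value 3 = DMA protection (IOMMU); recommended, not required.
$recommended = [ordered]@{ 'IOMMU / DMA protection' = ($dg.AvailableSecurityProperties -contains 3) }

foreach ($c in $checks.GetEnumerator()) {
    '{0,-26} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}
foreach ($c in $recommended.GetEnumerator()) {
    '{0,-26} {1} (recommended)' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}

if ($checks.Values -contains $false) {
    Write-Warning 'Hardware prerequisites not met; not enabling Application Guard.'
    exit 1
}

$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
if ($feature.State -ne 'Enabled') {
    # -NoRestart lets you schedule the reboot; the container is usable after restart.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
}
```

The free-space check reads the system drive because the container image is installed there; if you keep the feature's VHD elsewhere, point `Get-PSDrive` at that drive instead.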

Regardless, the potential is exciting.  

8. With Windows 11 you can go passwordless and have a secure login experience 

Enterprises can implement Windows Hello for Business in a few minutes using simple passwordless deployment approaches in Windows 11. This includes comprehensive control over authentication methods by IT administrators and enables secure communication across cloud products.  

Windows 11 has native support for Windows Hello for Business. Further, advances in Azure Active Directory will soon allow completely passwordless user accounts to be created. This means there will be no password to steal and no man-in-the-middle attacks to be created either.

Passwordless technologies include the Microsoft Authenticator app (or third-party MFA), biometrics, FIDO2 keys, smart cards, and phone or email. If you are interested in going passwordless, this article does a great job of laying out a passwordless strategy.

 

Conclusion 

Windows 11 continues building on security features introduced in Windows 10 and brings along some new ones. There are many, many more security features in the operating system. These are the ones that have us excited. 

Hopefully you are as excited as we are. If you want a deep dive into the security features Microsoft offers in Windows 11, check out their Windows 11 Security Book, which is a comprehensive report on the security capabilities of their latest operating system. If you are interested in Windows 11 for your company and want to know how to manage it using modern techniques, contact us or check out our Intune for Windows package.

Contact us to learn more about Windows 11!