5 things to know about Microsoft’s Windows 11 security policy
One thing is becoming clear about Microsoft’s strict CPU compatibility requirements for Windows 11: it’s all about security.
On Monday, Microsoft published a blog post that listed security as a guiding principle for the Windows 11 operating system, which will succeed Windows 10 when it launches later this year.
“With Windows 11, we are focused on increasing security, improving reliability, and ensuring compatibility. That’s what drives our decisions,” Microsoft said in the blog post.
The company said its hardware requirements for upgrading from Windows 10 to Windows 11 will include an eighth-generation Intel processor (Coffee Lake) or newer, or an AMD Zen 2 series processor or newer.
Intel announced its eighth-generation Coffee Lake processors in August 2017, while AMD’s Zen 2 architecture debuted third-generation Ryzen chips (Ryzen 3000 series) in July 2019.
This suggests that a significant number of PCs won’t be able to install Windows 11. However, Microsoft said in its Monday blog post that it plans to assess whether to allow some PCs running seventh-generation Intel processors or AMD Zen 1 chips to run Windows 11.
Microsoft has said that the Windows 10 to Windows 11 upgrade won’t be offered until 2022. This suggests that Microsoft’s initial announcement that Windows 11 would be available this holiday only applies to new devices.
Here are five key things to know about Microsoft’s Windows 11 security policy.
Zero Trust Security
While it’s true that Microsoft is dramatically increasing the hardware requirements for Windows 11, far more than the company did for Windows 10, a lot has changed for Microsoft when it comes to security since Windows 10 launched in 2015.
The rise of ransomware attacks, the Spectre and Meltdown side-channel vulnerabilities, and the massive SolarWinds hack have all ensnared Microsoft and its platforms in many ways.
Last year, in particular, saw Microsoft become much more vocal and aggressive around the need to increase security. This has included a focus on urging companies to move to the cloud from on-premises infrastructure.
However, moving to the cloud is not a solution for many of the major PC security issues, leaving PCs as a weak link. That seems to be at least part of the reason Microsoft is pushing hardware security measures so hard with Windows 11.
One way to understand Microsoft’s larger goal is that the company seeks to enable “zero trust” security for its customers, an approach built on the principle that no user or device is trusted by default, because any of them could already be compromised.
Zero Trust security will be a major focus at Microsoft’s Inspire 2021 partner conference next month, Microsoft Channel Leader Rodney Clark said in a recent interview with CRN.
“As a company, we’ve been focused on this concept of zero trust. We believe any organization should embrace this to adapt to the complexity of today’s secure environment,” Clark said. “There is no fix per se, nor an immediate solution. And so the message to partners is, because security is usually the #1 or #2 area of investment for our customers, [partners] also need a zero-trust approach.”
At Inspire, which will be held virtually July 14-15, “we’re going to have some heavy messaging around zero trust, and why it’s so important to assume companies will be breached at some point, and the process you need to follow in order to prepare for that,” he said.
Raising the bar on security
In Windows 11, security features such as hardware-based isolation, secure boot, and hypervisor code integrity will be enabled by default, Microsoft said.
“Windows 11 raises the bar for security by requiring hardware that can enable protections such as Windows Hello, device encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI) and Secure Boot,” the company said in its Monday blog post.
Using these features in combination on test devices reduced malware by 60% on those devices, Microsoft said in the post.
Side channel vulnerabilities
A possible motivation for starting support for Windows 11 in Intel’s eighth generation may be related to the processor side channel vulnerabilities that were disclosed in early 2018.
Patrick Moorhead, president and principal analyst at Moor Insights & Strategy, told The Verge that Microsoft’s processor requirements for Windows 11 “don’t seem to have anything to do with performance at all, but look like security mitigations for side-channel attacks.”
CRN has contacted Microsoft for comment.
Intel began shipping hardware-level protections against side-channel vulnerabilities such as Spectre and Meltdown in its eighth-generation processor lineup, although not all eighth-generation Intel chips have the hardware mitigations.
TPM 2.0
One of the other major hardware security requirements for installing Windows 11 is having a PC with a Trusted Platform Module (TPM) 2.0 chip.
A TPM security chip is used to perform cryptographic operations and includes “several physical security mechanisms to make it tamper-proof,” Microsoft said in its TPM documentation. “Malware cannot tamper with TPM security features.”
TPM benefits include the ability to generate and store cryptographic keys, as well as enable device authentication, the company said.
Requiring a TPM chip in Windows 11 thus gives a boost to any zero-trust security approach, said Michael Montagliano, chief innovation officer at ProArch, an Atlanta-based Microsoft Gold Partner.
“Helping us make sure that this device and identity is verified is really critical,” he told CRN. “That’s really important for this zero trust initiative. If organizations start to embrace that kind of mindset and leverage that kind of mindset, we’ll have much more secure environments.”
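For practitioners who want to check the hardware security prerequisites discussed in the two sections above (TPM 2.0, Secure Boot, and VBS with HVCI) on an existing Windows 10 machine, the following PowerShell script is an added example; it is not from the CRN article, Microsoft’s blog post, or any partner quoted here. It reads the standard Win32_Tpm, Win32_DeviceGuard and Win32_Processor CIM classes and the Confirm-SecureBootUEFI cmdlet; the function name Get-Win11SecurityReadiness and the field names in its output are this example’s own choices. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or Microsoft): report whether the
# Windows 11 hardware security features discussed above are present and
# running on the local machine. Requires an elevated prompt.

function Get-Win11SecurityReadiness {
    $result = [ordered]@{}

    # TPM: Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38"; the
    # first comma-separated field is the TPM specification version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $specMajor = ($tpm.SpecVersion -split ',')[0].Trim()
        $result['TpmPresent'] = $true
        $result['TpmSpec']    = $specMajor
        $result['TpmEnabled'] = [bool]$tpm.IsEnabled_InitialValue
        $result['TpmOk']      = ($specMajor -eq '2.0') -and [bool]$tpm.IsEnabled_InitialValue
    } else {
        $result['TpmPresent'] = $false   # no TPM, or TPM disabled in firmware
        $result['TpmOk']      = $false
    }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware,
    # which is itself a failed check for Windows 11.
    try {
        $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result['SecureBoot'] = $false
    }

    # VBS / HVCI: Win32_DeviceGuard.VirtualizationBasedSecurityStatus is
    # 0 = off, 1 = configured, 2 = running; SecurityServicesRunning is an
    # array in which 1 = Credential Guard and 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result['VbsRunning']  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result['HvciRunning'] = ($dg.SecurityServicesRunning -contains 2)

    # CPU model string, for comparison against Microsoft's supported-CPU
    # lists; this script does not embed those lists.
    $result['Cpu'] = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Name

    [pscustomobject]$result
}

$r = Get-Win11SecurityReadiness
$r | Format-List

if (-not ($r.TpmOk -and $r.SecureBoot -and $r.VbsRunning -and $r.HvciRunning)) {
    Write-Warning 'At least one Windows 11 hardware security feature is absent or not running on this device.'
}
```

Two caveats apply. A machine can pass every check above and still be excluded by Microsoft’s processor list, since the CPU generation requirement is separate from the TPM, Secure Boot and VBS checks, so the script only prints the CPU model rather than deciding on it. And a TPM that is present but disabled in firmware shows up as TpmPresent = False here, so a failed TPM check is worth confirming in the UEFI setup before concluding the hardware lacks one.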
A “positive” approach to security
Undoubtedly, Microsoft’s hardware requirements for installing Windows 11 are strict. The requirements should even render many Microsoft Surface devices, such as the fifth-generation Surface Pro and the original Surface Laptop, both launched in 2017, incompatible with Windows 11.
But Microsoft’s solution provider partners told CRN that such measures are necessary in today’s security threat environment.
With customers now essentially operating “hundreds of offices and unsecured networks” due to remote working, “you no longer have that single office control that we used to have,” said Ryan Loughran, responsive service manager at Valiant Technology, a New York-based MSP.
With Windows 11, Microsoft is “putting security first,” Loughran said. “Requiring TPM 2.0 is a great decision and enabling the other security features by default is fantastic… Endpoint hardening is probably the most important thing for IT vendors to focus on.”
Miguel Zamarripa, CIO of Simpleworks IT, based in Colorado Springs, Colo., also praised the focus on security in Windows 11, as security is currently the “top concern” for customers.
“It’s great to see Microsoft taking more serious steps to ensure its operating system is as secure as possible,” Zamarripa said. “Any step you can take to enhance your security is positive.”