Despite the hype and gnashing of teeth over its hardware requirements, Windows 11 fundamentally shifts how Microsoft approaches both consumer and enterprise security. Even though the upgrade process from Windows 10 will be minor and more like a feature release of Windows 10, hardware requirements draw lines in the sand to make Windows more secure. The decision to move to Windows 11 will be different for each organization. It might be one person making a hard decision, a natural evolution of the Windows security, or a bit premature for ecosystems not ready for the mandates.
At the same time Microsoft is taking a step back from possibly its most secure operating system, Windows S, which forces users to obtain software through the vetted Microsoft Store. Windows 11 Enterprise will no longer support this method, which will be allowed only on consumer versions. It appears that Microsoft realized what I had long thought: The Windows ecosystem is not ready for the Windows S mode process of whitelisting applications even though that’s ultimately where we need to be. Rather, Microsoft is focusing on security features and mandates that will ensure a secure ecosystem, as they call it, from silicon all the way to the cloud.
Why hardware is important to Windows 11 Security
Windows secured-core computers are the foundation of Windows 11 requirements, but they are not new. It starts with a mandated Trusted Platform Module (TPM) 2.0 that ensures a hardware root of trust, secure boot, and BitLocker drive encryption. The next mandate is virtualization-based security (VBS) enabled in the motherboard. This ensures that the computer system can leverage virtualization capabilities as well as allow the hypervisor to provide additional protection for critical systems. This isolation allows browsers to be separated from Office processes and other features on the machine.
The processor is defined as “secured-core”, which allows the system to provide protection from firmware attacks. These mandates demand a higher level of system performance. Microsoft is stating that processors need to be Generation 8 or higher, but they may lower it to certain Generation 7 processors if performance won’t be impacted.
TPM 2.0 or higher and VBS enabled by default allows Microsoft to mandate a “hardware root of trust.” VBS creates and isolates a secure region of memory from the normal operating system. It requires a 64-bit processor. The processor must also support second level address translation (SLAT), either Intel VT-X2 with Extended Page Tables (EPT), or AMD-v with Rapid Virtualization Indexing (RVI). Privilege escalation attacks are attempted every day. In fact, the recent PrintNightmare vulnerability in Windows Print Spooler code allowed attackers to gain rights on a domain controller was one such privilege attack that hardware root of trust should prevent.
Original article source was posted here