Chapter 1:
Security unlike anything before
With Windows 11 Security, Microsoft is making an aggressive attempt to raise the security floor of the PC platform, and that’s a good thing for everyone’s security. Here is just a snapshot of the significant security upgrades you can expect:
New Hardware Requirements Bring Vital Security
Three of the new OS’s hardware requirements play major, interlocking roles in security:
Virtualization-Based Security (VBS)
VBS runs Windows components in secure spaces that are isolated from the main OS. Doing that requires hardware-based virtualization features, and enough horsepower that you won’t notice the drag on performance. Noteworthy security features that rely on VBS include:
Measured/Secure Boot (UEFI)
Measured/Secure Boot checks the digital signatures of the software used in the boot process. It protects against bootkits that load before, or modify, the operating system.
Trusted Platform Module 2.0 – Based Security Features (TPM 2.0)
TPM is tamper-resistant technology that is best known for its role in Secure Boot, ensuring computers only load trusted boot loaders, and in BitLocker disk encryption. In Windows 11 it forms the secure underpinning for a host of security features, including BitLocker and Windows Defender System Guard.
BitLocker. BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
Windows Defender System Guard. System Guard prevents attacks using a unique hardware isolation approach, with the goal of destroying the playbook that attackers use by making current attack methods obsolete. It works on:
Hardware-enforced Stack Protection prevents hijacking. Windows 11 extends the Hardware-enforced Stack Protection introduced in Windows 10 to protect code running in kernel and user modes. It’s designed to prevent control-flow hijacking by creating a “shadow stack” that mirrors the call stack’s list of return addresses. When control is transferred to a return address on the call stack, that address is checked against the copy on the shadow stack to ensure it hasn’t changed. If it has, an error is raised and the hijack attempt fails.
Control-Flow Enforcement Technology protects against malware attacks. Control-Flow Enforcement Technology delivers processor-level security structures to protect against common malware attack methods that have been a challenge to mitigate with software alone.
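The hardware-rooted features described above can be verified from the operating system. The following PowerShell script is an added example, not Microsoft’s code, that reports whether Secure Boot, TPM 2.0, Virtualization-Based Security and the VBS-hosted services (memory integrity, System Guard Secure Launch, kernel-mode Hardware-enforced Stack Protection) are running on a machine. It assumes an elevated session on Windows 11 and relies on the documented Win32_Tpm and Win32_DeviceGuard WMI classes; the numeric service codes are taken from the Win32_DeviceGuard class reference.

```powershell
# Added example: report the state of the Windows 11 hardware-rooted security
# chain (Secure Boot -> TPM 2.0 -> VBS and the services it hosts).
# Run from an elevated PowerShell session on Windows 11.

# 1. Secure Boot (UEFI). Confirm-SecureBootUEFI returns $true when enabled
#    and throws on legacy-BIOS systems, so treat an exception as "not enabled".
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

# 2. TPM presence and specification version. Win32_Tpm.SpecVersion is a
#    comma-separated string such as "2.0, 0, 1.38"; the first field is the spec.
$tpmState = Get-Tpm -ErrorAction SilentlyContinue
$tpmWmi   = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                            -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpmSpec  = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'none' }
$tpm20Ready = [bool]($tpmState -and $tpmState.TpmPresent -and $tpmState.TpmReady -and $tpmSpec -eq '2.0')

# 3. VBS and the services running inside it. Documented codes for
#    SecurityServicesRunning: 1 Credential Guard, 2 HVCI (memory integrity),
#    3 System Guard Secure Launch, 5 kernel-mode Hardware-enforced Stack Protection.
#    VirtualizationBasedSecurityStatus: 0 off, 1 enabled but not running, 2 running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$running = @($dg.SecurityServicesRunning)

$report = [pscustomobject]@{
    SecureBoot                 = $secureBoot
    TpmSpecVersion             = $tpmSpec
    Tpm20Ready                 = $tpm20Ready
    VbsRunning                 = ($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    CredentialGuard            = ($running -contains 1)
    MemoryIntegrityHVCI        = ($running -contains 2)
    SystemGuardSecureLaunch    = ($running -contains 3)
    KernelShadowStackProtected = ($running -contains 5)
}
$report | Format-List

# Call out every link in the chain that is not active, so the gap is explicit
# rather than buried in the property list.
$gaps = $report.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning ("Not running: " + ($gaps -join ', ')) }
else       { Write-Host "All checked Windows 11 security features are running." }
```

Kernel-mode Hardware-enforced Stack Protection also requires a CPU with shadow-stack support (Intel CET or AMD equivalent), so a "not running" result for it on older hardware is expected rather than a misconfiguration.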
Eliminate Passwords with Windows Hello. Windows Hello helps keep your information protected and is a more personal, secure way to get instant access to your Windows 11 devices using a PIN, facial recognition, or fingerprint.
For several years, Microsoft’s approach to Windows security has been to create a chain of trust that ensures the integrity of the entire hardware and software stack, from the ground up. Windows 11 Security demands the hardware necessary to make it work. Microsoft is making an aggressive attempt to raise the security floor of the PC platform, and that’s a good thing for everyone’s security.