Key Takeaways
Windows 11 was released on October 5th and is available for download on computers with certain hardware requirements.
The required hardware for Windows 11 enables several security functions including virtualization based security, side-channel security, and zero trust security.
The combination of the features covered in this blog have been shown to reduce malware by 60% on tested devices, according to Microsoft.
Windows 11, the latest operating system (OS) from Microsoft, launched on October 5th. Organizations and individuals have begun asking themselves when and if they should upgrade from Windows 10. Windows 11 boasts an updated sleeker user interface that is alluring to users, but one factor all should consider is how the update impacts the security of your device.
A major trend in cybersecurity in the last few years is an emphasis on urging businesses to shift to the cloud from on-premises infrastructure. However, moving to the cloud is not a fix for many of the top PC security issues, leaving PCs as a weak link. Windows 11 looks to improve PC security in several ways through hardware security measures.
If you’ve heard anything about Windows 11 it’s probably that it will only run on “new” computers. Microsoft’s latest OS sets a high bar for hardware. At a minimum, Windows 11 requires a 64-bit, 1 GHz processor with virtualization extensions and at least two cores, and HVCI-compatible drivers. In practice that means it requires a processor from Intel’s eighth generation or newer, or from AMD’s Zen 2 series and up. If you are curious if your PC is compatible check out this video that will help you find out.
One thing is clear about Microsoft’s strict requirements on CPU compatibility for Windows 11: it’s all about security. Microsoft themselves even confirmed this in a blog post, “With Windows 11, we are focused on increasing security, improving reliability, and ensuring compatibility. This is what drives our decisions”. The post lists security as the first answer to the question “Why new Windows 11 minimum system requirements?”.
So what are the new security features that require these advanced CPU capabilities? Here we cover four of them.
Virtualization Based Security
Virtualization Based Security (VBS) has become a keystone concept in Microsoft’s approach to security. VBS runs Windows on top of a hypervisor, which can then use the same techniques that keep guest operating systems apart to create secure spaces that are isolated from the main OS. Doing that requires hardware-based virtualization features, and enough CPU horsepower that you won’t notice the drag on performance.
Noteworthy security features that rely on VBS include:
Kernel Data Protection, which uses VBS to mark some kernel memory as read only, to protect the Windows kernel and its drivers from being tampered with.
Memory Integrity which runs code integrity checks in an isolated environment, which should provide stronger protection against kernel viruses and malware.
Application Guard, a protective sandbox for Edge and Microsoft Office that uses virtualization to isolate untrusted websites and office documents, limiting the damage they can cause.
Credential Guard runs the Local Security Authority Subsystem Service in a virtual container, which stops attackers dumping credentials and using them in pass-the-hash attacks.
Side-Channel Security
Another possible motivation for starting Windows 11 compatibility at Intel’s eighth generation may be related to the processor side-channel vulnerabilities that were disclosed in 2018. Intel began releasing hardware-level protections against side-channel vulnerabilities such as Spectre and Meltdown in its eighth-generation line of processors. Perhaps Microsoft wants to finally say goodbye to those vulnerabilities for good by leveraging what Intel has already made.
Trusted Platform Module 2.0
One of the other major hardware security requirements for installing Windows 11 is having a PC with a Trusted Platform Module (TPM) 2.0 chip. A TPM security chip is used for carrying out cryptographic operations, and includes “multiple physical security mechanisms to make it tamper resistant,” Microsoft said in its documentation on TPM. “Malicious software is unable to tamper with the security functions of the TPM.”
Advantages of TPM include the ability to generate and store cryptographic keys, as well as enabling device authentication.
Zero Trust Security
One larger goal for Microsoft is that the company is seeking to enable “zero trust” security for its customers, based around the principle that no user should be trusted by default since they could be compromised.
One way that Windows 11 helps in this effort is with out-of-the-box support for Microsoft Azure Attestation (MAA). MAA can verify the integrity of a system’s hardware and software remotely. Microsoft says this will allow organizations to “enforce Zero Trust policies when accessing sensitive resources in the cloud”.
A Word of Caution
There are plenty of cybercriminals looking to cash in on the inevitable and rising interest surrounding Windows 11. Threats such as malware hiding within Windows 11 installer downloads have been spotted on the web. The best way to avoid these traps is to download Windows 11 straight from the official Microsoft downloads webpage, instead of trusting a link from a third-party site.
Conclusion
The combination of the features covered in this blog have been shown to reduce malware by 60% on tested devices, according to Microsoft.
Due to remote work, organizations running Windows no longer have control over a single office network but are essentially operating hundreds of insecure networks. Windows 11 does a good job of hardening endpoints which is one place that IT providers can continue to focus on.
Nevertheless, Windows 10 still works fine and organization-wide OS upgrades are a big process, so it’s likely that migration to Windows 11 could be slow. Mainstream support for Windows 10 ends in October 2025. It is clear that users will undoubtedly be more secure on Windows 11, but it is unclear if the security benefits are enough to speed up its adoption.