Windows 11 is out. Is it any good for security?

Windows 11, the latest operating system (OS) from Microsoft, launches today, and organizations have begun asking themselves when and if they should upgrade from Windows 10 or older versions. The requirements and considerations of each organization will be different, and many things will inform the decisions they make about whether to stick or twist. One of those things will be whether or not Windows 11 makes them safer and more secure.

I spoke to Malwarebytes’ Windows experts Alex Smith and Charles Oppermann to understand what’s changed in Windows 11 and what impact it could have on security.

A higher bar for hardware

If you’ve read anything about Windows 11 it’s probably that it will only run on “new” computers. Microsoft’s latest OS sets a high bar for hardware, with the aim of creating a secure platform for all that’s layered on top of it. In effect, Microsoft is making its existing Secured-core PC standards the new baseline, so that a range of technologies that are optional in Windows 10 are mandatory, or on by default, in Windows 11.

In reality the hardware requirements will only seem exacting for a short period. Moore’s Law and the enormous Windows install base mean that yesterday’s stringent hardware requirements will rapidly turn into today’s minimum spec.

Three of the new OS’s hardware requirements play major, interlocking roles in security:

All hail the hypervisor

At a minimum, Windows 11 requires a 64-bit, 1 GHz processor with virtualization extensions and at least two cores, and HVCI-compatible drivers. In practice that means it requires an 8th generation Intel processor, an AMD Zen 2, or a Qualcomm Snapdragon 8180.

This is because Virtualization Based Security (VBS) has become a keystone concept in Microsoft’s approach to security. VBS runs Windows on top of a hypervisor, which can then use the same techniques that keep guest operating systems apart to create secure spaces that are isolated from the main OS. Doing that requires hardware-based virtualization features, and enough horsepower that you won’t notice the drag on performance.

Noteworthy security features that rely on VBS include:

• Kernel Data Protection, which uses VBS to mark some kernel memory as read only, to protect the Windows kernel and its drivers from being tampered with.
• Memory Integrity (a more digestible name for HVCI), which runs code integrity checks in an isolated environment, which should provide stronger protection against kernel viruses and malware.
• Application Guard, a protective sandbox for Edge and Microsoft Office that uses virtualization to isolate untrusted websites and office documents, limiting the damage they can cause.
• Credential Guard runs the Local Security Authority Subsystem Service in a virtual container, which stops attackers dumping credentials and using them in pass-the-hash attacks.
• Windows Hello Enhanced Sign-In uses VBS to isolate biometric software, and to create secure pathways to external components like the camera and TPM.

United Extensible Firmware Interface (UEFI)

UEFI is a specification for the firmware that controls the first stages of booting up a computer, before the operating system is loaded. (It’s a replacement for the more widely-known BIOS.) From a security standpoint, UEFI’s key feature is Secure Boot, which checks the digital signatures of the software used in the boot process. It protects against bootkits that load before the operating system, and rootkits that modify the operating system.

Trusted Platform Module 2.0 (TPM 2.0)

TMP is tamper-resistant technology that performs cryptographic operations, such as creating and storing cryptographic keys, where they can’t be interfered with. It’s probably best known for its role in Secure Boot, that ensures computers only load trusted boot loaders, and in BitLocker disk encryption. In Windows 11 it forms the secure underpinning for a host of security features, including Secure Boot’s big brother, Measured Boot; BitLocker (Device Encryption on Windows Home); Windows Defender System Guard; Device Health Attestation; Windows Hello; and more.

New in Windows 11

Windows 11 has some new tricks up its sleeve too.

Hardware-enforced Stack Protection

Windows 11 extends the Hardware-enforced Stack Protection introduced in Windows 10 so that it protects code running in kernel mode as well as in user mode. It’s designed to prevent control-flow hijacking by creating a “shadow stack” that mirrors the call stack’s list of return addresses. When control is transferred to a return address on the call stack it’s checked against the shadow stack to ensure it hasn’t changed. If it has, something untoward has happened and an error is raised.

Pluton

Windows 11 comes ready to embrace the impressively-named Pluton TPM architecture. It’s been a feature of the Xbox One gaming console since 2013, but doesn’t exit in PCs… yet.

Pluton sees the security chip built directly into the CPU, which prevents physical attacks that target the communication channel between the CPU and the TPM. And while Pluton is backwards-compatible with existing TPMs, it’ll do more if you let it. According to Microsoft, “Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself”.

Microsoft Azure Attestation (MAA)

No discussion about security in 2021 would be complete without somebody mentioning Zero Trust, so here it is. Windows 11 comes with out-of-the-box support for MAA, which can verify the integrity of a system’s hardware and software remotely. Microsoft says this will allow organizations to “enforce Zero Trust policies when accessing sensitive resources in the cloud”.

Evolution, not revolution

For several years, Microsoft’s approach to Windows security has been to create a chain of trust that ensures the integrity of the entire hardware and software stack, from the ground up. The latest version of Windows seeks to make that approach the default, and demands the hardware necessary to make it work. With Windows 11, Microsoft is making an aggressive attempt to raise the security floor of the PC platform, and that’s a good thing for everyone’s security.

Make no mistake that threat actors will adapt, as they have done before. Advanced Persistent Threat (APT) groups are well-funded enough to find a way through tough defences, ransomware gangs are notoriously good at finding the lowest-hanging fruit, and lucrative forms of social engineering like BEC are notoriously resistant to technology solutions.

And you can add to that the interlocking problems of increasing complexity, backwards compatibility, and technical debt. Operating systems and the applications they must support are a behemoth, and while Microsoft pursues its laudable aim of eliminating entire classes of vulnerabilities, new bugs will appear and a lot of legacy code will inevitably come along for the ride.

Decisions about whether to adopt Windows 11 will doubtless be impacted by the fact it won’t run on a lot of otherwise perfectly good computers. We expect this to have a chilling effect on organizations’ willingness to migrate away from Windows 10.

And there are other headwinds too. These days, new Windows operating systems are rarely greeted with great enthusiasm unless they’re putting right the wrongs of a particularly disliked predecessor. The bottom line is that Windows 10 works and OS upgrades are painful, so it is difficult to imagine that anyone will conclude they need Windows 11.

Migration away from older versions of Windows is inevitable eventually, and by the time mainstream support for Windows 10 ends in October 2025, users will undoubtedly be more secure. But we expect organizations to move away from Windows 10 slowly, which will delay the undoubted security benefits that will follow from wide-scale adoption of Windows 11.