5 Things To Know About Microsoft’s Windows 11 Security Strategy
Microsoft is moving to a zero trust security approach across all of its platforms, including with stringent Windows 11 CPU requirements.
One thing is becoming clear about Microsoft’s strict requirements on CPU compatibility for Windows 11: it’s all about security.
On Monday, Microsoft published a blog post that listed security first among the guiding principles for the Windows 11 operating system, which will be the successor to Windows 10 when it launches later this year.
“With Windows 11, we are focused on increasing security, improving reliability, and ensuring compatibility. This is what drives our decisions,” Microsoft said in the blog post.
The company has said that its hardware requirements for upgrading from Windows 10 to Windows 11 will include having a processor from Intel’s eighth generation (Coffee Lake) or newer, or from AMD’s Zen 2 series and up.
Intel announced its eighth-gen Coffee Lake processors in August 2017, while AMD’s Zen 2 architecture debuted with third-gen Ryzen chips (Ryzen 3000 series) in July 2019.
That suggests that a significant number of PCs will not be able to install Windows 11. However, Microsoft did say in its blog post Monday that it plans to evaluate whether to allow certain PCs running seventh-gen Intel processors or AMD Zen 1 chips into the Windows 11 fold.
Microsoft has said that the upgrade from Windows 10 to Windows 11 won’t be offered until 2022. That suggests that the original announcement from Microsoft that Windows 11 would be available this holiday only applies to new devices.
What follows are five key things to know about Microsoft’s Windows 11 security strategy.
Zero Trust Security
While it’s true that Microsoft is increasing the hardware requirements substantially for Windows 11—much more so than the company did for Windows 10—a lot has changed for Microsoft around security since Windows 10 debuted in 2015.
The rise of ransomware attacks, the Spectre and Meltdown side-channel vulnerabilities and the massive SolarWinds hack have all ensnared Microsoft and its platforms in numerous ways.
The past year, in particular, has seen Microsoft get far more vocal and aggressive around the need for increasing security. That has included an emphasis on urging businesses to shift to the cloud from on-premises infrastructure.
However, moving to the cloud is not a fix for many of the top PC security issues, leaving PCs as a weak link. That appears to be at least part of why Microsoft is pushing hardware security measures so heavily with Windows 11.
One way to understand the larger goal for Microsoft is that the company is seeking to enable “zero trust” security for its customers, based around the principle that no user should be trusted by default since they could be compromised.
Zero trust security will be a major focus at Microsoft’s Inspire 2021 partner conference next month, Microsoft Channel Chief Rodney Clark said in a recent interview with CRN.
“As a company, we have been focused on this concept of zero trust. We believe that any organization needs to embrace this to adapt to the complexity in today’s secure environment,” Clark said. “There is no patch, per se, and no immediate fix. And so the message to partners is, because security is usually the No. 1 or the No. 2 area of investment for our customers, [partners] also need an approach to zero trust.”
At Inspire, being held virtually from July 14-15, “we’re going to have heavy messaging around zero trust, and why it’s so important to assume that companies will be breached at some point, and the process that you have to go through in order to prepare for that,” he said.
Raising The Bar On Security
In Windows 11, security capabilities such as hardware-based isolation, secure boot and hypervisor code integrity will be turned on by default, Microsoft has said.
“Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI) and Secure Boot,” the company said in its blog post on Monday.
Using these features in combination on test devices has reduced malware by 60 percent on those devices, Microsoft said in the post.
Side-Channel Vulnerabilities
One possible motivation for starting Windows 11 support at Intel’s eighth generation may be related to the processor side-channel vulnerabilities that were disclosed in early 2018.
Patrick Moorhead, president and principal analyst at Moor Insights and Strategy, told The Verge that Microsoft’s CPU requirements for Windows 11 “don’t appear much at all to do with performance but look like security mitigations for side-channel attacks.”
CRN has reached out to Microsoft for comment.
Intel began releasing hardware-level protections against side-channel vulnerabilities such as Spectre and Meltdown in its eighth-generation line of processors, though not all eighth-gen Intel chips feature the hardware mitigations.
TPM 2.0
One of the other major hardware security requirements for installing Windows 11 is having a PC with a Trusted Platform Module (TPM) 2.0 chip.
A TPM security chip is used for carrying out cryptographic operations, and includes “multiple physical security mechanisms to make it tamper resistant,” Microsoft said in its documentation on TPM. “Malicious software is unable to tamper with the security functions of the TPM.”
Advantages of TPM include the ability to generate and store cryptographic keys, as well as enabling device authentication, the company said.
Requiring a TPM chip in Windows 11 thus gives a boost to any zero trust security approach, said Michael Montagliano, chief of innovation at ProArch, an Atlanta-based Microsoft Gold partner.
“It’s really critical to helping us make certain that that device and that identity is verified,” he told CRN. “That is really important for this zero trust initiative. If organizations start adopting this type of mentality, and leveraging this kind of mindset, we’re going to have much more secure environments.”
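The script below is an added example, not from the article, Microsoft, or any partner quoted here. It reads the state of the protections the article names (TPM 2.0 via Get-Tpm and the Win32_Tpm SpecVersion field, Secure Boot via Confirm-SecureBootUEFI, VBS and HVCI via the Win32_DeviceGuard class) so an administrator can see which of them are actually present and running on a given PC before relying on them; it assumes an elevated PowerShell session on Windows 10 or 11 and does not check the CPU generation requirement.

```powershell
# Added example (not the article's own code): read-only audit of the Windows 11
# security features named above. Run from an elevated PowerShell session.

function Get-Win11SecurityReadiness {
    $result = [ordered]@{}

    # TPM: present, ready, and spec version 2.0.
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16"; the first field is the spec major version.
    try {
        $tpm    = Get-Tpm
        $tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                  -ClassName Win32_Tpm -ErrorAction Stop
        $specMajor = ($tpmCim.SpecVersion -split ',')[0].Trim()
        $result['TpmPresent'] = [bool]$tpm.TpmPresent
        $result['TpmReady']   = [bool]$tpm.TpmReady
        $result['Tpm20']      = ($specMajor -eq '2.0')
    } catch {
        # No TPM driver/class available: treat every TPM check as failed.
        $result['TpmPresent'] = $false; $result['TpmReady'] = $false; $result['Tpm20'] = $false
    }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware,
    # which for our purposes is the same as "not enabled".
    try   { $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $result['SecureBoot'] = $false }

    # VBS / HVCI from the Device Guard WMI class.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running.
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result['VbsRunning']  = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    $result['HvciRunning'] = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    [pscustomobject]$result
}

$state = Get-Win11SecurityReadiness
$state | Format-List

# Report which of the checked protections are missing so they can be enabled deliberately
# rather than assumed to be on by default.
$gaps = $state.PSObject.Properties | Where-Object { -not $_.Value } | Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning ('Not in the hardened state described above: ' + ($gaps -join ', ')) }
else       { Write-Output 'All checked protections are present and running.' }
```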
A ‘Positive’ Approach On Security
Without a doubt, Microsoft’s hardware requirements for installing Windows 11 are stringent. The requirements are even expected to make many of Microsoft’s own Surface devices—such as the fifth-gen Surface Pro and original Surface Laptop, both launched in 2017—incompatible with Windows 11.
But solution provider partners of Microsoft have told CRN that such moves are necessary in the current security threat environment.
With customers now essentially operating “hundreds of offices and insecure networks” due to remote work, “you don’t have that single office control that we used to have,” said Ryan Loughran, reactive service manager at Valiant Technology, a New York-based MSP.
With Windows 11, Microsoft is “putting security in the forefront,” Loughran said. “Requiring TPM 2.0 is a great move and turning on the other security features by default is fantastic … Hardening endpoints is probably the single most important thing that IT providers should focus on.”
Miguel Zamarripa, CIO of Colorado Springs, Colo.-based Simpleworks IT, also praised the focus on security in Windows 11, as security is the “top concern” with customers right now.
“It’s great to see Microsoft taking more serious steps in making sure their OS is as secure as possible,” Zamarripa said. “Any step you can take to harden your security is a positive one.”