Microsoft Exec: Windows 11 CPU Requirements Allow Key Security Features To Run ‘By Default’
Intel’s eighth-gen chips and up enable optimal performance for virtualization-based security, which is automatically turned on in Windows 11, Microsoft’s director of OS and enterprise security, David Weston, tells CRN. And that represents one of the big advancements for Windows 11 over Windows 10 on security, Weston says.
Microsoft has set its minimum CPU requirements for Windows 11 at Intel’s eighth generation because the chips enable several important security features to be turned on by default in the operating system, offering a major security enhancement over Windows 10, a Microsoft security executive told CRN.
With Windows 11 general availability set to launch on Tuesday, David Weston, Microsoft’s director of OS and enterprise security, spoke about how the CPU requirements aim to increase security in the new operating system without trading away performance.
Intel’s eighth-gen chips and up support the use of certain key security features—such as virtualization-based security (VBS)—while also providing optimal performance when automatically running those features, Weston said in an interview with CRN.
In Windows 10, powerful security features such as VBS are optional and don’t run automatically—and are rarely used as a result, he said.
“The strategy for the initial release of Windows 11 is very simple: raise the baseline. Turn on the things that were optional in Windows 10 by default,” Weston said.
One example is a feature called mode-based execution control, which—in tandem with Intel’s eighth-gen CPUs and up—helps to ensure optimal performance while running certain virtualization-based security protections, he said.
Some earlier CPUs do support mode-based execution control, including Intel’s seventh-gen processors. But the seventh-gen chips are excluded because they don’t meet all of the performance and reliability requirements that Microsoft has for Windows 11, including for running VBS processes by default, Weston said.
In addition to mode-based execution control, Intel’s eighth-gen chips also ensure that Trusted Platform Module (TPM) encryption and secure boot capabilities are present, Weston said.
“Some lower generations [of processors] also have those features, but then they are missing reliability and performance optimization,” he said.
The stricter CPU requirements for Windows 11 compared to past releases of Windows have led to confusion among users and the IT industry about the reasons that Microsoft drew the line—with just a few exceptions—at Intel’s eighth generation and AMD’s Zen 2. The requirements for newer CPUs along with TPM 2.0 are expected to exclude a significant number of PCs from installing Windows 11. (Users can still bypass the requirements using the Windows media creation tool, which is discouraged but not forbidden by Microsoft.)
Weston said that part of the confusion is that people have been looking for a single reason behind the choice to start CPU compatibility at Intel eighth-gen and AMD Zen 2. But the situation is more complicated, because Microsoft actually looked at multiple considerations in combination to arrive at the minimum CPU requirements for Windows 11, he said.
“Ultimately, we could have chosen many lines,” Weston said. “But we used data analysis around reliability, performance and security to get there, and that is how we landed on that particular bar.”
An additional issue has affected people’s comprehension of the matter: Some of the specific security features that Microsoft considers crucial to enabling in Windows 11 are not features that have been widely discussed—even by Microsoft. For instance, mode-based execution control is not mentioned in previous Microsoft posts on the security considerations for Windows 11.
What Microsoft did mention in the posts is virtualization-based security, as well as hypervisor-protected code integrity, or HVCI. Virtualization-based security enables HVCI, also known as memory integrity, which uses the hypervisor to enforce kernel code-integrity checks so that unsigned or dynamically generated code, such as code a hacker is trying to inject into the Windows kernel, cannot execute there.
Mode-based execution control is a critical underpinning to the optimal use of HVCI. The feature is what ensures that running HVCI doesn’t deliver a major hit to performance and user experience.
HVCI can still work with processors that don’t support mode-based execution control—but those processors depend on an emulation of the feature, “which has a bigger impact on performance,” Microsoft said in July documentation about HVCI.
In short, support for mode-based execution control is one of the keys to why CPUs made in the past four years meet the Windows 11 requirements—and why older processors, which don’t support the feature or provide optimal performance for HVCI, are largely excluded from the list.
“Mode-based execution control is the target,” Weston said. “Virtualization-based security is what we need to secure folks. And [to do that] we needed a performant feature set.”
Security Features Running ‘By Default’
VBS works by creating a separate virtual machine that stores the most sensitive credentials and policies, which is isolated from the operating system.
“Even if someone gets admin-level privileges—the highest level of privilege—they still can’t read what’s in this separate VM,” Weston said. “It’s the exact same premise as how the cloud works today—you can be on a hardware machine with your bitterest rival, and you cannot read coded data across. We use that exact same technology shrunk down [for Windows 11].”
Because VBS has not been turned on by default in Windows 10, the feature has seen “very low usage,” he said.
“What we learned from 10 is, if you make things optional, people don’t turn them on,” Weston said. “They assume that if it was necessary, it would be on. And so I think that’s a big learning. What we put into 11 is [that] we are going to secure you by default.”
Turning the features on by default, however, has required Microsoft to ensure that the features will not lead to a drag on performance—which is why mode-based execution control is a crucial piece of the equation. “If you turn something on by default, it better not be slow,” Weston said.
All in all, “I think folks are looking for this very binary decision [about the CPU requirements]. It’s actually a complicated engineering equation—where it’s like, ‘OK, so we turned on security, did performance tank?’” he said. “So, that is the focus.”
While the Windows 11 CPU requirements also ensure that most PCs running the operating system will have hardware protections against the Spectre and Meltdown processor vulnerabilities, Weston said this was not part of the calculus for Microsoft.
“From a feature perspective, there are two things that eighth-gen and up really give us—and that is mode-based execution control, which is on the Intel platform as an optimization for virtualization. And then the assurance that TPM and secure boot are there,” he said. “So Spectre and Meltdown are not a significant factor here.”
Using Windows 11 security features in combination on test devices—including virtualization-based security, secure boot, device encryption and Windows Hello facial recognition—reduced malware by 60 percent on those devices, Microsoft has said.
Zero Trust Strategy
With many workers shifted to hybrid and remote work, the job of securing a business has become much more difficult, Weston noted. In response, one of the goals with Windows 11 has been to make life easier for security teams through automatically turning on security features, Weston said.
“That can actually become the basis for a zero trust strategy—especially for Microsoft shops,” he said. “So [security professionals] can say, ‘Because these features are on, that should limit the funnel of things I need to care about. There are now more things prevented, which means I should have to do less chasing around and detecting.’”
A common scenario Microsoft has heard from customers is that “even if our detection is great, we don’t necessarily have enough human beings to go investigate everything and respond fast enough,” Weston said. “So Windows 11 helps with reducing that funnel.”
Additionally, since it’s possible to determine whether a PC has these features enabled, the security properties of a system can be measured “almost like a vaccination card,” he said.
An enterprise can therefore say, “show me your device security ‘vaccination card’ before I let you have access to the data,” Weston said. “We made that really easy with Windows 11. And that makes things like endpoint detection better because there’s less to look at. And the endpoint detection is harder to undermine because it’s starting from a very clean, high-integrity state.”
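Weston’s point above that a device’s security properties can be measured, and the earlier explanation of VBS, HVCI and mode-based execution control, as an added PowerShell check that is not from the article or from Microsoft: it reads the Win32_DeviceGuard and Win32_Tpm WMI classes to report VBS, HVCI, MBEC, Secure Boot and TPM 2.0 state. The numeric code meanings follow Microsoft’s Win32_DeviceGuard documentation; the combined baseline test at the end is this example’s own summary of the article’s bar, not an official Microsoft check.

```powershell
# Added example (not from the article or Microsoft): report the VBS/HVCI state
# the article describes, plus TPM spec version and Secure Boot, as a device
# "security card". Assumes Windows 10/11, PowerShell 5.1+, run as Administrator.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# Documented meanings of the Win32_DeviceGuard numeric codes.
$vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }

$available = @($dg.AvailableSecurityProperties)   # 2 = Secure Boot, 7 = MBEC
$running   = @($dg.SecurityServicesRunning)

# TPM spec version comes from the Win32_Tpm class; no instance means no TPM exposed.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpm20 = $tpm -and ($tpm.SpecVersion -like '2.0*')

# Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "off".
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

$report = [pscustomobject]@{
    VbsStatus       = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    HvciRunning     = $running -contains 2
    MbecAvailable   = $available -contains 7   # hardware MBEC; otherwise HVCI is emulated
    SecureBootOn    = [bool]$secureBoot
    Tpm20Present    = [bool]$tpm20
    RunningServices = ($running | ForEach-Object { $services[[int]$_] }) -join ', '
}
$report | Format-List

# The "on by default" bar described in the article: VBS running with HVCI,
# on hardware MBEC, with Secure Boot and a TPM 2.0 present.
$meetsBaseline = $report.VbsStatus -eq 'Running' -and $report.HvciRunning -and
                 $report.MbecAvailable -and $report.SecureBootOn -and $report.Tpm20Present
"Meets Windows 11 default security baseline: $meetsBaseline"
```

On a machine without hardware MBEC the report will still show HVCI running if it is enabled, but MbecAvailable will be false, which is the emulated, slower configuration the article contrasts with eighth-gen and newer CPUs.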
‘This Is Act One’
Another motivation for the hardware requirements with Windows 11 is to enable Microsoft to boost security even further in future releases of the operating system, according to Weston.
“A lot of this initial release of Windows 11 is not the end goal—it’s the first click stop on our journey. We’re saying, ‘we can now guarantee you have a TPM. That means I can go and make sure every app developer is now storing credentials and keys in hardware,’” he said. “I can’t do that on Windows 10 when just a percentage of folks have that. So it’s allowing me to set a baseline that I can now move the ecosystem to take full advantage of. And that’s a huge, huge win for us.”
What that means is that “more applications can support passwordless by default. More applications can do data encryption. More applications can have zero trust protections, because we’ve got that virtualization-based capability to report on their integrity,” Weston said. “What you’ll see in the following versions of Windows 11 is us exploiting that to a much better extent to increase security. So I think this is just the stage setting. This is act one. Act two and three, I think, are going to really bring some massive increases in security.”
Even with the first release of Windows 11, there are a number of security advancements that will enable solution providers to do their jobs better, said Marc Menzies, president and CTO of Overview Technology Solutions, a Ronkonkoma, N.Y.-based solution provider and Microsoft partner.
And the CPU requirements are a central part of that, since the “newer CPU models allow you to take advantage of additional security features that are baked into the hardware,” Menzies said in an interview with CRN on Monday. “If you have an environment with certain higher standards for hardware, from a security perspective, it makes things more turnkey.”
Even with Windows 10, “I could do a good job [on security] right now with the tools I’m given in any environment,” he said. What Windows 11 does is it enables solution providers and IT professionals “to do a good job consistently” because of the higher security baseline, he said.
For instance, when every PC in a customer fleet has Windows 11, you can know that they’ll all have TPM 2.0 and thus can be “brought up to some level of security standard easily,” Menzies said.
“I’m able to know, walking into an environment with Windows 11, that the endpoints can be easily secured and I’m not going to run into any weird problems with that baseline,” he said. “It just makes it a heckuva lot easier to know what your baseline is, and that you can implement some of the security features that are really, at this point, fundamentals.”
Overall, “I think Microsoft’s posture on security is about a ‘rising tide raises all ships,’” Menzies said.
For solution providers and IT professionals, Windows 11 should offer the major benefit of having “less to configure,” Weston said.
“They’ve got a very tough job. Many of our IT folks are not just IT—they’re security, they’re DevOps. They’ve got a whole bunch of different hats,” he said. “What I’m really hoping is that they’ll tell me, ‘My job is now easier. I have to do less tweaking and configuration, and less [work] doing the compatibility and performance analysis myself—because Microsoft has done more of that up front with Windows 11.’”