“Windows 10 will be the last Windows version.” Yeah, not really. Microsoft recently announced Windows 11 being in development with a targeted release in late 2021. Even more than Windows 10, it focuses on a secure hardware root of trust as a foundation for the operating system’s overall security posture. So let’s have a look at Windows 11 security.
New hardware requirements
A hardware root of trust requires – you’ve guessed it – certain hardware and firmware features to be enabled on the device. Why is that necessary? Microsoft focuses on Virtualization-Based Security (VBS) to encapsulate parts of the operating systems into different so called enclaves. This helps to maintain system integrity even in the event of malware attacks. What do we need for that:
- A trusted platform module (TPM) in version 2.0
- Secure Boot (as part of UEFI)
- Certain CPU-side functionality like
- Intel Mode-based execute control for EPT (MBEC): Windows Processor Requirements Windows 11 Supported Intel Processors | Microsoft Docs
- AMD Guest-mode execute trap for NPT (GMET): Windows Processor Requirements Windows 11 Supported AMD Processors | Microsoft Docs
- ARM Translation table stage 2 Unprivileged Execute-never (TTSUXN): Windows Processor Requirements Windows 11 Supported Qualcomm Processors | Microsoft Docs
- For all manufacturers: support for the Windows Drivers model
You probably won’t need to memorize the latter but it is important to understand that the level of protection that is desired can’t be implemented by software only. Features that use this hardware foundation are e.g.:
- System Guard for low level system integrity
- Device Guard for kernel level code integrity
- Application Guard for user level code integrity
- Credential Guard for securely storing account credentials
- BitLocker
- Windows Hello for Business
- Windows Sandbox
Microsoft also provides a full table for most of those features:
| Windows Feature | TPM required | TPM 1.2 support | TPM 2.0 support |
| Secure Boot | No | Yes | Yes |
| Measured Boot | Yes | Yes | Yes |
| System Guard | Yes | No | Yes |
| Device Health Attestation | Yes | Yes | Yes |
| Autopilot | No | N/A | Yes |
| BitLocker | No | Yes | Yes |
| Device Encryption | Yes | N/A | Yes |
| Credential Guard | No | Yes | Yes |
| Windows Defender Application Control | No | Yes | Yes |
| Windows Hello/Windows Hello for Business | No | Yes | Yes |
| TPM Platform Crypto Provider Key Storage Provider | Yes | Yes | Yes |
| Virtual Smart Card | Yes | Yes | Yes |
| Certificate storage | No | Yes | Yes |
What really changes
All features discussed above are already present in Windows 10. What Microsoft will now enable by default is memory integrity as part of Hypervisor-protected Code Integrity. This was already part of Windows 10 for quite some time but an optional feature. It still is, but dependent on device hardware and the OEM image it will now be enabled by default. The requirements for that can be found here: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement#hardware-features-for-automatic-enablement
Besides, not much changes. Windows 11 will enforce certain requirements like a TPM but the functionality that builds upon it must in parts still be configured on the administrative side. Here, Windows 10 already is quite secure and has many options to protect the operating system against threats.
In my opinion, what Microsoft really wants to achieve here is to make sure that any Windows 11 installation already fulfills the hardware requirements for enhanced security, so any admin can just go ahead and be more secure if required.
Windows 11 security
It was already possible with Windows 10, but Windows 11 now is the opportunity to deploy more secure baseline configurations to clients. Windows 10 will still be supported until 2025, so there is time to move. How can we use that time? Well, let’s have a look at a more secure client design (no guarantee to be complete) with Windows 11 security features:
- BitLocker: For years one of the most reliable and manageable volume encryption solutions for Windows. Mandatory for mobile devices, recommended for all. Self service is available with Azure AD.
- SmartScreen / Network Protection: two features that are simple to deploy and still a huge benefit. Windows 10 will go ahead an check for malicious files and web traffic in Microsoft Edge and Explorer (SmartScreen) or at the network level independent from the client application (Network Protection). This way malicious entities as identified by the Microsoft Intelligent Security Graph will be audited or blocked on the client.
- User Account Control: yes, it can be bypassed. Please use it nevertheless. You don’t want your local admin access token present in the session all the time.
- Microsoft Defender Antivirus / Microsoft Defender for Endpoint: Microsoft Defender Antivirus and Defender for Endpoint are a great combination for client-side antimalware + EDR / EPP
- Safe Documents as part of Defender for Office 365: Microsoft Defender for Endpoint scans any office file from an external source and only allows enabling the editing mode if it was determined to be clean. This is a significant protection against malicious macros or other prepared office files.
- Attack Surface Reduction: ASR is part of the EPP approach in Windows. It provides protection capabilities against the most common threats, like macros dropping code or unknown executables from external devices, and many more.
- Credential Guard: isolates (domain) credentials and prevents extracting them, no perfect protection but still a valuable component
- Windows Defender Firewall: Isolate devices on the network to prevent lateral movement. With Intune, it is very easy to set the Firewall to stealth / shielded mode to completely prohibit incoming connections and probing. This must of course fit your helpdesk scenarios.
- Application Control / AppLocker: both features can be used to define a allow list of applications. AppLocker does the job but is there since Windows 7. Application Control is more advanced and allows more granular identification of application + the option to sign policies to prevent modifications. In combination with HVCI (previously known as Device Guard which, however, – as a product name- included both HVCI and Application Control), Application Control can govern kernel mode and user mode binaries.
- Application Guard: Hardware based isolation of Microsoft Edge and Microsoft Office to keep any potential infection to the container instead of letting it spread to the whole system.
- LAPS: use random local administrator passwords to prevent lateral movement to other systems with the same password.
- Passwordless authentication: Use Windows Hello for Business for single-user devices or FIDO2 security keys for shop floors / production systems.
Thanks for reading!
Chris
Note
Please note that all content on this blog is provided ‘as is’ without any warranty.