Why Windows 11’s security is such a big deal
Enterprises are worried about exactly the issues that Windows 11 helps with, and the hardware specs mean future security improvements like more app containers.
The hardware requirements for Windows 11 have led to a lot of debate about exactly what changes in newer PCs and processors; they’ve also led to enterprises thinking about what security features they need in hardware.
Microsoft’s second Security Signals report shows that enterprise security decision-makers are concerned about the security impact of hybrid work, and they expect PC hardware to help, said Dave Weston, director of OS security at Microsoft.
SEE: Windows 11: Tips on installation, security and more (free PDF) (TechRepublic)
“On one hand, that is somewhat intuitive because you’re losing Intrusion Detection Systems and some of the network-based analysis and of course the physical protection of being on campus.” But it also underlines that while Windows 10 has the same features for zero-trust security approaches that are built into Windows 11, they haven’t been adopted broadly because people just don’t turn them on.
“We have virtualization-based security, we have many things that can help the folks who are trying to protect the hybrid work environment, but it’s not on by default, it’s difficult to configure, there are performance issues … . Maybe naively, we said at the start of Windows 10 we’ll just put all this great stuff in and customers will run and turn on the group policies for these. With Windows 11, we’re starting off in a very different position; we’re only giving ourselves credit for the security value when it’s on by default,” Weston said.
“We’re calling Windows 11 a ‘zero-trust-ready’ operating system and that means more of those things that you used to have to push yourself as an IT person—maybe doing security and IT and wearing many hats—are just on by default.” (Although if you’re upgrading PCs, you will still have to turn these features on yourself.)
“With Windows 11, conditional access, System Guard, runtime attestation—I’m really excited by the effect having more prevention on by default [on new PCs] is going to have on these customers,” he said.
“I didn’t go and create a bunch of new Guards and other things in the operating system; I focused on the performance, reliability and compatibility aspects of enabling those features by default.”
Ready to refresh
Having those features on by default without any of those concerns also relies on the new hardware requirements for Windows 11, and that’s something the survey suggests enterprises actually want.
Eighty-six percent think outdated hardware leaves their organization mode open to attack (and said almost a third of their hardware counts as outdated); 80% say software protection alone isn’t enough, and almost 90% say modern hardware will help protect them from future threats. That’s quite a change in attitude, Weston told us.
“There has been a big emphasis on buying endpoint detection and response, buying SIEMs, doing [threat] hunting and so on. And so to see the security responders come back and say ‘we need hardware’ is really interesting.”
Talking to Microsoft customers in more depth led Weston to believe the sheer volume of threats is behind the interest in hardware for security. “What I’m hearing is just given the voracity of attackers out there and the threat landscape, detection is working great; but maybe few companies can really staff the folks that would be necessary to investigate and remediate every one of those issues. So what we’re starting to see is a pattern back to good old prevention; the more we can reduce the funnel, the better we can action and remediate [those threats].”
Based on telemetry from Windows Insiders trying out Windows 11, Weston said a lot of PCs are ready to run these hardware-based security protections, and in many cases you won’t notice they’re running.
SEE: Windows 11: Understanding the system requirements and the security benefits (TechRepublic)
“[We saw] an incredibly high percentage of hardware requirements being met, even though it was optional, which I think is telling given the size of our insider population and the variety [of devices]. The hardware requirements have obviously impacted some folks but there are many, many, many folks who can continue to run on the Insider program without issues. A very high percentage of TPM usage and some of the other key hardware. Again, we have all sorts of regression testing around performance and reliability, and the numbers have been what we expected. No significant regressions, no major issues, no NPS [Net Promotor Score] issues. It’s been fairly transparent and a non issue, which is to me the gold standard: when I raise the bar in security and people don’t even know it’s there.”
Not all enterprises join the Windows Insider program so it’s possible commercial environments aren’t well-reflected in those numbers and they will find the security defaults more disruptive. There’s a new in-depth guide to the security architecture of Windows 11 to help them, but application testing may also be key for commercial adoption, especially as the Windows team starts to build security on top of the new baseline.
“Many of the things I want to do around credentials will require people I think to do a little more testing: if you leverage old smartcard drivers and you move that into virtualization-based security and isolate it, there will be more test cases that need to happen.”
Some of that testing can be done on Microsoft’s Test Base service and Windows 365; this will soon take advantage of the new ‘trusted launch’ virtual machines on Azure which he calls “essentially secured-core VMs” with virtual TPMs and virtualization based security features like Credential Guard.
Containing the problem
Hardware-based security will help defenders today but the successes of the Insider program suggest it also puts Windows 11 in a good position to add more features, starting with the promised Android app support, which relies on virtualization.
“Virtualization can introduce problems particularly on older hardware. The [hardware] floor that we have today I think really sets us up to have an excellent experience there. It’s not just things like Mode-Based Execution Control; there are many architectural improvements from Eighthth Generation processors and up.”
Further down the line, virtualization will be able to protect applications more by running them in individual Krypton containers—a feature Microsoft announced for what was going to be Windows 10X but hasn’t yet built into Windows 11.
Enterprise users are already adopting similar security features like Windows Defender Application Guard for Edge and Office, Weston said, especially with the increase in zero-day exploits for browsers. “We’re seeing a lot of folks gravitate to that. On the commercial side, that’s setting us up to increase support for a [wider] variety of applications.”
SEE: Windows evolves: Windows 11, and the future of Windows 10 (TechRepublic)
Those features aren’t aimed at consumer users but Weston said Microsoft has been surprised by how many people have been using the Windows Sandbox feature to isolate applications. “Originally the viewpoint was that this is a great enterprise technology. It’s obviously optimised for security and so sometimes there’s trade-offs in experience. The perception was that consumers would not be interested in that, and the data tells a different story. There’s huge engagement on Sandbox, so that’s really energising us to do similar things in the future. And obviously with Windows 11 having that good hardware baseline and good performance around virtualization, it makes it even more enticing to go and innovate in that space.”
“It’s really captured our imagination on things we can do in Windows 11 in the future with exposing more of these scenarios to consumers.”
From the developer side, Kevin Gallo, CVP of the Windows Developer Platform, told us that getting application containers right will be key in getting developer adoption. “There’s a balance [to strike]; if you put too much security on a container you break functionality, if you don’t have one, apps aren’t contained so one app can affect the other, so if one app gets malware, then all of a sudden every app can get it. So, we have a strong belief that containerization is a good thing.”
The UWP app container isn’t part of the Windows App SDK yet because Gallo notes wryly that “there were parts that were loved, and there were parts that were not loved.” He predicts that the future app container model will have some flexibility in the tradeoff between functionality and security, probably with several different security settings, but those haven’t yet been decided on. Expect to see preview versions for IT and developers to give feedback on so that containerization is easy, but doesn’t get in their way. “What we’ve learned is if it doesn’t work for developers, they just won’t adopt it.”
Plugging in Pluton
The Windows 11 requirements include a TPM; in future hardware, that will include Microsoft’s own Pluton security hardware. Weston wouldn’t confirm when PCs with Pluton will launch beyond saying “very soon” and “in the Windows 11 ship timeframe.”
Windows 11 secure boot fully mitigates current attacks like the UEFI bootkit Kapseprsky recently found in the FinFisher spyware. “Going into early boot is a natural progression for attackers who are trying to evade more visibility and more prevalence of endpoint agents; we saw that in attacks like SolarWinds. Windows 11 is in a really strong position to help with that.”
But Pluton will be important for mitigating future attacks. “The best way to get yourself out of a crisis situation is to hit it off before it happens,” he explained.
“Our perspective has always been, we’ve got to get early boot and that foundation solid otherwise really bad things happen like bootkits turn off Windows Defender, attackers get in and they go invisible. Part of our job is getting that system integrated [so we] make sure the [security] agents have solid footing and they can’t be tampered with.”
Another side effect of the Windows 11 hardware specification has been to show that even PCs with TPMs built in haven’t always been using them to protect the system. And not having had TPMs turned on means they may not have been as widely battle-tested as the security community expected. “As we force more people to turn on a TPM, I think that the TPM will become a more critical path in terms of fundamentals: can it be updated, is it available, is it reliable? We’re seeing in telemetry that as TPMS get used, more of their functionalities expose some of the limitations. That’s where Pluton steps in.
“Pluton does many things; it’s a pretty great Swiss Army knife for security, but its major function is to make TPMs super available and super reliable.” And that means future security features will be built on a secure foundation all the way down to the hardware.