Windows 11 Available: What Security Pros Should Know


Microsoft today announced the official release of Windows 11 for compatible machines around the world, starting Oct. 5. But those who want to upgrade will need to ensure their computers meet a long list of security and system requirements.

The system requirements for Windows 11 include a 1GHz or faster dual-core “compatible” 64-bit processor or system-on-a-chip (SoC), 4GB of RAM, at least 64GB of storage, UEFI Secure Boot enabled, and Trusted Platform Module (TPM) version 2.0, among other requirements. Those unsure whether their device is compatible can verify using Microsoft’s PC Health Check app.

This is important to note because the long list of requirements, while a plus for security, might mean a lot of people don’t have the required hardware for the new OS and will need to wait until their next PC to upgrade. Microsoft in 2019 debuted Secured-Core PCs, which were built to have a defense-in-depth approach to system security but which still aren’t widely adopted.

Microsoft says the new hardware security requirements for Windows 11 are meant to create a foundation that’s more resilient against cyberattacks. This version of Windows requires hardware that enables additional protection such as Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity, and Secure Boot. VBS and Secure Boot are built in and enabled by default on new CPUs, security officials note in a blog post on the rollout.
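Security teams assessing a fleet against the requirements listed above (64-bit CPU with two or more cores at 1GHz+, 4GB RAM, 64GB storage, TPM 2.0, Secure Boot) and the VBS/HVCI defaults just described can script the check rather than running PC Health Check by hand. The following is an added example, not Microsoft's code or part of the PC Health Check app; it reads the standard TPM, Secure Boot and Device Guard interfaces that Windows 10 and 11 expose and assumes an elevated PowerShell session on the machine being assessed.

```powershell
# Added example: report a machine's standing against the Windows 11 hardware
# security baseline. Run elevated; Get-Tpm and Confirm-SecureBootUEFI need admin.
function Get-Win11SecurityReadiness {
    $r = [ordered]@{}

    # 64-bit OS, RAM (4GB) and system-drive size (64GB)
    $os = Get-CimInstance Win32_OperatingSystem
    $r['Is64BitOS']   = $os.OSArchitecture -like '64*'
    $r['RAMGB']       = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $r['RAM_OK']      = $r['RAMGB'] -ge 4
    $sysDisk          = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $r['SystemDiskGB'] = [math]::Round($sysDisk.Size / 1GB, 1)
    $r['Storage_OK']  = $r['SystemDiskGB'] -ge 64

    # CPU: two or more cores at 1GHz or faster (MaxClockSpeed is in MHz)
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $r['CPU_Cores_OK'] = $cpu.NumberOfCores -ge 2
    $r['CPU_Clock_OK'] = $cpu.MaxClockSpeed -ge 1000

    # TPM present, ready, and reporting a 2.0 spec version
    try {
        $tpm = Get-Tpm
        $r['TPM_Present'] = $tpm.TpmPresent
        $r['TPM_Ready']   = $tpm.TpmReady
        $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
        $r['TPM_SpecVersion'] = $spec
        $r['TPM_2_0'] = $spec -like '2.0*'
    } catch { $r['TPM_2_0'] = $false }   # no TPM driver or not elevated

    # Secure Boot; the cmdlet throws on legacy BIOS boot, which also fails the check
    try { $r['SecureBoot_On'] = Confirm-SecureBootUEFI } catch { $r['SecureBoot_On'] = $false }

    # VBS / HVCI / Credential Guard state from the Device Guard WMI provider:
    # VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r['VBS_Running']       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $r['HVCI_Running']      = ($dg.SecurityServicesRunning -contains 2)
    $r['CredGuard_Running'] = ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]$r
}

Get-Win11SecurityReadiness | Format-List
```

Any `False` in the TPM, Secure Boot or CPU rows marks a machine that cannot take the upgrade; a `False` in the VBS or HVCI rows on otherwise eligible hardware is worth tracking, since those are the protections Windows 11 is meant to turn on by default.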

Enabling security by default was a priority for Windows 11, says David Weston, Microsoft’s director of OS and enterprise security. Many of the Windows 11 baseline security features are already available in Windows 10; the focus has been on making them enabled by default.

“There’s obviously been a lot of discussion about Windows 11 having a higher security bar from a hardware perspective, and we’re putting that to good use by introducing more defaults than Windows 10 or its predecessors had,” Weston says.

The focus on security by default partly stems from Microsoft’s annual Security Signals report, which found more than 80% of vice presidents and above report they’ve experienced a hardware attack in the last two years, but 29% of budgets are allocated to protect firmware. This year, the report found 80% believe software alone doesn’t offer sufficient protection.

“Detection is working [and] we’re seeing more, we just don’t have enough folks, and we just don’t have enough time, to go through all those detections,” says Weston of the challenges that businesses face. “So we want things like hardware to stop more things before they become detections and sort of reduce that funnel.” With more security enabled by default, he believes there will be less to configure and less complexity in deployment for IT and security teams.

Improving virtualization-based security performance, and making it more reliable, lets Windows 11 use technologies such as Microsoft Defender Application Guard to containerize apps that are frequently targeted, such as browsers and Office clients, he continues. With Application Guard, websites and Office files run in an isolated Hyper-V container, so anything that happens in the container stays isolated from the desktop OS. This virtualization-based technology is also used in other Windows security features, including Credential Guard and Hypervisor Code Integrity.

For IT and security teams gearing up for an enterprise rollout, Weston advises using the same advice that applies to other major upgrades.

“All of those basic fundamentals still hold true: Have a solid backup plan, have a tiered rollout where you can make sure things are going well and roll it back if there are some unforeseen issues,” he says, noting that “every environment is slightly different; their risk tolerance is slightly different.”

He also encourages ensuring security tools are ready to work on the new OS. While Microsoft works with major vendors to ensure compatibility, individual businesses should double-check their endpoint detection agents, vulnerability scanners, and other tools work as expected.

For organizations that aren’t ready to make the switch, there is time. Windows 10, which has the same baseline security features as Windows 11, will be supported through Oct. 14, 2025.