Security is a big part of Windows 11, but so is delivering productivity and a good experience with all the security features turned on.
The hardware requirements for Windows 11 have been causing some confusion and controversy. The minimum specification is about getting the right trade-offs between security, reliability, compatibility and performance to deliver a good Windows experience, and many enterprises will be ready for Windows 11.
The minimum system requirements of 1GHz or faster dual-core processors, 4GB of RAM, and 64GB of storage are what Microsoft Office and Teams already specify.
TPM 2.0 has been a requirement for all new Windows PCs since 28 July 2016 (2018 in China), with the only exceptions being special-purpose commercial systems and custom orders. Although it’s usually just thought of as storage for BitLocker (and the Device Encryption equivalent on Windows Home) keys, the Trusted Platform Module services a wide range of Windows security features: storing other keys and the PINs for Windows Hello biometrics and Credential Guard; blocking brute-force dictionary attacks so that even shorter PINs and passwords are more secure; powering virtual smart cards; acting as the hardware root of trust for secure boot and measured boot; attesting to PC health after boot with Windows Defender System Guard; and enabling ‘white glove’ and self-service Autopilot deployments.
While the official documentation suggests that a TPM is optional for some of those features, “to be honest, I would not recommend it being optional,” David Weston, partner director of enterprise and OS security at Microsoft, told TechRepublic. “Without a TPM, you’re not going to have segmentation, which is what we want”.
In fact, the reaction to the Windows 11 requirements suggest that many PCs have TPMs that haven’t been enabled, so even a protection mandated five years ago may not be in place. Admins expecting to upgrade to a new version of Windows Server may want to take this as an opportunity to audit their server hardware, because TPMs have been recommended since Windows Server 2016 and will be required for Windows Server 2022, but aren’t always present.
To run Windows 11, CPUs need to have the hardware virtualization features to enable virtual secure mode for Virtualization-Based Security and the Hypervisor-Protected Code Integrity that underlies a range of protections that Microsoft has been building since Windows 8, like Application Guard, Control Flow Guard, Credential Guard, Device Guard and System Guard. Now they’ll be on by default for all PCs, not just specially selected devices.
They also need to have drivers based on the new Windows Drivers model; earlier this year, Microsoft announced that drivers for what was then called Windows 10X would need to be certified through the Windows Hardware Compatibility Program and be componentised, written for isolation and use an approved subset of Windows APIs, to make them more stable and easier to update.
The breadth and variety of the PC ecosystem makes the specification more complicated than you might think. Intel 8th generation CPUs, AMD Zen 2 and Qualcomm 7 and 8 Series have the right hardware features for security, reliability and performance; they also have full support. While 7th generation and AMD Zen CPUs have the hardware features, they have what Microsoft described to us as ‘limited support’, so one of the things the Windows Insider releases of Windows 11 will show is exactly which of those earlier processors will deliver a good enough experience to be supported. And the Snapdragon 835 that powered the very first Windows on Arm devices isn’t supported at all.
No more guards
Security isn’t its only raison d’etre, but Windows 11 is intended to “raise the security baseline”, taking advantage of the various ‘guard’ features that are already in Windows but rarely turned on.
The goal is to make security easy, to make sure it doesn’t impact performance or battery life, and to make it easy for organizations to move to passwordless, ‘zero trust’ approaches, Weston told TechRepublic.
“I tell my team ‘no more guards’; we really want to focus not on building new security tech, but in turning on the security tech we have, which I think is already pretty substantial.”
“Virtualization Based Security is on by default. Obviously the TPM is there, so that’s going to give us the ability to do BitLocker in Windows Hello in more default scenarios. Those are going to allow commercial enterprises to do zero trust and take advantage of things like System Guard. There’s a lot of out-of-the-box security value. I want people to flip their laptop open and feel they are much better protected, and we know that they will be, based on looking at threat intelligence versus the default we changed.”
“If you look at the major attacks out there, whether that’s ransomware or phishing, we’ve struck directly at mitigating those, or at least making them much, much better protected on Windows 11,” Weston claimed.
“For the folks who are tasked with managing, you need to make their deployment as simple as possible. And I think we’ve done that by saying the things that are most critical are just there and enabled by default. Many of the security professionals in organizations are stuck in between detecting and responding, and then modifying and working with the configuration management folks to turn on more security. If we could make that job a little easier I think we’d see more secure commercial enterprises, and that’s a big theme for Windows 11.”
Windows Hello for Business replaces the familiar username and password with strong user authentication using asymmetric cryptographic key pairs (stored in the TPM) and Windows 11 improves the way the key trust relationship works with Active Directory and Azure AD. “Folks who were using certificates or smart cards, which are pretty substantial, can very quickly transition to Windows Hello for Business, which means they can really quickly get to a nice passwordless strategy,” Weston said. “That was one of the bigger blockers for passwordless adoption in corporations; we’ve got that.”
Zero trust isn’t always clearly defined, and Weston is keen to simplify the idea for organisations, pointing out that it’s an approach many are already taking, like moving from Group Policy to MDM for devices (and Windows 11 adds many new MDM policies to help them move away from legacy device management).
“I think what most of our customers are looking for is a combination of additional identity proofs and some information about the risk of the device and combining those to make an educated decision about the cloud,” said Weston. “What Windows 11 does for that style of zero trust is, if you have an MDM — of course we love Intune and conditional access — you can collect, from the hardware, very high-integrity information about the risk of the device and you can combine that with identity information from your identity provider — of course we like Azure Active Directory for that. And those two signals give you a lot of additional security over the traditional perimeter approach. You’re getting the right information to make the right decision, and you’re making sure that that information can be trusted, so it’s captured from the hardware, because otherwise you’re gathering information that might be tampered [with] by an attacker.”
Windows 11 will have other security improvements that Microsoft isn’t ready to talk about yet, which might include the application containers originally promised for 10X. “We have some really interesting ideas on how to do better app security for mainline apps,” said Weston.
But beyond security, one of the features Weston is most excited about is the way Windows Updates are 40-50% faster to install (thanks to only delivering file deltas and even more aggressive compression than previous update models. “As someone who takes a daily build [of Windows], every day I’m smiling and saying ‘that was so fast’ — it’s really noticeable.”
Understanding the ‘CPU floor’
Just turning on the existing hardware-based security features reduces malware infections by 60%, but compatibility and performance worries have meant only a few PCs have shipped with them on by default.
“This is really, really important fundamental stuff. If you don’t have that foundation to build on, you’re going to be in reactive mode for the rest of existence,” Weston pointed out. “Windows 11 is starting with an incredibly strong foundation.”
While only new PCs shipping later this year will come with the Microsoft-designed Pluton security processor, Tiger Lake CPUs have Control-flow Enforcement Technology to help Control Flow Guard block ROP attacks (and there’s an AMD equivalent).
Eighth-generation processors also already include functionality that improves the performance of HVCI: Intel’s Mode-based execute control for EPT (MBEC), AMD’s Guest-mode execute trap for NPT (GMET), and ARM’s Translation table stage 2 Unprivileged Execute-never (TTS2UXN). Older processors have to rely on slower, less power-frugal Restricted User Mode emulation, which is one of the reasons for the CPU requirements in Windows 11.
“Many of the architectural changes in the CPU have allowed software to get out of being the middle person between the hypervisor and the hardware,” Weston explained. “Things that used to take longer because the operating system would have to say, ‘I have to walk this over to the hardware’ — we got out of the way. So you see substantial performance increases with virtualization in Windows 11, because of the hardware ‘floor’, and you see substantial battery life extension as a result. It’s a much better experience with virtualization.”
That’s important for features like Windows Defender Application Guard, the Windows Sandbox, WSL 2 and the way Hyper-V now works with third-party virtualisation software. It will also be what powers the virtualised Android apps that will run on Windows 11.
That mix of security, performance and battery life explains what might otherwise look like arbitrary CPU choices, Weston explained.
“We looked at a median that we thought was right in the target range of folks who are going to adopt Windows 11, and then we looked at performance and reliability and what features are available — the virtualisation necessary for Android apps, what drivers are available, security features and having efficient security…that was all factored into the decision.”
“This was a focus on making sure that Windows 11 met expectations. This is a new rejuvenated Windows — the experience is awesome. And that’s why you saw a little bit of bump in the RAM, a little bit of bump in the SSD, a little bit of bump in the CPU, because all of those things take advantage of what our silicon ecosystem has been producing for the last five years, which is pretty fantastic. And when you’ve got competition who’s really raising the bar, you want to make sure you know that our experience in the PC ecosystem can meet any other ecosystem.”
Microsoft used a lot of telemetry, but also talked to commercial customers about their PC hardware and upgrade plans, where the four to five years of PC hardware that Windows 11 will run on is a typical refresh cycle.
“We spent a lot of time with enterprises in different categories and the feedback we got is, for the vast majority of enterprises we talked to, this is going to work just fine. The other reality is, despite security being the top driver for Windows 10 and the Windows 7 to 10 transition happening relatively quickly, there’s going to be some folks who just aren’t going to make that move quickly. And so we think this is a good balance between the folks who are ready to go to Windows 11 and the folks who need more time but want to stay secure and supported.”
Common enterprise security initiatives like the passwordless and zero trust approaches that Windows 11 supports natively will appeal to many enterprises, Weston expects; for others the Windows 10 support lifecycle matches the timescale for buying new PCs.
“Folks who have the hardware available and want these substantial security increases — we think they’re going to move to Windows 11 even faster than the 7 to 10 transition, because security is even more important now. And there will certainly be another set of folks who need more time to do hardware refresh or just get prepared. And we’re going to continue to ship updates and ship new and interesting things down to Windows 10 to keep them secure and viable.”
For those disappointed by the hardware requirements, Weston points out that it’s delivering a good Windows experience. “It’s not like we’re trying to make it hard for people who are on an unsupported configuration. The goal is to say, ‘let’s be very clear about where the best experience is and where Microsoft suggests you really go to have a good experience’.”
The breadth of the PC ecosystem allows for a wide range of devices. “We’re open enough to allow people to really do what they want to do. At the same time we need to be clear and say ‘this is what we intended’, and those two things are not mutually exclusive.”
All the discussion about TPMs and CPU capabilities is just a reminder of how much interest there is in Windows, Weston pointed out. “I’m actually excited by how many people are just asking about Windows 11 and seeing the level of energy. People are passionate, they want it, and they want it the way in which they enjoy it, and I’m super-supportive of that.”
via: techrepublic.