Windows 11 will turn on hardware security by default but only on new PCs or if you re-image from scratch. But there is a workaround.
Security is only one of the reasons for the hardware requirements for Windows 11; it’s also about reliability, compatibility and performance. But the hardware security features in the CPUs that Windows 11 will run on reduce malware and ransomware attacks significantly.
Speaking at a virtual “Ask Me Anything” event about Windows 11, David Weston, partner director of enterprise and OS security at Microsoft, talked about leveraging hardware to “raise the security baseline to a level much higher than Windows 10 or any other previous version of Windows.”
“We started by thinking about how we can prevent against the most common attacks, so supply chain attacks, credential attacks, things that you might see in the news related to ransomware or other really impactful issues,” he said at the event. UEFI secure boot “makes sure that the machine boots in what I would call a clean and secure state, with only code coming from Microsoft, your silicon provider and your device manufacturer.”
He also called Windows 11 “the first true passwordless operating system” because it uses the TPM as a “secure lock box” for biometrics, which prevents the kind of lateral movement attackers rely on when they crack passwords and steal credentials.
“When you’re authenticating with your PIN, your face or your fingerprint … we’re taking that information, we’re processing and checking it, and if it passes muster the secure lockbox releases a key and allows you to authenticate securely. This helps a lot by preventing very common attacks that would seek to steal this information, steal your credentials and use it to access other machines in your name.” The TPM is also used to store the BitLocker encryption key.
Newer CPUs offer better virtualisation performance, so Windows 11 can rely on virtualisation for security. “The advances in processor architecture in recent generations allow us to turn on virtualization-based security, which helps secure the kernel from code injection attacks like those seen in WannaCry, and also helps prevent credential attacks against common enterprise credentials like NTLM, things that would be involved in domain join.”
Windows 11 also uses virtualisation to monitor the OS itself. “We use virtualization-based security … to produce what we call a zero-trust operating system where we’re able to observe changes in the operating system, those that might be interesting from a security perspective, and report them to the top.”
Those features are available for Windows 10, too, though they’re not enabled on the vast majority of PCs.
But depending on how you get Windows 11 on your PC, those hardware security features may not be turned on automatically.
Clean installs and compatibility
All Windows 11 PCs will be capable of running virtualization-based security, a Microsoft spokesperson said. But memory integrity (the friendlier term used in Settings for hypervisor-protected code integrity, which uses VBS) is only turned on by default on a new PC that ships with Windows 11, or if you reimage a PC with Windows 11 (both of which count as a “clean install”).
But just upgrading from an earlier version of Windows won’t automatically enable the hardware-based security features for you. (If you had memory integrity turned on before you upgrade, it will stay on).
Even if you re-image your PC, HVCI and VBS won’t be turned on if you have incompatible kernel drivers. Compatibility with the software, peripherals and device drivers you have installed is the main reason that upgrading doesn’t turn on the hardware security features, but it’s not the only factor, Microsoft said.
“Compatibility is the main concern but turning on virtualization will affect the performance characteristics of a device, and we want to avoid sudden changes to the performance that a user is accustomed to on their device without being directly attributable to an action they take.”
Generally speaking, HVCI and VBS don’t have much impact on performance, but Microsoft is being extra cautious when you upgrade an existing PC so that Windows 11 doesn’t feel like a worse experience than Windows 10 simply because it turned on security features you could have been using but weren’t.
In fact, you need a slightly more powerful PC to get the hardware security features turned on automatically than just to run Windows 11: Microsoft says they will be on by default on new and reimaged PCs with Intel 11th generation, AMD Ryzen 3000 or later or Qualcomm 8C or later CPUs, 64GB or larger SSD (Windows 11 requires 64GB of storage but not an SSD) and 8GB of RAM rather than the 4GB specified for Windows 11.
Some OEMs may enable HVCI and VBS on PCs that don’t meet those specs, Microsoft told us, but also noted that “end users or their organization’s IT department are always in control and can turn HVCI + VBS on or off as appropriate.”
HVCI and VBS won’t be enabled automatically on PCs in China or Korea; Microsoft said that’s “for both legal and compatibility reasons.”
If hardware security isn’t turned on—in Windows 11 or Windows 10—you can enable it yourself from the Windows Security app in Settings, under Device security, Core isolation. But upgrading to Windows 11 won’t prompt you to do this or offer to do it for you, even if your PC meets the hardware requirements. Microsoft is considering suggesting this to users, possibly through a new version of the PC Health Checker app, which will be available again before Windows 11 ships to help people decide whether to upgrade, but that’s not definite.
“We are constantly evaluating how to raise awareness of our security capabilities in a way that helps users make informed choices,” Microsoft said.
Organizations that are planning to upgrade devices to Windows 11 without re-imaging will want to set device management policies to turn on HVCI and VBS to get the full protection.
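As an added example, not code from the article or from Microsoft: a PowerShell script an administrator can run on an upgraded PC to report whether VBS and memory integrity (HVCI) are actually running, using the Win32_DeviceGuard WMI class, and to turn memory integrity on by writing the DeviceGuard registry values that the Settings toggle and the “Turn On Virtualization Based Security” Group Policy set. The function names are my own; the change only shows as running after a reboot, and stays off if an incompatible kernel driver is loaded.

```powershell
# Added example (not from the article or Microsoft). Run from an elevated PowerShell prompt.
# Get-VbsHvciState only reads state; Enable-MemoryIntegrity writes the documented
# DeviceGuard registry values and needs a reboot before the change takes effect.

function Get-VbsHvciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'NotEnabled' } 1 { 'EnabledNotRunning' } 2 { 'Running' } default { 'Unknown' }
    }

    # SecurityServicesConfigured / SecurityServicesRunning list 1 = Credential Guard, 2 = HVCI.
    [pscustomobject]@{
        VbsStatus        = $vbsStatus
        HvciConfigured   = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning      = [bool]($dg.SecurityServicesRunning    -contains 2)
        CredGuardRunning = [bool]($dg.SecurityServicesRunning    -contains 1)
        # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection
        # (further values are documented by Microsoft for Win32_DeviceGuard).
        PlatformFeatures = $dg.AvailableSecurityProperties
    }
}

function Enable-MemoryIntegrity {
    param([switch]$RequireDmaProtection)   # also require IOMMU/DMA protection, not only Secure Boot

    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $hvciKey -Force | Out-Null

    # Same values the "Turn On Virtualization Based Security" Group Policy writes.
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' `
        -Value $(if ($RequireDmaProtection) { 3 } else { 1 }) -Type DWord   # 1 = Secure Boot, 3 = Secure Boot + DMA
    Set-ItemProperty -Path $hvciKey -Name 'Enabled' -Value 1 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name 'Locked'  -Value 0 -Type DWord     # 0 = no UEFI lock, so IT can still turn it off
    Write-Host 'Memory integrity configured; reboot to apply. If it stays off, check for incompatible kernel drivers.'
}

# Audit first; only enable when the hypervisor is available and HVCI is not already running.
$state = Get-VbsHvciState
$state | Format-List
if (-not $state.HvciRunning -and ($state.PlatformFeatures -contains 1)) {
    Enable-MemoryIntegrity
}
```

Running Get-VbsHvciState again after the reboot shows whether HvciRunning flipped to True; if VbsStatus reads EnabledNotRunning, a driver or firmware setting is blocking it rather than the policy being missing.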
For those who aren’t ready to move to Windows 11, you don’t need to worry about being unable to get future feature releases if you don’t have a version 2.0 TPM in your Windows 10 PC. At the virtual Windows 11 event, Microsoft also confirmed that Windows 10 will not require TPM 2.0, even in future releases.