301.519.9237 exdirector@nesaus.org

7.2.21 – CI –

With Microsoft’s announcement of Windows 11, some are concerned about the software’s hardware requirements and security.

Since Microsoft announced Windows 11, one of the more frequent concerns about the new software has been regarding the hardware requirements, specifically the Trusted Platform Module (TPM). Windows PC’s have required TPM 2.0 since 2016, with a small number of exceptions. But TPM services various Windows security features like blocking dictionary attacks to make shorter PINs and passwords safer and storing the PINs for Windows Hello biometrics, just to name a few.

In a TechRepublic article, they point out that this response could mean that many PCs have TPMs, but they have not been enabled. They go on to suggest that those looking to upgrade to Windows 11 should take this time as an opportunity to investigate their server hardware because TPMs will be required for Windows Server 22, but they are not always present and are listed as optional by Microsoft documentation.

“I would not recommend it being optional,” says David Weston, partner director of enterprise and OS security at Microsoft, in the TechRepublic article.

“Without a TPM, you’re not going to have segmentation, which is what we want,” he says.

Windows 11 will require CPUs to have hardware that allows virtual secure mode for Virtualization-Based Security and protected code integrity that is foundational for protections that Microsoft has been constructing since Windows 8.

TechRepublic’s article mentions that Weston informed them that he and his team are striving to make security simpler and want to activate more of the existing security guards without affecting battery life or performance. He and his team are also excited about the Windows updates installation speed.

Turning on the existing security features decreases malware infections by 60%, however, most PCs have shipped without them on by default due to compatibility and performance concerns. Towards the end of 2021, new PCs will be shipped with Microsoft’s Pluton security processor, but TechRepublic points out that Tiger Lake CPUs have enforcement technology to assist Control Flow Guard in blocking ROP attacks.

There are also eight-generation processors with functionality that boosts the performance on HVCI from Intel, AMD, and ARM but they rely on less efficient Restricted User Mode emulation.

“Many of the architectural changes in the CPU have allowed software to get out of being the middle person between the hypervisor and the hardware,” says Weston in the TechRepublic article. “Things that used to take longer because the operating system would have to say, ‘I have to walk this over to the hardware’ — we got out of the way. So, you see substantial performance increases with virtualization in Windows 11, because of the hardware ‘floor’, and you see substantial battery life extension as a result. It’s a much better experience with virtualization,” he says.

The hardware requirements have certainly caused some disappointment, but Weston told Tech Republic that part of the aim is to direct users to where the best experiences will be in terms of devices.