Windows 10 has had its share of security exploits. From Spectre and Meltdown to the recent print spooler bug, the list of Windows 10 vulnerabilities and hacks is extensive. Therefore, it is a relief to see Microsoft doubling down on security in Windows 11.

Windows 11 will be a more secure operating system than Windows 10 out of the box, full stop. Microsoft’s renewed focus on security in Windows 11 will center around some key features. So, let’s take a look at crucial security features that strengthen Windows 11’s defenses.

1. The Trusted Platform Module (TPM)

Ever since Microsoft announced that Windows 11 requires Trusted Platform Module (TPM) 2.0 support, this topic has become sort of controversial. While TPM chips have been around for over a decade, device manufacturers and users haven’t taken them seriously until now.

A TPM chip is a cryptographic store that holds encryption keys, passwords, and certificates. The TPM chip uses the stored items to identify and authenticate devices, software, and users.

For instance, in Windows 11, Windows Hello works alongside the TPM 2.0 chip to secure the log-in process. The TPM 2.0 chip stores a secret related to Windows Hello and uses that secret to authenticate the user.

According to Microsoft on Windows Blogs, the reason for going with the newer TPM 2.0 instead of the older TPM 1.2 is that TPM 2.0 supports better cryptographic algorithms.

In other words, the TPM 2.0 chip will make sure that Windows 11’s PCs are authentic and unbreached.

2. Virtualization-Based Security (VBS)

Microsoft has included Virtualization-based Security (VBS) in Windows 11. The feature aims to protect security solutions against exploits by hosting these solutions inside an isolated and secured segment of system memory.

In simpler terms, VBS takes a chunk of system memory, isolates it from the rest of the OS, and uses that space to store security solutions. By doing this, Microsoft is protecting security solutions that are the prime targets of most cyberattacks.

While VBS support is available in Windows 10, the feature isn’t used by default. Microsoft is changing this with Windows 11. The company has announced that it will be enabling VBS on most Windows 11 PCs by default in the coming year.

3. Hypervisor-Protected Code Integrity (HVCI)

Hypervisor-protected Code Integrity is a feature of VBS that protects the isolated system memory environment that VBS creates. HVCI makes sure that the Windows kernel, aka the brain of the OS, is not compromised.

Because many exploits rely on using kernel mode to gain access to the system, HVCI does a critical job in ensuring that the kernel is safe and can’t be used to exploit the system.

In layman’s terms, HVCI ensures the brain of Windows (the kernel) doesn’t do something stupid that can compromise the system's security.

Windows 10 ships with HVCI out of the box. But it degrades the performance of older CPUs quite a lot. This is one reason why Microsoft is requiring 8th gen or above Intel and Zen 2 or above AMD CPUs, since they have dedicated hardware for HVCI.

In short, Windows 11 will be considerably more secure than Windows 10 by default through the use of HVCI and VBS.

4. UEFI Secure Boot

Before we talk about UEFI Secure Boot, let’s clear up one thing: all of Windows’ security tools and protocols can do nothing if your system is compromised before booting.

Put simply, if Windows boots up with bad code, exploits can bypass all the security measures. UEFI Secure Boot makes sure this doesn’t happen by verifying that your computer only starts up with code that is from a trusted source. This source can be your PC’s manufacturer, chip maker, or Microsoft.

All Windows 11 machines will come with UEFI Secure Boot from the get-go. This will give Windows 11 machines a significant security leg-up over Windows 10 devices.
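
To see which of the four features above are actually active on a given PC, the following PowerShell audit reads their state without changing anything. It is an added example, not part of the original article; the function name Get-Win11SecurityPosture is made up for illustration, and it assumes an elevated PowerShell prompt.

```powershell
# Read-only audit of TPM, VBS, HVCI and Secure Boot state. Run elevated.
# Get-Win11SecurityPosture is a hypothetical name chosen for this example.
function Get-Win11SecurityPosture {
    $result = [ordered]@{}

    # TPM: SpecVersion looks like "2.0, 0, 1.38"; the first field is the family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmSpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        $result.TpmEnabled     = [bool]$tpm.IsEnabled_InitialValue
        $result.TpmActivated   = [bool]$tpm.IsActivated_InitialValue
    } else {
        $result.TpmSpecVersion = 'not present or not visible (needs elevation)'
    }

    # VBS and HVCI are both reported by the Device Guard WMI class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        # 0 = not enabled, 1 = enabled but not running, 2 = enabled and running
        $vbsStates = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
        $result.VbsStatus = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        # Service ID 2 is hypervisor-protected code integrity (HVCI).
        $result.HvciConfigured = $dg.SecurityServicesConfigured -contains 2
        $result.HvciRunning    = $dg.SecurityServicesRunning    -contains 2
    } else {
        $result.VbsStatus = 'Device Guard class unavailable'
    }

    # Secure Boot: the cmdlet throws on legacy-BIOS (non-UEFI) systems.
    try {
        $result.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch [System.PlatformNotSupportedException] {
        $result.SecureBoot = 'Not supported (legacy BIOS boot)'
    } catch {
        $result.SecureBoot = "Unknown: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

Get-Win11SecurityPosture | Format-List
```

A machine where VBS shows "Enabled, not running" or HVCI is configured but not running usually needs a reboot or is missing a hardware prerequisite such as virtualization support in firmware.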

Windows 11 Will Be Safer Than Windows 10 From Every Angle

Microsoft is making sure that its new OS is secure from the beginning. Security-focused hardware like TPM 2.0 and newer CPUs will enable features such as VBS and UEFI Secure Boot to guard users against exploits.

That said, most Windows users are still using older machines. So, Microsoft has to convince people to buy new PCs. And that won’t be easy.