The rollout of Windows 11 is well underway. Here are three ways Windows 11 is helping companies keep malware at bay.
The rollout of Windows 11 is well underway. One aspect that has received a lot of attention is that Windows 11 cannot be installed on most older devices because they do not meet its minimum system requirements.
Microsoft has its reasons for establishing those requirements. “Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, device encryption, Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI) and Secure Boot,” according to the Windows Team. “The combination of these features has been shown to reduce malware by 60% on tested devices.”
Here are three ways Windows 11 is helping companies reduce the number of malware infections and other types of cyberattacks.
Trusted Platform Modules (TPMs) are not new. Virtually all computers built since 2015 include a TPM chip — a specialized processor (crypto processor) that executes cryptographic algorithms within hardware. The TPM chip has physical security mechanisms to make it tamper-resistant. Equally important, malware is unable to tamper with the chip’s security functions.
Despite its usefulness and resistance to cyberattacks, TPM support has been largely untapped because it is typically disabled in the firmware settings. This situation is now changing thanks to Windows 11.
To use Windows 11, you need a computer with a TPM 2.0 chip and TPM support enabled. The chip is used for many security-related functions, including the generation and storage of cryptographic keys that are unique to each user’s computer. It is also used to ensure system integrity by taking and storing security measurements. For example, the measurements taken by the TPM 2.0 chip are used in the Secure Boot process. This process prevents malware from being installed when a computer starts up.
TPM 2.0 is a critical building block for providing security in Windows 11, according to David Weston, the director of enterprise and OS security at Microsoft. “Its purpose is to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.”
In the past, businesses used virtualization mainly to consolidate servers, optimize resources, and run legacy applications. Companies that have installed Windows 11 on their devices will also be using virtualization to improve their security defenses.
In Windows 11, VBS is used to create a secure region of memory that is isolated from the rest of the operating system (OS). This isolated memory is used to protect the secure kernel and other security-sensitive OS functions. It also protects authenticated user credentials and other security assets. “Even if malware gains access to the main OS kernel, VBS greatly limits and contains exploits because the hypervisor and virtualization hardware help prevent the malware from executing code or accessing platform secrets running within the VBS secure environment,” according to Microsoft.
VBS is also used by other Windows 11 security features, including HVCI. HVCI checks the integrity of kernel-mode code (e.g., drivers) before that code is run by making sure that it hasn’t been tampered with and it’s properly signed. This is all done inside the VBS secure environment instead of the main Windows kernel to help prevent attacks that try to modify kernel mode code or inject malicious code into the kernel.
Microsoft Defender Application Guard (MDAG) is another security feature that uses VBS. MDAG runs untrusted websites in a VBS container that is isolated from the host OS. That way, if an untrusted website includes malware, the infection is confined to the container. MDAG works with the Microsoft Edge browser. Extensions are available for other browsers, including Google Chrome and Mozilla Firefox.
MDAG can also be used with Microsoft 365 and Microsoft Office. It runs untrusted Word, PowerPoint, and Excel files in an isolated container to prevent weaponized files from accessing a company’s resources, including its data.
Although VBS, HVCI, and MDAG are available in Windows 10, they are disabled by default. That is no longer the case: in Windows 11, VBS, HVCI, and MDAG are enabled by default.
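Because these protections depend on firmware settings and driver compatibility, an administrator should verify rather than assume they are active. The following PowerShell audit is an added example (not code from the article or from Microsoft); it assumes an elevated session on Windows 10/11 and uses only built-in cmdlets and the Win32_Tpm and Win32_DeviceGuard WMI classes to report the TPM 2.0, VBS, HVCI, and MDAG state described above.

```powershell
# Added example (not from the article): audit TPM 2.0, VBS/HVCI and MDAG state on one device.
# Run from an elevated PowerShell session; Get-Tpm, Win32_DeviceGuard and
# Get-WindowsOptionalFeature all require administrator rights.

function Get-TpmStatus {
    $tpm = Get-Tpm   # TrustedPlatformModule module, built into Windows 10/11
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; a TPM 1.2 part reports "1.2, ..."
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Enabled     = $tpm.TpmEnabled    # false when TPM is switched off in firmware
        Ready       = $tpm.TpmReady
        SpecVersion = $spec
        IsTpm20     = (($spec -split ',')[0].Trim() -eq '2.0')
    }
}

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    }
}

function Get-MdagStatus {
    # MDAG ships as the optional Windows feature 'Windows-Defender-ApplicationGuard'
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
    [pscustomobject]@{ Installed = ($f.State -eq 'Enabled') }
}

$tpm = Get-TpmStatus; $vbs = Get-VbsStatus; $mdag = Get-MdagStatus
$findings = @()
if (-not ($tpm.Present -and $tpm.Enabled -and $tpm.IsTpm20)) { $findings += 'TPM 2.0 missing or disabled in firmware' }
if (-not $vbs.VbsRunning)  { $findings += 'VBS not running (check virtualization support in firmware)' }
if (-not $vbs.HvciRunning) { $findings += 'HVCI not running (an unsigned or incompatible driver may block it)' }
if (-not $mdag.Installed)  { $findings += 'MDAG feature not installed' }

$tpm; $vbs; $mdag
if ($findings) { Write-Warning ('Gaps: ' + ($findings -join '; ')) }
else { Write-Host 'TPM 2.0, VBS, HVCI and MDAG are all active on this device.' }
```

The same queries can be collected fleet-wide through a configuration management tool to spot devices where an upgrade silently left VBS or HVCI off.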
Strong passwords — long, unique passwords that include mixed-case letters, numbers, and symbols — are harder to hack. However, they are also harder to create and remember. As a result, employees often create short, weak passwords. Plus, they reuse passwords so they only have to memorize a few of them.
“Passwords are inconvenient to use and prime targets for cybercriminals — and they’ve been an important part of digital security for years. That changes with the passwordless protection available with Windows 11,” according to the Microsoft Windows Security Team. “After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their applications and cloud services.”
There are several ways to go passwordless, one of which is Windows Hello for consumers. With Windows Hello, individuals can sign in to their Microsoft account using facial recognition, fingerprint recognition, or a device-specific PIN that is stored locally.
Businesses might want to set up passwordless multi-factor authentication (MFA) for enhanced security. With MFA, two or more types of credentials are used to authenticate a user. The main types of credentials are often described as:
Passwordless MFA can be set up using Windows Hello for Business, the Microsoft Authenticator app, or Fast Identity Online (FIDO2) security keys. Azure Active Directory is required to set up passwordless MFA.