Windows 11 started rolling out on October 5 for personal devices, but most businesses are unlikely to get access to the upgrade until the middle of 2022.
Regardless of when you get Windows 11, you’ll need to know what security features are included and available, so you can effectively implement it across your organization. The early data shows potential: So far, the new Windows 11 features have reduced malware on tested devices by 60 percent.
Let’s take a look at the Windows 11 security features businesses can expect and the requirements they’ll need to meet.
While Windows 11 offers more security features than previous versions of the operating system, it still requires updates and secure devices to maximize that security. Kolide — this article’s sponsor — works with Okta to ensure that only secure devices can access company resources, checking the status of each device and requiring fixes before allowing access. Through its self-service model, Kolide allows for quick fixes and reduced demand on IT staff.
What to Expect from Windows 11
- Features on by default
- Zero trust ready
- Passwordless access
- Upgraded hardware requirements
- Should you upgrade to Windows 11?
Features On by Default
While Windows 10 offered security features such as virtualization-based security (VBS) as options, businesses had to turn them on manually. In Windows 11, however, these features will be turned on by default, which is one of the reasons for the increased CPU requirements. This is part of a much-needed trend by Microsoft to make security less optional.
Here are some of the features that will be on by default in Windows 11:
- Mode-based execution control (ensures optimal performance while VBS is running)
- Trusted platform module (TPM) encryption
- Secure boot
- Hypervisor-protected code integrity (HVCI)
- Windows Sandbox
- Kernel Data Protection (KDP)
Zero Trust Ready
With these security features already in place, Microsoft is touting Windows 11 as zero trust ready. This should limit the number of incidents cybersecurity professionals have to chase down, improving their response time. Windows 11 also provides the ability to determine whether or not a device has the security features enabled. A device has to prove that it is secure before getting access to data, just as you might have to show your vaccination card to get access to a concert venue.
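A local check of several of the default-on features listed above, as an added example that is not from the original article or from Microsoft. It assumes an elevated PowerShell session; the report field names are made up for this example, and Kernel Data Protection and Windows Sandbox are not covered.

```powershell
# Added example: report whether the default-on Windows 11 protections are active.
# Run elevated: Get-Tpm and Confirm-SecureBootUEFI require administrator rights.

# Device Guard CIM class exposes VBS, HVCI and hardware capability state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# Secure Boot: the cmdlet throws on legacy BIOS systems, so an error counts as "off".
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

# TPM state, plus the spec version string, which begins with the major version.
$tpm     = Get-Tpm
$tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                            -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

# Field names below are hypothetical labels chosen for this example.
$report = [ordered]@{
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    VbsRunning    = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning contains 2 when HVCI is active
    HvciRunning   = ($dg.SecurityServicesRunning -contains 2)
    # AvailableSecurityProperties contains 7 when mode-based execution control is available
    MbecAvailable = ($dg.AvailableSecurityProperties -contains 7)
    SecureBoot    = $secureBoot
    TpmReady      = ($tpm.TpmPresent -and $tpm.TpmReady)
    Tpm20         = ($tpmSpec -like '2.0*')
}

[pscustomobject]$report | Format-List

# List every check that came back false so the gap is explicit.
$failed = $report.GetEnumerator() | Where-Object { -not $_.Value } |
          ForEach-Object { $_.Key }
if ($failed) {
    Write-Warning ("Not enabled or not verifiable: " + ($failed -join ', '))
} else {
    Write-Output 'All checked features are active.'
}
```

A result of `VbsRunning = False` alongside `MbecAvailable = True` indicates hardware that supports the feature but a configuration that has it switched off.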
Combining this with the OS supporting Microsoft Azure Attestation (MAA) out-of-the-box, Windows 11 offers both software and hardware-based zero trust protection. MAA has the ability to remotely confirm the integrity of hardware or software trying to access sensitive cloud resources. Extending protection to both cloud and on-premises environments is critical for enterprise scalability.
One of the features Windows 11 promised was Android application support, which requires app virtualization. Because development would be extremely difficult on mobile devices, developers need a way to run the application from their computers. Virtualization allows them to test app features from their computer before rolling them out to the public.
VBS uses hardware virtualization to add an extra layer of protection to security features and prevent malware from infecting them, even if it breaches the rest of the device.
Looking forward, Microsoft expects to run virtualization through individual Krypton containers. While Microsoft has announced this feature for Windows 10X, it isn’t yet part of Windows 11.
Windows Sandbox allows users to run applications in a safe environment that’s separate from the rest of their PC. Once the user closes the application, everything within the sandbox gets deleted. For applications that might be hosting malware, this prevents it from accessing other files and applications on the device.
While Microsoft didn’t anticipate that personal users would be interested in sandboxing, they’ve actually seen a lot of engagement with it. Sandboxing obviously changes the experience of running an application, so Microsoft is still working on balancing both security and usability.
Passwordless Access
Windows Hello offers passwordless access for your devices, relying instead on a PIN, fingerprint, or facial recognition. For consumers, passwordless access will be on by default, while businesses will be able to deploy simple passwordless models. IT administrators will also retain granular control over authentication methods to ensure users comply with company policy.
In addition to increased security, passwordless access can also reduce operating costs for IT teams because they’ll spend less time helping users reset their passwords. And since 81 percent of breaches use passwords that attackers have stolen or hacked, that’s fewer resources IT will have to put towards chasing down intruders.
Upgraded Hardware Requirements
Microsoft requires that devices running Windows 11 have at least an eighth-generation Intel CPU in order to enable the default security features it wants to include. Not only do eighth-generation and later processors support these features, but they can also optimize performance so users don’t have to sacrifice usability for security. Eventually, this will include Microsoft’s Pluton processor.
Additionally, devices that are certified for Windows 11 will come with a TPM 2.0 chip, which protects credentials and encryption keys behind hardware. This protection is difficult for attackers to breach and provides root-of-trust out of the box.
While the new hardware requirements may be frustrating for some, 80 percent of security decision makers believe security software has to be supplemented with modern hardware to fend off attacks. Dave Weston, director of OS security at Microsoft, said prevention is at the heart of this shift in his interview with Tech Republic. “What I’m hearing is just given the voracity of attackers out there and the threat landscape, detection is working great; but maybe few companies can really staff the folks that would be necessary to investigate and remediate every one of those issues. So what we’re starting to see is a pattern back to good old prevention; the more we can reduce the funnel, the better we can action and remediate [those threats].”
Should You Upgrade to Windows 11?
Businesses that have the budget to upgrade their hardware should consider upgrading to Windows 11. It reduces the attack surface of your devices and lowers the burden on your IT team by limiting the incidents they need to chase down. Considering how hard good IT security specialists are to find in the current market, reducing their workload can help you keep them.
However, new software releases are bound to include bugs, so it may be worth waiting a few months after the initial release to give your organization time to prepare for any issues that other users have brought up. This way, Microsoft can hopefully address those concerns before your company even has to worry about them.
Even so, Microsoft has been taking security seriously for some time now and scoring well in MITRE tests in the endpoint detection and response (EDR) space. Because of this, any bugs in the new operating system will likely be minor and probably won’t have a huge impact on security. They’d probably be more likely to affect user experience.