Windows 11 is super-secure, don't mess it up
When asked why he robbed banks, the famous Willie Sutton reportedly replied, "Because that's where the money is." Likewise, most malware authors target Windows or Android because that's where the security holes are. Once Windows 11 reaches wide usage, that may change. Microsoft has made the bold move of demanding essential security hardware, even if that means some PCs won't be upgradeable. With a protected boot process and cryptographic routines running in protected memory, this edition of Windows appears to be invulnerable to a wide range of attacks.
How does this additional security work? Microsoft will happily provide endless pages of detailed descriptions. For those who prefer the big picture, here is a simple overview of what I learned and what I found when I installed the new operating system. The TL;DR? The new operating system might not look like a major update, but security-wise it's a big change, unless you turn it off.
Install Windows 11 on a virtual machine
To start with, I needed to install Windows 11. I do almost all of my security product testing in virtual machines. That way I can release real-world ransomware without worrying about real damage if the antivirus fails in its defensive task. It made sense to install Windows 11 in a virtual machine, especially the preview version, which was what was available when I started testing. We covered the basics of creating a Windows 11 virtual machine, but I found that I needed to go beyond what our article suggested. The biggest adjustments I had to make were for security.
My first attempt ended badly. I had barely entered the installation process when the installer announced, "This PC does not meet minimum requirements." With no further details, that wasn't very helpful. After several more false starts, I had the bright idea of running the PC Health Check app on an existing virtual machine. The verdict was clear and simple. In their default configuration, my virtual machines do not support Secure Boot and do not have a (virtual) Trusted Platform Module (TPM).
I tackled the problem again by choosing to create a virtual machine with custom settings. This let me choose UEFI firmware with Secure Boot, a good start. In the last step, customizing the hardware, I tried adding a TPM. The VMware screen explained: "The virtual machine must be encrypted and use UEFI firmware." I tried the installation anyway but hit the same warning that the PC did not meet the requirements.
After some more floundering, I started looking through each VM setting, looking for something about encryption. And I found it: "Access Control: Unencrypted". I clicked to encrypt it and nearly cheered when I found I could now add a virtual TPM 2.0 chip. After that, the installation went without a hitch.
The lesson was clear. Windows 11 is all about security. It requires a PC capable of Secure Boot, which prevents malware from attacking the boot process. You don't have to activate Secure Boot, at least not at the moment, but the PC must support it. And your PC must have a TPM chip to manage cryptographic keys and protect your PC's operating system and firmware. Without this security foundation, you are stuck on Windows 10 (which Microsoft continues to support).
What is a TPM?
The concept of a trusted platform module for increased security dates back 20 years, and PCs have had one since 2005. Microsoft's BitLocker full-drive encryption system relies on the TPM to manage and protect its cryptographic keys. The handy Windows Hello facial recognition login system also uses TPM support. Microsoft's documentation indicates that every modern PC probably has a TPM, and PCs under five years old most likely have the latest version, TPM 2.0.
If you dig into your PC's settings for security chip details, you'll see status indicators for Attestation and Storage (both should say "Ready"). Each TPM includes highly secure storage for cryptographic keys, among other things. Attestation refers to the TPM's ability to take a snapshot of your system's hardware and software configuration and verify (upon request) that there has been no tampering. Since each TPM has a unique, non-modifiable key, it can be used to authenticate the PC it resides in.
Software-based random number generators can be hacked; the hardware random number generator inside a TPM is not vulnerable in that way. Performing cryptographic functions inside the TPM rather than implementing them in software also protects them against tampering. When a TPM is available, Chrome, Firefox, and Outlook all use it for certain encryption tasks.
In short, a TPM is a security hub. It validates hardware and software components so that no one can tamper with your PC. It stores important cryptographic keys. And it provides ultra-secure cryptographic functions to Windows and applications. If you want to know more, check out this in-depth look at the TPM by Tom Brant of PCMag.
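As an added example that is not part of the original article, the same TPM status the Settings app shows, plus the Secure Boot state the article later tells you to verify, can be queried from an elevated PowerShell prompt; it relies only on the built-in Get-Tpm, Win32_Tpm and Confirm-SecureBootUEFI cmdlets, and the function name Test-Win11SecurityBaseline is my own.

```powershell
# Added example: report the Windows 11 hardware security prerequisites
# (TPM present, ready and version 2.0; Secure Boot supported and enabled).
# Run from an elevated PowerShell prompt on Windows 10 or 11.
function Test-Win11SecurityBaseline {
    $result = [ordered]@{}

    # Get-Tpm (TrustedPlatformModule module) reports presence and readiness.
    $tpm = Get-Tpm
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is
    # the TPM specification version the installer checks for.
    $tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($tpmInfo) { ($tpmInfo.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $result.TpmSpecVersion = $spec
    $result.Tpm20          = ($spec -eq '2.0')

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # on legacy BIOS (no Secure Boot support) or when not running elevated;
    # the error text is kept so the two cases can be told apart.
    try {
        $result.SecureBootEnabled   = [bool](Confirm-SecureBootUEFI)
        $result.SecureBootSupported = $true
    } catch {
        $result.SecureBootEnabled   = $false
        $result.SecureBootSupported = $false
        $result.SecureBootError     = $_.Exception.Message
    }

    $result.MeetsWin11Baseline = $result.TpmPresent -and $result.TpmReady -and
                                 $result.Tpm20 -and $result.SecureBootSupported
    [pscustomobject]$result
}

$check = Test-Win11SecurityBaseline
$check | Format-List
if ($check.MeetsWin11Baseline -and -not $check.SecureBootEnabled) {
    Write-Warning 'Hardware qualifies, but Secure Boot is off: enable it in the UEFI firmware settings.'
}
```

The warning branch covers the case the article describes, where the PC merely supports Secure Boot but it has never been switched on.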
And then Microsoft gave in
Apple's operating systems have had security built in from the start, with iOS even more locked down than macOS. Windows, on the other hand, is still patching an endless stream of system vulnerabilities. By requiring Secure Boot and a TPM 2.0 chip, Windows 11 neutralizes a whole class of malware attacks: attacks that seize full control of the computer by subverting the Windows startup process or compromising the system before it even boots. Of course, some older PCs are being left behind, but Microsoft will keep Windows 10 going for them. This is a big step towards Apple-level security.
And then Microsoft dug a big hole in the new security wall around startup. Microsoft's own site now explains how to bypass the Windows 11 installation checks for TPM 2.0 and for a sufficiently modern processor. It's a simple registry tweak. Some have commented on the dire warning that "Serious problems can arise if you modify the registry incorrectly." But Microsoft attaches that disclaimer to any support article that involves tweaking the registry.
The result is that people can install Windows 11 on a PC with an outdated TPM (TPM 1.2 is still required) and an outdated processor. In a gesture reminiscent of Willy Wonka's half-hearted "no... stop... don't... don't...", the instructions warn that Microsoft "advises against" installing Windows 11 on a machine that does not meet the minimum requirements.
To be fair, those who dig a little deeper will find stronger warnings. If you install Windows 11 on unsupported hardware, "your PC will no longer be supported and will no longer be able to receive updates." It goes on to clarify that you may still receive updates; you just aren't guaranteed to get them. The page adds that "Damage to your PC due to a lack of compatibility is not covered by the manufacturer's warranty."
Windows security support
Familiar security features like Microsoft Defender Antivirus don't seem to have changed much in Windows 11. Microsoft is pushing passwordless sign-in, which uses some of the advanced security technologies required by Windows 11, but passwordless sign-in is also available in Windows 10. It's Secure Boot and the use of TPM 2.0 that dramatically improve security in Windows 11, assuming you don't turn them off!
If your computer has a TPM 2.0 chip and supports Secure Boot, upgrade to Windows 11. Make sure Secure Boot is enabled (at this time, Windows only requires it to be available). According to Microsoft, "Secured-core PCs are twice as resistant to malware infection," so you've just halved your malware attack surface.
If your computer does not meet the Windows 11 requirements, please don't use the bypass. Stick with Windows 10 and start saving for a new, more secure PC.