When Windows 11 was introduced in late June 2021, many were excited about the refreshed user interface, and countless PC enthusiasts rushed to download Windows Insider Dev Channel builds of the new operating system.
But as they quickly discovered, the new operating system has several new hardware requirements, imposed so that it can rely on hardware-rooted and virtualization-based security features. These features are essential for protecting both consumer and business workloads from the increasingly sophisticated malware and exploit techniques now in circulation.
As it turns out, all of these features are already built into Windows 10 if you are running the 20H2 release (the Windows 10 October 2020 Update). Whether you are a consumer, a small business or an enterprise, you can take advantage of them today by deploying Group Policy or simply opening the Device security page of the Windows Security app and turning them on. You do not have to wait for Windows 11 to ship or buy a new PC.
Feature 1: TPM 2.0 and Secure Boot
Trusted Platform Module (TPM) is a technology designed to provide hardware-based, security-related cryptographic functions. If your PC was manufactured in the last five years, chances are it has a TPM on the motherboard (a discrete chip, or a firmware TPM such as Intel PTT or AMD fTPM) that implements version 2.0 of the specification. You can check by opening Device Manager and expanding "Security devices": if it lists "Trusted Platform Module 2.0", you are ready.
This appears as “Security Processor” in the Device Security Settings menu in Windows 10 (and Windows 11).
So what does a TPM really do? It generates and stores cryptographic keys that are unique to your system, including an endorsement key that is burned in at manufacture and uniquely identifies that particular TPM. Beyond its traditional uses with smart cards and VPNs, the TPM underpins the boot integrity story. The two pieces are easy to confuse: UEFI Secure Boot verifies the signatures on firmware components and the OS boot loader and refuses to run anything unsigned, while the TPM records measurements (hashes) of the firmware and individual operating system components as they load (Measured Boot), so that BitLocker or a remote attestation service can detect that the boot chain has been tampered with.
There is nothing you need to do to make Secure Boot work; it simply does, provided it is not disabled in the UEFI firmware settings. An organization can also require Secure Boot as a condition for the virtualization-based features described below, through Group Policy or an MDM solution such as Microsoft Endpoint Manager.
While most manufacturers ship their PCs with the TPM turned on, some leave it disabled, so if it does not appear in Device Manager, or appears as disabled, boot into the UEFI firmware settings and look for it there (it may be listed under a vendor name such as PTT or fTPM).
If the TPM has never been prepared for use on your system, you can provision it with the TPM Management console by running tpm.msc from a command prompt or the Run dialog, or with the Initialize-Tpm cmdlet in PowerShell.
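The checks above (TPM present, TPM 2.0, TPM provisioned, Secure Boot on) can be scripted rather than clicked through. The following is an added example, not code from the article, written for an elevated PowerShell prompt on Windows 10; it relies only on the built-in Get-Tpm, Initialize-Tpm and Confirm-SecureBootUEFI cmdlets and the Win32_Tpm WMI class. The function name Test-TpmAndSecureBoot is this example's own.

```powershell
# Added example: readiness check for the TPM 2.0 and Secure Boot requirements.
# Run from an elevated PowerShell prompt. Function name is illustrative, not a Windows cmdlet.
function Test-TpmAndSecureBoot {
    $result = [ordered]@{}

    # Get-Tpm (TrustedPlatformModule module) reports presence and whether the TPM
    # has been provisioned ("ready"); an unprepared TPM shows TpmPresent=True, TpmReady=False.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # Win32_Tpm exposes the spec version string; a TPM 2.0 reports a SpecVersion
    # beginning with "2.0" (for example "2.0, 0, 1.38").
    $wmiTpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.SpecVersion = if ($wmiTpm) { $wmiTpm.SpecVersion } else { 'n/a' }
    $result.Tpm20       = [bool]($wmiTpm -and $wmiTpm.SpecVersion -like '2.0*')

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # on a legacy BIOS boot, so treat the exception as "not available".
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBoot     = $false
        $result.SecureBootNote = 'Legacy BIOS boot or unsupported platform'
    }

    [pscustomobject]$result
}

$state = Test-TpmAndSecureBoot
$state | Format-List

if (-not $state.TpmPresent) {
    Write-Warning 'No TPM visible to Windows: check UEFI setup (it may be disabled or named PTT/fTPM).'
} elseif (-not $state.TpmReady) {
    # Initialize-Tpm provisions a present-but-unprepared TPM; it is the PowerShell
    # equivalent of the "Prepare the TPM" action in tpm.msc.
    Write-Warning 'TPM present but not ready; run Initialize-Tpm (or tpm.msc) to provision it.'
} elseif (-not $state.Tpm20) {
    Write-Warning "TPM is version $($state.SpecVersion); Windows 11 and HVCI want 2.0."
}
if (-not $state.SecureBoot) {
    Write-Warning 'Secure Boot is off or unavailable; enable it in UEFI firmware settings.'
}
```

A machine that prints TpmPresent, TpmReady, Tpm20 and SecureBoot all as True already meets the hardware-root requirements discussed in this section; anything False points at the firmware setting to change.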
Feature 2: Virtualization-based security (VBS) and HVCI
While TPM 2.0 has been common on PCs for as long as six years, the feature that really makes the security rubber meet the road in Windows 10 and Windows 11 is HVCI, Hypervisor-Protected Code Integrity, shown as Memory integrity under Core isolation on the Windows Security Device security page.
Although Windows 11 turns it on by default on supported hardware, in Windows 10 you must turn it on manually. Click "Core isolation details" and flip the Memory integrity switch. It may take about a minute before the system reports it as on, because Windows first scans the installed drivers for ones that are incompatible with HVCI; a driver that fails that check will be blocked from loading once the feature is active, which is the usual cause of a "driver incompatible" message at this step.
This feature is only usable on 64-bit CPUs with hardware virtualization extensions, Intel VT-x or AMD-V. First shipped in 2005, these have been present in almost all desktop systems since at least 2015, or Intel's 6th generation Core (Skylake). HVCI also requires Second Level Address Translation (SLAT), which Intel provides as Extended Page Tables (EPT) within VT-x and AMD as Rapid Virtualization Indexing (RVI, also called nested page tables).
A further requirement for the strongest HVCI configuration is that all I/O devices capable of direct memory access (DMA) sit behind an IOMMU (Input-Output Memory Management Unit), which Intel implements as VT-d and AMD as AMD-Vi. Without it, a malicious or compromised DMA-capable device (a Thunderbolt peripheral, say) could read or write the very memory the hypervisor is protecting.
It sounds like a long list of requirements, but the bottom line is that you are good to go if the Device security page reports that these features are present on your system.
Isn't virtualization used primarily to improve workload density on data center servers, or by software developers to isolate test setups on the desktop or run other operating systems such as Linux? Yes, but virtualization, containerization and sandboxing are now increasingly used to add extra layers of security inside modern operating systems, including Windows.
In Windows 10 and Windows 11, VBS, or virtualization-based security, uses the Windows hypervisor (Hyper-V) to create a secure memory region isolated from the normal operating system. This protected region hosts several security services, Credential Guard and HVCI among them, that can protect against vulnerabilities in the operating system and stop exploits that attempt to defeat its protections.
HVCI uses VBS to strengthen code integrity policy enforcement: it verifies every kernel-mode driver and binary before it is allowed to run and prevents unsigned drivers and system files from being loaded into kernel memory. These restrictions protect vital OS resources and secrets such as user credentials, so even if malware gains access to the kernel, the extent of the exploitation can be limited and contained, because the hypervisor can prevent the malware from executing its own code or reaching those secrets.
VBS can perform a similar function for application code, verifying apps before they launch and running them only if they come from trusted signers. It does this by controlling the permissions assigned to pages of system memory from within the secure region, so that a page becomes executable only after its contents have been verified, and not even a compromised kernel can flip that bit itself. Because the enforcement lives outside the normal kernel, it is far more robust against kernel-mode malware and rootkits.
Think of VBS as Windows' new code enforcement officer: a Robocop for your kernel and your apps, living in a protected memory box made possible by your virtualization-capable CPU.
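The same state the Device security page shows (and msinfo32 lists under "Virtualization-based security") is exposed through the Win32_DeviceGuard WMI class, and the Memory integrity toggle ultimately writes a documented set of registry values. The block below is an added example, not code from the article: it decodes the numeric codes of Win32_DeviceGuard into names, and enables HVCI through the DeviceGuard registry keys that Microsoft documents for this purpose, as an alternative to the UI toggle. The function names Get-VbsState and Enable-Hvci are this example's own. Run it elevated; the change takes effect only after a reboot.

```powershell
# Added example: read VBS/HVCI state and enable HVCI by registry instead of the toggle.
# Function names are illustrative; registry paths are the ones Microsoft documents for VBS/HVCI.
function Get-VbsState {
    $dg = Get-CimInstance -Namespace root/Microsoft/Windows/DeviceGuard -ClassName Win32_DeviceGuard

    # Code tables from the Win32_DeviceGuard class documentation.
    $propNames = @{ 1 = 'BaseVirtualizationSupport'; 2 = 'SecureBoot'; 3 = 'DMAProtection';
                    4 = 'SecureMemoryOverwrite'; 5 = 'UEFICodeReadOnly';
                    6 = 'SMMSecurityMitigations'; 7 = 'ModeBasedExecutionControl' }
    $svcNames  = @{ 1 = 'CredentialGuard'; 2 = 'HVCI'; 3 = 'SystemGuardSecureLaunch';
                    4 = 'SMMFirmwareMeasurement' }
    $vbsStatus = @{ 0 = 'Disabled'; 1 = 'EnabledNotRunning'; 2 = 'EnabledAndRunning' }

    [pscustomobject]@{
        VbsStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties = @($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] })
        ServicesConfigured  = @($dg.SecurityServicesConfigured  | ForEach-Object { $svcNames[[int]$_] })
        ServicesRunning     = @($dg.SecurityServicesRunning     | ForEach-Object { $svcNames[[int]$_] })
    }
}

function Enable-Hvci {
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
    New-Item -Path $hvciKey -Force | Out-Null

    # Turn on VBS and require Secure Boot as the platform security feature.
    # 1 = Secure Boot only; 3 = Secure Boot plus DMA protection (needs an IOMMU, VT-d/AMD-Vi).
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures  -Value 1 -Type DWord

    # Enabled = 1 is what the Memory integrity toggle sets. Locked = 0 leaves it
    # changeable from the UI; Locked = 1 would persist it as a UEFI variable so
    # that only a physically present administrator can turn it off again.
    Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name Locked  -Value 0 -Type DWord
}

$before = Get-VbsState
$before | Format-List

if ($before.ServicesRunning -contains 'HVCI') {
    Write-Host 'HVCI (Memory integrity) is already running.'
} elseif (($before.AvailableProperties -contains 'BaseVirtualizationSupport') -and
          ($before.AvailableProperties -contains 'SecureBoot')) {
    Enable-Hvci
    Write-Host 'HVCI enabled in the registry. Reboot, re-run Get-VbsState and confirm HVCI is under ServicesRunning.'
} else {
    Write-Warning 'Platform lacks virtualization support or Secure Boot; enable them in UEFI first.'
}
```

The distinction between ServicesConfigured and ServicesRunning is the one worth checking after the reboot: HVCI configured but not running usually means the hypervisor could not start (virtualization disabled in firmware, or a conflicting third-party hypervisor) or an incompatible driver was blocked, and the Device security page will say which.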
Feature 3: Microsoft Defender Application Guard (MDAG)
One feature that many Windows users are not familiar with is Microsoft Defender Application Guard (MDAG).
This is another virtualization-based technology (its lightweight Hyper-V containers were known internally as "Krypton") which, combined with the latest Microsoft Edge (and current versions of Chrome and Firefox via an extension), runs the browser in an isolated container so that untrusted websites cannot compromise your system or your business data.
Should the browser session be compromised by malicious scripts or malware, the Hyper-V container, which runs separately from the host operating system, stays isolated from critical system processes and enterprise data, and by default it is discarded when the session ends.
MDAG works together with the network isolation settings configured for your environment, which define your private network boundary through corporate Group Policy: sites inside that boundary open in the normal browser, and everything else opens in the container.
Beyond protecting browser sessions, MDAG can also be used with Microsoft 365 Apps to open untrusted Word, PowerPoint and Excel files in the container, so that they cannot reach trusted resources such as enterprise credentials and data. This capability was released as a public preview in August 2020 for Microsoft 365 E5 customers.
MDAG, available in the Windows 10 Pro, Enterprise and Education SKUs, is enabled from the Windows Features dialog or with a single PowerShell command; it does not require the full Hyper-V role to be installed, only a CPU with virtualization extensions.
While MDAG is aimed primarily at businesses, end users and small businesses can turn it on with a simple script that sets the relevant Group Policy values. This excellent video and related article published on URTech.Ca cover the process in more detail.
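For a single machine, the "simple PowerShell command" is Enable-WindowsOptionalFeature. The block below is an added example, not the article's or URTech.Ca's script: it enables the feature (standalone mode, which needs no further policy) and, for managed deployments, writes the policy value behind the "Turn on Microsoft Defender Application Guard in Managed Mode" Group Policy setting. The registry location and value meaning for that policy (AllowAppHVSI_ProviderSet under HKLM\SOFTWARE\Policies\Microsoft\AppHVSI, 1 = Edge, 2 = Office, 3 = both) are stated from memory here and should be checked against a GPO export before relying on them; the function names are this example's own.

```powershell
# Added example: enable Microsoft Defender Application Guard on Windows 10 Pro/Enterprise/Education.
# Run elevated; a reboot completes the feature install. Function names are illustrative.
function Enable-ApplicationGuard {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    if ($feature.State -eq 'Enabled') {
        Write-Host 'Application Guard is already enabled.'
        return $feature
    }
    # Same action as ticking the box in the Windows Features dialog; -NoRestart lets you
    # reboot on your own schedule instead of immediately.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
}

# Standalone mode (consumers, small businesses): once the feature is on and the machine has
# rebooted, Edge gets a "New Application Guard window" menu entry; no policy is required.

# Managed mode (enterprise): the GPO "Turn on Microsoft Defender Application Guard in Managed Mode"
# is assumed here to map to this policy value (verify against your own GPO export).
#   1 = Edge only, 2 = Microsoft Office only, 3 = Edge and Office.
# Managed mode is only useful together with the network isolation policies that define
# the trusted-site boundary; without them every site opens in the container.
function Set-ApplicationGuardManagedMode {
    param([ValidateSet(1, 2, 3)][int]$ProviderSet = 1)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name AllowAppHVSI_ProviderSet -Value $ProviderSet -Type DWord
}

Enable-ApplicationGuard
# Set-ApplicationGuardManagedMode -ProviderSet 1   # uncomment only for a managed deployment
```

Before running it, confirm the CPU exposes virtualization extensions (the same VT-x/AMD-V with SLAT required for HVCI above); the feature will install without them but the container will fail to start.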