Windows 11 makes secure-by-default viable thanks to a combination of modern hardware and software. This ready out-of-the-box protection enables us to create a new baseline internally across Microsoft, one that level sets our enterprise to be more secure for a hybrid workplace.
“We’ve made significant strides to create chip-to-cloud Zero Trust out of the box,” says David Weston, vice president of Enterprise and OS Security at Microsoft. “Windows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption, and our strongest protection against malware.”
This new baseline for protection is one of several reasons Microsoft upgraded to Windows 11.
In addition to a better user experience and improved productivity for hybrid work, the new hardware-backed security features create the foundation for new protections. This empowers us to not only protect our enterprise but also our customers.
[Discover how Microsoft uses Zero Trust to protect our users. Learn how new security features for Windows 11 help protect hybrid work. Find out about Windows 11 security by design from chip to the cloud. Get more information about how Secured-core devices protect against firmware attacks.]
How Windows 11 advanced our security journey
Security has always been the top priority here at Microsoft.
We process an average of 65 trillion signals per day, with 2.5 billion of them being endpoint queries, including more than 1,200 password attacks blocked per second. We can analyze these threats to get better at guarding our perimeter, but we can also put new protections in place to reduce the risk posed by persistent attacks.
In 2019, we announced Secured-core PCs designed to utilize firmware protections for Windows users. Enabled by Trusted Platform Module (TPM) 2.0 chips, Secured-core PCs protect encryption keys, user credentials, and other sensitive data behind a hardware barrier. This prevents bad actors and malware from accessing or altering user data and goes a long way in addressing the volume of security events we experience.
“Our data shows that these devices are more resilient to malware than PCs that don’t meet the Secured-core specifications,” Weston says. “TPM 2.0 is a critical building block for protecting user identities and data. For many enterprises, including Microsoft, TPM facilitates Zero Trust security by measuring the health of a device using hardware that is resilient to tampering common with software-only solutions.”
We’ve long used Zero Trust—always verify explicitly, offer least-privilege access, and assume breach—to keep our users and environment safe. Rather than behaving as though everything behind the corporate firewall is secure, Zero Trust reinforces a motto of “never trust, always verify.”
The additional layer of protection offered by TPM 2.0 makes it easier for us to strengthen Zero Trust. That’s why hardware plays a big part in Windows 11 security features. The hardware-backed features of Windows 11 create additional interference against malware, ransomware, and more sophisticated hardware-based attacks.
At a high level, Windows 11 enforced sets of functionalities that we needed anyway. It drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.
—Carmichael Patton, principal program manager, Digital Security and Resilience
Windows 11 is the alignment of hardware and software to elevate security capabilities. By enforcing a hardware requirement, we can now do more than ever to keep our users, products, and customers safe.
Setting a new baseline at Microsoft
While some security features were previously available via configuration, TPM 2.0 allows Windows 11 to protect users immediately, without IT admins or security professionals having to set specific policies.
“At a high level, Windows 11 enforced sets of functionalities that we needed anyway,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the organization responsible for protecting Microsoft and our products. “It drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.”
Thus, getting Windows 11 out to our users was a top priority.
Over the course of five weeks, we were able to deploy Windows 11 across 90 percent of eligible devices at Microsoft. Proving to be the least disruptive release to date, this effort assured our users would be immediately covered by baseline protections for a hybrid world.
We can now look across our enterprise and know that users running Windows 11 have a consistent level of protection in place.
The real impact of secure-by-default
Moving from configurable to built-in protection means that Windows 11 becomes the foundation for secure systems as you move up the stack.
It simplifies everything for everyone, including IT admins who may not also be security experts. You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.
—David Weston, vice president, Enterprise and OS Security
Applications, identity, and the cloud are able to build off the hardware root-of-trust that Windows 11 derives from TPM 2.0. Application security measures like Smart App Control and passwordless sign-in from Windows Hello for Business are all enabled due to hardware-backed protections in the operating system.
Secure-by-default does all of this without removing the important flexibility that has always been part of Windows.
“It simplifies everything for everyone, including IT admins who may not also be security experts,” Weston says. “You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.”
Going forward, IT admins working in Windows 11 no longer need to put extra effort in enabling and testing security features for performance compatibility. Windows 11 makes it easier for us to gain security value without extra work.
This is important when you consider productivity, one of the other drivers for Windows 11. We need to empower our users to stay productive wherever they are. These new security components go hand-in-hand with our productivity requirements. Our users stay safe without seeing any decline in quality, performance, or experience.
“With Windows 11, the focus is on productivity and thinking about security from the ground up,” Patton says. “We know we can do these amazing things, especially with security being front and center.”
Now that Windows 11 is deployed across Microsoft, we can take advantage of TPM 2.0 to bring even greater protections to our users, customers, and products. We’ve already seen this with the Windows 11 2022 update.
For example, Windows Defender App Control (WDAC) enables us to prevent scripting attacks while protecting users from running untrusted applications associated with malware. Other updates include improvements to IT policy and compliance through config lock: a feature that monitors and prevents configuration drift from occurring when users with local admin rights change settings.
These are the kinds of protections made possible with Windows 11.
“Future releases of Windows 11 will continue to add significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software,” Weston says. “Windows 11 is a better way for everyone to collaborate, share, and present, all with the confidence of hardware-backed protections.”