{"id":11692,"date":"2023-06-29T08:00:00","date_gmt":"2023-06-29T15:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=11692"},"modified":"2026-04-09T07:49:15","modified_gmt":"2026-04-09T14:49:15","slug":"hardware-backed-windows-11-empowers-microsoft-with-secure-by-default-baseline","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/hardware-backed-windows-11-empowers-microsoft-with-secure-by-default-baseline\/","title":{"rendered":"Hardware-backed Windows 11 empowers Microsoft with secure-by-default baseline"},"content":{"rendered":"\n


Windows 11 makes secure-by-default viable thanks to a combination of modern hardware and software. This ready out-of-the-box protection enables us to create a new baseline internally across Microsoft, one that brings our whole enterprise to a consistent, stronger security posture for a hybrid workplace.

“We’ve made significant strides to create chip-to-cloud Zero Trust out of the box,” says David Weston, vice president of Enterprise and OS Security at Microsoft. “Windows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption, and our strongest protection against malware.”

This new baseline for protection is one of several reasons Microsoft upgraded to Windows 11.

In addition to a better user experience and improved productivity for hybrid work, the new hardware-backed security features create the foundation for new protections. This empowers us to protect not only our enterprise but also our customers.

How Windows 11 advanced our security journey
\"Weston
Upgrading to Windows 11 gives you more out-of-the-box security options for protecting your company, says David Weston, vice president of Enterprise and OS Security at Microsoft.<\/figcaption><\/figure>\n\n\n\n

Security has always been the top priority here at Microsoft.

We process an average of 65 trillion signals per day, with 2.5 billion of them being endpoint queries, including more than 1,200 password attacks blocked per second. Analyzing these threats helps us get better at guarding our perimeter, and we can also put new protections in place to reduce the risk posed by persistent attacks.

In 2019, we announced Secured-core PCs designed to utilize firmware protections for Windows users. Enabled by Trusted Platform Module (TPM) 2.0 chips, Secured-core PCs protect encryption keys, user credentials, and other sensitive data behind a hardware barrier. This prevents bad actors and malware from accessing or altering user data and goes a long way in addressing the volume of security events we experience.

“Our data shows that these devices are more resilient to malware than PCs that don’t meet the Secured-core specifications,” Weston says. “TPM 2.0 is a critical building block for protecting user identities and data. For many enterprises, including Microsoft, TPM facilitates Zero Trust security by measuring the health of a device using hardware that is resilient to tampering common with software-only solutions.”

We’ve long used Zero Trust—always verify explicitly, offer least-privilege access, and assume breach—to keep our users and environment safe. Rather than behaving as though everything behind the corporate firewall is secure, Zero Trust reinforces a motto of “never trust, always verify.”

The additional layer of protection offered by TPM 2.0 makes it easier for us to strengthen Zero Trust. That’s why hardware plays a big part in Windows 11 security features. The hardware-backed features of Windows 11 add further barriers against malware, ransomware, and more sophisticated hardware-based attacks.


Windows 11 aligns hardware and software to elevate security capabilities. By enforcing a hardware requirement, we can now do more than ever to keep our users, products, and customers safe.

Setting a new baseline at Microsoft
\"Patton
Windows 11 reduces how many policies you need to set up for your security protections to kick in, says Carmichael Patton, a principal program manager with Microsoft Digital Security and Resilience.<\/figcaption><\/figure>\n\n\n\n

While some security features were previously available via configuration, TPM 2.0 allows Windows 11 to protect users immediately, without IT admins or security professionals having to set specific policies.

“At a high level, Windows 11 enforced sets of functionalities that we needed anyway,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the organization responsible for protecting Microsoft and our products. “It drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.”

Thus, getting Windows 11 out to our users was a top priority.

Over the course of five weeks, we were able to deploy Windows 11 across 90 percent of eligible devices at Microsoft. The least disruptive release to date, this effort ensured our users were immediately covered by baseline protections for a hybrid world.

We can now look across our enterprise and know that users running Windows 11 have a consistent level of protection in place.

The real impact of secure-by-default

Moving from configurable to built-in protection means that Windows 11 becomes the foundation for secure systems as you move up the stack.


Applications, identity, and the cloud can all build on the hardware root of trust that Windows 11 derives from TPM 2.0. Application security measures like Smart App Control and passwordless sign-in with Windows Hello for Business are enabled by hardware-backed protections in the operating system.

Secure-by-default does all of this without removing the important flexibility that has always been part of Windows.

“It simplifies everything for everyone, including IT admins who may not also be security experts,” Weston says. “You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.”
