{"id":11692,"date":"2024-08-28T08:00:12","date_gmt":"2024-08-28T15:00:12","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=11692"},"modified":"2024-08-23T14:16:09","modified_gmt":"2024-08-23T21:16:09","slug":"hardware-backed-windows-11-empowers-microsoft-with-secure-by-default-baseline","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/hardware-backed-windows-11-empowers-microsoft-with-secure-by-default-baseline\/","title":{"rendered":"Hardware-backed Windows 11 empowers Microsoft with secure-by-default baseline"},"content":{"rendered":"

\"MicrosoftWindows 11 makes secure-by-default viable thanks to a combination of modern hardware and software. This ready out-of-the-box protection enables us to create a new baseline internally across Microsoft, one that level sets our enterprise to be more secure for a hybrid workplace.<\/p>\n

\u201cWe\u2019ve made significant strides to create chip-to-cloud Zero Trust out of the box,\u201d says David Weston, vice president of Enterprise and OS Security at Microsoft. \u201cWindows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption, and our strongest protection against malware.\u201d<\/p>\n

This new baseline for protection is one of several reasons Microsoft upgraded to Windows 11.<\/p>\n

In addition to a better user experience and improved productivity for hybrid work, the new hardware-backed security features create the foundation for new protections. This empowers us to not only protect our enterprise but also our customers.<\/p>\n

[Discover how Microsoft uses Zero Trust to protect our users.<\/a> Learn how new security features for Windows 11 help protect hybrid work.<\/a> Find out about Windows 11 security by design from chip to the cloud.<\/a> Get more information about how Secured-core devices protect against firmware attacks.<\/a>]<\/em><\/p>\n

How Windows 11 advanced our security journey<\/h2>\n
\"Weston
Upgrading to Windows 11 gives you more out-of-the-box security options for protecting your company, says David Weston, vice president of Enterprise and OS Security at Microsoft.<\/figcaption><\/figure>\n

Security has always been the top priority here at Microsoft.<\/p>\n

We process an average of 65 trillion signals per day, with 2.5 billion of them being endpoint queries, including more than 1,200 password attacks blocked per second. We can analyze these threats to get better at guarding our perimeter, but we can also put new protections in place to reduce the risk posed by persistent attacks.<\/p>\n

In 2019, we announced Secured-core PCs designed to utilize firmware protections for Windows users<\/a>. Enabled by Trusted Platform Module (TPM) 2.0 chips, Secured-core PCs protect encryption keys, user credentials, and other sensitive data behind a hardware barrier. This prevents bad actors and malware from accessing or altering user data and goes a long way in addressing the volume of security events we experience.<\/p>\n

\u201cOur data shows that these devices are more resilient to malware than PCs that don\u2019t meet the Secured-core specifications,\u201d Weston says. \u201cTPM 2.0 is a critical building block for protecting user identities and data. For many enterprises, including Microsoft, TPM facilitates Zero Trust security by measuring the health of a device using hardware that is resilient to tampering common with software-only solutions.\u201d<\/p>\n

We\u2019ve long used Zero Trust\u2014always verify explicitly, offer least-privilege access, and assume breach\u2014to keep our users and environment safe. Rather than behaving as though everything behind the corporate firewall is secure, Zero Trust reinforces a motto of \u201cnever trust, always verify.\u201d<\/p>\n

The additional layer of protection offered by TPM 2.0 makes it easier for us to strengthen Zero Trust. That\u2019s why hardware plays a big part in Windows 11 security features. The hardware-backed features of Windows 11 create additional interference against malware, ransomware, and more sophisticated hardware-based attacks.<\/p>\n

At a high level, Windows 11 enforced sets of functionalities that we needed anyway. It drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.<\/p>\n

\u2014Carmichael Patton, principal program manager, Digital Security and Resilience<\/p>\n<\/blockquote>\n

Windows 11 is the alignment of hardware and software to elevate security capabilities. By enforcing a hardware requirement, we can now do more than ever to keep our users, products, and customers safe.<\/p>\n

Setting a new baseline at Microsoft<\/h2>\n
\"Patton
Windows 11 reduces how many policies you need to set up for your security protections to kick in, says Carmichael Patton, a principal program manager with Microsoft Digital Security and Resilience.<\/figcaption><\/figure>\n

While some security features were previously available via configuration, TPM 2.0 allows Windows 11 to protect users immediately, without IT admins or security professionals having to set specific policies.<\/p>\n

\u201cAt a high level, Windows 11 enforced sets of functionalities that we needed anyway,\u201d says Carmichael Patton, a principal program manager with Digital Security and Resilience, the organization responsible for protecting Microsoft and our products. \u201cIt drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.\u201d<\/p>\n

Thus, getting Windows 11 out to our users was a top priority.<\/p>\n

Over the course of five weeks, we were able to deploy Windows 11 across 90 percent of eligible devices at Microsoft. Proving to be the least disruptive release to date, this effort assured our users would be immediately covered by baseline protections for a hybrid world.<\/p>\n

We can now look across our enterprise and know that users running Windows 11 have a consistent level of protection in place.<\/p>\n

The real impact of secure-by-default<\/h2>\n

Moving from configurable to built-in protection means that Windows 11 becomes the foundation for secure systems as you move up the stack.<\/p>\n

It simplifies everything for everyone, including IT admins who may not also be security experts. You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.<\/p>\n

\u2014David Weston, vice president, Enterprise and OS Security<\/p>\n<\/blockquote>\n

Applications, identity, and the cloud are able to build off the hardware root-of-trust that Windows 11 derives from TPM 2.0. Application security measures like Smart App Control and passwordless sign-in from Windows Hello for Business are all enabled due to hardware-backed protections in the operating system.<\/p>\n

Secure-by-default does all of this without removing the important flexibility that has always been part of Windows.<\/p>\n

\u201cIt simplifies everything for everyone, including IT admins who may not also be security experts,\u201d Weston says. \u201cYou can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.\u201d<\/p>\n

\"Key
\nGoing forward, IT admins working in Windows 11 no longer need to put extra effort in enabling and testing security features for performance compatibility. Windows 11 makes it easier for us to gain security value without extra work.<\/p>\n

This is important when you consider productivity, one of the other drivers for Windows 11. We need to empower our users to stay productive wherever they are. These new security components go hand-in-hand with our productivity requirements. Our users stay safe without seeing any decline in quality, performance, or experience.<\/p>\n

\u201cWith Windows 11, the focus is on productivity and thinking about security from the ground up,\u201d Patton says. \u201cWe know we can do these amazing things, especially with security being front and center.\u201d<\/p>\n

Now that Windows 11 is deployed across Microsoft, we can take advantage of TPM 2.0 to bring even greater protections to our users, customers, and products. We\u2019ve already seen this with the Windows 11 2022 update.<\/p>\n

For example, Windows Defender App Control (WDAC) enables us to prevent scripting attacks while protecting users from running untrusted applications associated with malware. Other updates include improvements to IT policy and compliance through config lock: a feature that monitors and prevents configuration drift from occurring when users with local admin rights change settings.<\/p>\n

These are the kinds of protections made possible with Windows 11.<\/p>\n

\u201cFuture releases of Windows 11 will continue to add significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software,\u201d Weston says. \u201cWindows 11 is a better way for everyone to collaborate, share, and present, all with the confidence of hardware-backed protections.\u201d<\/p>\n

\"Try<\/p>\n