Contents

Deep Dives

Windows 11 Security and TPM 2.0: What You Need to Know

Microsoft recently released Windows 11, its latest operating system (OS). This new OS has enhanced security features that reduce malware on tested devices by 60%. However, it also comes with strict hardware requirements, such as TPM 2.0.

Windows 11 Security Features: What's New?

Microsoft has set a high bar for hardware requirements to create a secure platform with Windows 11. It made its Secured-core PC standards the new baseline, so some technologies optional in Windows 10 are mandatory in the latest OS.

Windows 11 is more secure than Windows 10, offering these key security features:

Virtualization-Based Security

Virtualization-based security (VBS) isolates a region of memory separate from the rest of the OS, in which Windows can host security software. This feature helps protect these solutions, which are prime targets of many cyberattacks and malicious exploits.

The UEFI Secure Boot

If a PC boots up with corrupted code, malicious attacks, rootkits, and unauthorized software updates can take place before the OS launches. United Extensible Firmware Interface (UEFI) Secure Boot verifies that a computer only boots up with code from a trusted source (e.g., PC manufacturer, chip maker, Microsoft) to guard against exploits during system start-up.

Microsoft Azure Attestation

Microsoft Azure Attestation (MAA) remotely verifies the trustworthiness of a platform, including the integrity of the system's hardware and software. This feature allows organizations to enforce Zero Trust policies when using resources in the cloud.

Passwordless Access

Windows Hello's passwordless access uses a PIN, fingerprint, or facial recognition to authenticate a user's identity. It allows IT administrators to retain granular control over authentication methods to ensure compliance with company policy.

An info-graphic of an iMac with a password field populated. To right right of the iMac the text reads: 81% of hacking-related breaches use stolen or weak passwords. Source: query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3YNUI

Windows 11 and TPM 2.0

We can't talk about Windows 11 security without considering Trusted Platform Module (TPM), an international standard used in cryptoprocessors to secure hardware through integrated cryptographic keys.

Windows 11 requires TPM 2.0 to store encryption keys, passwords, and certificates and support other security features, such as Windows Hello for identity protection and BitLocker for data protection. The TPM chip uses the stored information to identify and authenticate devices, software, and users.

The Pluton TPM architecture prevents physical attacks that target the communication path between the CPU and the TPM. Its unique Secure Hardware Cryptography Key (SHACK) technology ensures that encryption keys aren't exposed outside the protected hardware.

Compared to the older TPM 1.2, TPM 2.0 supports greater crypto agility and more robust cryptographic algorithms to strengthen authentication. For example, TPM 2.0 supports newer algorithms that improve drive signing and key generation performance. It has achieved ISO standardization and offers a consistent experience across various implementations.

To see if a device has a compatible TPM for Windows 11, go to Settings > System > About > BitLocker Settings to confirm that "TPM is ready for use." You can also verify the presence of a TPM chip by going to Device Manager > Security devices or with UEFI to ensure that it's enabled.

A screenshot of the Windows 11 Device Manager with the "About" tab selected. A red box draws attention to a link in the dialog box called "BitLocker settings"

Key Challenges and Considerations with Windows 11 Security

While Windows 11 offers many improved security features, implementing this new OS isn't without its challenges. Here's what you should consider:

Upgraded Hardware Requirements

Windows 11 requires a 64-bit, 1 GHz processor with virtualization extensions and at least two cores, plus HVCI-compatible drivers. These specs translate into a device with at least an 8th generation Intel CPU, an AMD Zen 2, or a Qualcomm Snapdragon 8180 to ensure that you don't sacrifice performance and usability for security.

These new requirements may require a substantial upfront investment on new devices and deter some companies from upgrading to the new OS right away.

An info-graphic that shows 10 people icons with 2 of them faded out. To the right of the icons the text reads: 8 in 10 security experts think that software alone cannot protect from emerging threats"

The Risks of TPM 2.0 Bypass

Microsoft has published a method to bypass the TPM 2.0 requirements so users can install Windows 11 on older machines with TPM 1.2 enabled. The process involves changing the registry key values in the OS to make the system ignore the check for TPM 2.0.

However, if you install Windows 11 on unsupported hardware, the PC will no longer be supported by Microsoft or entitled to receive updates. Furthermore, damages to any machine due to lack of compatibility aren't covered under the manufacturer's warranty. Not to mention, you won't be able to take advantage of many of the Windows 11 security features.

Kolide has developed a check to detect the TPM 2.0 bypass. Our software will flag devices that have bypassed the TPM 2.0 requirement so IT has insight into which machines may run into compatibility issues. It can also send automated messages to affected end-users that tells them how to downgrade or to contact the IT team for a hardware upgrade.

A screenshot of the Kolide check's UI showing the Windows 11 TPM/CPU Bypass Check"

Kolide's Check to detect the TPM 2.0 bypass.

New Threats and Social Engineering

Threat actors will adapt to the new features. Well-funded Advanced Persistent Threat (APT) groups will uncover loopholes, and ransomware groups will find low-hanging fruits. Not to mention, it's hard to defend against social engineering with technology solutions alone.

The human factor is often the weakest link in the security chain. If employees fail to follow your security policy or adopt cybersecurity best practices, they could compromise access to your systems and networks.

How To Make the Most of Windows 11 Security Features

Installing Windows 11 and accessing the new security features is only half the story. You also need to ensure that employees use them effectively to stay safe by incorporating these best practices into your IT policy:

  • Keep Windows 11 up to date: Ensure that the latest patches and bug fixes are installed in the OS.

  • Select login options: Use facial recognition or fingerprint recognition, if available, instead of a password.

  • Enable built-in security tools: Set security features (e.g., malware scan) to run automatically in the background.

  • Switch on reputation-based and exploitation protection: Protect against suspicious apps and remote hacking attacks while browsing online.

  • Manage application permission: Ensure that only trusted applications can access the device's location, camera, and microphone.

  • Encrypt the data: Enable device encryption from the Windows 11 settings screen to protect data stored on the device.

Ensure Endpoint Security For Any Device

Windows 11 is a big step forward in device security, but it's not the be-all-end-all solution.

What if you have devices that don't run on Windows 11? How do you address concerns and challenges that aren't covered by its security features, such as new threats and social engineering? How can you make sure all employees adhere to your information security policy all the time?

You need endpoint security measures to support a secure operating system.

An endpoint security solution works on any OS and supports any device. It's regularly updated to detect new and emerging threats, including risky behaviors that can cause employees to fall prey to social engineering schemes.

Some endpoint security software, such as Kolide, allows you to customize alerts and notifications based on your IT policy. You can also easily compile all the necessary information to demonstrate compliance with standards and regulations.

A high-level mock-up of Kolide's Slack application asking a user to fix several issues on their device

Kolide engages with end-users via Slack.

Meanwhile, Kolide takes endpoint security to the next level with proactive measures based on the Honest Security principles. Our user-first approach explains to employees how your IT policy works. They can learn how to curb risky behaviors and improve the security on their devices (e.g., installing patches, removing sensitive data) at the point of performance.

Try Kolide for free to see how we can help you crowdsource security, so IT doesn't have to track down every device to enforce rigid management.

Share this story:

More articles you
might enjoy:

Tutorials
How to Set up Windows File Integrity Monitoring Using Osquery and Kolide
Fritz Ifert-Miller
Tutorials
How to Read Nested Complex Plists in Osquery
Fritz Ifert-Miller
Changelog
New Inventory: Windows Defender and XProtect Reports
Kolide
Try Kolide Free
Try Kolide Free