According to Microsoft, the company invests $1 billion annually in cloud security and employs over 3,500 security professionals. With such resources, it’s not going to ignore the security of its flagship product, Windows. In Windows 11, rather than simply offering new features, Microsoft is requiring them and stepping up the hardware security requirements for PCs running Windows 11.
In a zero-trust environment, a device trusts nothing. It demands authentication for as many tasks, both hardware and software, as possible and ensures the device grants access to the least amount of information required. Here are some ways Windows 11 enforces zero trust.
Click the banner below to get access to customized content by becoming an Insider.
Passwordless Authentication
Released with Windows 10, Microsoft facial recognition software again makes an appearance in Windows 11. Windows Hello allows users to keep information protected and to drop passwords entirely in favor of more secure, cryptographic identification.
In Windows 10, Windows Hello was disabled by default. In Windows 11, Windows Hello will be on by default, and Windows will prompt you to set it upon first signing in.
LEARN ABOUT: Zero-trust security for state and local governments.
Cloud-Based Zero-Trust Policies
Administrators in large agencies already rely on various security policies to harden devices and communication. Windows 11 brings a method of validating cloud resources at scale known as Microsoft Azure Attestation.
Microsoft Azure Attestation is a policy-driven service that creates a cryptographic token from a device’s Trusted Platform Module 2.0 chip. That token is then provided to Azure to authenticate an endpoint’s identity. Administrators can create and upload attestation policies via the Microsoft Azure Attestation service in the Azure portal.
Virtualization-Based Security
In response to historic attacks like Spectre and Meltdown, Windows 11 includes the successor to the memory integrity feature known as hypervisor-protected code integrity. HVCI, enabled by default, virtualizes memory and processes data in silos.
Virtualizing and segmenting memory allows devices to adhere to the zero-trust model by executing instructions in complete isolation. Administrators may still control this feature via a registry key.
EXPLORE: What you need to know before adopting Windows 11.
Secure Boot by Default
Secure Boot, a Unified Extensible Firmware Interface feature released with Windows 10, makes another comeback in Windows 11. Secure Boot creates a digital signature that prevents malicious binaries from executing on boot.
Previously an optional feature, Secure Boot now becomes mandatory in Windows 11.