Microsoft has made a big deal about the increased security in Windows 11. According to Microsoft, the surprisingly high system requirements that prevented many users with even fairly new computers from installing Windows 11 are mainly due to security features. So what’s the deal and how can you make sure you benefit from it?
In this article, we provide the answers and show you how to better protect your privacy — both from Microsoft and others. The more our lives are lived digitally, the more important it is.
Windows 11 security features you didn’t know existed
Many of Windows 11’s system requirements relate to security features that have been around for years in Windows 10 but few outside of corporate IT departments paid attention to. Some of these won’t turn on automatically if you update from Windows 10, but will be enabled on all new computers sold directly with Windows 11. Some are very sensible and don’t affect your computer’s performance at all, while others can have a negative impact and we’ll show you below how to turn them off if you value performance more.
Secure Boot and TPM
To install Windows 11 on your PC at all, it needs a modern processor (Intel 8th-generation or AMD Ryzen 3000 or newer) and two security features: Secure Boot and a so-called trusted platform module (TPM).
Secure Boot has been around for many years, but most PC users haven’t had it running because it hasn’t been compulsory and has mostly felt like an unnecessary hassle. The feature is part of UEFI, the modern replacement for BIOS. It allows the computer’s basic software to detect — and stop — a modified operating system by checking its cryptographic signatures.
Enabling Secure Boot effectively stops sneaky malware that, for example, installs itself under Windows as a so-called bootkit and can covertly read everything that happens on the system. You enable Secure Boot in your computer’s BIOS settings, but activating it is not actually a requirement for installing or running Windows 11 — the requirement is for the computer to be able to use Secure Boot.
TPM, on the other hand, is a requirement for installing and running the new system. There are ways around it, but Microsoft warns that you may miss out on future updates. It’s also unlikely that the TPM requirement is the only thing preventing you from installing Windows 11, as almost all Intel and AMD processors from 2013 onwards have a built-in TPM module.

Unlike Secure Boot, whose benefits are a bit more esoteric, it’s clearer why TPM is a great idea. The basic functions of TPM are the secure storage of encryption keys, certificates and the like, and the secure creation and control of new keys. For example, it could be the encryption key for BitLocker that secures all data on your hard drive, or the encryption key used with Windows Hello for quick login with PIN or facial recognition. Third-party applications like Firefox and Chrome also use TPM if it’s present, even in Windows 10.
This works much like Apple’s “secure enclave” that has protected the iPhone and iPad for many years, and similar features in mobile processors from Qualcomm, Samsung and other manufacturers.
With a TPM enabled, Windows and individual programs that need to generate encryption keys can ask the TPM to do so. The generated keys are only stored there and can never be extracted or copied to other locations. This is much more secure than when keys are generated by the regular processor because a Trojan or other malware could theoretically intercept such keys.

A good example of how TPM protects you is Windows Hello. In Windows 11, Microsoft recommends that you use a Microsoft account and turn off sign-in with the account password so that you can only sign in with Windows Hello — normally a PIN, but you could also use facial recognition or a fingerprint scanner.
Let’s say you are hit by malware with a keylogger that captures everything you type on your keyboard. This includes your PIN, but because the PIN is linked to an encryption key on this particular computer, the malware creators will not be able to log in to your Microsoft account on another machine. If you had logged in with your account password instead, you would have been left with only two-factor authentication to protect you from a hacked account.
Further reading: Here’s where to buy a TPM for Windows 11
Virtualization-based security
The hardware requirement that is really behind Windows 11 requiring such a new computer is something called virtualization-based security or VBS. This means that the system uses the ability of modern processors to run code in virtual machines with their own separate parts of working memory.
Virtualization was first used to run other operating systems inside Windows or another system so that you can, for example, test software or run a program that doesn’t work on your regular system. A common example is Mac users running Windows with a virtual machine to access Windows-specific programs.
Virtualization-based security uses the same techniques to separate certain parts of Windows so that other parts of the system cannot access them. It consists of several different components, some of which are only available in the enterprise versions of Windows and not in the Home version.
Memory integrity
Open Windows Security and select Device Security. If VBS is active, you will see a green tick next to Core isolation and it says “virtualization-based security protects the core parts of your device.” Click on the Core isolation information and you’ll be taken to a submenu where you can enable or disable something called Memory Integrity (the technology behind it is called “hypervisor-enforced code integrity” or HVCI).

This is one of the features VBS enables, which means that Windows places sensitive code in a virtual machine that the rest of the system cannot access, even with admin permissions. This increases security and provides better protection against some malware, but can also lead to lower performance — up to 25 percent less on some machines. Because of this, gamers or people who use their computer for intensive work often choose to disable the feature despite its security benefits.
If you have updated from Windows 10, Memory Integrity is not enabled by default. On new computers that come with the system, it is. If you are experiencing performance issues with your computer, check if the feature is active and try turning it off. If you don’t have a problem with it, it is of course best to keep it active so that your computer is as protected as possible.
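The same three things the sections above describe (Secure Boot, the TPM, and VBS with Memory Integrity) can be read from an elevated PowerShell prompt instead of clicking through Windows Security. This is an added example, not part of the original article; the function name Get-PlatformSecurityStatus is made up for illustration, while the cmdlets and the Win32_DeviceGuard and Win32_Tpm classes are Windows built-ins.

```powershell
# Added example: report Secure Boot, TPM and VBS / Memory Integrity (HVCI) state.
# Run elevated; Get-PlatformSecurityStatus is an illustrative name, not a Windows cmdlet.
function Get-PlatformSecurityStatus {
    $r = [ordered]@{}

    # Secure Boot: $true/$false on UEFI systems; the cmdlet throws on legacy
    # BIOS boot and when the prompt is not elevated.
    try {
        $r.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' }
                        else { 'Disabled (firmware supports it)' }
    } catch [System.PlatformNotSupportedException] {
        $r.SecureBoot = 'Not supported (legacy BIOS boot)'
    } catch [System.UnauthorizedAccessException] {
        $r.SecureBoot = 'Unknown (run elevated)'
    } catch {
        $r.SecureBoot = "Unknown ($($_.Exception.Message))"
    }

    # TPM: present in hardware vs. actually provisioned and usable by Windows.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r.TpmPresent = $tpm.TpmPresent
        $r.TpmReady   = $tpm.TpmReady
    } catch {
        $r.TpmPresent = 'Unknown (run elevated)'
        $r.TpmReady   = 'Unknown (run elevated)'
    }
    # SpecVersion looks like "2.0, 0, 1.59"; the first field is the TPM version.
    $spec = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                            -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmSpecVersion = if ($spec) { ($spec.SpecVersion -split ',')[0].Trim() } else { 'n/a' }

    # VBS and Memory Integrity: in the SecurityServices* arrays, 2 means HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsText = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
    if ($dg) {
        $r.Vbs                       = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        $r.MemoryIntegrityConfigured = $dg.SecurityServicesConfigured -contains 2
        $r.MemoryIntegrityRunning    = $dg.SecurityServicesRunning -contains 2
    } else {
        $r.Vbs = 'Unknown (DeviceGuard class unavailable)'
    }

    [pscustomobject]$r
}

Get-PlatformSecurityStatus | Format-List
```

A machine upgraded from Windows 10 will often show Vbs as Running but MemoryIntegrityRunning as False, which matches the default described above.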
Privacy protection – Microsoft has improved
One of the things Microsoft was most criticised for after the launch of Windows 10 is how the system sends analytics data to the company and how difficult it is to turn off this sharing, as well as how the Start menu was full of ads.
In Windows 11, Microsoft has listened to the criticism and the settings for privacy protection and user data sharing have been significantly improved. The settings for both Windows itself and the authorization of third-party applications to access features such as the camera and your image library are located in Settings -> Privacy & Security. Here’s how to use them and turn off any sharing you don’t want.

The settings panel has three major sections: Security, Windows Permissions, and App permissions. Security is mostly shortcuts to the separate program Windows Security, so it’s the other two that you will use the most.
Windows permissions
General has the important setting for Advertising ID, the unique code that, if you allow it, can be used to track you, so that advertising buyers can, for example, trace a purchase of a product to an advertising banner you clicked on. If you don’t like adverts in your system, turn this off.
Inking and typing personalization: If you use a pen and sometimes write directly on the screen, this setting lets you decide whether Windows should create a customized dictionary for you.
Speech controls whether you want to use Microsoft’s more advanced online speech recognition, which of course sends what you say to Microsoft’s servers. If you switch it off, you’ll have to make do with the less advanced speech recognition directly on your computer.

Diagnostics & Feedback: Here