TechLife Australia

Windows 11 and security

What is a TPM, anyway?


So, Windows 11 is around the corner. For new PCs it’s coming out this year, and Windows 10 users will be able to get a free update in 2022. That is, unless their PC is not supported – and many PCs will not be.

As of the time of writing, Windows 11 has a hard requirement of a Trusted Platform Module (TPM) version 2.0, something that many older PCs lack (as well as some new ones, especially ones that have been self-built). It will check during the install if that’s present, and kick you out if you don’t have it.

We say ‘at the time of writing’ because this situation is fluid and Microsoft’s messaging has been somewhat confusing. Originally, only TPM version 1.2 was required. Then that was changed to 2.0. Then it was revealed that some computer manufacturers could forgo the TPM requirements, and users of preview builds of Windows 11 found it was quite trivial to bypass the check and the OS would work fine without the module. Then it was found that even some systems that met all the qualifications for the OS would register as non-compatible due to the CPU (Intel NUCs, for example, are often coming up as incompatible despite meeting every criterion for the operating system).

We’re not sure where this is all going to land in the end, but we thought we’d take this moment to look at Windows 11 security, and the reasons Microsoft is nominally demanding that a TPM be present.

All about TPMs

TPMs were first introduced in 2009, with version 1.2. The specification was updated in 2014 to 2.0, with widespread adoption starting around 2016 (so if your PC is older than that, there’s no way it will meet the official requirements of Windows 11). In many cases a TPM is a physical chip attached to the motherboard of your computer, but in some cases it’s instead implemented in the firmware on the CPU. Either works for Windows 11.

A trusted platform module does a number of things related to security. Its core features include:

It creates unique cryptographic keys for the device it’s attached to (including the specific hardware and software configuration), which allows third-party software to check that it’s talking to the ‘real’ device rather than a hacker trying to spoof the device, and to ensure that the software has not been changed or modified – this includes the computer’s firmware. This is used in Secure Boot (see below), Windows Update and for things like Office 365 licensing, and for other services where the software provider wants to be sure that they’re talking to the right computer and that communications and software haven’t been tampered with. It’s also used in full disk encryption utilities like BitLocker and dm-crypt, where the keys to decrypt the hard drive are stored securely in the TPM, as well as Windows Hello, which stores your biometric data in the TPM.

A hardware random number and cryptographic key generator, which is designed to prevent the spoofing of software-based random number sequences. Many programs will use a TPM to generate keys, though some still prefer to use software.

These features are designed to create “trust” – hence the name. They create a bridge between the hardware, software, and the services that talk to the computer to ensure that everybody is who they say they are and that there have been no modifications to the system that might compromise its integrity, such as firmware-based malware or modifications to applications or the OS.
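To make the idea of keys tied to a specific hardware and software configuration concrete, here is an added toy simulation (our own illustration, not code from the article, Microsoft or any TPM vendor): a model TPM measures each boot component into a PCR, seals a disk-encryption key to that measurement the way BitLocker relies on the TPM, and refuses to release the key once the bootloader has been altered. The class `SimTpm`, the function `provision_then_reboot` and the sample boot-chain byte strings are all constructed for the example.

```python
import hashlib
import hmac
import os

class SimTpm:
    """Toy TPM model (constructed for this article): boot measurement into a PCR plus sealing."""

    def __init__(self):
        self._srk = os.urandom(32)  # storage root key: never leaves the chip
        self.pcr = bytes(32)        # a single SHA-256 PCR, zeroed at power-on

    def extend(self, component: bytes) -> None:
        # PCR extend: PCR = H(PCR || H(component)). One-way and order-dependent,
        # so code that runs later cannot undo or forge an earlier measurement.
        digest = hashlib.sha256(component).digest()
        self.pcr = hashlib.sha256(self.pcr + digest).digest()

    def _wrap_key(self, pcr: bytes) -> bytes:
        # The wrapping key depends on both the chip-internal SRK and the boot state.
        return hmac.new(self._srk, b"seal-policy|" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> dict:
        """Bind a 32-byte secret (think: a BitLocker volume key) to the current PCR."""
        assert len(secret) == 32
        wrapped = bytes(a ^ b for a, b in zip(secret, self._wrap_key(self.pcr)))
        return {"policy_pcr": self.pcr, "blob": wrapped}

    def unseal(self, sealed: dict):
        """Return the secret only if today's measurements match the sealing policy."""
        if not hmac.compare_digest(sealed["policy_pcr"], self.pcr):
            return None  # boot chain changed: refuse (BitLocker would ask for the recovery key)
        return bytes(a ^ b for a, b in zip(sealed["blob"], self._wrap_key(self.pcr)))

# Constructed stand-ins for the binaries real firmware would measure, in boot order.
GOOD_CHAIN = [b"uefi-firmware v1 (sample)", b"bootmgfw.efi (sample)", b"ntoskrnl.exe (sample)"]

def provision_then_reboot(tampered_bootloader: bool) -> bool:
    """Seal a disk key on a clean boot, reboot, and report whether the TPM releases it again."""
    tpm = SimTpm()
    for component in GOOD_CHAIN:
        tpm.extend(component)
    disk_key = os.urandom(32)
    sealed = tpm.seal(disk_key)      # stored on disk next to the encrypted volume
    tpm.pcr = bytes(32)              # power cycle: PCRs reset, SRK and sealed blob persist
    chain = list(GOOD_CHAIN)
    if tampered_bootloader:
        chain[1] = b"bootmgfw.efi (sample, one byte changed)"
    for component in chain:
        tpm.extend(component)
    return tpm.unseal(sealed) == disk_key
```

Only an unmodified boot chain reproduces the sealed PCR value, which is why a changed bootloader or firmware leaves the drive locked until a recovery key is supplied.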

The security features of Windows 11

Which brings us to the security of Windows 11. Oddly enough, Windows 11 brings very little that is completely new to the security of the operating system, but it does implement a lot of existing systems more universally. Things like Windows Hello, Secure Boot, virtualisation-based security (VBS) and hypervisor-protected code integrity (HVCI) were all features that were available in Windows 10 for those that bothered to implement them, but will be more broadly available in Windows 11. According to Microsoft, historically companies that implemented these features saw a 60% reduction in malware infections, so it wants to ensure that everybody is using them.

So let’s take a look at them in turn:

Windows Hello

From a user perspective Windows Hello is probably the most visible security feature of the operating system. Windows Hello is available in Windows 10, found in Start > Settings > Accounts > Sign-in options. It allows you to sign in via a fingerprint, facial recognition or a PIN. Windows Hello on Windows 10 can use but does not require a TPM.

Secure Boot

Originally launched with Windows 8, Secure Boot was and remains controversial since it complicates the installation of other operating systems (though the problem has largely been solved for Linux), but Microsoft sees it as a key pillar in its defence against malware that infects the system firmware or the pre-OS environment such as the boot loader.

With Secure Boot, the computer’s unified extensible firmware interface (UEFI) checks the signature and checksum of any program loaded by the firmware against a list of ‘approved’ programs stored in the TPM. If the program is unapproved – for example, if the bootloader has been modified (which will change its checksum) – then it simply will not load.

Virtualisation-based security (VBS) and hypervisor-protected code integrity (HVCI)

These sound terrifying, but they’re not something you’ll have to think about much as a user. What they do is allow Microsoft and software developers to run programs in a protected sandbox that is protected from interference by other programs. It’s particularly useful, for example, for security solutions that need to be kept free from tampering by hackers who would try to disable or modify them.

It uses the built-in virtualisation features of current Intel and AMD processors as well as Microsoft’s Hypervisor capability, which is commonly used to create “virtual PCs” running inside the current PC. With HVCI, code can be set to run only if it has been signed, and it will also check all the operating system components inside the virtualised PC to ensure that they haven’t been modified.

The upshot is that code running in VBS with HVCI enabled is protected from modification or infection by malware. As a user, it’s not something you have to enable or think about, but having it there ensures that, say, your security suite cannot be compromised and disabled by hackers.

Much like Windows Hello, VBS/HVCI does not technically require a TPM, but having one is highly recommended. Storing the signatures for checking application integrity on the TPM is far more secure than storing them on the hard drive in the OS.

The upshot

For a lot of users, the lack of new security features in Windows 11 may be a disappointment. The main Windows 11 “innovation” is essentially that it’s forcing people to use security systems that already existed, in particular those that use a TPM. That is not, in itself, a bad thing. Many a system has been compromised because the home or business user did not properly apply security controls that they could have, but never bothered to, enable. Windows 11 may not be a security revolution, but we’re going to say it’s a good thing that Microsoft is going to enforce security more rigidly than it has in the past.

A discrete TPM on a motherboard (image source: Wikimedia Commons).

Windows Hello is already right there in Windows 10, but Windows 11’s TPM requirement will make it more secure.
