Why Microsoft Is So Hell-Bent On Windows 11 TPM And Cloud Security Requirements
With the launch of Window 11 taking place today, Microsoft is providing some background on why it has taken such a hardline stance on TPM 2.0 and Virtualization-Based Security (VBS), the latter of which we recently discussed regarding its negative effect on PC gaming performance.
David Weston, Microsoft director of OS and enterprise security, spoke with CRN about the company's controversial decisions with Windows 11. The primary motivation, according to Weston, was to improve security across the board for consumers and businesses, and that meant making some hard decisions regarding hardware requirements.
"What we learned from 10 is, if you make things optional, people don't turn them on," said Weston. "They assume that if it was necessary, it would be on. And so I think that's a big learning. What we put into 11 is [that] we are going to secure you by default."
For example, Weston said that only 8 generation Intel processors and newer support all the functionality of VBS and TPM 2.0 while hitting its internal performance requirements. That's why only a select few 7 generation Core processors are supported by Windows 11, while the vast majority are blocked.
"Ultimately, we could have chosen many lines," he added. "But we used data analysis around reliability, performance, and security to get there, and that is how we landed on that particular bar."
And even though VBS seemingly has the potential to tank gaming performance, there's a reason for Microsoft's action on this front with Windows 11. "Even if someone gets admin-level privileges—the highest level of privilege—they still can't read what's in this separate [virtual machine]," Weston said. "It's the exact same premise as how the cloud works today—you can be on a hardware machine with your bitterest rival, and you cannot read coded data across. We use that exact same technology shrunk down [in Windows 11]."
"A lot of this initial release of Windows 11 is not the end goal—it's the first click stop on our journey," Weston goes on to explain. "What you'll see in the following versions of Windows 11 is us exploiting [zero trust protections and virtual-based capability] to a much better extent to increase security. So, I think this is just the stage setting. This is act one. Act two and three, I think, are going to really bring some massive increases in security."
Microsoft's reasoning for being strict with hardware requirements seems to be sound, even if some people are incensed by the restrictions. We highly recommend that you check out the full CRN interview, as it goes into a lot more detail about Microsoft's security philosophy with Windows 11.
And remember, you do have the option to perform a clean install of Windows 11 on a system that doesn't meet all of Microsoft's system requirements. However, you potentially lose out on future security updates, which would make that decision foolish at best for enthusiasts and businesses.