Windows 11 Security

Solution Providers: Windows 11 Security Is ‘Job No. 1’

Prioritizing security in Windows 11 is the smart thing to do in today’s landscape of increasing cyberattacks, solution providers tell CRN.

By Kyle Alspach

The rollout of Windows 11 is highlighting a major shift in Microsoft’s strategy for the Windows operating system, with the company putting a higher priority on improving security than on enabling the most PC upgrades possible, solution providers and industry analysts told CRN.

For Windows 11, which will be generally available Oct. 5, Microsoft has issued hardware requirements that are far more stringent than users have been accustomed to in the past.

Along with requiring a TPM 2.0 security chip, Windows 11 is only compatible with CPUs released in the past four years. This is also widely seen as a security measure since it ensures that most PCs running Windows 11 will have hardware protections against the Spectre and Meltdown vulnerabilities discovered in 2018.

The requirements for newer CPUs and TPM 2.0 are expected to exclude a significant number of PCs from installing Windows 11, however. That’s a stark departure from Microsoft’s approach with past releases of Windows—especially Windows 10—but is ultimately a worthwhile trade-off, solution providers told CRN.

“I would say that they are prioritizing security first. And I’d say that’s the prudent thing to do, given what’s going on in this environment,” said Matthew Bookspan, CEO of Altamonte Springs, Fla.-based Blacktip. “It’s a smart play.”

The six years since the launch of Windows 10 have seen Microsoft ensnared in a series of massive cyberattacks, even as troubling new hardware-level vulnerabilities such as the Spectre and Meltdown processor flaws have emerged.

While security was a focus for past Windows releases as well, the emphasis on tightening hardware security is a greater focus with Windows 11, analysts told CRN.

“What I think is new is the recognition that it’s not just about fixing the OS, but rather looking at the entire stack from the hardware up through the applications and the user experience and trying to make the entire stack work better and more securely,” said Stephen Kleynhans, research vice president at Gartner. “There are some things you need to do that you can’t do solely in the operating system, which needs the newer hardware.”

The CPU requirements for upgrading to Windows 11 include—with just a few exceptions—having a processor from Intel’s eighth generation and newer, or AMD’s Zen 2 series and up. Those CPU requirements appear to be aligned with mitigations against Spectre and Meltdown side-channel vulnerabilities, analysts told CRN. However, Microsoft has not specifically confirmed this, and some Windows 11-compatible chips did come out before hardware protections for Spectre and Meltdown arrived. Microsoft did not make an executive available to comment for this article.

In an interview with CRNtv in August, Microsoft Channel Chief Rodney Clark said that the Windows 11 chip and security requirements are in part a response to the new places, such as edge devices, where cyberattacks are now originating.

“When you think about the security landscape that we are in today, it’s changed quite a bit,” said Clark, Microsoft’s corporate vice president of global channel sales. “Yesterday’s PC doesn’t necessarily address today’s security concern and tomorrow’s security concern.”

Along with protecting against existing cyberthreats, Microsoft does appear to be trying to set up a stronger security baseline for the future with its Windows 11 security requirements, analysts said.

“I think Microsoft is looking at the things that we know we need to do for security in the future that we simply can’t do on some of the really old hardware,” Kleynhans said. “At some point they knew that they’d have to make a tough call. This is an opportunity to make that tough call.”

‘Security Is Job No. 1’

While Apple has taken a similar approach with macOS, this approach by Microsoft has come as a shock to some Windows users.

In past releases, Windows has tended to support a “long legacy of hardware,” said Tom Mainelli, group vice president for device and consumer research at IDC.

“There are certainly challenges with supporting older hardware, particularly on the security side,” Mainelli said. “I think that Microsoft’s decisions around what will be supported are ultimately in service of driving a better experience and a more secure experience.”

With the Windows 11 processor requirements, it’s evident that “security is job No. 1” for Microsoft, he said.

“Now, you have to prioritize security,” said Zach Saltzman, senior director for the Microsoft platform at Carlsbad, Calif.-based FMT Consultants. “It’s not like when Windows 10 came out when, sure, Microsoft talked about security, but they were just trying to get away from Windows 8.”

Microsoft Is ‘Always In The Middle’

Microsoft has also become a security vendor powerhouse in its own right in recent years, with a portfolio of security offerings ranging from identity to cloud to endpoint protection. Meanwhile, the company’s platforms are not only a prime target for hackers, but have also gotten entangled in numerous high-profile cyberattacks such as the massive SolarWinds compromise and an attack on IT distributor Synnex, now TD Synnex, in July.

“It doesn’t matter where the problem is, Microsoft’s always going to be in the middle of fixing it,” Kleynhans said.

In terms of Windows security specifically, the vulnerabilities known as “PrintNightmare” have been vexing Microsoft and IT departments for the past few months.

Since unveiling Windows 11 in June, Microsoft has made it clear that security is at the forefront of its strategy for the new operating system. A blog post that month, for instance, listed security first among the guiding principles for Windows 11.

Using key Windows 11 security features in combination on test devices—including Windows Hello facial recognition, device encryption, secure boot and virtualization-based security—reduced malware by 60 percent on those devices, Microsoft said.

The solution providers who spoke to CRN said they do believe Windows 11 will be a meaningful step up in security, and they agree with Microsoft’s strategy of putting security first.

“I strongly feel that Microsoft is doing the right thing by prioritizing security” with Windows 11, said Marc Menzies, president and CTO of Ronkonkoma, N.Y.-based Overview Technology Solutions. “I’m fine with them prioritizing security over being able to roll this out to every computer.”

While the TPM 2.0 requirement has caused grumbling among some users, Menzies noted that the security chip is necessary for enabling BitLocker encryption. BitLocker encrypts all data on a device, ensuring that the data cannot be accessed in the event the device is lost or stolen.

“Security needs to be paramount,” Menzies said. “I’m definitely on Microsoft’s side here.”

Spectre, Meltdown ‘Woke Up The Industry’

In terms of the requirements for CPUs made in the past four years, many in the industry believe that this requirement is tied to the Spectre and Meltdown vulnerabilities.

The Spectre and Meltdown processor flaws pose the threat of enabling hackers to access protected data. The discovery of the vulnerabilities “really woke up the industry,” Kleynhans said. “Because it was so fundamental, there was no simple way to get around that one,” he said. “It opened up the [industry’s] eyes that there’s a whole raft of potential new vulnerabilities.”

Software patches against Spectre and Meltdown were rolled out going back multiple generations of processors, but chipmakers agreed it would take a hardware fix to fully solve the issue.

While ensuring strong performance is also a motivation for requiring newer processors, that appears to be secondary to security with the Windows 11 CPU requirements, analysts said.

“The state of security has changed, with hardware embeds being more important to the posture,” said J.P. Gownder, vice president and principal analyst at Forrester.

Notably, Microsoft has pursued its strategy of requiring newer chips even amid an industrywide shortage of components, particularly processors. The shortages are constraining the production of PCs at a time when demand continues to be high and are expected to slow the rollout of Windows 11.

At least in the short term, Mainelli said he sees little evidence that Microsoft is expecting to drive a significant amount of new PC sales via its Windows 11 hardware requirements.

Currently, “the industry can’t make more PCs,” he said. “They’re making as many as they can.”

Fortunately, all indications suggest that upgrades of compatible PCs to Windows 11 will not be nearly as risky as the shift was from Windows 7 to Windows 10, solution providers and analysts said. Because the two operating systems share a similar codebase, application compatibility from Windows 10 to Windows 11 should not be a major issue if one chooses to upgrade—as long as one’s PC meets the CPU and TPM requirements, of course (see footnote).

For businesses that have put off refreshing their PC fleet, upgrading to Windows 11 may simply not be an option until more hardware becomes available.

Still, none of the solution providers who spoke with CRN for this article offered any criticism of Microsoft’s compatibility requirements for Windows 11.

At Kirkland, Wash.-based FusionTek, for instance, CEO Brian Miller applauded Microsoft for sticking to its strategy of putting security ahead of competing considerations. As a managed services provider, “we’re being asked to take care of and be responsible for our clients’ data,” Miller said.

Windows 11, he said, “is just giving us the right tools to do that. This sets that security bar higher.”

Footnote: While there are methods available for running Windows 11 on non-compatible hardware, which Microsoft is allowing but does not openly condone, businesses “should not take that chance,” said Derek Nwamadi, CEO of Dallas-based solution provider Quantum Symphony. Individual users who know what they’re doing may be able to pull this off without issues, but “as a business, it’s just a bad idea,” Nwamadi said.