Microsoft explains why TPM 2.0 and VBS on Windows 11 are so key for next-gen security


Microsoft’s much-awaited Windows 11 is generally available starting today (check out our review here), and there has been a lot of buzz around its integrated security features and the rather strict system requirements that come with them. The latest commotion has been around the Virtualization-based Security (VBS) feature and how it can adversely affect gaming performance, even on CPUs officially supported by the OS.

VBS is turned on by default in clean Windows 11 installs. In an interview with Computer Reseller News (CRN), David Weston, Partner Director of Enterprise and OS Security at Microsoft, explained why:

What we learned from [Windows] 10 is, if you make things optional, people don’t turn them on. They assume that if it was necessary, it would be on. And so I think that’s a big learning. What we put into 11 is [that] we are going to secure you by default.

He also explained why there is a need for such a feature in the first place:

Even if someone gets admin-level privileges—the highest level of privilege—they still can’t read what’s in this separate VM. It’s the exact same premise as how the cloud works today—you can be on a hardware machine with your bitterest rival, and you cannot read coded data across. We use that exact same technology shrunk down [for Windows 11].

Other than sharing his thoughts on VBS, Weston also talked about the TPM 2.0 requirement in Windows 11 and how all of this together will help Microsoft realize its vision for the future of the OS and Windows PCs:

A lot of this initial release of Windows 11 is not the end goal—it’s the first click stop on our journey. We’re saying, ‘we can now guarantee you have a TPM. That means I can go and make sure every app developer is now storing credentials and keys in hardware.

[…] More applications can support passwordless by default. More applications can do data encryption. More applications can have zero trust protections, because we’ve got that virtualization-based capability to report on their integrity.

What you’ll see in the following versions of Windows 11 is us exploiting that to a much better extent to increase security. So I think this is just the stage setting. This is act one. Act two and three, I think, are going to really bring some massive increases in security.

In fact, back when it announced the Windows 11 system requirements, the Redmond giant claimed that these added security measures reduced malware infections by 60%.
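To see whether the two protections Weston describes are actually in effect on a given PC, the following PowerShell check is an added example (written for this page, not code from the article or from Microsoft). It assumes an elevated session and reads the Win32_DeviceGuard and Win32_Tpm CIM classes plus Get-Tpm; the function name Get-Win11SecurityBaseline is our own.

```powershell
# Added example: report VBS state and TPM 2.0 presence on the local machine.
# Assumes Windows 10/11 and an elevated PowerShell session (Get-Tpm and
# Win32_Tpm need admin rights). Function name is ours, not a built-in.
function Get-Win11SecurityBaseline {
    # VBS state lives in the DeviceGuard CIM class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    # Both rely on the isolated VM Weston describes; an empty array means neither runs.
    $credGuard = $dg.SecurityServicesRunning -contains 1
    $hvci      = $dg.SecurityServicesRunning -contains 2

    # TPM presence/readiness via Get-Tpm; spec version (e.g. "2.0, 0, 1.38") via Win32_Tpm.
    try {
        $tpm     = Get-Tpm
        $tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                   -ClassName 'Win32_Tpm'
        $specVersion = if ($tpmInfo) { ($tpmInfo.SpecVersion -split ',')[0].Trim() } else { 'none' }
        $tpmPresent  = [bool]$tpm.TpmPresent
        $tpmReady    = [bool]$tpm.TpmReady
    } catch {
        # Typically "access denied" when not elevated; report as unknown rather than fail.
        $specVersion = 'unknown'; $tpmPresent = $false; $tpmReady = $false
    }

    [pscustomobject]@{
        VbsStatus         = $vbsState
        CredentialGuard   = $credGuard
        MemoryIntegrity   = $hvci
        TpmPresent        = $tpmPresent
        TpmReady          = $tpmReady
        TpmSpecVersion    = $specVersion
        MeetsTpm2Baseline = ($tpmPresent -and $specVersion -eq '2.0')
    }
}

Get-Win11SecurityBaseline | Format-List
```

A result of VbsStatus 'Enabled, not running' usually means the policy is set but the hypervisor did not start (virtualization disabled in firmware), which is the state to look for when an install does not match the "on by default" claim.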

Source: CRN
