Windows 11: Microsoft's Director of OS Security explains the tough CPU requirements for Win 11
Microsoft’s Windows 11 launch has been bumpy to say the least. On one hand, early impressions of the new software have been overwhelmingly positive despite it being the initial Beta release and still missing some key features. On the other hand, the launch was hampered by a leaked early build which was then followed by confusion and anger about requirements around TPM 2.0 modules and CPUs, some of which seemed arbitrary.
A new TechRepublic interview with Microsoft’s Director of OS Security, David Weston, has shed some light on the company’s decisions, none of which is necessarily about forcing users to buy new PCs -- even if that might be a side-effect of its choices. As you might expect, given that Microsoft’s TPM 2.0 requirement is security-driven, the same is true of the CPU cut-offs. For better or worse, Microsoft is aiming to get the balance right between security, performance and battery life so users can get the best possible experience on Windows 11.
TPM 2.0, for example, has been a requirement in Windows since 2016, but many vendors didn’t enable it because of performance and battery life concerns. Turning this on along with other existing malware mitigations, which will be a requirement of the final build of Windows 11, increases security protection by 60 percent alone. These features all impact the performance and battery life of PCs that might otherwise be able to run Windows 11, including the Beta right now, which is why the cut-offs are tighter than raw CPU speed alone would suggest.
Weston had this to say:
Virtualization Based Security is on by default [in Windows 11]. Obviously the TPM is there, so that's going to give us the ability to do BitLocker in Windows Hello in more default scenarios. Those are going to allow commercial enterprises to do zero trust and take advantage of things like System Guard. There's a lot of out-of-the-box security value. I want people to flip their laptop open and feel they are much better protected, and we know that they will be, based on looking at threat intelligence versus the default we changed.
Some 7th gen Intel chips and those from other vendors including AMD and Qualcomm are described by Weston as having only ‘limited support’ for these virtualization-based security features, hence their omission. While this may be irksome, it is hard to criticize Microsoft for doing its best to address platform security when this has been a long-standing criticism of Windows.
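For readers who want to see where their own machine stands on the features the article discusses (TPM 2.0 presence and version, Secure Boot, and whether Virtualization Based Security and its services are actually running), the following PowerShell snippet reports them in one place. It is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on Windows 10 or 11 and uses only built-in cmdlets and WMI classes (Get-Tpm, Win32_Tpm, Win32_DeviceGuard, Confirm-SecureBootUEFI). The function name Get-Win11SecurityBaseline is our own.

```powershell
# Added example (not from the article): summarise the Windows 11 security
# prerequisites on the local machine. Run from an elevated PowerShell prompt.

function Get-Win11SecurityBaseline {
    # TPM presence/readiness from the TrustedPlatformModule module, and the
    # spec version from the Win32_Tpm WMI class (SpecVersion looks like
    # "2.0, 0, 1.38"; the first field is the TPM specification level).
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { $null }

    # Virtualization Based Security state. VirtualizationBasedSecurityStatus:
    # 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # Secure Boot underpins VBS/HVCI; the cmdlet throws on legacy-BIOS systems,
    # which we treat as "off".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    [pscustomobject]@{
        TpmPresent        = [bool]$tpm.TpmPresent
        TpmReady          = [bool]$tpm.TpmReady
        TpmSpecVersion    = $tpmSpec
        TpmMeetsWin11     = ($tpmSpec -eq '2.0')
        SecureBoot        = $secureBoot
        VbsStatus         = $vbsState
        CredentialGuardOn = ($dg.SecurityServicesRunning -contains 1)
        MemoryIntegrityOn = ($dg.SecurityServicesRunning -contains 2)
    }
}

Get-Win11SecurityBaseline | Format-List
```

A machine that matches the defaults Weston describes shows TpmMeetsWin11, SecureBoot and VbsStatus = Running; a 7th-gen-or-older system that the article says has only "limited support" will typically report VbsStatus as Not enabled or Enabled, not running, even when a TPM 2.0 is present. The script only reads state; it does not change any setting.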