A couple of days ago, Microsoft published a blog post explaining how Windows 11 is secure-by-default. If you are wondering what that means, the company says that Windows 11 assures excellent hardware-based security out of the box without the need for going into various settings and taking different measures.
Although certain security features like Trusted Platform Module (TPM) or PTT (Platform Trust Technology) in the case of Intel, and Secure Boot, among others, were already introduced during the Windows 10 days, Microsoft made these security features mandatory on Windows 11. (Fun fact: It looks like Microsoft contemplated bringing these changes in Windows 10 itself but evidently, that did not happen).
David Weston, the Vice President, Enterprise and OS Security at Microsoft, said:
It simplifies everything for everyone, including IT admins who may not also be security experts. You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.
Microsoft has in the past explained in detail the benefits of features like TPM 2.0 and VBS (Virtualization-based Security). The company also presented a demo to explain how such features can protect against cybersecurity threats like hacking.
However, security researchers recently pointed out a new vulnerability dubbed “faulTPM” which can lead to bypassing fTPM on AMD systems. And sometimes, bugs in Windows components like Defender can lead to the system not detecting the TPM itself. (TPM attestation bugs exist as well.)
Such drawbacks may be rectified in future releases of Windows 11 as Weston adds that Microsoft is improving the security aspect further, and even hints that more chip-level protections combining modern hardware and software could be in the making. Microsoft states:
Future releases of Windows 11 will continue to add significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software
Windows 11 is a better way for everyone to collaborate, share, and present, all with the confidence of hardware-backed protections.
If you recall, Microsoft Pluton security co-processor already exists, though it is yet to become mainstream as it is AMD-only at the moment. Rumor has it though that Microsoft might make Pluton a mandatory system requirement on Windows 12.
Last year, Microsoft detailed the new security features in version 22H2_23H2 feature update, and the company also recently introduced Rust in the Windows kernel for improved memory security.