Just what does Windows 11 bring to the table?
Credit to Author: Susan Bradley| Date: Mon, 09 May 2022 07:43:00 -0700
The other day, my Dad — my bellwether for technology — mentioned in passing that he’d read online that Windows 11 shouldn’t be used and that the operating system wasn’t being adopted.
Dad had a point. He’s more of an Apple user now — I have him on my phone plan to support his tech needs, he uses an iPhone and has an iPad. As his needs have changed, his reliance on Windows devices has decreased. In fact, his current Windows needs involve applications not on the Apple platform. (And because he’s a standalone user, not a domain user, many of the advances in Windows 11 having to do with authentication won’t be available to him.)
“Computerworld” recently noted that the uptake for Windows 11 was moving slowly, with it running on just 1.44% of all systems. This is similar to what I see at home and in my office. At home I have a single computer, a Surface Pro 7, that can run Windows 11. At the office, I only have two computers that support Windows 11.
A lot of users actually can’t run Windows 11. If that’s you, and you’re interested about why you can’t run Windows 11, you can download the Bytejeans tool to find out exactly why. This laptop I use, for example, has a Trusted Platform Module that will support Windows 11. But it doesn’t have Virtualization Based Security (VBS) support in its processor.
Windows 11 ensures that VBS is enabled by default to support Hypervisor-Enforced Code Integrity. While you could argue that in a standalone workstation this protection may not be needed, in the enterprise you’ll want to ensure it is enabled. (This is not a new technology, but the mandate is new.)
VBS is needed for Windows Defender Credential Guard, which protects domain credentials in a network. As noted: “Credential Guard is a virtualization-based isolation technology for LSASS which prevents attackers from stealing credentials that could be used for pass the hash attacks. …After compromising a system, attackers often attempt to extract any stored credentials for further lateral movement through the network. A prime target is the LSASS process, which stores NTLM and Kerberos credentials. Credential Guard prevents attackers from dumping credentials stored in LSASS by running LSASS in a virtualized container that even a user with SYSTEM privileges cannot access. …The system then creates a proxy process called LSAIso (LSA Isolated) for communication with the virtualized LSASS process.”
While this is already working in Windows 10, Windows 11 builds on this protection. Sounds great for businesses, right? But there’s one problem: many users won’t be properly licensed for most of Windows 11’s security goodness. Case in point is Windows Defender Credential Guard — you need an Enterprise license to use it. So while it provides a great deal of protection for your user or login secrets, it’s not available for many users. In future versions of Windows 11, Credential Guard will be enabled by default, but again, only for enterprise customers.
Another new technology I’m excited about is Smart Application Control, though I have some concerns about it. Smart app control, as Microsoft explains it, “prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.
“Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals. When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run. This means Windows 11 users can be confident they are using only safe and reliable applications on their new Windows devices. Smart App Control will ship on new devices with Windows 11 installed. Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature.”
I still install software on a regular basis that is unsigned. So I know ahead of time that Smart Application Control will not work for me either in the office or at home because I can’t run software using a “whitelist” approach. I’m also unsure of what licensing will be needed. Will it be available to all? Will it be an Enterprise-only feature?
Bottom line: Windows 11 will be great for enterprises if you have the right licensing to take advantage of these features. But I’m not convinced it gives you a great advantage at home. If you’re concerned that your older hardware can’t run Windows 11, don’t be. Windows 11 is just the next version of Windows and really doesn’t bring much in the way of security advantages for a typical user. That’s why my Dad will continue to use Windows 10 for now and not worry about Windows 11.