When Windows 11 debuted last June, many were excited about its revamped user interface, and countless PC enthusiasts rushed to download Windows Insider Developer Channel builds of the new operating system.
But, as they quickly discovered, the new operating system imposes several new requirements on PCs in order to support its hardware-based and virtualization-based security features. These features are essential to protect home and business workloads from today’s malware.
It turns out that all of these features are already built into Windows 10 if you’re using version 20H2 (Windows 10 October 2020 Update). You can take advantage of this by implementing Group Policy or simply clicking the Windows 10 “Device Security” menu to enable them. You don’t have to wait for Windows 11 to launch or buy a new PC.
The “Security and Peripherals” menu in Windows 10 20H2. Jason Perlow.
Feature 1: TPM 2.0 and Secure Boot
Trusted Platform Module (TPM) is a technology designed to provide hardware-based and security-related cryptographic functions. If your PC was manufactured in the last five years, the TPM chip on your motherboard is likely version 2.0 compliant. You can determine this by opening “Device Manager” and expanding “Security Devices”. If it says “Trusted Platform Module 2.0,” you’re good to go.
Microsoft Windows Device Manager with TPM 2.0. Jason Perlow.
This appears as “Security Processor” in the “Device Security Settings” menu in Windows 10 (and Windows 11).
What does the TPM actually do? It generates and stores cryptographic keys specific to your system, including an RSA key unique to your system’s TPM. In addition to its traditional use with smart cards and VPNs, the TPM supports the Secure Boot process: it measures the integrity of the operating system boot code, including firmware and individual operating system components, to ensure that they have not been tampered with.
There is nothing you need to do to make Secure Boot work; it simply works, as long as it is not disabled in your UEFI firmware settings. Your organization can choose to enforce Secure Boot in Windows 10 through Group Policy or an enterprise MDM solution such as Microsoft Endpoint Manager.
While most manufacturers ship their PCs with TPM enabled, some may have it disabled, so if it doesn’t show up in Device Manager or is disabled, launch the UEFI firmware setup and take a look.
If the TPM was never prepared for use on your system, run tpm.msc from the command line to open the TPM management console and prepare it from there.
Security chip details (TPM 2.0) in Windows Security and Peripherals.
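The Feature 1 checks above (TPM 2.0 present and ready, Secure Boot on) can be scripted instead of clicking through Device Manager; the following is an added example, not code from the article, and uses only cmdlets that ship with Windows 10. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): report TPM and Secure Boot readiness.
function Get-Feature1Readiness {
    # Get-Tpm comes from the TrustedPlatformModule module built into Windows 10.
    $tpm = Get-Tpm

    # Win32_Tpm exposes SpecVersion as a string such as "2.0, 0, 1.59"; the first
    # field is the TPM specification version the article asks you to look for.
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'n/a' }

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems, so treat that as "off".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    [pscustomobject]@{
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady        # $false means: run tpm.msc and prepare it
        TpmSpecVersion = $specVersion
        TpmIs20        = ($specVersion -eq '2.0')
        SecureBootOn   = $secureBoot
        Feature1Ready  = ($tpm.TpmPresent -and $specVersion -eq '2.0' -and $secureBoot)
    }
}

Get-Feature1Readiness | Format-List
```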
Feature 2: Virtualization Based Security (VBS) and HVCI
While TPM 2.0 has been common on many PCs for the past six years, the feature that really makes the security difference in Windows 10 and Windows 11 is HVCI, or Hypervisor Protected Code Integrity, also known as Memory Integrity or kernel isolation as it appears in the Windows device Security menu.
Windows 11 requires it, but in Windows 10 you have to enable it manually. Just click “Kernel Isolation Details” and then turn on Memory Integrity with the toggle switch. It may take about a minute to come up, because Windows has to check every page of memory before the protection is activated.
This feature can only be used on 64-bit processors with hardware virtualization extensions, such as Intel VT-x and AMD-V. Although they were first implemented in server-class chips as early as 2005, they have been present in almost every desktop system since at least 2015, or Intel’s 6th generation (Skylake). However, it also requires Second Level Address Translation (SLAT), which is present in Intel VT-x2 with Extended Page Tables (EPT) and in AMD Rapid Virtualization Indexing (RVI).
There is an additional HVCI requirement that all direct memory access (DMA) capable I/O devices must sit behind an input/output memory management unit (IOMMU). IOMMUs are provided by processors and chipsets that support Intel VT-d or AMD-Vi.
The list of requirements may seem long, but the bottom line is that you are ready if Device Security indicates that these features are present on your system.
Windows 10 Device Security Kernel Isolation feature (Memory Integrity). Jason Perlow.
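The “bottom line” check above can also be done from PowerShell: the Win32_DeviceGuard class is what the Device Security page reads, and Get-ComputerInfo reports the VT-x/AMD-V and SLAT prerequisites. This is an added example, not code from the article; the numeric code meanings in the comments are the documented Win32_DeviceGuard values, and Enable-MemoryIntegrity writes the same registry value the Memory Integrity toggle sets.

```powershell
# Added example (not from the article): Feature 2 prerequisites and current VBS/HVCI state.
function Get-Feature2Readiness {
    # CPU virtualization capabilities as Hyper-V sees them. Note: once a hypervisor is
    # already running (VBS on), these HyperVRequirement* fields come back empty.
    $hvProps = 'HyperVisorPresent',
               'HyperVRequirementVirtualizationFirmwareEnabled',
               'HyperVRequirementSecondLevelAddressTranslation'
    $ci = Get-ComputerInfo -Property $hvProps

    # AvailableSecurityProperties codes: 1 hypervisor support, 2 Secure Boot,
    # 3 DMA protection (IOMMU), 4 secure memory overwrite, 5 NX, 6 SMM mitigations, 7 MBEC.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $avail = @($dg.AvailableSecurityProperties)

    [pscustomobject]@{
        HypervisorPresent        = $ci.HyperVisorPresent
        VirtualizationInFirmware = $ci.HyperVRequirementVirtualizationFirmwareEnabled
        SlatPresent              = $ci.HyperVRequirementSecondLevelAddressTranslation
        HypervisorSupport        = ($avail -contains 1)
        SecureBootProperty       = ($avail -contains 2)
        DmaProtection            = ($avail -contains 3)   # IOMMU (VT-d / AMD-Vi) active
        # VirtualizationBasedSecurityStatus: 0 off, 1 enabled but not running, 2 running
        VbsStatus                = $dg.VirtualizationBasedSecurityStatus
        # Security service code 2 is HVCI (Memory Integrity); code 1 is Credential Guard
        HvciConfigured           = (@($dg.SecurityServicesConfigured) -contains 2)
        HvciRunning              = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

# Equivalent of flipping the "Memory integrity" toggle. Elevated prompt; takes effect after reboot.
function Enable-MemoryIntegrity {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
}

Get-Feature2Readiness | Format-List
```

A result with HypervisorSupport, SlatPresent and DmaProtection all true but HvciRunning false is exactly the case the article describes: the hardware is ready and only the toggle (or Enable-MemoryIntegrity plus a reboot) is missing.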
Isn’t virtualization primarily used to improve workload density on servers in the data center? Or by software developers to isolate their test setups on their desktops? Or to run foreign operating systems like Linux? Yes, but virtualization and containerization/sandboxing are increasingly being used to provide additional layers of security in modern operating systems, including Windows.
In Windows 10 and Windows 11, VBS, or virtualization-based security, uses Microsoft’s Hyper-V to create a secure memory region isolated from the operating system. This protected region hosts various security solutions, providing stronger protection against vulnerabilities in the operating system (including those in unmodified application code) and stopping exploits that try to bypass those protections.
HVCI uses VBS to enforce the code integrity policy by checking all kernel-mode binaries and drivers before they start and preventing unsigned system files and drivers from being loaded into system memory. These restrictions protect vital operating system resources and security assets, such as user credentials. So even if malware gains access to the kernel, the scope of the exploitation can be limited and contained, because the hypervisor can prevent the malware from executing code or accessing secrets.
VBS performs similar functions for application code. It checks applications before they load and only launches them if they come from trusted code signers, assigning permissions to each page in system memory. All of this is done in a secure memory region, providing stronger protection against kernel viruses and malware.
Think of VBS as the new enforcer for Windows code, your kernel and your applications: a Robocop living in a protected memory area, powered by your virtualization-capable CPU.
Feature 3: Microsoft Defender Application Guard (MDAG)
One special feature that many Windows users are unaware of is Microsoft Defender Application Guard, or MDAG.
This is another virtualization-based technology (also known as Hyper-V “Krypton” containers) that, when combined with the latest version of Microsoft Edge (and current versions of Chrome and Firefox using an extension), creates an isolated instance of your browser in memory, preventing your system and company data from being compromised by untrusted websites.
Windows Defender Application Guard in use in Microsoft Edge. Jason Perlow.
If the browser is infected with scripts or malware, the Hyper-V container, which runs separately from the host operating system, remains isolated from critical system processes and corporate data.
MDAG works together with the network isolation settings configured for your environment, which define the boundaries of your private network through your company’s Group Policy.
How MDAG works on host PC and isolated Hyper-V browser container. Microsoft.
In addition to protecting your browser sessions, MDAG can also be used with Microsoft 365 and Office to prevent untrusted Word, PowerPoint, and Excel files from accessing trusted resources such as credentials and company data. This feature was released as a public preview in August 2020 for Microsoft 365 E5 customers.
MDAG, which is part of the Windows 10 Professional, Enterprise, and Education SKUs, is activated from the Windows Features menu or with a simple PowerShell command; it does not require enabling the Hyper-V role.
Microsoft Defender Application Guard in the Turn Windows Features On or Off menu. Jason Perlow.
Although MDAG is primarily aimed at businesses, it can be activated by end users and small businesses using a simple script that defines GPOs. This excellent video and the accompanying article posted on URTech.ca cover the process in more detail.
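The “simple PowerShell command” and the GPO-setting script described above, as an added example that is not the article’s or URTech.ca’s code: it checks the edition requirement, enables the MDAG optional feature, and writes the registry value behind the “Turn on Microsoft Defender Application Guard in Managed Mode” policy. The AppHVSI key and value name are taken from the policy’s ADMX definition; run from an elevated prompt and reboot afterwards.

```powershell
# Added example (not from the article): enable MDAG and its managed-mode policy.
function Enable-ApplicationGuard {
    param(
        # 1 = Edge only, 2 = Office only, 3 = both (policy value meanings)
        [ValidateSet(1, 2, 3)] [int] $ProviderSet = 1
    )

    # MDAG is only in Pro, Enterprise and Education; Home SKUs lack the feature.
    $edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    if ($edition -match 'Home') {
        throw "MDAG is not available on this edition: $edition"
    }

    # The optional feature behind the "Turn Windows features on or off" checkbox.
    $featureName = 'Windows-Defender-ApplicationGuard'
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
    if ($feature.State -ne 'Enabled') {
        Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart | Out-Null
    }

    # Registry location of the "Turn on Microsoft Defender Application Guard in
    # Managed Mode" Group Policy setting (Computer Configuration > Administrative
    # Templates > Windows Components > Microsoft Defender Application Guard).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name AllowAppHVSI_ProviderSet -Value $ProviderSet -Type DWord

    [pscustomobject]@{
        Edition        = $edition
        FeatureState   = (Get-WindowsOptionalFeature -Online -FeatureName $featureName).State
        ProviderSet    = (Get-ItemProperty -Path $policyKey).AllowAppHVSI_ProviderSet
        RebootRequired = $true
    }
}

Enable-ApplicationGuard -ProviderSet 1 | Format-List
```

After the reboot, Edge exposes the isolated session as “New Application Guard window” in its menu, which is the stand-alone use the article describes for end users and small businesses.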