Microsoft has set its minimum CPU requirements for Windows 11 at Intel’s eighth generation because the chips enable several important security features to be turned on by default in the operating system, offering a major security enhancement over Windows 10, a Microsoft security executive told CRN.

With Windows 11 general availability set to launch on Tuesday, David Weston, Microsoft’s director of OS and enterprise security, spoke about how the CPU requirements aim to increase security in the new operating system without a trade-off in performance. Intel’s eighth-gen chips and up support the use of certain key security features, such as virtualization-based security (VBS), while also providing optimal performance when automatically running those features, Weston said in an interview with CRN.

In Windows 10, powerful security features such as VBS are optional and don’t run automatically, and are rarely used as a result, he said. “The strategy for the initial release of Windows 11 is very simple: raise the baseline. Turn on the things that were optional in Windows 10 by default,” Weston said.

One example is a feature called mode-based execution control, which, in tandem with Intel’s eighth-gen CPUs and up, helps to ensure optimal performance while running certain virtualization-based security protections, he said. Some earlier CPUs do support mode-based execution control, including Intel’s seventh-gen processors. But the seventh-gen chips are excluded because they don’t meet all of the performance and reliability requirements that Microsoft has for Windows 11, including for running VBS processes by default, Weston said. In addition to mode-based execution control, Intel’s eighth-gen chips also ensure that Trusted Platform Module (TPM) encryption and secure boot capabilities are present, Weston said. “Some lower generations also have those features, but then they are missing reliability and performance optimization,” he said.

The stricter CPU requirements for Windows 11 compared to past releases of Windows have led to confusion among users and the IT industry about the reasons that Microsoft drew the line, with just a few exceptions, at Intel’s eighth generation and AMD’s Zen 2. The requirements for newer CPUs along with TPM 2.0 are expected to exclude a significant number of PCs from installing Windows 11. (Users can still bypass the requirements using the Windows media creation tool, which is discouraged but not forbidden by Microsoft.)

Weston said that part of the confusion is that people have been looking for a single reason behind the choice to start CPU compatibility at Intel eighth-gen and AMD Zen 2. But the situation is more complicated, because Microsoft actually looked at multiple considerations in combination to arrive at the minimum CPU requirements for Windows 11, he said. “Ultimately, we could have chosen many lines,” Weston said. “But we used data analysis around reliability, performance and security to get there, and that is how we landed on that particular bar.”

An additional issue has affected people’s comprehension of the matter: Some of the specific security features that Microsoft considers crucial to enabling in Windows 11 are not features that have been widely discussed, even by Microsoft. For instance, mode-based execution control is not mentioned in previous Microsoft posts on the security considerations for Windows 11. What Microsoft did mention in the posts is virtualization-based security, as well as hypervisor-protected code integrity, or HVCI. Virtualization-based security enables HVCI, also known as memory integrity, which blocks any dynamic code that an attacker is trying to inject into the Windows kernel.
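The article describes the Windows 11 baseline (VBS, HVCI/memory integrity, mode-based execution control, TPM 2.0 and Secure Boot) but not how an administrator can tell whether a given machine actually has those features available and running. The following PowerShell script is an added example, not code from the article or from Microsoft; it reads the documented `Win32_DeviceGuard` and `Win32_Tpm` CIM classes and the `Confirm-SecureBootUEFI` cmdlet. The function names `Get-Win11SecurityBaseline` and `Test-Win11SecurityBaseline` are invented for this example, and the interpretation of the numeric property codes is an assumption based on the documented meanings of those classes.

```powershell
# Added example (not from the CRN article): report whether the Windows 11
# baseline security features the article discusses are available and running
# on the local machine. Run from an elevated PowerShell session on Windows.
# Assumption: the numeric codes below follow the documented meanings of the
# Win32_DeviceGuard properties; codes not listed here are ignored.

function Get-Win11SecurityBaseline {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # AvailableSecurityProperties: 1 = hypervisor support for VBS,
    # 2 = Secure Boot, 7 = mode-based execution control (MBEC).
    $available = @($dg.AvailableSecurityProperties)

    # VirtualizationBasedSecurityStatus: 0 = disabled,
    # 1 = enabled but not running, 2 = running.
    $vbsNames = @{ 0 = 'Disabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $vbsCode  = [int]$dg.VirtualizationBasedSecurityStatus
    $vbsStatus = if ($vbsNames.ContainsKey($vbsCode)) { $vbsNames[$vbsCode] } else { "Unknown($vbsCode)" }

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $running = @($dg.SecurityServicesRunning)

    # TPM: Win32_Tpm exposes SpecVersion as a string such as "2.0, 0, 1.38";
    # the first comma-separated field is the TPM specification version.
    $tpmSpec = $null
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName 'Win32_Tpm' -ErrorAction Stop
        if ($tpm -and $tpm.SpecVersion) {
            $tpmSpec = ($tpm.SpecVersion -split ',')[0].Trim()
        }
    } catch { }   # no TPM exposed, or query not permitted: leave $tpmSpec as $null

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # on legacy BIOS boot, which we report as $null (not applicable).
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    [pscustomobject]@{
        HypervisorSupportAvailable = ($available -contains 1)
        SecureBootAvailable        = ($available -contains 2)
        MbecAvailable              = ($available -contains 7)
        VbsStatus                  = $vbsStatus
        HvciRunning                = ($running -contains 2)
        CredentialGuardRunning     = ($running -contains 1)
        TpmSpecVersion             = $tpmSpec
        SecureBootEnabled          = $secureBoot
    }
}

function Test-Win11SecurityBaseline {
    # Turns the raw report into a list of gaps against the baseline the
    # article describes; an empty list means every checked feature is in place.
    $b = Get-Win11SecurityBaseline
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $b.HypervisorSupportAvailable) {
        $findings.Add('Hypervisor support for VBS is not reported as available')
    }
    if ($b.VbsStatus -ne 'Running') {
        $findings.Add("VBS status is '$($b.VbsStatus)'; Windows 11 runs it by default on supported hardware")
    }
    if (-not $b.HvciRunning) {
        $findings.Add('HVCI (memory integrity) is not running, so unsigned dynamic kernel code is not blocked')
    }
    if (-not $b.MbecAvailable) {
        $findings.Add('Mode-based execution control is not available; HVCI runs without its hardware acceleration')
    }
    if ($b.TpmSpecVersion -ne '2.0') {
        $findings.Add("TPM 2.0 not detected (reported spec version: '$($b.TpmSpecVersion)')")
    }
    if ($b.SecureBootEnabled -ne $true) {
        $findings.Add('Secure Boot is not enabled (or the system did not boot via UEFI)')
    }
    return $findings
}

# Usage: print the raw report, then any gaps against the baseline.
Get-Win11SecurityBaseline | Format-List
$gaps = Test-Win11SecurityBaseline
if ($gaps.Count -eq 0) { 'All checked Windows 11 baseline features are present and running.' }
else { $gaps | ForEach-Object { "GAP: $_" } }
```

The script only reads state; it does not change any setting. On a fleet, the `Test-Win11SecurityBaseline` output is the part worth collecting centrally, since a machine that reports VBS as `EnabledNotRunning` or HVCI as not running is one where the default Windows 11 protections the article describes are not actually in effect, whatever the CPU generation.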