The best features in Windows 11 are already in Windows 10. You just need to activate them - ZDNet

When Windows 11 was presented last June, many were excited about its revamped user interface – and countless PC enthusiasts rushed to download Windows Insider Developer Channel builds of the new operating system.

But, as they quickly discovered, the new operating system has several new requirements for PCs, in order to support its new hardware and virtualization-based security features. These functions are essential for securing home and business workloads against today’s malware.

It turns out that all of these features are already built into Windows 10 if you are using version 20H2 (Windows 10 October 2020 Update). You can take advantage of this if you deploy Group Policy or if you just click in the Windows 10 “Device Security” menu to enable them. You don’t have to wait for Windows 11 to release or buy a new PC.

The “Security and peripherals” menu in Windows 10 20H2. Jason Perlow / ZDNet.

Feature 1: TPM 2.0 and Secure Boot

Trusted Platform Module (TPM) is a technology designed to provide hardware-based, security-related cryptographic functions. If your PC was manufactured within the past five years, chances are good that the TPM chip on your motherboard supports version 2.0. You can determine this by opening “Device Manager” and expanding “Security devices”. If it says “Trusted Platform Module 2.0”, you are ready to go.

Microsoft Windows Device Manager with TPM 2.0. Jason Perlow / ZDNet.

This is listed as “Security Processor” in the “Device Security Settings” menu in Windows 10 (and Windows 11).

What does TPM actually do? It is used to generate and store cryptographic keys specific to your system, including an RSA encryption key specific to your system’s TPM. In addition to being traditionally used with smart cards and VPN, TPMs are used to support the Secure Boot process. It measures the integrity of the operating system boot code, including firmware and individual operating system components, to ensure that they have not been compromised.

There is nothing to do for it to work; it just works, as long as it’s not disabled in your UEFI. Your organization can choose to deploy Secure Boot on Windows 10 via Group Policy or an enterprise MDM solution such as Microsoft Endpoint Manager.

While most manufacturers ship their PCs with TPM enabled, some may have it disabled, so if it doesn’t show up in Device Manager or if it’s disabled, boot into your UEFI firmware settings and take a look.

If the TPM was never prepared for use on your system, simply invoke the utility by running tpm.msc from the command line.

Security Chip (TPM 2.0) details in Windows Security and Peripherals.

Feature 2: Virtualization-Based Security (VBS) and HVCI

While TPM 2.0 has been common to many PCs for the past six years, the feature that really makes the security difference in Windows 10 and Windows 11 is HVCI, or Hypervisor-Protected Code Integrity, also called Memory Integrity or Core Isolation, as it appears in the Windows Device Security menu.

Although it is required by Windows 11, you need to enable it manually in Windows 10. Just click on “Core isolation details” and then enable memory integrity using the toggle switch. It may take about a minute for your system to turn it on, as it needs to check every memory page in Windows first.

This function can only be used on 64-bit processors equipped with hardware-based virtualization extensions, such as Intel VT-X and AMD-V. Although initially implemented in server-class chips as early as 2005, they have been present in almost every desktop system since at least 2015, or Intel’s Generation 6 (Skylake). However, it also requires Second Level Address Translation (SLAT), which is present in Intel’s VT-X2 with Extended Page Tables (EPT) and AMD’s Rapid Virtualization Indexing (RVI).

There is an additional HVCI requirement that all I/O devices capable of Direct Memory Access (DMA) must be behind an Input-Output Memory Management Unit (IOMMU). These units are implemented in processors that support Intel VT-D or AMD-Vi instructions.

The list of requirements may seem long, but the bottom line is that you are ready if Device Security indicates that these features are present in your system.

Windows 10 Device Security kernel isolation feature (memory integrity). Jason Perlow / ZDNet.

Isn’t virtualization primarily used to improve workload density in data center servers? Or by software developers to isolate their test setup on their desktops? Or run foreign operating systems like Linux? Yes, but virtualization and containerization / sandboxing are now increasingly used to provide additional layers of security in modern operating systems, including Windows.

In Windows 10 and Windows 11, VBS, or Virtualization-based Security, uses Microsoft’s Hyper-V to create and isolate a secure memory region from the operating system. This protected region is used to run several security solutions that can protect against existing vulnerabilities in the operating system (such as those from unmodernized application code) and stop exploits that attempt to bypass those protections.

HVCI uses VBS to enforce the code integrity policy by checking all kernel-mode drivers and binaries before they are started and preventing unsigned drivers and system files from being loaded into system memory. These restrictions protect vital operating system resources and security assets such as user credentials. So even if malware gains access to the kernel, the extent of exploitation can be limited and contained because the hypervisor can prevent the malware from executing code or accessing secrets.

VBS also performs similar functions for application code. It checks apps before they load and only launches them if they come from trusted code signers, assigning permissions to every page in system memory. All of this is done in a secure memory region, which provides more robust protections against viruses and kernel malware.

Think of VBS as the new code enforcer for Windows, a Robocop for your kernel and applications that lives in a protected memory area, enabled by your virtualization-capable CPU.

Feature 3: Microsoft Defender Application Guard (MDAG)

One special feature that many Windows users are unaware of is Microsoft Defender Application Guard, or MDAG.

This is another virtualization-based technology (also known as “Krypton” Hyper-V containers) which, when paired with the latest version of Microsoft Edge (and current versions of Chrome and Firefox using an extension), creates an isolated memory instance of your browser, preventing your system and company data from being compromised by untrusted websites.

Windows Defender Application Guard in use on Microsoft Edge. Jason Perlow / ZDNet.

If the browser is infected with scripts or malware, the Hyper-V container, which runs separately from the host operating system, remains isolated from your critical system processes and corporate data.

MDAG is combined with the Network Isolation settings configured for your environment to define the boundaries of your private network, as set by your company’s Group Policy.

How MDAG works on host PC and isolated Hyper-V browser container. Source: Microsoft.

In addition to protecting your browser sessions, MDAG can also be used with Microsoft 365 and Office to prevent Word, PowerPoint, and Excel files from accessing trusted resources such as company credentials and data. This feature was released as a public preview in August 2020 for Microsoft 365 E5 customers.

MDAG, which is part of the Windows 10 Professional, Enterprise, and Education SKUs, is activated with the Windows features menu or a simple PowerShell command; it does not require the activation of Hyper-V.

Microsoft Defender Application Guard from the Turn Windows Features On or Off menu. Jason Perlow / ZDNet.

Although MDAG primarily targets enterprises, end users and small businesses can activate it using a simple script that defines GPOs. This excellent video and this accompanying article published on URTech.ca cover the process in more detail.
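To confirm the state of the three features covered above from an elevated PowerShell prompt rather than the Settings menus, the following read-only audit is an added example (not code from the ZDNet article or from Microsoft). The function name Get-Win10SecurityBaseline is hypothetical; the numeric code tables follow Microsoft's documentation of the Win32_DeviceGuard class.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of TPM/Secure Boot, VBS/HVCI and MDAG state.
# Code tables follow Microsoft's documentation of the Win32_DeviceGuard class.
$hwNames = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection (IOMMU)'
    4 = 'Secure memory overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
    7 = 'Mode-based execute control'; 8 = 'APIC virtualization'
}
$svcNames = @{
    1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement'
}
$vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

function Get-Win10SecurityBaseline {   # hypothetical name
    # Feature 1: TPM and Secure Boot
    $tpm = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec version
    $tpmSpec = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'n/a' }
    # Confirm-SecureBootUEFI throws on legacy BIOS boot, so treat errors as "off"
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

    # Feature 2: VBS and HVCI, as reported by the Device Guard WMI provider
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard
    # WMI returns UInt32 values; cast to [int] so the hashtable keys match
    $hw  = @($dg.AvailableSecurityProperties | ForEach-Object { $hwNames[[int]$_] })
    $svc = @($dg.SecurityServicesRunning | ForEach-Object { $svcNames[[int]$_] })

    # Feature 3: MDAG optional feature (absent on editions that do not ship it)
    $mdag = try {
        (Get-WindowsOptionalFeature -Online -ErrorAction Stop `
            -FeatureName 'Windows-Defender-ApplicationGuard').State
    } catch { 'Not available' }

    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        TpmSpecVersion    = $tpmSpec
        SecureBoot        = $secureBoot
        VbsStatus         = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        HardwareAvailable = $hw -join ', '
        ServicesRunning   = $svc -join ', '
        MemoryIntegrityOn = $dg.SecurityServicesRunning -contains 2
        MdagFeature       = $mdag
    }
}
Get-Win10SecurityBaseline | Format-List
```

A machine where HardwareAvailable lists hypervisor support and DMA protection but MemoryIntegrityOn is False meets the hardware requirements described in Feature 2 and only needs the memory integrity toggle switched on.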

Source: ZDNet.com
