Security Baselines
Security on Windows 11 starts with a set of basics that Microsoft calls security baselines. These baselines can vary based on device types and industry-specific threats such as web security or confidential data protection.
The term “security baselines” is specifically about Windows Pro machines; nevertheless, there are some basics that most modern PCs, including Windows 11 Home devices, use to stay secure. One example is the Trusted Platform Module Version 2.0 (TPM 2.0), which Microsoft famously started requiring for Windows 11 machines. TPM is a hardware-level security feature that securely stores the encryption keys used to authenticate hardware and software. It also enables BitLocker encryption, if available, and protects biometric identity and other data.
The next key baseline feature is Secure Boot, which only allows signed (known) operating systems to run. This helps prevent rootkits and other nasty bits of malware that could infect the system. Windows Hello with biometric identity authentication is also considered an essential baseline.
Finally, there’s BitLocker drive encryption, which keeps your data safe when not in use. BitLocker is not available for Windows 11 Home PCs, but some support a lighter version called Windows Device Encryption.
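To see where a given machine stands on the baseline features described above (TPM, Secure Boot, and drive encryption), the following read-only PowerShell check is an added example, not code from the article or from Microsoft. It assumes an elevated PowerShell session on Windows 11; Get-BaselineStatus is a hypothetical helper name.

```powershell
# Added example (read-only). Run from an elevated PowerShell session.
# Get-BaselineStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-BaselineStatus {
    $report = [ordered]@{}

    # TPM: Get-Tpm reports presence and readiness. Win32_Tpm.SpecVersion is a
    # comma-separated string whose first field is the spec version.
    $tpm = Get-Tpm
    $report.TpmPresent = $tpm.TpmPresent
    $report.TpmReady   = $tpm.TpmReady
    $spec = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                            -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report.TpmSpecVersion = if ($spec) { ($spec.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    # Secure Boot: the cmdlet returns $true/$false on UEFI systems and throws
    # on legacy BIOS firmware or when the session is not elevated.
    try   { $report.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $report.SecureBoot = "unavailable: $($_.Exception.Message)" }

    # Drive encryption: the BitLocker cmdlets may be missing, so probe first.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        $report.SystemDriveProtection = if ($vol) { "$($vol.ProtectionStatus)" } else { 'unknown' }
        $report.SystemDriveEncrypted  = if ($vol) { "$($vol.VolumeStatus)" } else { 'unknown' }
    } else {
        $report.SystemDriveProtection = 'BitLocker cmdlets not present'
    }

    [pscustomobject]$report
}

Get-BaselineStatus | Format-List
```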
So What Are Secured-Core PCs?
Microsoft and its partners aim Secured-Core PCs at people who need a higher level of security because of the industry or profession they’re in. Governments may want a Secured-Core PC for dealing with highly privileged information, for example, as would banks, or businesses with highly sought-after intellectual property, or engineers working on critical infrastructure. These people can face advanced threats including targeted and physical attacks against their machines in order to pilfer important data or authentication data. Secured-Core focuses on a wide range of potential firmware attacks, which (when successful) can remain on a machine even after wiping the operating system or swapping out components.
So what are the extra levels of security you get with Secured-Core? One example is Memory Access Protection. This protects against Direct Memory Access (DMA) attacks, in which a malicious device connects to a PC via Thunderbolt, PCIe, or some other high-speed interface to get direct access to memory.
From there it can run malware, try to obtain encryption keys, or gain control of the system. Microsoft showed an example of how this could be done and how Memory Access Protection mitigates these attacks during Microsoft Ignite in 2020. For a DMA attack to work, typically the attacker must start with physical access to a vulnerable device. Clearly, most of us don’t have to worry about a corporate spy sneaking into our hotel room in order to pwn our laptop. Corporations and governments, however, do.
Another feature of Secured-Core PCs is virtualization-based security (VBS) and Hypervisor Code Integrity, the main attraction of which is Memory Integrity, an optional security feature in Windows 11 Home. On Secured-Core PCs this is enabled by default, and newer pre-built PCs and laptops with Windows 11 Home may have it activated as well. Older systems that upgraded to Windows 11, however, usually don’t.
To prevent malicious compromise of your system, Memory Integrity runs key processes inside a virtual environment to isolate them from the system and reduce the chances of a malicious attack. To do this, however, it uses the PC’s virtualization capabilities.
This means you may run into trouble if you’re running virtual machines via programs like VirtualBox, or if you’re trying to overclock your system with something like Ryzen Master. More often than not, Memory Integrity will not play nice with these programs. If you run into issues you’ll have to either boot into safe mode to turn Memory Integrity off, or even race to open Windows Security and turn the feature off before the Blue Screen of Death splashes across your monitor.
Memory Integrity also won’t run if you have older hardware with outdated drivers. The good news is that if you do have a driver issue, Windows will alert you to the problem and won’t allow you to activate Memory Integrity until the problem is resolved.
If, after all those caveats, you’d like to try turning on Memory Integrity on your upgraded Windows 11 Home PC, then open the Windows Security app by clicking Start > All Apps > Windows Security.
On the left-hand rail select Device Security, and then on the page that appears under Core Isolation select the link “Core Isolation Details.”
Finally, under Memory Integrity flip the slider from Off to On.
Windows 11 will then ask you to reboot your machine. After that, may the fates be with you.
Two additional major features of Secured-Core are System Guard and Dynamic Root of Trust Measurement (DRTM). These two features work together to ensure the system remains secure during boot and while running.
System Guard is focused on protecting the integrity of the computer system during start-up and then ensures that the system is in a good state through remote and local methods of verification. This includes the ability for the IT department to remotely analyze the results of a system’s boot process using data stored and protected on the device by the TPM 2.0.
DRTM is a part of System Guard. It allows the system to start in an untrusted state (from the point of view of Windows) to overcome having to verify and whitelist every possible variant of a motherboard BIOS under the sun. Then shortly after the boot process starts, DRTM makes sure that all system CPUs go through a known and trusted path to get the system up and running.
To read more of the technical details about System Guard and DRTM check out Microsoft’s online documentation.
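After flipping the Memory Integrity slider and rebooting, and for the System Guard features described above, you can confirm what is actually running rather than merely configured. The PowerShell below is an added example, not code from the article or from Microsoft; it reads the Win32_DeviceGuard class, with value meanings taken from Microsoft's documentation for that class. Get-VbsStatus is a hypothetical helper name, and an elevated session is assumed.

```powershell
# Added example (read-only). Run from an elevated PowerShell session.
# Get-VbsStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    # VirtualizationBasedSecurityStatus values. The property is a UInt32, so
    # cast to [int] before using it as a key into an Int32-keyed hashtable.
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

    # Security service ids: 2 = Memory Integrity (HVCI),
    # 3 = System Guard Secure Launch (the DRTM-based launch).
    $hvciConfigured   = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning      = $dg.SecurityServicesRunning    -contains 2
    $launchConfigured = $dg.SecurityServicesConfigured -contains 3
    $launchRunning    = $dg.SecurityServicesRunning    -contains 3

    # A service that is configured but not running after a reboot is the case
    # to investigate, for example an incompatible driver blocking Memory Integrity.
    $findings = @()
    if ($hvciConfigured -and -not $hvciRunning) {
        $findings += 'Memory Integrity is configured but not running'
    }
    if ($launchConfigured -and -not $launchRunning) {
        $findings += 'Secure Launch is configured but not running'
    }

    [pscustomobject]@{
        VbsStatus                 = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        # AvailableSecurityProperties id 3 = DMA protection is available
        DmaProtectionAvailable    = $dg.AvailableSecurityProperties -contains 3
        MemoryIntegrityConfigured = $hvciConfigured
        MemoryIntegrityRunning    = $hvciRunning
        SecureLaunchConfigured    = $launchConfigured
        SecureLaunchRunning       = $launchRunning
        Findings                  = $findings -join '; '
    }
}

Get-VbsStatus | Format-List
```

An empty Findings field alongside MemoryIntegrityRunning = True means the setting took effect after the reboot.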
Getting Down to Bare Metal
Basically, a Secured-Core PC is about fighting against advanced threats that try to sneak in malware before the operating system loads. That is a critical feature for PCs that hold critical data relating to, say, energy security or extremely valuable intellectual property.
Some of these features, or similar ones, are available to Windows Home PCs, and if you buy a new PC, many of them will be activated by default. If you’ve built your system or upgraded from Windows 10, they often won’t be activated, but you can turn them on. Secure Boot is a no-brainer, but Memory Integrity should be treated with caution, especially on older machines.
You can view a list of available Secured-Core PCs on Microsoft’s website.