WatchGuard Blog

Is Windows 11 Safe?


Windows 11 is the most secure Windows version to date. Microsoft's new operating system is now available, after several lessons were learned from its predecessor. The Redmond company states that the widespread use of hybrid and remote work environments during the pandemic opened the door to a host of threats, with vulnerabilities affecting Windows systems exploited by attackers, as in the Spectre and Meltdown incidents.

In this new release, Microsoft has introduced a series of requirements, ranging from the hardware itself to the way the device boots, that the system must meet and that must be enabled in order to reduce the chances of exploits and cyberattacks.

New functionalities implemented by Microsoft:  

  • TPM 2.0: A TPM 2.0 is required to run Windows 11. Trusted Platform Module (TPM) chips have been installed on the motherboards of new computers mainly from 2016 onwards. These cryptoprocessors store Windows encryption keys and can also store digital certificates and SSL/TLS keys for browsing, and can be used for VPNs. One of their key features is that they communicate only with the processor, so it is very difficult for malware to access their data without specific permissions.

  • VBS: Virtualization-Based Security (VBS), built into Windows 11, uses hardware virtualization features to create a memory enclave that is isolated from the operating system. Windows can then use this "secure virtual mode" to host cybersecurity tools and solutions. This protects the system against OS vulnerabilities and against malware that tries to override its protections.

  • HVCI: Hypervisor-Protected Code Integrity (HVCI) is a VBS feature that protects the isolated memory environment VBS has created. It ensures that the Windows kernel is protected through this isolation, as malware often targets the kernel to gain full access to systems. Although HVCI could already be enabled in Windows 10, in Windows 11 it is enabled by default.

  • UEFI Secure Boot: Secure Boot is a protocol of UEFI (the successor to the BIOS, the firmware that controls the computer's hardware) that secures the system boot process. It verifies the signatures of the drivers and boot software of the installed hardware components and refuses to load any that are unsigned. This prevents bootkits and any other malware that runs during booting, before the OS starts up. Windows 11 requires Secure Boot to be enabled before it will boot.
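The four controls listed above can be audited from an endpoint with a short script. The following is an added example written for this post, not WatchGuard's own tooling; it assumes an elevated PowerShell session on Windows 10 or 11, where the `Win32_Tpm` and `Win32_DeviceGuard` CIM classes and the `Confirm-SecureBootUEFI` cmdlet are available.

```powershell
# Added example: audit the Windows 11 hardware-security baseline described above
# (TPM 2.0, UEFI Secure Boot, VBS, HVCI). Run as Administrator.

function Get-Win11SecurityBaseline {
    $result = [ordered]@{}

    # TPM: Win32_Tpm exposes SpecVersion as a comma-separated string such as
    # "2.0, 0, 1.38"; the first field is the TPM family version we care about.
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        if ($null -eq $tpm) { throw 'No TPM device found' }
        $specMajor = ($tpm.SpecVersion -split ',')[0].Trim()
        $result['TpmPresent'] = $true
        $result['TpmVersion'] = $specMajor
        $result['Tpm20']      = ($specMajor -eq '2.0')
    } catch {
        $result['TpmPresent'] = $false
        $result['TpmVersion'] = $null
        $result['Tpm20']      = $false
    }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, which is
    # itself a finding (no UEFI means Secure Boot cannot be enabled).
    try {
        $result['SecureBoot'] = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $result['SecureBoot'] = $false
    }

    # VBS and HVCI: Win32_DeviceGuard reports the VBS state (2 = running) and the
    # security services actually running (1 = Credential Guard, 2 = HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    $result['VbsRunning']  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result['HvciRunning'] = ($dg.SecurityServicesRunning -contains 2)

    $result['MeetsBaseline'] = $result['Tpm20'] -and $result['SecureBoot'] -and
                               $result['VbsRunning'] -and $result['HvciRunning']
    [pscustomobject]$result
}

# Print the report and exit non-zero when any control is missing, so the script
# can double as a compliance check run by an RMM or management script.
$baseline = Get-Win11SecurityBaseline
$baseline | Format-List
if (-not $baseline.MeetsBaseline) { exit 1 }
```

A machine that boots but reports `VbsRunning` or `HvciRunning` as false typically has the feature supported but switched off in Windows Security or by policy, which is worth flagging separately from missing hardware.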

Windows 11 also ships with Windows Defender as its anti-malware component, a function that already existed in previous releases. A few days ago, an analyst revealed that Microsoft is working on a new version of Defender that is more closely aligned with Windows 11.

Improved but insufficient protection  

These functionalities and requirements offer enhanced protection, but they are insufficient on their own. A clear example is that traditional antivirus products such as Windows Defender protect and scan computers against known threats, but their benefits are limited when faced with sophisticated new threats, such as APT groups that use "Living off the Land" techniques, including fileless malware.

So, while upgrading to Windows 11 is recommended, MSPs should incorporate tools that provide comprehensive endpoint security by complementing antivirus capabilities with advanced incident detection and response capabilities. WatchGuard EDR is installed as an add-on to an existing antivirus solution to address the malwareless and fileless attacks that traditional antivirus solutions cannot stop in every case. In addition, MSPs can deploy the full set of EPP (Endpoint Protection Platform) and EDR (Endpoint Detection and Response) capabilities with a single solution, WatchGuard EPDR. This provides maximum protection on Windows 11 systems with minimal impact on computer performance.