The other day, my father, my technology leader, mentioned in passing that he had read online that Windows 11 should not be used and that the operating system was not accepted.
Dad was right. These days he is more of an Apple user – I have him on my phone plan to support his technical needs, and he uses an iPhone and has an iPad. As his needs have changed, his dependence on Windows devices has decreased. In fact, his current needs for Windows include applications that are not on the Apple platform. (And because he’s a standalone user, not a domain user, many of the authentication advances in Windows 11 will not be available to him.)
Computerworld recently noted that Windows 11 uptake is slow, running on just 1.44% of all systems. This is similar to what I see at home and in my office. I have one computer at home, a Surface Pro 7, that can run Windows 11. I only have two computers in the office that support Windows 11.
In fact, many users cannot run Windows 11. If this is you and you are wondering why you can’t run Windows 11, you can download the Bytejeans tool to find out exactly why. The laptop I use, for example, has a Trusted Platform Module that will support Windows 11. But its processor doesn’t support virtualization-based security (VBS).
Windows 11 ensures that VBS is enabled by default to provide hypervisor-enforced code integrity. Although you may argue that on a stand-alone workstation this protection may not be necessary, you will want to make sure that it is enabled in the enterprise. (This is not a new technology, but the mandate is new.)
VBS is required for Windows Defender Credential Guard, which protects domain credentials on a network. As noted: “Credential Guard is a virtualization-based isolation technology for LSASS that prevents attackers from stealing credentials that can be used to transmit hash attacks. … After compromising the system, attackers often try to retrieve all stored credentials for further lateral movement through the network. The main goal is the LSASS process, which stores NTLM and Kerberos credentials. Credential Guard does not allow attackers to discard credentials stored in LSASS by running LSASS in a virtualized container that even a SYSTEM privileged user cannot access. … The system then creates a proxy process called LSAIso (LSA Isolated) to communicate with the virtualized LSASS process.”
While this already works in Windows 10, Windows 11 builds on this protection. Sounds great for business, doesn’t it? But there is one problem: many users will not be properly licensed for most of the security benefits of Windows 11. An example is Windows Defender Credential Guard – you need an Enterprise license to use it. So while it provides great protection for your user or login secrets, it is not available to many users. In future versions of Windows 11, Credential Guard will be enabled by default, but again, only for corporate clients.
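One way to check the state described above on a given machine, as an added example rather than code from the article or from Microsoft: it reads the `Win32_DeviceGuard` CIM class for VBS, Credential Guard and hypervisor-enforced code integrity status, looks for the LsaIso process, and reports the Windows edition. The function name `Get-VbsReport` and the report's property names are made up for this example.

```powershell
# Added example: report VBS, HVCI and Credential Guard state on the local machine.
# Run in an elevated PowerShell session on Windows 10 or Windows 11.

function Get-VbsReport {
    # Meaning of Win32_DeviceGuard.VirtualizationBasedSecurityStatus
    $vbsStates = @{
        0 = 'Not enabled'
        1 = 'Enabled, not running'
        2 = 'Enabled and running'
    }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Service codes in these arrays: 1 = Credential Guard, 2 = HVCI
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    # Edition matters because the article ties Credential Guard to Enterprise licensing
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # LsaIso is the isolated LSA process that exists while Credential Guard is running
    $lsaIso = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Edition                   = $edition
        EnterpriseEdition         = $edition -like 'Enterprise*'
        VbsStatus                 = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = $configured -contains 1
        CredentialGuardRunning    = $running -contains 1
        HvciRunning               = $running -contains 2
        LsaIsoProcessPresent      = $lsaIso
    }
}

$report = Get-VbsReport
$report | Format-List

# Flag the gap an administrator cares about: policy says on, platform says off
if ($report.CredentialGuardConfigured -and -not $report.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; check edition, VBS status and hardware support.'
}
if ($report.VbsStatus -ne 'Enabled and running') {
    Write-Warning "VBS status is '$($report.VbsStatus)'; Credential Guard and HVCI depend on it."
}
```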
Another new technology I’m excited about is Smart App Control, although I have some concerns about it. Smart App Control, as Microsoft explains, “prevents users from running malicious applications on Windows devices that block unreliable or unsigned applications by default.” Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the operating system at the process level. Using code signing along with AI, our new Smart App Control allows only processes that are intended to be secure based on either code certificates or an AI model for trusted applications in Microsoft’s cloud.
“The model conclusion is made 24 hours a day with the latest threat intelligence, which provides trillions of signals. When a new Windows 11 application is launched, its basic signature and basic features are checked against this model, ensuring that only known secure applications can run. This means that Windows 11 users can be assured that they are using only safe and reliable applications on their new Windows devices. Smart App Control will be available on new devices with Windows 11 installed. Devices running earlier versions of Windows 11 will need to be reset and have a clean installation of Windows 11 to take advantage of this feature.”
I still regularly install software that is not signed. So I know in advance that Smart App Control will not work for me either in the office or at home, because I can’t run software using a whitelist approach. I’m also not sure what licensing will be needed. Will it be accessible to all? Will it be a business-only feature?
Bottom line: Windows 11 will be great for businesses if you have the right license to take advantage of these features. But I’m not convinced that it gives you a big advantage at home. If you’re worried that your older hardware may not work with Windows 11, don’t. Windows 11 is just the next version of Windows and doesn’t really bring many security benefits to the average user. That’s why my father will continue to use Windows 10 for now and won’t worry about Windows 11.
Copyright © 2022 IDG Communications, Inc.