Windows 11: Protect data and secure access with a Zero Trust-ready operating system.

PCs have kept us connected to family and friends throughout the last year and allowed companies to continue to operate. Although we have adapted to working from home, it’s rare to go a day without reading about a new cybersecurity danger. Phishing, ransomware, supply chain, and IoT flaws—attackers are constantly developing new approaches to wreak digital havoc.

But as attacks have increased in scope and sophistication, so have Microsoft. Windows 11 will improve security baselines by incorporating new hardware security standards, giving consumers confidence that they are even more secured from the chip to the cloud on certified devices. Windows 11 has been developed for hybrid work and security, with hardware-based security built-in.

Security by design

Security by design has long been a priority at Microsoft. What other companies invest more than $1 billion a year on security and employ more than 3,500 dedicated security professionals?

They’ve come a long way in their quest to develop chip-to-cloud Zero Trust out of the box. Microsoft introduced secured-core PCs in 2019 that apply best-practice security to the firmware layer, or device core, that underlies Windows. These devices combine hardware, software, and OS protections to help provide end-to-end safeguards against sophisticated and emerging threats like those against hardware and firmware that are on the rise according to the National Institute of Standards and Technology as well as the Department of Homeland Security.

With Windows 11, it’s easier for customers to get protection from these advanced attacks out of the box. All certified Windows 11 systems will come with a TPM 2.0 chip to help ensure customers benefit from security backed by a hardware root-of-trust.

The Trusted Platform Module (TPM) is a chip that is either integrated into your PC’s motherboard or added separately into the CPU. Its purpose is to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier to prevent malware and attackers from accessing or tampering with that data.

PCs of the future need this modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states. Requiring the TPM 2.0 elevates the standard for hardware security by requiring that built-in root-of-trust.

TPM 2.0 is a critical building block for providing security with Windows Hello and BitLocker to help customers better protect their identities and data. In addition, for many enterprise customers, TPMs help facilitate Zero Trust security by providing a secure element for attesting to the health of devices.

Windows 11 also has out-of-the-box support for Azure-based Microsoft Azure Attestation (MAA) bringing hardware-based Zero Trust to the forefront of security, allowing customers to enforce Zero Trust policies when accessing sensitive resources in the cloud with supported mobile device managements (MDMs) like Intune or on-premises.

• Raising the security baseline to meet the evolving threat landscape. This next generation of Windows will raise the security baseline by requiring more modern CPUs, with protections like virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot built-in and enabled by default to protect from both common malware, ransomware, and more sophisticated attacks. Windows 11 will also come with new security innovations like hardware-enforced stack protection for supported Intel and AMD hardware, helping to proactively protect our customers from zero-day exploits. Innovation like the Microsoft Pluton security processor, when used by the great partners in the Windows ecosystem, help raise the strength of the fundamentals at the heart of robust Zero Trust security.
• Ditch passwords with Windows Hello to help keep your information protected. For enterprises, Windows Hello for Business supports simplified passwordless deployment models for achieving a deploy-to-run state within a few minutes. This includes granular control of authentication methods by IT admins while securing communication between cloud tools to better protect corporate data and identity. And for consumers, new Windows 11 devices will be passwordless by default from day one.
• Security and productivity in one. All these components work together in the background to help keep users safe without sacrificing quality, performance, or experience. The new set of hardware security requirements that comes with this new release of Windows is designed to build a foundation that is even stronger and more resistant to attacks on certified devices.
• Comprehensive security and compliance. Out of the box support for Microsoft Azure Attestation enables Windows 11 to provide evidence of trust via attestation, which forms the basis of compliance policies organisations can depend upon to develop an understanding of their true security posture. These Azure Attestation-backed compliance policies validate both the identity, as well as the platform, and form the backbone for the Zero Trust and Conditional Access workflows for safeguarding corporate resources.

This next-level hardware security is compatible with upcoming Pluton-equipped systems and any device using the TPM 2.0 security chip, including hundreds of devices available from Acer, Asus, Dell, HP, Lenovo, Panasonic, and many others.

Windows 11 is a smarter way for everyone to collaborate, share, and present—with the confidence of hardware-backed protections.