Windows 11: Partners Say It’s A ‘Smart Play’ By Microsoft To Put Security First
While stringent hardware requirements will prevent many PCs from installing Windows 11, the verdict from solution providers is that the security advantages of TPM 2.0 and newer processors are worth it. The third of a three-part series on Windows 11.
The rollout of Windows 11 is highlighting a major shift in Microsoft’s strategy with the Windows operating system, with the company putting a higher priority on improving security than on enabling the most PC upgrades possible, solution providers and industry analysts told CRN.
For Windows 11, which will be generally available Oct. 5, Microsoft has issued hardware requirements that are far more stringent than users have been accustomed to in the past.
Along with requiring a TPM 2.0 security chip, Windows 11 is only compatible with CPUs released in the past four years. This is also widely seen as a security measure since it ensures that most PCs running Windows 11 will have hardware protections against the Spectre and Meltdown vulnerabilities.
The requirements for newer CPUs and TPM 2.0 are expected to exclude a significant number of PCs from installing Windows 11, however. That’s a stark departure from Microsoft’s approach with past releases of Windows—especially Windows 10—but is ultimately a worthwhile trade-off, solution providers told CRN.
“I would say that they are prioritizing security first. And I’d say that’s the prudent thing to do, given what’s going on in this environment,” said Matthew Bookspan, CEO of Altamonte Springs, Fla.-based Blacktip. “It’s a smart play.”
The six years since the launch of Windows 10 have seen Microsoft ensnared in a series of massive cyberattacks, even as troubling new hardware-level vulnerabilities such as the Spectre and Meltdown processor flaws have emerged.
While security was a focus for past Windows releases as well, tightening hardware security is a greater focus with Windows 11, analysts told CRN.
“What I think is new is the recognition that it’s not just about fixing the OS, but rather looking at the entire stack from the hardware up through the applications and the user experience and trying to make the entire stack work better and more securely,” said Stephen Kleynhans, research vice president at Gartner. “There are some things you need to do that you can’t do solely in the operating system, which needs the newer hardware.”
The CPU requirements for upgrading to Windows 11 include—with just a few exceptions—having a processor from Intel’s eighth generation and newer, or AMD’s Zen 2 series and up.
Those CPU requirements appear to be aligned with mitigations against Spectre and Meltdown side-channel vulnerabilities, analysts told CRN. However, Microsoft has not specifically confirmed this, and some Windows 11-compatible chips did come out before hardware protections for Spectre and Meltdown arrived. Microsoft did not make an executive available to comment for this article.
In an interview with CRNtv in August, Microsoft Channel Chief Rodney Clark said that the Windows 11 chip and security requirements are in part a response to the new places, such as edge devices, where cyberattacks are now originating.
“When you think about the security landscape that we are in today, it’s changed quite a bit,” said Clark, Microsoft’s corporate vice president of global channel sales. “Yesterday’s PC doesn’t necessarily address today’s security concern and tomorrow’s security concern.”
Along with protecting against existing cyberthreats, Microsoft does appear to be trying to set up a stronger security baseline for the future with its Windows 11 security requirements, analysts said.
“I think Microsoft is looking at the things that we know we need to do for security in the future that we simply can’t do on some of the really old hardware,” Kleynhans said. “At some point they knew that they’d have to make a tough call. This is an opportunity to make that tough call.”
‘Security Is Job No. 1’
While Apple has taken a similar approach with macOS, this approach by Microsoft has come as a shock to some Windows users.
In past releases, Windows has tended to support a “long legacy of hardware,” said Tom Mainelli, group vice president for device and consumer research at IDC.
“There are certainly challenges with supporting older hardware, particularly on the security side,” Mainelli said. “I think that Microsoft’s decisions around what will be supported are ultimately in service of driving a better experience and a more secure experience.”
With the Windows 11 processor requirements, it’s evident that “security is job No. 1” for Microsoft, he said.
By contrast, security was one among many priorities with the debut of Windows 10 in 2015—and not necessarily the most prominent.
Microsoft’s rollout included an aggressive push to coax users to upgrade to Windows 10. With many users still on Windows 7, following the failed launch of Windows 8 in 2012, Microsoft deployed a variety of tactics in its upgrade campaign. Some were even criticized as sneaky; at one point in the campaign, clicking an “X” in the Windows 10 updates box would install, rather than dismiss, the new operating system.
Initially, Microsoft had set an ambitious goal of getting Windows 10 onto 1 billion devices by the summer of 2018. (It hit the goal in March 2020.)
In comparison to the transition happening today to Windows 11, Microsoft felt there was “a bit more urgency to get people from 7 to 10,” Mainelli said.
The security environment that Windows 11 is launching into has also changed dramatically in the six years since Windows 10 debuted, solution providers said.
“Now, you have to prioritize security,” said Zach Saltzman, senior director for the Microsoft platform at Carlsbad, Calif.-based FMT Consultants. “It’s not like when Windows 10 came out when, sure, Microsoft talked about security. But they were just trying to get away from Windows 8.”
Microsoft ‘Always In The Middle’
Microsoft has also become a security vendor powerhouse in its own right in recent years, with a portfolio of security offerings ranging from identity to cloud to endpoint protection. Meanwhile, the company’s platforms are not only a prime target for hackers, but have also gotten entangled in numerous high-profile cyberattacks such as the massive SolarWinds compromise and an attack on IT distributor Synnex in July.
“It doesn’t matter where the problem is, Microsoft’s always going to be in the middle of fixing it,” Kleynhans said.
In terms of Windows security specifically, the vulnerabilities known as “PrintNightmare” have been vexing Microsoft and IT departments for the past two months.
Since unveiling Windows 11 in June, Microsoft has made it clear that security is at the forefront of its strategy for the new operating system. A blog post in June, for instance, listed security first among the guiding principles for Windows 11.
Using key Windows 11 security features in combination on test devices—including Windows Hello facial recognition, device encryption, secure boot and virtualization-based security—reduced malware by 60 percent on those devices, Microsoft said.
The dozen solution providers who spoke to CRN for this series said they do believe Windows 11 will be a meaningful step up in security, and they agree with Microsoft’s strategy of putting security first.
“I strongly feel that Microsoft is doing the right thing by prioritizing security” with Windows 11, said Marc Menzies, president and CTO of Ronkonkoma, N.Y.-based Overview Technology Solutions. “I’m fine with them prioritizing security over being able to roll this out to every computer.”
While the TPM 2.0 requirement has caused grumbling among some users, Menzies noted that the security chip is necessary for enabling BitLocker encryption. BitLocker encrypts all data on a device, ensuring that the data cannot be accessed in the event the device is lost or stolen.
“Security needs to be paramount,” Menzies said. “I’m definitely on Microsoft’s side here.”
Spectre, Meltdown ‘Woke Up The Industry’
Many in the industry, including executives at device makers, believe that the requirement for CPUs made in the past four years is tied to the Spectre and Meltdown vulnerabilities.
Lenovo North America President Vlad Rozanovich, for instance, recently told CRN that he understands the requirement for newer Intel and AMD chips as stemming from Spectre and Meltdown. “Those are things that the CPU guys have gotten their arms around” in the recent generations of processors, Rozanovich said.
The Spectre and Meltdown processor flaws were discovered in January 2018 and pose the threat of enabling hackers to access protected data. The discovery of the vulnerabilities “really woke up the industry,” Kleynhans said.
“That scared the industry. Because it was so fundamental, there was no simple way to get around that one,” he said. “It opened up the [industry’s] eyes that there’s a whole raft of potential new vulnerabilities. I think it’s forced everybody in the whole stack to think differently about what security needs to be going forward.”
Software patches against Spectre and Meltdown were rolled out going back multiple generations of processors, but chipmakers agreed that it would take a hardware fix to fully solve the issue.
While ensuring strong performance is also a motivation for requiring newer processors, that appears to be secondary to security with the Windows 11 CPU requirements, analysts said.
“The state of security has changed, with hardware embeds being more important to the posture,” said J.P. Gownder, vice president and principal analyst at Forrester.
Notably, Microsoft has pursued its strategy of requiring newer chips even amid an industrywide shortage of components, particularly processors. The shortages are constraining the production of PCs at a time when demand continues to be high and are expected to slow the rollout of Windows 11.
At least in the short term, Mainelli said he sees little evidence that Microsoft is expecting to drive a significant amount of new PC sales via its Windows 11 hardware requirements.
Currently, “the industry can’t make more PCs,” he said. “They’re making as many as they can.”
Fortunately, all indications suggest that upgrades of compatible PCs to Windows 11 will not be nearly as risky as the shift was from Windows 7 to 10, solution providers and analysts said. Because the two operating systems share a similar codebase, application compatibility from Windows 10 to 11 should not be a major issue if one chooses to upgrade—as long as one’s PC meets the CPU and TPM requirements, of course (see footnote).
For businesses that have put off refreshing their PC fleet, due to the pandemic or other spending restrictions, upgrading to Windows 11 may simply not be an option until more hardware becomes available.
Still, none of the solution providers who spoke with CRN for this article offered any criticism of Microsoft’s compatibility requirements for Windows 11.
At Kirkland, Wash.-based FusionTek, for instance, CEO Brian Miller applauded Microsoft for sticking to its strategy of putting security ahead of competing considerations. As a managed services provider, “we’re being asked to take care of and be responsible for our clients’ data,” Miller said.
Windows 11, he said, “is just giving us the right tools to do that. This sets that security bar higher.”
Footnote: While there are methods available for running Windows 11 on non-compatible hardware, which Microsoft is allowing but does not openly condone, businesses “should not take that chance,” said Derek Nwamadi, CEO of Dallas-based solution provider Quantum Symphony. Individual users who know what they’re doing may be able to pull this off without issues, but “as a business, it’s just a bad idea,” Nwamadi said.