Why VBS and TPM 2.0 are key for security on Windows 11

PC Security

Microsoft here with a rare explanation. The highly awaited Windows 11 is now generally available, with the rollout of the new OS having officially begun and set to continue deep into next year.

At the same time, there has been a lot of buzz around the security side of the new operating system, as well as the rather strict system requirements that Microsoft has set for it. The Virtualization-based Security (VBS) feature and the TPM 2.0 requirement in particular continue to generate talk.

Not all of which is positive, obviously.

Good thing then that a Microsoft executive is here to clarify why these security features are in place.

In an interview with Computer Reseller News (CRN), David Weston, Partner Director of Enterprise and OS Security at Microsoft, detailed why VBS is turned on by default in clean installs of Windows 11.

Explaining the need for such a feature in the first place, he said:

“Even if someone gets admin-level privileges—the highest level of privilege—they still can’t read what’s in this separate VM. It’s the exact same premise as how the cloud works today—you can be on a hardware machine with your bitterest rival, and you cannot read coded data across. We use that exact same technology shrunk down [for Windows 11].”

Redmond learned from Windows 10 that when features are made optional, people don't turn them on. They assume that if a feature were necessary, it would already be on. That is why the company took the drastic step of securing the user base by default.
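Whether VBS is actually running on a given machine, and whether the TPM meets the 2.0 bar, is something you can check rather than assume. The following is an added example, not code from the article or from Microsoft: it reads Microsoft's documented Win32_DeviceGuard and Win32_Tpm WMI classes and reports the state. Run it in an elevated PowerShell session, since Win32_Tpm is not visible to a standard user.

```powershell
# Added example (not from the article or from Microsoft): report VBS state and TPM
# spec level using the Win32_DeviceGuard and Win32_Tpm WMI classes.
# Requires an elevated session on Windows 10/11.
function Get-VbsTpmStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'not enabled' }
        1       { 'enabled but not running (reboot pending or a platform prerequisite is missing)' }
        2       { 'running' }
        default { "unknown ($_)" }
    }

    # SecurityServicesRunning lists the VBS-hosted services that are actually active:
    # 1 = Credential Guard, 2 = HVCI (memory integrity)
    $services = @()
    if ($dg.SecurityServicesRunning -contains 1) { $services += 'Credential Guard' }
    if ($dg.SecurityServicesRunning -contains 2) { $services += 'HVCI (memory integrity)' }
    $servicesText = if ($services.Count -gt 0) { $services -join ', ' } else { 'none' }

    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.59"; the first field is the spec level.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $meets20 = $false
    if ($tpm) {
        $spec = ($tpm.SpecVersion -split ',')[0].Trim()
        $parsed = $null
        if ([version]::TryParse($spec, [ref]$parsed)) {
            $meets20 = $parsed -ge [version]'2.0'
        }
        $tpmText = "spec $spec, enabled=$($tpm.IsEnabled_InitialValue), activated=$($tpm.IsActivated_InitialValue), owned=$($tpm.IsOwned_InitialValue)"
    } else {
        $tpmText = 'no TPM visible to the OS (absent, disabled in firmware, or session not elevated)'
    }

    [pscustomobject]@{
        VbsStatus          = $vbs
        VbsServicesRunning = $servicesText
        Tpm                = $tpmText
        MeetsTpm20         = $meets20
    }
}

Get-VbsTpmStatus | Format-List
```

A result of VbsStatus "enabled but not running" is the case worth chasing: it usually means the hypervisor could not start, for example because virtualization extensions or IOMMU support are disabled in firmware, so the protections the article describes are configured but not in effect.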

Weston also shared his thoughts on TPM 2.0, and how it together with VBS will help Microsoft realize its vision for the future of the Windows operating platform.

He called this the first click stop on the journey, the point where Microsoft can guarantee a TPM on every system and enable software developers to store credentials and keys in hardware:

“More applications can support passwordless by default. More applications can do data encryption. More applications can have zero trust protections, because we’ve got that virtualization-based capability to report on their integrity.

What you’ll see in the following versions of Windows 11 is us exploiting that to a much better extent to increase security. So, I think this is just the stage setting. This is act one. Act two and three, I think, are going to really bring some massive increases in security.”
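The "credentials and keys in hardware" point has a concrete shape on Windows: Microsoft Platform Crypto Provider is the CNG key storage provider that fronts the TPM. The following is an added example, not code from the article or from Microsoft. It creates an RSA key inside the TPM through that provider, signs a message, verifies it using only the public half, and then shows that even the local administrator running the script cannot export the private half. The key name and the message are assumptions for the demo; the machine needs a ready TPM 2.0.

```powershell
# Added example (not from the article or from Microsoft): a TPM-resident signing key
# via Microsoft Platform Crypto Provider. Key name and message are demo assumptions.
function New-TpmSigningDemo {
    param([string]$KeyName = 'Demo-TpmBackedSigningKey')   # assumed name

    $provider = [System.Security.Cryptography.CngProvider]::new('Microsoft Platform Crypto Provider')
    if ([System.Security.Cryptography.CngKey]::Exists($KeyName, $provider)) {
        [System.Security.Cryptography.CngKey]::Open($KeyName, $provider).Delete()   # start clean
    }

    $params = [System.Security.Cryptography.CngKeyCreationParameters]::new()
    $params.Provider     = $provider
    $params.KeyUsage     = [System.Security.Cryptography.CngKeyUsages]::Signing
    $params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None   # private half never leaves the TPM
    $params.Parameters.Add([System.Security.Cryptography.CngProperty]::new(
        'Length', [BitConverter]::GetBytes([int]2048), [System.Security.Cryptography.CngPropertyOptions]::None))

    # Key generation happens inside the TPM; the OS only ever holds a handle and the public key.
    $key = [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::Rsa, $KeyName, $params)
    $rsa = [System.Security.Cryptography.RSACng]::new($key)
    try {
        $message   = [Text.Encoding]::UTF8.GetBytes('constructed demo message')
        $signature = $rsa.SignData($message,
                                   [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                                   [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

        # Verify as a relying party would, with the public parameters only.
        $verifier = [System.Security.Cryptography.RSA]::Create()
        $verifier.ImportParameters($rsa.ExportParameters($false))
        $valid = $verifier.VerifyData($message, $signature,
                                      [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                                      [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

        # An admin can use the key, but an export of the private half is refused by the provider.
        $exportable = $true
        $exportError = ''
        try {
            $null = $rsa.ExportParameters($true)
        } catch {
            $exportable  = $false
            $exportError = $_.Exception.GetBaseException().Message
        }

        [pscustomobject]@{
            Provider             = $key.Provider.Provider
            KeySize              = $key.KeySize
            SignatureVerifies    = $valid
            PrivateKeyExportable = $exportable
            ExportError          = $exportError
        }
    } finally {
        $key.Delete()    # remove the demo key from TPM-backed storage
        $rsa.Dispose()
    }
}

New-TpmSigningDemo | Format-List
```

Expect SignatureVerifies to be True and PrivateKeyExportable to be False. That asymmetry is the whole point of the TPM requirement in this passage: credential theft by an attacker with admin rights becomes a matter of abusing the key while they hold the machine, not of copying it off and using it elsewhere.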

A noble goal, but not without blowback. Still, back when Redmond laid down the law, it said that these added security measures reduced malware infections by 60% on Windows 11 devices.