Forum Discussion
Karl-WE
Dec 17, 2024 MVP
BLOG: Windows 11 security and how to get there, if you want
Intro
The goal of this blog post is to give guidance on the recommended security settings in Windows 11 (or Windows Server) today.
Many of them are not enabled or enforced.
One of the key requirements for Windows 11 is the presence of a "TPM 2.0 chip" on your hardware.
Also, Secure Boot and HVCI (Core Isolation) should be enabled. We will come to the details of that later.
For the sake of flexibility and compatibility, many settings that are feasible are not fully enforced on Windows 11 24H2 and Windows Server 2022 and 2025, the supported operating systems in Mainstream Support.
From a high-level perspective, these are settings I would recommend changing in Windows Security center:
Recommended settings in Windows Security
Device Security > Make sure Core Isolation, Security Chip and Secure Boot are enabled.
Device Security > BitLocker
BitLocker is optional but recommended. It is best to keep a physical (printed) copy of the BitLocker Recovery Key and a copy saved to your Microsoft account. BitLocker makes sense if you are concerned that your computer / device could be stolen and it contains important files (incl. OneDrive pinned or cached files).
It's a bit beyond this guidance, but for BitLocker I would change the local group policy on Windows 11 Pro and enable XTS-AES 256 for the OS drive as, very unfortunately, the BitLocker default encryption is still compatible with Windows 7 (XTS-AES 128).
Device Security > Core Isolation and all settings on this page
App and Browser Control > Settings for reliability related security
Some security settings on this page are linked with the Password and Downloads Security settings in Edge browser.
So, you'll notice that Microsoft's feature-rich Chromium-based browser is more tightly integrated into the free-of-charge, market-leading Defender security sphere than its counterparts such as Chrome, Opera, et cetera. Remember, while sharing the same open-source codebase and combined efforts, MS Edge is a fork.
What's the fuss about TPM, fTPM and vTPM?
Several types of TPM, not necessarily a discrete chip
In most modern computers or servers, a TPM "chip on the hardware" is not a discrete TPM chip on the mainboard, which caused a lot of fuss in 2021 and led to overpriced chips. On top of that, discrete chips allow "easier" local hardware attacks.
Rather, it is a security feature integrated into the silicon of your Windows 11 supported processor (CPU).
In modern UEFI BIOS this TPM is often called vTPM or fTPM.
Why and how to update the UEFI BIOS (regularly):
If you have never updated the BIOS on your OEM device or custom-built PC, please consider doing so.
This is what you can expect from UEFI BIOS updates:
- Security improvements for mainboard, Secure Boot, certificates, and CPU.
- Intel CPU microcode updates (especially important for Intel 13/14gen)
- AMD AGESA updates
- Intel ME firmware and security updates.
- Many vendors changed their defaults to improved TPM and Secure Boot settings, to comply with Windows 11 requirements.
Prerequisites:
In all cases, for portable devices, PCs and servers, make sure that power remains connected and that you do not shut down, restart (unless prompted) or power off during the update.
Before starting:
- Connect Power (esp. portable devices)
- Make sure to pause / suspend (not disable) BitLocker, if enabled, and make sure you can reach your Microsoft Account via mobile to access the BitLocker recovery key in the worst case.
Updating UEFI on OEM Hardware
OEM hardware vendors often provide validated UEFI updates directly via Windows Update. These also take care of suspending BitLocker. The power connection advice still applies; Windows Update will not prompt you for this.
UEFI Security recommendation
If you can select it in the UEFI security settings, I would disable SHA-1 / SHA-128 and enable SHA-256 and higher. If you have 256 and 384 support, it's fine to enable both.
For custom-built PCs please refer to the mainboard vendor's manual. They are worth a read.
What about TPM and VMs?
If you have a TPM or vTPM / fTPM on your hardware and it is properly configured in UEFI, you can additionally enable a vTPM for VMs in modern versions of Hyper-V on Windows Client and Windows Server.
The VM must be Generation 2, VM Version 9.0 or later and have UEFI enabled.
This vTPM offers the same security layer as on physical hardware.
Note that this is also available in recent VMware ESXi 7.0 or later / vSphere, but it is often not enabled or embraced as a VM default.
Sidenote: What about Windows Server?
Windows Server 2022 and 2025 do benefit from the TPM and Secure Boot, same as Windows 11 clients; however, the setup does not enforce specific settings.
Why are settings not enforced, strictly? And why the Microsoft account?
Secure Boot
In fact, anyone can still boot Windows 11 and Windows Server without Secure Boot enabled.
Which I think is a huge miss. This should be possible, as Secure Boot and compatible GOP-bootable devices, such as GPUs, have been available for an exceedingly long time, since ~2011/2012, the era of Intel Sandy Bridge. GTX 670, anyone?
TPM and Windows Hello
A TPM is required for Windows Hello and BitLocker. It stores your secure PC login, which never leaves the PC towards the internet. A Microsoft account with Windows Hello in Windows 11 24H2 even supports modern passkeys. (Edge will offer to translate this page from the German BSI into your own language.)
Microsoft Account
It's safer than passwords with local Windows accounts, like "Administrator / password" combinations, something we have had since Windows NT / 3.0 / 95.
Still, many insist on using these "offline accounts" for fear of having a Microsoft account.
A Microsoft Account does not usually require internet to log in with Windows Hello.
As with the enforcement or lazy "allowance" by Microsoft, the discussion on Microsoft Account enforcement in Windows 11 is, imho, a bit of a double standard. The same people who are often OK with having a Google or Apple account securing or accessing another sphere suddenly strictly disagree with the security benefits of a highly secure password-free Microsoft account to protect and sync their personal settings, OneDrive, Edge on all devices.
Trust me, with Windows 11, a Microsoft account and winget, reinstalling / refreshing your Windows PC is like a breeze that smells like Apple(s).
The final: Exclusions! Exclusions everywhere!
Yes, my face looks exactly like Woody's, thinking about the inconsistencies - I really dislike inconsistencies in general. So my look is like that: Afraid like Woody's, respectfully, not Woody Leonard's, though.
There are different people with different opinions and use cases and that's ok.
Security on Windows 11 for consumers is important.
In the last 5 years, I saw people being encrypted and losing their entire digital life.
This would not have happened with the recommended top-notch security measures of Microsoft, plus a performant and dependable offline backup such as Macrium Reflect, among other solutions available.
Microsoft still does not go all in on security, for consumers.
For Windows 11 there are plenty of workarounds. Windows Server 2025 does not even include any enforcements, neither Secure Boot, modern CPUs nor TPM. That's a shameful exception to all the rules and fuels the dry taste on Microsoft's security-first tongue.
Virtual Machines also form exceptions. All of this appears inconsistent and is highly debated everywhere.
Please do me a favour and refrain from spawning another place for it in the comments. It's all well-known.
I hope that this guidance is something you can leave a thumbs up for, regardless of "political" and "environmental" decisions. I am not speaking for Microsoft, just sharing my knowledge as a Windows Insider and MVP, which is a community-oriented program.
Thanks for your feedback on the subject, leaving thumbs up and sharing.
Cheers for security and Windows!
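An added example, not part of the original post or any Microsoft tooling: a read-only PowerShell audit of the Device Security settings the post recommends (TPM, Secure Boot, Core Isolation / memory integrity, BitLocker with XTS-AES 256 on the OS drive). The function name `Get-DeviceSecurityBaseline` and its output property names are this example's own; it assumes an elevated session on an edition that ships the BitLocker module, such as Windows 11 Pro.

```powershell
# Added example: read-only audit of the settings recommended in the post.
# Run in an elevated PowerShell session on the machine being checked.
function Get-DeviceSecurityBaseline {
    $result = [ordered]@{}

    # TPM: discrete, firmware (fTPM) and virtual TPMs all report through Get-Tpm.
    $tpm = Get-Tpm
    $result.TpmPresentAndReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # Secure Boot: the cmdlet throws on legacy BIOS systems, which is treated as "off".
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $result.SecureBoot = $false }

    # Core Isolation / memory integrity: id 2 in SecurityServicesRunning is HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.MemoryIntegrity = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # BitLocker on the OS drive: protection state and the cipher actually in use.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $method = 'n/a'
    if ($vol) { $method = [string]$vol.EncryptionMethod }
    $result.BitLockerOn     = [bool]($vol -and $vol.ProtectionStatus -eq 'On')
    $result.BitLockerMethod = $method
    $result.BitLockerXts256 = ($method -eq 'XtsAes256')

    [pscustomobject]$result
}

$baseline = Get-DeviceSecurityBaseline
$baseline | Format-List

# List every boolean check that does not meet the post's recommendation.
$failed = $baseline.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value }
if ($failed) {
    "Not meeting the recommendations: $($failed.Name -join ', ')"
}
```

`BitLockerMethod` reports the cipher the volume was encrypted with; changing the group policy afterwards affects newly encrypted drives only, so an existing XTS-AES 128 volume stays that way until it is decrypted and encrypted again.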
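An added example, not part of the original post: a PowerShell check of every Hyper-V VM on a host against the vTPM prerequisites named in the post (Generation 2, VM version 9.0 or later) together with its current Secure Boot and vTPM state. The function name `Get-VmTpmReadiness` and the VM name `ExampleVM` are placeholders of this example; it assumes an elevated session with the Hyper-V PowerShell module installed.

```powershell
# Added example: report which Hyper-V VMs meet the vTPM prerequisites from the post.
# Run elevated on the Hyper-V host.
function Get-VmTpmReadiness {
    foreach ($vm in (Get-VM)) {
        $isGen2    = $vm.Generation -eq 2
        $versionOk = [version]$vm.Version -ge [version]'9.0'

        # Firmware and security settings are only queried for Generation 2 (UEFI) VMs.
        $tpmOn      = $false
        $secureBoot = 'n/a'
        if ($isGen2) {
            $tpmOn      = [bool](Get-VMSecurity -VM $vm).TpmEnabled
            $secureBoot = [string](Get-VMFirmware -VM $vm).SecureBoot
        }

        [pscustomobject]@{
            Name         = $vm.Name
            Generation   = $vm.Generation
            Version      = $vm.Version
            MeetsPrereqs = ($isGen2 -and $versionOk)
            SecureBoot   = $secureBoot
            VTpmEnabled  = $tpmOn
        }
    }
}

# VMs that could have a vTPM but do not have one enabled yet.
Get-VmTpmReadiness |
    Where-Object { $_.MeetsPrereqs -and -not $_.VTpmEnabled } |
    Format-Table -AutoSize

# Enabling is left commented out because it changes the VM; the VM must be shut down first.
# 'ExampleVM' is a placeholder name.
# Set-VMKeyProtector -VMName 'ExampleVM' -NewLocalKeyProtector
# Enable-VMTPM -VMName 'ExampleVM'
```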