Windows 11 offers chip to cloud protection to meet the new security challenges of hybrid work

As the world has changed over the past 18-months, companies have been wrestling with ways to keep employees and data protected as they support new ways of hybrid working. We built Windows 11 to be the most secure Windows yet with built-in chip to cloud protection that ensures company assets stay secure no matter where work happens.

Seventy-five percent of software decision-makers feel that the move to hybrid work leaves their organization more vulnerable to security threats.

The threat intelligence journey to build in protection

The expansion of both remote and hybrid workplaces brings new opportunities to organizations. But the expansion of access, increased number of endpoints, and desire for employees to work from anywhere on any device has also introduced new threats and risks. In 2020, Microsoft protected customers from 30 billion email threats, 6 billion threats to endpoint devices, and processed more than 30 billion authentications. Yet most employees still struggle to avoid clicking phishing links in email, spoofed websites, and more. The National Institute of Standards and Technology (NIST) shows a more than five-fold increase in hardware attacks over three years, and Microsoft’s initial Security Signals report found that more than 80 percent of Vice Presidents and above admitted to experiencing a hardware attack in the last two years.

We designed Windows 11 for today’s hybrid workplace. With Windows 11, hardware and software work together for protection from the central processing unit (CPU) all the way to the cloud so our customers can enable hybrid productivity and high-quality employee experiences without compromising security.

“In this new hybrid work environment, more information is being handled outside the confines of the traditional office and outside the control of IT departments. This creates new, acute security challenges and makes it more important than ever to add as many layers of protection as possible to keep devices secure. Hardware protections are a key component to instilling a higher degree of confidence that devices haven’t been compromised.”—Michael Mattioli, Vice President, Goldman Sachs

Windows 11: Security by default

NIST shows a more than five-fold increase in hardware attacks over three years, and Microsoft’s initial Security Signals report found that more than 80 percent of Vice Presidents and above admitted to experiencing a hardware attack in the last two years. To address the increasing sophistication and number of attacks against firmware/hardware, we partnered with manufacturers to create a new class of Secured-core PCs in 2019 and a new security-specific processor in 2020, the Microsoft Pluton, that redefines Windows security at the CPU. In Secured-core PCs, hardware-backed security features are enabled by default without any action required by the user or IT. Secured-core PCs were initially designed for highly targeted industries like financial services and healthcare with mission-critical roles that handle company IP, customer Personal Identifiable Information (PII), sensitive government data, financial information, or patient history. But as the move to hybrid work becomes the new normal and the threat landscape becomes more complex, the need to apply better security features from chip to cloud becomes a high priority.

Eighty percent of security decision-makers believe software alone is not enough protection from emerging threats.

We leveraged our learnings from secured-core PCs and brought them to Windows 11. The new hardware security requirements that come with Windows 11 are designed to build a foundation that is even stronger and more resilient to attacks. Windows 11 isolates software from hardware. This isolation helps protect access—from encryption keys and user credentials to other sensitive data—behind a hardware barrier, so malware and attackers can’t access or tamper with that data during the boot process. And Windows 11 requires hardware that can enable even more protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. The combination of these features has been shown to reduce malware by 60 percent on tested devices. All Windows 11 supported CPUs have an embedded Trusted Platform Module (TPM) chip, support secure boot, and support virtualization-based security (VBS) and specific VBS capabilities, fully turned on out-of-the-box.

Windows 11: Powerful security from chip to cloud. For a comprehensive view of the Windows 11 security investments, see the Windows 11 Security book.

Enhanced hardware and operating system security

With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional security barriers, separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering. In Windows 11, hardware and software work together to protect the operating system, with VBS and Secure Boot built-in and enabled by default on new CPUs. Even if bad actors get in, they don’t get far.

Robust application security and privacy controls

To help keep personal and business information protected and private, Windows 11 has multiple layers of application security to safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need.

Secured identities

Passwords are inconvenient to use and prime targets for cybercriminals—and they’ve been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their applications and cloud services.

Connecting to cloud services

Windows 11 security enables policies, controls, procedures, and technologies that work together to protect your devices, data, applications, and identities from anywhere. Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools to attest that any Windows device connecting to your network is trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune that works with Microsoft Azure Active Directory to control access to applications and data through the cloud.

Learn more

Windows 11 rises to the challenge of modern threats of hybrid computing and enables customers to get ultimate productivity and intuitive experiences without compromising security.

For customers who aren’t ready to transition to new devices, the baseline security features in Windows 11 are also available on Windows 10, which will be remain supported through October 14, 2025. We are committed to supporting Windows 10 customers and offering choices in their computing journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.