This is such a cool video. It's so hard to describe the importance of Windows 11 security to my clients who upgraded. They look at "enthusiasts" videos on RU-vid and think that all of these security features will slow their PC down and are totally unnecessary. (1) They don't even game for a living, (2) their systems hold important customer and company information. Having a video that neatly describes and demonstrates how hacking/computer attacks are done is an absolute godsend, as now I can just send them these videos to help them understand the potential risks better.
So essentially people running hardware that supported these features would have a more secure experience by default. Everyone else would have had the same protection they had on Windows 10. I was always under the impression that installing Windows 11 on unsupported hardware gave you a less secure experience than Windows 10. Nope, just as if you were running Windows 10. (Assuming you get updates).
You'd have to enable some features in Windows 10 to maximize its capability. Core Isolation is off by default in Windows 10 even if the hardware supports it. With the right settings, Windows 10 should be about as secure (though some virtualization tools may have issues with Core Isolation).
Wouldn't the in-person attack have been thwarted due to VBS / DMA protection? Did the SecureBiometrics registry key make any difference in that regard? Also, is SecureBiometrics enabled by default in RTM Windows 11?
I was in a meeting with (unspecified) police IT yesterday and they 'complained' about Windows 11 being too secure to effectively penetrate for criminal investigations. Sounds pretty secure.
Nice video and nice performance with gummi bear :D BTW it would be really nice if MS Mechanics could make a video about Windows Core OS or OneCore. After I saw the concept in the Surface Neo announcement, I'm deeply interested in the idea. However, I couldn't find any good documentation about that.
Regarding the fingerprint scanner and Windows 11. Let's assume BitLocker is not enabled. Could someone still just boot WinPE from outside of Windows and have access to the file system?
That's always been the case and isn't platform specific. If there is no encryption on the drive and you're allowed to boot a parallel OS and see the data on the drive, it can be read and written to.
That's right. Much of what we showed was introduced as part of Secured-core PCs requirements back in 2019. You can get most of these protections now in Windows 10.
It would be nice to know which part stops these attacks. For instance, would the secure boot without TPM or with an older version of TPM block the attacks?
TPM and Secure Boot with Trusted Boot blocked the boot file modifications and will block bootkits and rootkits. TPM 1.2 supports Secure Boot, but it's limited to RSA and SHA-1 hashing. TPM 2.0 supports newer algorithms and more crypto options. See docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations
Yes, UEFI is only one component. You'd also want to enable virtualization-based security, Secure Boot, Trusted Boot, etc. Good news is that most of what we showed is available in Windows 10, except where these were optional controls on new PCs, they are default on new PCs shipping with Windows 11.
Yes, you can, if your hardware supports it. These are almost all part of the Secure Core PC configurations that have been documented since October 2019. They were more optional then and now more PCs can benefit from them.
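Several replies above say that the protections shown (TPM 2.0, Secure Boot, virtualization-based security with Core Isolation/HVCI, and disk encryption for the WinPE scenario) are available on Windows 10 but not all enabled by default. The following is an added example, not code from the video, Microsoft, or anyone in this thread: a PowerShell check that reports whether each of those protections is actually on for the local machine, using the standard Win32_Tpm, Win32_DeviceGuard, Confirm-SecureBootUEFI and Get-BitLockerVolume interfaces; the function name and the expected-baseline table are my own.

```powershell
# Added example (not from the video or this thread). Run from an elevated PowerShell on
# Windows 10/11; Secure Boot, TPM and BitLocker queries need administrator rights.
function Get-SecuredCorePosture {
    $report = [ordered]@{}

    # TPM presence and spec version (1.2 vs 2.0). SpecVersion is a string such as "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report['TpmPresent'] = [bool]$tpm
    $report['TpmVersion'] = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Secure Boot state. The cmdlet errors on legacy BIOS firmware; treat that as "not enabled".
    try   { $report['SecureBoot'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $report['SecureBoot'] = $false }

    # VBS and HVCI (shown as Core Isolation / Memory integrity in Windows Security).
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $report['VbsRunning']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $report['HvciRunning']            = ($dg.SecurityServicesRunning -contains 2)
    $report['CredentialGuardRunning'] = ($dg.SecurityServicesRunning -contains 1)

    # BitLocker on the OS volume: without it, an alternate OS booted from external media can read the disk.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $report['OsDriveEncrypted'] = ($osVol.ProtectionStatus -eq 'On')

    [pscustomobject]$report
}

# Usage: print the posture, then warn about anything below the baseline that Windows 11 expects
# on new PCs (TPM 2.0, Secure Boot, VBS + HVCI running, encrypted OS drive).
$posture = Get-SecuredCorePosture
$posture | Format-List
$baseline = @{ TpmVersion = '2.0'; SecureBoot = $true; VbsRunning = $true; HvciRunning = $true; OsDriveEncrypted = $true }
foreach ($key in $baseline.Keys) {
    if ($posture.$key -ne $baseline[$key]) {
        Write-Warning "$key is '$($posture.$key)'; the Windows 11 baseline expects '$($baseline[$key])'"
    }
}
```

A machine that passes every check has the same default protection set as a new Windows 11 PC, whichever Windows version it runs; a warning on VbsRunning or HvciRunning usually means Core Isolation is supported but still switched off, as one of the comments above notes for Windows 10.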