What is a secure core computer in Windows 11
We know that all of our computers are exposed to threats of every kind. That is why Microsoft developed a more secure class of business computers called Secured-core PCs. Some of their features are now part of Windows 11. Let's see what a Secured-core device is.
Any computer with any operating system is threatened today, as there are many ways in which this type of device can be affected.
Microsoft knows perfectly well that this happens and, therefore, has provided its operating systems with ways to defend themselves both in Windows 10 and 11 versions, which are the last two.
To fight all these threats effectively, Microsoft and some of its manufacturing partners developed Secured-core PCs for business: a set of features that protect firmware, hardware, user credentials and other critical system data.
It also offers additional security for sensitive data such as intellectual property, classified intelligence, and financial information.
Some of these Secured-core security features are included in all editions of Windows 11, including advanced firmware protection and dynamic root-of-trust measurement.
It is interesting to know what a Secured-core PC looks like, especially to see how it differs from a home laptop.
Microsoft calls the most basic part of Windows 11 security its security baselines. They vary depending on the type of device and the specific threats that exist at the time, such as web security or the protection of sensitive data.
This term refers especially to devices running Windows Pro, although some basic elements are also included in the Home edition.
Proof of this is TPM 2.0 (Trusted Platform Module version 2.0), which Microsoft made an essential requirement for installing Windows 11 on a computer.
This hardware security function stores encryption keys securely in order to identify both software and hardware, and to protect biometric identity and other data.
Secure Boot, Windows Hello, and Bitlocker
Another security line is the secure boot of the operating system, in which only signed systems are allowed to run, together with Windows Hello, whose biometric identification system also belongs to this line.
Finally, another of these security lines is BitLocker encryption. This data protection system is not available in Windows 11 Home, but a lighter version called Windows Device Encryption (Device Encryption) is supported there.
To check whether Device Encryption is enabled, open the Settings app, go to System > About and look for Device encryption at the bottom of the panel. If nothing about Device Encryption appears there, your computer is not compatible.
Secure Core Computers
These are computers created by Microsoft and a series of manufacturers, aimed at customers who need a higher level of security than the one Windows 11 already offers.
Computers of this type can be used by governments that handle highly private information, by banks, by security companies, by holders of intellectual property and even by critical infrastructure engineers.
We are talking about protection even against personal and physical attacks aimed at stealing the data stored on these devices. Not only that: it also addresses a wide range of firmware attacks whose purpose is to keep control of the computer at all times, even if the operating system has been erased.
Protection against memory attacks
An example of these systems is protection against direct memory access (DMA) attacks, in which a malicious device connects to the computer through a Thunderbolt, USB or PCIe port or some other form of direct access.
With an attack of this type, encryption keys or control of the system can be obtained. For a DMA attack to work there has to be physical access and a vulnerable device, so at the ordinary user level it is practically impossible for someone to get into our computer this way, but for people with high responsibilities it can happen.
Another Secured-core PC feature that addresses threats of this kind is Virtualization-based security (VBS).
This security feature is optional in Windows 11 Home, but only on newer devices, as early devices that upgraded to version 11 may not have received this capability.
Memory Integrity runs key processes inside a virtualized environment, which reduces the chances of any kind of malicious attack on them.
This means that an ordinary user with this capability enabled could run into problems with VirtualBox-style virtual machines, and overclocking will also be restricted or much more complicated.
For ordinary users: Memory Integrity can be activated on an up-to-date Windows 11 system by going to Start > All Apps > Windows Security > Device Security > Core Isolation Details (inside Core Isolation) > Memory Integrity (turn on).
System Guard and DRTM
In addition, Secured-core computers have two more features: System Guard and Dynamic Root of Trust Measurement (DRTM).
Both work together to ensure a secure system boot.
System Guard takes care of system integrity during startup and then checks its good condition through remote and local verification methods.
Dynamic Root of Trust Measurement (DRTM), we can say, is the part of System Guard that lets the system start from an untrusted state and still pass the check that System Guard performs.
This way, every possible variant of the BIOS that runs at boot is checked against known-good measurements. The system ensures that all parts of the boot go through known and trusted paths so that operation proceeds without any kind of problem.
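As an added example that is not part of the original article, the following PowerShell script gathers in one place the checks described above (TPM 2.0, Secure Boot, Device Encryption on the system drive, VBS and Memory Integrity, DMA protection, and System Guard Secure Launch) using the built-in cmdlets and the Win32_DeviceGuard WMI class. The numeric status codes are assumed from Microsoft's documentation for that class; run it from an elevated prompt.

```powershell
# Added example (not from the original article): report which of the Secured-core
# building blocks are present and active on this Windows 11 machine.
# Get-Tpm and Get-BitLockerVolume need administrator rights.
#Requires -RunAsAdministrator

function Get-SecuredCoreStatus {
    $report = [ordered]@{}

    # TPM 2.0: present and ready for use (Windows 11 installation requirement).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $report['TPM present and ready'] = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # Secure Boot: only signed boot components are allowed to run.
    # Confirm-SecureBootUEFI throws on legacy BIOS machines, so treat that as "not enabled".
    try { $report['Secure Boot enabled'] = Confirm-SecureBootUEFI }
    catch { $report['Secure Boot enabled'] = $false }

    # BitLocker / Device Encryption on the system drive (same state Settings > System > About shows).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $report['System drive encrypted'] = [bool]($os -and $os.ProtectionStatus -eq 'On')

    # VBS, Memory Integrity (HVCI), Secure Launch and DMA protection as reported by
    # Win32_DeviceGuard. Codes assumed from Microsoft's documentation for the class:
    #   VirtualizationBasedSecurityStatus: 2 = running
    #   SecurityServicesRunning: 2 = HVCI (Memory Integrity), 3 = System Guard Secure Launch
    #   AvailableSecurityProperties: 3 = DMA protection supported by the platform
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $report['VBS running']                        = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    $report['Memory Integrity (HVCI) running']    = [bool]($dg -and $dg.SecurityServicesRunning -contains 2)
    $report['System Guard Secure Launch running'] = [bool]($dg -and $dg.SecurityServicesRunning -contains 3)
    $report['DMA protection available']           = [bool]($dg -and $dg.AvailableSecurityProperties -contains 3)

    return [pscustomobject]$report
}

# Print the checklist; a "False" row points at the setting to review
# (e.g. Windows Security > Device Security > Core Isolation for Memory Integrity).
Get-SecuredCoreStatus | Format-List
```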
As you have read, having a Secured-core PC means fighting all the advanced threats that try to get into the computer, whether virtually or physically. The good news is that some of these capabilities are even in Windows Home, which gives an idea of the security of Microsoft's operating system.