Best Tips of Windows 11 Changes vs Ransomware Attacks

Microsoft has come a long way since the release of Windows for Workgroups 3.0 many decades ago. In this article, we'll take a look at the Windows 11 changes vs ransomware attacks, and why you should consider a Windows 11 Pro upgrade. While not all of their previous client Operating System (OS) releases have been bug-free, Microsoft continues to improve the reliability, performance, and overall security of its Windows OS product line. Windows 11 Pro is a great example of that - a more secure client that performs better.

Is Windows 11 Upgrade Free?

Yes, Microsoft offers a Windows 11 upgrade free of charge for existing Windows 10 and 7 users. The new OS can be downloaded and installed from Windows Update on your computer. Microsoft also offers a compatibility check tool called Windows PC Health, to see if your computer meets the requirements to install and run Windows 11 Pro.

In case you are wondering, below is a list of the minimum system requirements for upgrading to Windows 11 Pro. To ensure that you can download some features, you'll need an Internet connection and an active Microsoft account.

Minimum System Requirements:

  • A compatible 64-bit 1 GHz CPU with at least 2 cores.
  • 4 GB of memory / RAM.
  • 64 GB of disk space.
  • Trusted Platform Module (TPM) 2.0 enabled.
  • UEFI Secure Boot.
  • Video card that supports DirectX 12 and WDDM 2.0

If you purchased your computer in the last 5 years, it will probably meet all of the above system requirements. The Windows PC Health tool will let you know if the compatibility test fails due to one or more components. For example, Windows 11 enforces the use of TPM 2.0 and if your device has the chip but it's not enabled, it will not allow you to proceed with the Windows 11 upgrade. You'll receive a message box similar to the one below.

PC Doesn't Meet Windows 11 Requirements

PC Health Check - TPM not enabled

If you still receive an error message that your computer can't run Windows 11, run the System Information program. This program can be run from Search by typing "system info" and shows a summary of components and their values. Check that the BIOS mode is set to UEFI and that Secure Boot is enabled.

Windows 11 Changes

Windows 11 provides several layers of protection against ransomware using built-in security features that take advantage of trusted technology. Some of these security features already exist in Windows 10 but are optional, whereas they are now required for Windows 11. For example, your laptop may already have the TPM 2.0 security chip and, as stated previously, if it's not enabled, you won't be able to install Windows 11 Pro.

The new OS supports UEFI Secure Boot, which is available in Windows 10 but is not enabled by default. Your computer is most likely using the traditional Master Boot Record (MBR), which will need to be changed in the Basic Input/Output System (BIOS) settings. This is needed to support Windows 11 Secure Boot. Another security feature available in Windows 10 is Microsoft Controlled Folder Access (CFA).

Using CFA, you may be able to prevent unauthorized programs from running and making changes on your computer. It offers protection at the memory level against malicious programs that attempt to hold your files and folders for ransom. This built-in security should be used as part of the security measures you have in place against a growing number of cyberattacks. Ransomware and phishing techniques remain two of the most popular methods for cyberattacks today.

When you combine CFA with a premium OneDrive account, you get a native solution that helps you to recover from a ransomware attack. It does this through a data recovery option to restore files and folders. These features are not new and have been introduced in previous Windows versions. TPM 2.0 was released some time in 2014, secure boot was introduced in 2004, and CFA has been available since Windows 10.

All tips are offered as informational only. If you choose to do any of these tips, you do so at your own risk.

Tip 1 - Enable Trusted Platform Module (TPM)

Trusted Platform Module (TPM) helps protect your device from ransomware attacks by making it resistant to data tampering using physical security functions. TPM is a hardware security chip on the motherboard that uses cryptographic processes when turned on. This module uses encryption keys and protects encrypted data (e.g., your credentials, critical data, and encryption keys) stored in the module.

Think of TPM as an embedded, firewall-like secure chip that protects against ransomware attempts to alter your data and boot sequence. TPM enforces system integrity by using its assigned keys to compare the system bootup with a previous known or correct startup, and enforces a conditional response if the audit fails. Without TPM turned on, you will not be able to use secure boot.

Tip 2 - Enable Unified Extensible Firmware Interface (UEFI)

UEFI helps protect your computer from ransomware attacks by providing additional security, such as secure boot mode. Although UEFI was optional in Windows 10, it is enforced as part of the Windows 11 changes to security. You can no longer run legacy or backward compatible BIOS if you want to run Windows 11. Microsoft uses UEFI to enhance security.

UEFI, Secure Boot, and TPM work together to prevent your device from booting up from unauthorized programs, such as bootkits and rootkits.

Tip 3 - Enable Windows 11 Secure Boot

The Secure Boot feature helps protect your computer from ransomware by preventing unauthorized operations or applications from running at boot time. It enhances the boot sequence security by checking the signature databases against the platform key to make sure signatures are valid. If Secure Boot detects that the firmware is not trusted, then UEFI forces a recovery mode and, if necessary, initiates an OEM remediation action. In short, Secure Boot checks the bootloader signature against the OEM keys to make sure it is valid and has not been tampered with. A sequence of Windows-level recovery actions follows:

  • Windows Recovery Environment loads and recovers original drivers.
  • Windows loads Antimalware software.
  • Windows initializes user mode.

Windows 11 Secure Boot requires the BIOS startup setting to be set to UEFI Only and the Compatibility Support Module (CSM) set to no, as Windows 11 is not backward compatible.
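The checks from Tips 1 to 3, and the System Information check described earlier, can be scripted. The following is an added example, not part of the original article; the function name Get-BootSecurityReport is hypothetical, and it only reads settings (run it from an elevated PowerShell session).

```powershell
# Added example: read-only report, run from an elevated PowerShell session.
function Get-BootSecurityReport {
    $findings = @()

    # BIOS mode as shown in System Information: Uefi or Bios (legacy).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    if ("$firmware" -ne 'Uefi') { $findings += 'Firmware is not in UEFI mode' }

    # A system disk still partitioned as MBR indicates a legacy-BIOS install.
    $style = (Get-Disk | Where-Object IsSystem | Select-Object -First 1).PartitionStyle
    if ("$style" -ne 'GPT') { $findings += "System disk is $style, not GPT" }

    # Confirm-SecureBootUEFI throws on legacy BIOS or without elevation.
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = $false }
    if (-not $secureBoot) { $findings += 'Secure Boot is off or unsupported' }

    # TPM: present, ready for use, and specification version 2.0.
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                 -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $tpmMajor = if ($spec) { ($spec -split ',')[0].Trim() } else { 'none' }
    if (-not $tpm.TpmPresent)   { $findings += 'No TPM detected (or disabled in firmware)' }
    elseif (-not $tpm.TpmReady) { $findings += 'TPM present but not ready' }
    if ($tpmMajor -ne '2.0')    { $findings += "TPM spec version is $tpmMajor, need 2.0" }

    [pscustomobject]@{
        FirmwareType   = $firmware
        SystemDisk     = $style
        SecureBoot     = $secureBoot
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        TpmSpecVersion = $tpmMajor
        Findings       = $findings
    }
}

Get-BootSecurityReport | Format-List
```

An empty Findings list means the firmware, disk layout, Secure Boot, and TPM settings discussed above are all in place.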

Tip 4 - Turn On Controlled Folder Access (CFA)

Controlled Folder Access (CFA) helps protect your computer from ransomware by examining applications against a list of trustworthy applications. CFA protects your folders by allowing controlled access to your protected and common folders by trusted software based on reputation. If the software is not on the trusted list, it is denied modifications to folders and files. The software's reputation is based on its demonstrated behavior: either prevalent and trustworthy, or malicious and untrusted. If considered highly reputable, it is added automatically to the trusted list.

CFA is not enabled by default although "Ransom Protection" shows a status of "No action needed" when you are in Windows Update. This is evident when you click on the "Manage ransomware protection" link and see the actual state of CFA. To turn CFA on, click on the toggle switch.

Below is a screenshot of the Ransomware Protection properties page. The Windows 10 to Windows 11 upgrade process did not offer a suggestion to turn this feature on. It would have been nice if the process tested for the condition or state of this setting and followed up with a suggestion. Once you sign in to your premium Microsoft OneDrive account, turn on the CFA feature, then specify the files and folders to synchronize and protect.

Windows Security - Ransomware Protection
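Because the "No action needed" status does not reflect whether CFA is actually on, the real state is better read from the Microsoft Defender preferences. The following is an added example, not part of the original article; the function names and the D:\Finance folder are hypothetical, and the commented commands change settings, so they are left for you to run deliberately from an elevated PowerShell session.

```powershell
# Added example: report the real CFA state and recent CFA events.
$cfaStates = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }

function Get-CfaStatus {
    $pref  = Get-MpPreference
    $value = [int]$pref.EnableControlledFolderAccess
    $state = $cfaStates[$value]
    if (-not $state) { $state = "Other mode ($value)" }
    [pscustomobject]@{
        State               = $state
        ProtectedFolders    = $pref.ControlledFolderAccessProtectedFolders
        AllowedApplications = $pref.ControlledFolderAccessAllowedApplications
    }
}

function Get-CfaEvents {
    param([int]$Days = 7)
    # Event 1123 = change blocked by CFA, 1124 = change that audit mode would have blocked.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-CfaStatus | Format-List
Get-CfaEvents -Days 7 | Format-Table -Wrap

# Suggested rollout: audit first, review events, then switch to blocking.
# Set-MpPreference -EnableControlledFolderAccess AuditMode
# Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'   # hypothetical folder
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Reviewing the 1124 audit events before switching to Enabled shows which legitimate programs would be blocked and need to be added to the allowed list.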

Tip 5 - Enable Windows 11 Virtualization based Security (VBS)

Windows 11 Virtualization based Security (VBS) is a security feature that creates an isolated segment in memory and stores and protects critical data, digital signatures, and encryption keys from malicious code running in the OS. VBS protects your system by preventing unauthorized applications, unsigned drivers, and malicious code from running in your computer memory. VBS is enabled in a fresh Windows 11 installation, but not when upgraded from Windows 10 to Windows 11 Pro.

It is not recommended that you edit the Registry if you don't know what you are doing. Make sure that you have a full backup before making any changes.

  1. Create a registry entry "EnableVirtualizationBasedSecurity" in path: "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard"
  2. Set the hexadecimal value to 1.
  3. Enable memory integrity in Core Isolation in Device Security of Windows Security.
  4. Restart your computer.
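Steps 1 and 2 can be done from an elevated PowerShell session, and the result can be verified after the restart. The following is an added example, not part of the original article; the function names are hypothetical, and the registry key is named DeviceGuard with no space.

```powershell
# Added example: run elevated; a restart is needed before the status changes.
$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Enable-VbsRegistryValue {
    # Steps 1 and 2: create the key only if it is missing, then set the value to 1.
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey | Out-Null }
    New-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-VbsStatus {
    # What is configured in the registry.
    $configured = (Get-ItemProperty -Path $dgKey `
        -Name 'EnableVirtualizationBasedSecurity' `
        -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity

    # What is actually running, as reported by the Win32_DeviceGuard class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    [pscustomobject]@{
        RegistryValue          = $configured
        VbsStatus              = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        # Service 2 in SecurityServicesRunning is memory integrity (HVCI), step 3.
        MemoryIntegrityRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

# Enable-VbsRegistryValue      # uncomment to apply steps 1 and 2
Get-VbsStatus | Format-List
```

After the restart in step 4, VbsStatus should read Running, and MemoryIntegrityRunning should be True once memory integrity has been turned on in Core Isolation.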

About Us

Everything IT Pros is a Managed Services Provider (MSP) that provides managed services to businesses of all sizes. We offer monthly-based subscription packages and we don't require long-term agreements to do business. We earn your business each month! If your company is looking for better IT support and security, considering outsourcing helpdesk, or looking to integrate with your internal IT, we can help you reach your outcome. Let us help you take advantage of the Windows 11 changes, Windows 11 secure boot, and Windows 11 virtualization based security.

Copyright © 2023. Everything IT Pros. All rights reserved.