With the release of Windows 11 come a host of new security features and a boatload of new terminology to get to grips with. A lot of these terms have been around for many years, but it is important to know what they are to understand the newer security features and how they work. 

Virtual Machine 

A virtual machine (VM) is like a computer, in that it has memory, you can store files on them and run programs, but they don’t physically exist. They aren’t hardware. They use the resources of a physical machine, such as your actual computer, but exists as its own environment, allowing you to run separate processes. 


A hypervisor is the software used to create and run virtual machines. You can use one hypervisor to create many virtual machines on one computer to share out the resources. 

Virtualization-based Security (VBS) 

Virtualization-based Security (VBS) is the technology that utilises a hypervisor and virtual machines to isolate processes from one another. The idea behind it is that if any one process is compromised, such as a virus or ransomware infecting it, the issue will not spread outside of the affected VM. A hacker would not be able to gain access to data or programs stored on your computer, even if they gained access to the VM that is running on your machine, for example. 


The kernel is an important part of the operating system (OS). It is the interface between your hardware and software, responsible for managing processes, memory usage, devices and more. 

Kernel Data Protection 

The current trend for hackers is aiming to corrupt data stored on a machine. They do this by gaining access to a machine and changing security policies, modifying account privileges and other techniques. Kernel Data Protection (KDP) is a relatively new technology that protects part of the kernel and drivers through the use of VBS. KDP allows some kernel memory to be labelled as “read-only”, which means that it can’t be altered by a hacker should they gain access. 

Memory Integrity 

Memory integrity makes use of VBS to prevent malicious code being inserted into certain processes. It regularly checks and verifies the integrity of code that is running core processes to ensure it hasn’t been modified. 

Application Guard 

Application Guard protects from attacks coming through applications that access the internet. Most obviously, web browsers such as Edge, Chrome and Firefox are protected from malicious websites and malware attacks. However, it also protects against attacks coming through other applications such as Word and Excel. 

Encryption & Decryption 

Encryption is when data is mixed up so it can not be understood by a person. If anyone gains access to this data it will not be useful, unless they have a decryption key, which will unscramble the data. It means that only those who are authorised to access data are able to do so, through the use of a decryption key or a password. 

TPM 2.0 

Trusted Platform Module 2.0 (TPM 2.0) is the first piece of hardware on this list of Windows 11 security features. It is a chip, located on the motherboard, which is known as a secure cryptoprocessor. Essentially, it handles encryption, holding a part of the decryption key which is used to access data and processes. Hackers would need to have access to this key, which isn’t easy to gain access to, considering it is on the chip itself! TPM 2.0 provides an excellent boost in security as it has to give permission for certain processes to run. It can also store information such as biometric data and keys for other processes for extra security. 

Windows Hello enhanced sign-in 

Windows Hello has been around for a while, but with the use of TPM 2.0, it is much more secure now. Windows Hello allows you to use extra methods to sign in to your computer. This includes biometric data like facial, fingerprint and even iris recognition, should you have the relevant devices for each. 

Secure Boot  

Secure boot is an internationally accepted security standard that was developed by the industry to only allow trusted software to run when a PC is booted up. Firmware checks the software and if everything is valid and untampered then the operating system (OS) can take over and continue with start up. It is a feature of UEFI. 


Unified Extensible Firmware Interface (UEFI) is similar to BIOS, which you may know from when you’ve accidentally pressed a button whilst your computer loads up and you get that simple blue screen with white text and can only control it with your keyboard. However, UEFI is a lot more sophisticated, using images and an interface that can be controlled with both a keyboard and mouse. It is also more advanced in terms of the range of features and it loads faster than BIOS, meaning that computers will load up faster when you turn them on. 

Contact Us  

If you have any questions about Windows 11 security features, or need help rolling out the update across your fleet of machines, we’re here to help. Our experienced team at Nutbourne have years of experience with major software updates and procuring new computers. Whatever you need, just give us a call. 

So, if you’d like to find out more about our software management services or our work more generally as a London managed service provider, then get in touch! Contact Nutbourne today on +44 (0) 203 7273 or by filling out an enquiry form on our website.