I will give you this -
If virtualization-based security (VBS) can actually defeat ransomware, malware, and viruses for good (not just until the better, smarter ransomwares come around) then the TPM pre-requisite may be worth it, but I definitely have my doubts.
I agree time will tell. There is a lot of money involved in ransomware/malware, which is used to fund new ransomware/malware development, so it could be all for nothing. Someone pointed out in another thread that OEMs and hardware makers should have been shipping hardware with all the security features enabled by default, and I agree. MS did try to make Secure Boot required for Windows 8.1, but backed down. I don't think they can this time; all the security stuff really does require the CPU to support multiple things that are relatively new considering the time it takes from being a concept CPU (for lack of a better term) to being assembled in bulk, sold to OEMs, and made publicly available if you build your own machine.
Yes, you were 100% correct and I was wrong. You can encrypt an already encrypted filesystem. I have no issues admitting when I am wrong, so thanks for pointing that out. Honestly, I wish we could trust hard drive manufacturers to support encryption at the hardware level. Hardware solutions are almost ALWAYS better than software solutions in my experience, both in performance and actual security gained, but based on some brief research, consumer-level hard drive manufacturers just can't be trusted not to leave a potential back door. I am sure enterprise hard drives do support it, as enterprise-level hardware is more expensive and if they get caught, they lose a LOT of money compared to home users. There is a reason Lenovo and others only put backdoor software on consumer-level laptops but not their business ones like ThinkPads a few years back.
BitLocker currently slows down my read speeds by 1GB/s. According to CrystalDiskMark, I consistently get 4600MB/s on sequential reads with BitLocker disabled. I consistently get 3500/3600MB/s on sequential reads with BitLocker enabled. Write speeds are closer, although still slower when BL is enabled. 4K random and sequential read/write speeds are pretty much the same. While I know software-based encryption slows down drives, 1000MB/s is close to losing 1/5th of the read speed, and I often transfer large files; right now, my internal NVMe drive seems to be the bottleneck when transferring data to my external Samsung X5 NVMe TB3 drive (no BitLocker on external drives, fully decrypted).
Yes, that article was about compromising one computer with physical access to get access to a business/etc. network and compromising the company's VPN or LAN, among other things, not someone clicking on a link they obviously shouldn't be. Hopefully this is where VBS really helps, but we will have to wait and see. I came across another article that lists another security feature that works out of the box with Edge, but you have to install an optional feature, an app from the MS Store, and a Chrome/Firefox extension to get it working in other browsers. Sounds like MS tried to bury this feature to make Edge seem more secure. One article I read said it was useless in Windows 10 Pro and only worked on Enterprise, while another said the opposite. Being able to sandbox Office is good, as malware attachments are often sent in an Office file format of some kind.
While Edge is better now that it is Chromium based, I rarely use it. I use the Chrometana Pro extension, along with EdgeDeflector (which can oddly be downloaded via winget). Essentially it redirects searches through Start/Cortana, anywhere, so you can do internet searches without having to use Bing and Edge and use Chrome and Google every time. Pretty nice to just be able to hit WINKEY and type in "dogs are cool" and have Chrome open with the Google search results. I could live with Edge but I can't stand Bing; you can't change the search engine, and MS needs to quit trying to make Bing a thing.
VBS sounds promising, and if you have all the supported hardware that is needed for 11, you can turn on every one of these features in Windows 10 Pro; you just have to manually enable them in the BIOS and in the OS.
https://www.zdnet.com/article/windo...rity-heres-how-to-get-it-in-windows-10-today/
The CPU must support Intel's VT-x and AMD-V; while neither is new, it also requires VT-x/AMD-V to support Second Level Address Translation (SLAT), which is newer, hence the CPU compatibility list being what it is.
There's an additional HVCI requirement that any I/O devices capable of Direct Memory Access (DMA) sit behind an IOMMU (Input-Output Memory Management Unit). Those are implemented in processors that support Intel VT-d or AMD-Vi instructions (also required for 11, not talked about, but relatively new).
Should the browser become infected by scripting or malware attacks, the Hyper-V container, which runs separately from the host operating system, is kept isolated from your critical systems processes and your enterprise data.
MDAG is combined with Network Isolation settings configured for your environment to define your private network boundaries as defined by your enterprise's Group Policy.
https://hitechglitz.com/windows-11-...rity-heres-how-to-get-it-in-windows-10-today/
One particular feature that many Windows users are unfamiliar with is Microsoft Defender Application Guard (MDAG). (***Based on group policy and appears to be geared towards businesses, but can be configured via local group policy also, with scripts available to set local GPO options already out there.)
This is another virtualization-based technology (also known as "Krypton" Hyper-V containers) that, when combined with the latest Microsoft Edge (and current versions of Chrome and Firefox with an extension), creates an isolated storage instance of your browser. It prevents your system and company data from being compromised by untrusted websites.
Should the browser be infected by scripting or malware attacks, the Hyper-V container, which runs separately from the host operating system, remains isolated from your critical system processes and your company data.
MDAG is combined with network isolation settings configured for your environment to define your private network boundaries according to your company’s group policy.
In addition to protecting your browser sessions, MDAG can also be used with Microsoft 365 and Office to prevent Word, PowerPoint, and Excel files from accessing trusted resources like corporate credentials and data. This feature was released in August 2020 as part of a public preview for Microsoft 365 E5 customers.
MDAG, which is part of Windows 10 Professional, Enterprise, and Educational SKUs, is activated through the Windows Features menu or a simple PowerShell command. It doesn’t require Hyper-V to be enabled.
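Since the thread keeps coming back to "do I actually have TPM / Secure Boot / VBS / HVCI, and is MDAG turned on", here is a PowerShell check script I put together for this post. It is not from the quoted articles or from Microsoft; it only uses built-in cmdlets (Get-Tpm, Confirm-SecureBootUEFI, the Win32_DeviceGuard WMI class, Get-WindowsOptionalFeature) and the systeminfo output lines that report SLAT and firmware virtualization. The status-code meanings for Win32_DeviceGuard and the -EnableMDAG switch are my additions; run it from an elevated PowerShell on Windows 10/11.

```powershell
# Added example (not from the post or the articles it quotes): report the
# VBS-related prerequisites discussed above and the MDAG feature state.
# Read-only unless -EnableMDAG is passed, which installs the optional feature
# (same thing the Windows Features dialog does) and then needs a reboot.
param([switch]$EnableMDAG)

$report = New-Object System.Collections.Generic.List[object]
function Add-Check($name, $ok, $detail) {
    $report.Add([pscustomobject]@{ Check = $name; OK = [bool]$ok; Detail = $detail })
}

# 1. TPM presence and readiness (TrustedPlatformModule module, built in).
try {
    $tpm = Get-Tpm
    Add-Check 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
} catch { Add-Check 'TPM present and ready' $false $_.Exception.Message }

# 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
#    which is itself a "no" for the Windows 11 requirement.
try   { $sb = Confirm-SecureBootUEFI; Add-Check 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI=$sb" }
catch { Add-Check 'Secure Boot enabled' $false 'Not a UEFI boot (legacy BIOS/CSM)' }

# 3. SLAT and firmware virtualization, as reported by systeminfo. If Hyper-V is
#    already running, systeminfo prints a "hypervisor has been detected" line
#    instead of these, so treat that as "already virtualizing".
$si = systeminfo
$slat = $si | Select-String 'Second Level Address Translation'
$fw   = $si | Select-String 'Virtualization Enabled In Firmware'
$hv   = $si | Select-String 'hypervisor has been detected'
if ($hv) {
    Add-Check 'SLAT / VT-x|AMD-V in firmware' $true 'Hypervisor already running (systeminfo)'
} else {
    Add-Check 'SLAT supported' ($slat -match 'Yes') ("$slat").Trim()
    Add-Check 'Virtualization enabled in firmware' ($fw -match 'Yes') ("$fw").Trim()
}

# 4. VBS and HVCI state from the Device Guard WMI class.
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
#    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$vbsNames = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$vbsState = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
Add-Check 'VBS running' ($dg.VirtualizationBasedSecurityStatus -eq 2) $vbsState
Add-Check 'HVCI (memory integrity) running' ($dg.SecurityServicesRunning -contains 2) "Services running: $($dg.SecurityServicesRunning -join ',')"
Add-Check 'Credential Guard running' ($dg.SecurityServicesRunning -contains 1) "Services running: $($dg.SecurityServicesRunning -join ',')"

# 5. MDAG optional feature (the "Windows Features" checkbox, as the article says).
$mdag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
Add-Check 'MDAG feature enabled' ($mdag.State -eq 'Enabled') "State=$($mdag.State)"

if ($EnableMDAG -and $mdag.State -ne 'Enabled') {
    # Equivalent to ticking "Microsoft Defender Application Guard" in Windows Features.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart | Out-Null
    Add-Check 'MDAG feature install requested' $true 'Reboot required to finish'
}

$report | Format-Table -AutoSize
```

Two notes from running this on my own box: the Win32_DeviceGuard query is what "Core isolation" in Windows Security reads, so if HVCI shows as not running here, flipping "Memory integrity" on in that dialog (and then rebooting) is the fix; and the MDAG line only tells you the feature is installed, not that the Application Guard policies the articles mention are configured, which is still a Group Policy / local GPO job.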