Ever since Windows 11 was released, Microsoft has made it clear that security is a big aspect of the new OS. The company explained why features like TPM 2.0 and Virtualization-based Security (Core Isolation) play a key role on Windows 11 and also demoed hacking attacks on mock systems.
With the launch of Windows 11 version 22H2, Microsoft detailed the security features users can expect in the new feature update. The 2022 update has now received a further security upgrade: Microsoft has announced that Intel's Total Memory Encryption - Multi-Key (TME-MK) is available on Windows 11 22H2 as well.
The company confirmed this development in a new blog post penned by Microsoft's Jin Lin, who is the PM Manager at Azure and Windows OS Platform. In terms of hardware, TME-MK is available on Intel's 3rd Gen Xeon Scalable (Ice Lake) CPUs on the server side, and on Intel 12th Gen Alder Lake processors on the client side.
TME-MK is available in Intel 3rd Generation Xeon server processors and Intel 12th Generation Core client processors. Azure, Azure Stack HCI, and now Windows 11 22H2 operating systems also take advantage of this new generation hardware feature. TME-MK is compatible with Gen 2 VM version 10 and newer. List of Guest OS’s supported in Gen 2
Here are the steps to enable multi-key total memory encryption:
To boot a new VM with TME-MK protection (assigning it a unique encryption key from other partitions), use the following PowerShell cmdlet:
Set-VMMemory -VMName <VMName> -MemoryEncryptionPolicy EnabledIfSupported
To verify a running VM is enabled and using TME-MK for memory encryption, you can use the following PowerShell cmdlet:
Get-VmMemory -VmName <VMName> | fl *
The following return value would describe a TME-MK protected VM:
MemoryEncryptionPolicy : EnabledIfSupported
MemoryEncryptionEnabled : True
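The verification step above, run across every VM on a Hyper-V host, as an added example that is not from Microsoft's blog post. It flags VMs whose policy is set to EnabledIfSupported but whose memory is not reported as encrypted. It assumes the Hyper-V module's Get-VM cmdlet with its Generation, Version and State properties; the status labels are invented for this example.

```powershell
# Added example (not from the original post): audit TME-MK state per VM.
# Assumes a Hyper-V host whose Get-VMMemory output includes the
# MemoryEncryptionPolicy and MemoryEncryptionEnabled properties shown above.
$report = foreach ($vm in Get-VM) {
    $mem = Get-VMMemory -VMName $vm.Name

    # The article states TME-MK requires a Gen 2 VM at version 10 or newer.
    $eligible = ($vm.Generation -eq 2) -and
                ([version]$vm.Version -ge [version]'10.0')

    # Status labels are hypothetical names used only by this script.
    $status = if (-not $eligible) {
        'NotEligible'
    } elseif ($mem.MemoryEncryptionEnabled) {
        'Encrypted'
    } elseif ("$($vm.State)" -ne 'Running') {
        # The check in the article applies to a running VM.
        'NotRunning'
    } elseif ("$($mem.MemoryEncryptionPolicy)" -eq 'EnabledIfSupported') {
        # Policy was requested, but the VM is not reported as encrypted.
        'PolicySetButNotActive'
    } else {
        'PolicyNotSet'
    }

    [pscustomobject]@{
        VM         = $vm.Name
        Generation = $vm.Generation
        Version    = $vm.Version
        State      = $vm.State
        Policy     = $mem.MemoryEncryptionPolicy
        Encrypted  = [bool]$mem.MemoryEncryptionEnabled
        Status     = $status
    }
}

$report | Sort-Object Status, VM | Format-Table -AutoSize

# Running VMs that need attention: policy missing, or set but not in effect.
$gaps = @($report | Where-Object {
    $_.Status -in 'PolicySetButNotActive', 'PolicyNotSet'
})
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) running VM(s) without active memory encryption"
}
```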
You may find more details on the official blog post.