Since the launch of Win11, one of the points that Microsoft has constantly emphasized is that security is the cornerstone of the new operating system. Therefore, Win11 has significantly increased the device threshold, requiring devices to meet conditions such as TPM 2.0 and Virtualization-based Security (Core Isolation).
Microsoft can further enhance the security of Win11 22H2 by deploying Intel’s Total Memory Encryption – Multi-Key (TME-MK) technology, according to a new blog post written by Jin Lin, PM Manager for Azure and Windows OS Platform at Microsoft.
TME-MK technology is only supported on Intel’s third-generation Xeon scalable Ice Lake processors and subsequent models for server CPUs and on Intel’s 12th-generation Alder Lake processors and subsequent models for desktop CPUs.
TME-MK is already available on Intel 3rd generation Xeon server processors and Intel 12th generation Core client processors. Azure, Azure Stack HCI and now the Windows 11 22H2 operating system also take advantage of this next-generation hardware capability. TME-MK is compatible with Generation 2 virtual machines at configuration version 10 and later.
To start a new virtual machine with TME-MK protection (assigning it a unique encryption key different from other partitions), use the following PowerShell cmdlet.
Set-VMMemory -VMName <VMName> -MemoryEncryptionPolicy EnabledIfSupported
To verify that the running virtual machine is enabled and using TME-MK for memory encryption, you can use the following PowerShell cmdlet.
Get-VMMemory -VMName <VMName> | Format-List *
If the virtual machine is protected by TME-MK, the following values are returned.
MemoryEncryptionPolicy  : EnabledIfSupported
MemoryEncryptionEnabled : True
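The two cmdlets above can be wrapped into a single check that also enforces the prerequisites the article states (a Generation 2 VM at configuration version 10 or later). The following is an added example, not code from the Microsoft blog post; the function name, its parameter, and the assumption that the policy is applied to a stopped VM before it is started are this example's own choices.

```powershell
# Added example (not from the Microsoft post): enable the TME-MK memory encryption
# policy on a Generation 2 VM and confirm that a per-VM key is actually in use.
# Function and parameter names are hypothetical, chosen for this example only.
function Enable-VMMemoryEncryption {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VMName
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Prerequisites stated in the article: Generation 2, configuration version >= 10.
    if ($vm.Generation -ne 2) {
        throw "$VMName is Generation $($vm.Generation); TME-MK requires a Generation 2 VM."
    }
    if ([version]$vm.Version -lt [version]'10.0') {
        throw "$VMName is configuration version $($vm.Version); version 10 or later is required (Update-VMVersion can raise it)."
    }

    # Assumption of this example: the policy is set while the VM is off and the VM is
    # then started, so the encryption state can be read from the running partition.
    if ($vm.State -ne 'Off') {
        throw "$VMName is $($vm.State); stop it before changing the memory encryption policy."
    }

    Set-VMMemory -VMName $VMName -MemoryEncryptionPolicy EnabledIfSupported
    Start-VM -Name $VMName

    # 'EnabledIfSupported' only requests encryption. MemoryEncryptionEnabled is the
    # value that tells you whether the host actually assigned the VM its own TME-MK key.
    $mem = Get-VMMemory -VMName $VMName
    [pscustomobject]@{
        VMName                  = $VMName
        MemoryEncryptionPolicy  = $mem.MemoryEncryptionPolicy
        MemoryEncryptionEnabled = $mem.MemoryEncryptionEnabled
    }
}

# Usage (the VM name is a placeholder):
# Enable-VMMemoryEncryption -VMName '<VMName>'
```

If the returned object shows MemoryEncryptionPolicy set to EnabledIfSupported but MemoryEncryptionEnabled equal to False, the policy was accepted but the host did not supply TME-MK, which usually means the CPU or firmware on that host does not meet the requirements listed earlier in the article.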