We can't have it both ways. Either Windows gets serious about security and enforces hardware encryption or forever the industry will say "oh, Windows isn't secure you can't trust it."
Windows has supported hardware encryption for a very long time. I support various machines owned by my family that are hardware encrypted spanning across the last 15 years. All work on Windows 10 and are encrypted with Bitlocker (or that invisible Home edition "device encryption" version). They don't support Windows 11.
… and all those things that Windows 10 “supports“ can be much more easily bypassed without TPM and secure boot. Lots of things not to like about Win11 but force-dragging their manufacturers and customers into 2010s era security is long overdue.
> How does secure boot help against a browser vulnerability exploitation? Especially on Windows?
It will eventually do that by only allowing you to run microsoft-approved signed software. Of course no sane person should want that but it's what all this is building towards.
What? TPM and Secure Boot aren't new at all. Fine let's remove one machine from the set:
I support various machines owned by my family that are hardware encrypted spanning across the last 10 years. All work on Windows 10, use Secure Boot, and are encrypted with TPM and Bitlocker (or that invisible Home edition "device encryption" version). They don't support Windows 11.
Even the extreme outlier machine has TPM. This nonsense is not about security. What threats are actually affecting people's computers these days? What is this going to do against phishing and scammers? What new security features are present in Windows 11 and not 10 that are so critical to justify throwing out hundreds of millions of machines?
Being serious about security means replacing the ecosystem of downloading unsigned .exe installers. Unfortunately code signing and discouraging downloads of unpopular exe files has been very hostile to independent developers. The Windows Store is focused on shovelware and revenue share rather than getting a real package manager out there.
The dichotomy is with their backwards compatibility. They could gut the windows apis and replace them with more secure models, but that might upset legacy corporate customers so instead they let ordinary people get hacked or lose their family photos and spend money on repairs.
Even if we ignore the fact that Windows RT is long cancelled, has anyone ever seen either in the wild on any machine?
Ultimately my point is I don't think the following is true. What you describe basically exists, and no one wanted it. For Windows RT I remember it basically being, "wait a minute, this thing can't run my normal apps".
> but that might upset legacy corporate customers so instead they let ordinary people get hacked or lose their family photos and spend money on repairs
I doubt Microsoft could manage to market an umbrella in a rain storm, so I imagine that's why S mode is basically stillborn. These days people use a lot fewer native apps (and now it is possible to package many of them into the Store), and S mode can be converted to full. I imagine if it started in S mode by default most people would never notice