Microsoft has announced an array of security improvements that are coming to Windows 11 to take the worries out of hybrid work. The features are designed to help businesses and users be more confident in the software they’re running, whether that’s the OS itself or its apps, and that’s especially important at a time when many users are working away from an office. Many of these things aren’t completely new, but they’re either coming soon or recently available.
The Microsoft Pluton Security Processor is a new bit of hardware that’s bundled into new devices, and it integrates directly with the CPU as well as Windows 11. In fact, it’s the only security processor that has updateable firmware directly via Windows Update, making it easier to add new features and capabilities without complicated manual updates in an enterprise environment. Updates can be managed just like any other update for Windows 11. This tight integration also means Microsoft Pluton is designed to work well with features like BitLocker and Windows Hello in Windows 11. The firmware for Pluton is developed by the same people on the Windows team, so everything works in tandem.
The integration with the CPU also protects devices from physical attacks, so this is a wide-ranging security solution for businesses and it simplifies configuration.
Hypervisor-Protected Code Integrity
Starting with the next Windows 11 release, Microsoft is enabling Hypervisor-Protected Code Integrity (HVCI) on more Windows 11 devices. This feature is designed to protect users from driver vulnerabilities, which have been a major source of malware attacks. HVCI prevents malicious code from being loaded through driver packages and verifies that installed drivers are trustworthy. It uses data from the Microsoft Vulnerable and Malicious Driver Reporting Center to automatically block drivers that are known to be vulnerable, and it keeps vulnerable drivers out of the Windows kernel, so they never have the chance to be exploited.
Smart App Control
Smart App Control, first spotted in Windows 11 build 22567, allows Windows to automatically block potentially dangerous apps from running. Of course, to some extent, that already exists, but there’s more to it this time. SAC uses code signing and artificial intelligence to predict potentially malicious behavior from apps before deciding whether those apps can run. It uses a constantly-updated inference model to determine the security of apps using the latest threat intelligence, along with code certificates, to ensure that apps are safe before running them. This way, users don’t have to worry about running potentially dangerous apps without their knowledge.
Smart App Control will be available on new devices that ship with the next version of Windows 11. If you upgrade from the current version, you’ll have to either reset your PC or clean install Windows 11 using an ISO to see it.
Credential and account security
Microsoft is also making some enhancements to overall account security in Windows 11. First off, it’s baking phishing detection directly into Windows 11 with Microsoft Defender’s SmartScreen feature. Microsoft says it’s blocked over 25.6 billion brute force attacks on Azure Active Directory and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365 – and that’s just in the last year – and now that protection will be available at the OS level.
Microsoft is also enabling Credential Guard by default on Windows 11 Enterprise. This feature helps protect devices from credential theft using techniques like pass-the-hash, plus it can also prevent malware from accessing system secrets even if its process is running with administrator privileges.
Finally, Microsoft is making improvements to the Local Security Authority (LSA) in order to combat attacks that leverage this component to steal user credentials. Specifically, the company is making it so that LSA can only load trusted and signed code, so malicious programs can’t sneak their way into the process and steal credentials that pass through LSA. This additional protection will be enabled by default in the future for new enterprise-joined Windows 11 devices.
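For admins who want to confirm that the protections described in this section and the HVCI section above are actually active on a given machine, the following PowerShell snippet is an added example (not code from the article or from Microsoft). It reads the documented Win32_DeviceGuard CIM class for the virtualization-based security state, HVCI and Credential Guard, the RunAsPPL registry value for LSA protection, and the VulnerableDriverBlocklistEnable value for the driver blocklist where that value exists. The value meanings in the comments are Microsoft's documented ones; the function and output field names are this example's own choices.

```powershell
# Added example, not code from the article or from Microsoft: report whether
# HVCI, Credential Guard, LSA protection and the vulnerable driver blocklist are
# configured and running on the local machine.
# Assumes Windows 11 with the root\Microsoft\Windows\DeviceGuard CIM namespace;
# run from an elevated PowerShell prompt.

function Get-Win11ProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Documented VirtualizationBasedSecurityStatus values
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'not enabled' }
        1       { 'enabled, not running' }
        2       { 'enabled and running' }
        default { "unknown ($_)" }
    }

    # Documented SecurityServicesConfigured / SecurityServicesRunning codes:
    # 1 = Credential Guard, 2 = Hypervisor-Protected Code Integrity (HVCI)
    $hvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
    $hvciRunning    = [bool]($dg.SecurityServicesRunning    -contains 2)
    $cgConfigured   = [bool]($dg.SecurityServicesConfigured -contains 1)
    $cgRunning      = [bool]($dg.SecurityServicesRunning    -contains 1)

    # LSA protection: RunAsPPL = 1 (enabled) or 2 (enabled with UEFI lock)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name RunAsPPL -ErrorAction SilentlyContinue
    $lsaProtected = if ($lsa) { [int]$lsa.RunAsPPL -ge 1 } else { $false }

    # Vulnerable driver blocklist switch; only present on builds that expose it,
    # so $null means "not available on this build" rather than "off"
    $bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $blocklistOn = if ($bl) { [int]$bl.VulnerableDriverBlocklistEnable -eq 1 } else { $null }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsState
        HVCIConfigured              = $hvciConfigured
        HVCIRunning                 = $hvciRunning
        CredentialGuardConfigured   = $cgConfigured
        CredentialGuardRunning      = $cgRunning
        LsaProtection               = $lsaProtected
        VulnerableDriverBlocklist   = $blocklistOn
    }
}

Get-Win11ProtectionStatus | Format-List
```

A device on which Microsoft's defaults have taken effect should show HVCI and (on Enterprise) Credential Guard as both configured and running; "configured" without "running" usually points to a hardware or firmware prerequisite, such as virtualization support or Secure Boot, that is not met.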
Personal data encryption
The name of this feature is fairly self-explanatory. Essentially, personal data encryption will ensure that user data is protected by encryption that’s only lifted if the respective user is signed in. This is a platform capability that apps and IT departments can use to ensure that data is protected in case a device is stolen. Encryption is linked to Windows Hello for Business so users have to sign in with passwordless credentials to access the data, making it harder for someone with physical access to the device to steal said data.
Finally, there’s Config Lock, which is a feature more aimed toward IT departments inside an organization, and it’s actually available already. According to Microsoft, a common issue for businesses is that they have limited control over a device once it’s being used by an employee. With Config Lock, IT admins can use MDM policies to monitor the registry keys on each device, and if any changes are made, Config Lock automatically reverts them “in seconds”, constantly ensuring the device is adhering to the desired security policies.
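To make the monitor-and-revert idea concrete, here is an added PowerShell illustration that is not Microsoft's Config Lock code and does not use its MDM policies. It keeps a small constructed baseline of registry values under a demo key in HKCU (so it is safe to run), reports any value that has drifted from the baseline, and writes the expected value back. The key path, value names and function names are all this example's own inventions.

```powershell
# Added example, not Microsoft's Config Lock implementation: a minimal local
# illustration of "compare registry values to a baseline, revert any drift".
# The baseline below is constructed for the demo and lives under HKCU so that
# running it changes nothing security-relevant on the machine.

$Baseline = @(
    @{ Path = 'HKCU:\Software\ConfigLockDemo'; Name = 'EnableSmartScreen';    Value = 1 }
    @{ Path = 'HKCU:\Software\ConfigLockDemo'; Name = 'AllowUnsignedDrivers'; Value = 0 }
)

# Returns one object per baseline entry whose current value is missing or differs
function Get-RegistryDrift {
    param([array]$Baseline)
    foreach ($entry in $Baseline) {
        $item    = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($entry.Name) } else { $null }
        if ($null -eq $current -or [int]$current -ne [int]$entry.Value) {
            [pscustomobject]@{
                Path     = $entry.Path
                Name     = $entry.Name
                Expected = $entry.Value
                Actual   = $current
            }
        }
    }
}

# Writes the baseline value back for every drifted entry and logs what changed
function Restore-RegistryBaseline {
    param([array]$Baseline)
    foreach ($d in (Get-RegistryDrift -Baseline $Baseline)) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Expected -Type DWord
        Write-Host "Reverted $($d.Path)\$($d.Name): '$($d.Actual)' -> $($d.Expected)"
    }
}

# Demo run: seed the baseline, simulate a local change, detect it, revert it
Restore-RegistryBaseline -Baseline $Baseline
Set-ItemProperty -Path 'HKCU:\Software\ConfigLockDemo' -Name 'AllowUnsignedDrivers' -Value 1
Get-RegistryDrift -Baseline $Baseline | Format-Table -AutoSize
Restore-RegistryBaseline -Baseline $Baseline
```

In a real deployment the baseline would come from the MDM server rather than a local array, and the check would run on a schedule or on registry-change notification; the script only shows the local compare and revert step that the article describes Config Lock performing "in seconds".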
Many of these features are geared towards businesses, as you’d expect, but they’re definitely important. With hybrid work becoming the standard for many companies, these steps are essential in keeping users and businesses safe, especially seeing as cyber-attacks have also ramped up in the past couple of years.