Microsoft has announced new security features for Windows 11 that will help protect hybrid work. In a future release of Windows 11, you’re going to see significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software.
Microsoft is continuously investing in improving the default security baseline for Windows. With built-in chip-to-cloud protection and layers of security, Windows 11 helps organizations meet the new security challenges of the hybrid workplace, now and in the future.
David Weston, vice president of enterprise and OS security at Microsoft, said: “In upcoming releases of Windows, we are advancing security even further with built-in protections to help defend from advanced and targeted phishing attacks.” The announcements for new security features in Windows 11 are summarized here:
- Pluton SHIPPING
- HVCI/VBS on default ALL CPUs
- Credguard default ON
- LSASS Protection default ON
- EXE signed or rep REQUIRED
- Script Blocking from Internet ON
- Enhanced Phishing ON
- File Layer Encryption with Hello ON
There are several security features in Windows 11 for the future of hybrid work. In Windows 11, hardware and software work together for protection from the CPU all the way to the cloud.
New Security Features for Windows 11
Here’s a look at what’s coming. The new security features for Windows 11 will help protect hybrid work with the addition of Pluton, default app control, default credential protection, phishing protection and personal data encryption, which address the biggest security challenges of distributed work scenarios and the threat landscape of the future.
Microsoft Pluton Processor
Microsoft Pluton is built on the principles of Zero Trust. The hardware and silicon-assisted security features in Windows 11—including the TPM 2.0, firmware and identity protection, Direct Memory Access protection, and Memory Integrity protection—help protect core parts of the OS as well as the user’s credentials as soon as the device powers on.
Pluton is the only security processor kept regularly up to date with key security and functionality updates coming through Windows Update, just like any other Windows component.
The Pluton security processor complements work Microsoft has done with the community, including Project Cerberus, by providing a secure identity for the CPU that can be attested by Cerberus, thus enhancing the security of the overall platform.
One of the other major security problems solved by Pluton is keeping the system firmware up to date across the entire PC ecosystem. Pluton provides a flexible, updatable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft.
Pluton for Windows computers will be integrated with the Windows Update process in the same way that the Azure Sphere Security Service connects to IoT devices.
Smart App Control
Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices: by default it blocks untrusted or unsigned applications.
When a new application is run on Windows 11, its code signing and core attributes are checked against this model, ensuring only known safe applications are allowed to run.
This means Windows 11 users can be confident they are using only safe and reliable applications on their new Windows devices. Smart App Control will ship on new devices with Windows 11 installed.
Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature.
Another of the new security features for Windows 11 is password protection in Microsoft Defender SmartScreen.
The enhanced phishing detection and protection built into Windows with Microsoft Defender SmartScreen will help protect users from phishing attacks by identifying and alerting users when they enter their Microsoft credentials into a malicious application or hacked website.
These enhancements will make Windows the world’s first operating system with phishing safeguards built directly into the platform and shipped out-of-box to help users stay productive and secure without learning to be their own IT department.
In the future, Credential Guard will be enabled by default for organizations using the Enterprise edition of Windows 11.
Windows 11 uses hardware-backed, virtualization-based security capabilities to help protect systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if it is running with admin privileges.
Additional protection for Local Security Authority (LSA)
Windows has several critical processes to verify a user’s identity. The Local Security Authority (LSA) is one of those processes responsible for authenticating users and verifying Windows logins.
It is responsible for handling user credentials, like passwords and tokens used to provide single sign-on to Microsoft accounts and Azure services.
LSA protection will be enabled by default for new, enterprise-joined Windows 11 devices, making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code.
Secured-Core Configuration Lock (Config Lock)
Secured-Core Configuration Lock (Config Lock) is a new Secured-Core PC (SCPC) feature that prevents configuration drift in Secured-Core PC features caused by unintentional misconfiguration. Config Lock:
- Enables IT to “lock” Secured-Core PC features when managed through MDM
- Detects drift and remediates it within seconds
- DOES NOT prevent malicious attacks
Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and, when it detects a drift, it reverts to the IT-desired state in seconds.
This feature, already in Windows 11, monitors registry keys through mobile device management (MDM) policies to help ensure devices in your ecosystem comply with industry and company security baselines.
If Config Lock detects a change in registry keys, it will automatically revert the impacted system to the IT-desired state in seconds. With Config Lock, IT administrators can be confident that devices in their organization are protected and that users have not changed critical security settings.
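The drift-detection idea behind Config Lock (a desired state for a set of registry values, a check that compares the live value to the desired one, and a revert when they differ) can be illustrated with a small script. The following is an added example written for this post, not Microsoft’s Config Lock implementation; Config Lock works through MDM, and the exact keys it watches are not listed here. The baseline uses the documented registry locations for virtualization-based security, HVCI, Credential Guard and LSA protection, the features discussed above; the script and the function names are assumptions of this example.

```powershell
# Added example (not Microsoft's Config Lock code): a Config Lock-style drift check
# over a registry baseline. Run from an elevated PowerShell session.
# Without -Remediate the script only reports drift; with it, drifted values are
# written back to the baseline (VBS/HVCI/LSA changes take effect after a reboot).
[CmdletBinding()]
param(
    [switch]$Remediate   # revert drifted values to the IT-desired state
)

# Baseline: the IT-desired state for each monitored value (documented locations).
$Baseline = @(
    @{ Name = 'VBS enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
       Value = 'EnableVirtualizationBasedSecurity'; Expected = 1 },
    @{ Name = 'HVCI (Memory Integrity) enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
       Value = 'Enabled'; Expected = 1 },
    @{ Name = 'Credential Guard enabled with UEFI lock (1 = with lock, 2 = without)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LsaCfgFlags'; Expected = 1 },
    @{ Name = 'LSA runs as a protected process (RunAsPPL)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RunAsPPL'; Expected = 1 }
)

function Get-DriftReport {
    # Compare each baseline entry with the live registry value.
    param([array]$Baseline)
    foreach ($item in $Baseline) {
        $actual = $null
        if (Test-Path $item.Path) {
            $props  = Get-ItemProperty -Path $item.Path -Name $item.Value -ErrorAction SilentlyContinue
            if ($props) { $actual = $props.($item.Value) }
        }
        [pscustomobject]@{
            Setting  = $item.Name
            Path     = $item.Path
            Value    = $item.Value
            Expected = $item.Expected
            Actual   = $actual                        # $null = value absent, which also counts as drift
            Drifted  = ($actual -ne $item.Expected)
        }
    }
}

function Repair-Drift {
    # Revert a drifted entry to the baseline value (creates the key if it is missing).
    param([pscustomobject]$Entry)
    if (-not (Test-Path $Entry.Path)) { New-Item -Path $Entry.Path -Force | Out-Null }
    Set-ItemProperty -Path $Entry.Path -Name $Entry.Value -Value $Entry.Expected -Type DWord
    Write-Host ("Reverted {0}\{1} to {2}" -f $Entry.Path, $Entry.Value, $Entry.Expected)
}

$report = Get-DriftReport -Baseline $Baseline
$report | Format-Table Setting, Expected, Actual, Drifted -AutoSize

$drifted = @($report | Where-Object Drifted)
if ($drifted.Count -eq 0) {
    Write-Host 'No drift detected: all monitored values match the baseline.'
} elseif ($Remediate) {
    $drifted | ForEach-Object { Repair-Drift -Entry $_ }
    Write-Host 'Drift remediated; reboot for VBS, HVCI and LSA changes to take effect.'
} else {
    Write-Warning ("{0} value(s) drifted from the baseline; re-run with -Remediate to revert." -f $drifted.Count)
}
```

Two caveats a practitioner should keep in mind: a registry write only changes the configured state, so the runtime state should be verified separately after a reboot, and Credential Guard enabled with the UEFI lock (LsaCfgFlags = 1) is deliberately not undone by a registry change alone, which is exactly the tamper resistance the lock is meant to provide.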
Block Vulnerable Drivers with Hypervisor-Protected Code Integrity (HVCI)
In the next Windows 11 release, Hypervisor-Protected Code Integrity (HVCI) will be enabled by default on a broader set of devices running Windows 11.
This feature prevents attackers from injecting their own malicious code (for example, WannaCry) and helps ensure that all drivers loaded onto the OS are signed and trustworthy.
You can enable the vulnerable driver blocklist, which uses Windows Defender Application Control (WDAC), to automatically block known vulnerable drivers and help prevent advanced persistent threats (APTs) and ransomware attacks that abuse and exploit those drivers.
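Because the protections in this post (Credential Guard, HVCI, LSA protection and the vulnerable driver blocklist) are enabled by policy but enforced at boot, it is worth checking the running state rather than the registry alone. The following is an added example written for this post, not Microsoft’s tooling. It reads the documented Win32_DeviceGuard WMI class for the VBS runtime state, the Wininit System event that records whether LSASS started as a protected process, the documented VulnerableDriverBlocklistEnable value, and recent WDAC block events; the function names are assumptions of this example.

```powershell
# Added example (not Microsoft's code): verify at runtime that the protections
# described in this post are in force. Run from an elevated PowerShell session.

function Get-VbsRuntimeStatus {
    # Win32_DeviceGuard reports configured vs. running services.
    # SecurityServices codes: 1 = Credential Guard, 2 = HVCI (Memory Integrity).
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        HvciConfigured            = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-LsaProtectionStatus {
    # RunAsPPL = 1 configures LSA protection; at boot Wininit logs System event 12
    # ("LSASS.exe was started as a protected process with level: 4") when it is active.
    $lsa      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
    $evt      = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                             -MaxEvents 1 -ErrorAction SilentlyContinue
    $message  = if ($evt) { $evt.Message } else { '(no Wininit event 12 found since last boot)' }
    [pscustomobject]@{
        RunAsPPLConfigured  = ($lsa.RunAsPPL -eq 1)
        ProtectedAtLastBoot = [bool]$evt
        LastBootMessage     = $message
    }
}

function Get-VulnerableDriverBlocklistStatus {
    # VulnerableDriverBlocklistEnable = 1 turns on the Microsoft vulnerable driver blocklist.
    # WDAC logs enforced blocks as event 3077 (3076 in audit mode) in the CodeIntegrity log.
    $ci     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $blocks = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 } `
                             -MaxEvents 20 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        BlocklistEnabled    = ($ci.VulnerableDriverBlocklistEnable -eq 1)
        RecentEnforcedBlocks = $blocks.Count
        LastBlockedAt       = if ($blocks.Count -gt 0) { $blocks[0].TimeCreated } else { $null }
    }
}

# Summarise configured-but-not-running gaps, which is what a registry check alone misses.
$vbs = Get-VbsRuntimeStatus
$lsa = Get-LsaProtectionStatus
$drv = Get-VulnerableDriverBlocklistStatus

$vbs | Format-List
$lsa | Format-List
$drv | Format-List

if ($vbs.CredentialGuardConfigured -and -not $vbs.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running (reboot pending or hardware prerequisite missing).'
}
if ($vbs.HvciConfigured -and -not $vbs.HvciRunning) {
    Write-Warning 'HVCI is configured but not running (reboot pending or an incompatible driver is loaded).'
}
if ($lsa.RunAsPPLConfigured -and -not $lsa.ProtectedAtLastBoot) {
    Write-Warning 'RunAsPPL is set but no protected-process start was logged; reboot and re-check.'
}
```

The “configured but not running” warnings are the useful part: a device can carry the right registry values and still have HVCI fall back to off because a driver failed the compatibility check, so a baseline report should always pair the policy state with the runtime state.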
About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.