Microsoft's latest Windows 11 security features aim to make it 'more secure out of the box'
On Monday, alongside a host of new PCs powered by Copilot, Microsoft revealed new security features for Windows 11. "We've not only built new security features into Windows 11, but we've also doubled down on security features that will be turned on by default," the company explained in a blog.
Also: Every Copilot+ PC Microsoft just announced to take on Apple's M3 MacBooks
It's a critical time for cybersecurity to stay at the cutting edge. According to Microsoft's own research, password attacks have increased 3,378% to more than 4,000 per second since 2015. By upgrading both hardware and software and gearing the features toward developers, the company aims to make Windows safer at the enterprise and individual level.
Hardware improvements
To start, Microsoft is enhancing "out of the box" hardware security by making sure all Copilot+ PCs will be Secured-core devices, according to the release. "Secured-core PCs provide advanced firmware safeguards and dynamic root-of-trust measurement to help protect from chip to cloud," the blog states.
The new PCs will also come with Pluton -- the company's Zero Trust-based security processor -- enabled by default, ensuring more built-in security for users from day one. Pluton protects everything from credentials and personal data to encryption keys, which Microsoft says makes it "significantly harder to remove, even if a cyberattacker installs malware or has physical possession of the PC."
Also: Microsoft's Surface Pro and Laptop are the ultimate 'AI PCs', and I'm worried for Apple
Additionally, the new Copilot+ PCs will arrive with Windows Hello Enhanced Sign-in Security (ESS), which replaces typical passwords with more secure biometric sign-in options. Using specialized hardware and software like virtualization-based security (VBS) -- an isolated virtual environment that protects security solutions from OS vulnerabilities -- and Trusted Platform Module 2.0, ESS better protects biometric data with strengthened communication channels.
If you don't plan on getting a Copilot+ PC, ESS is also available on other devices running Windows 11.
Software updates
Microsoft will enable several new Windows 11 features by default -- instead of relying on individual customers to be responsible for their own security initiatives. These include malware shields, credential safeguards, and application protection, all of which Microsoft says led to a 58% reduction in incidents, according to a 2022 report.
According to the announcement, multifactor authentication is no longer enough to beat cyberattackers, who have adapted around it. Microsoft is targeting this with several updates, including Local Security Authority (LSA) protection. LSA authenticates users and handles credentials for single sign-on (SSO); LSA protection "prevents LSA from loading untrusted code and prevents untrusted processes from accessing LSA memory," the blog also wrote.
Previously on by default only for commercial devices, the company is now turning LSA protection on by default for consumer devices as well.
Also: Microsoft releases upgrades to Azure AI Speech at Build 2024
Microsoft is also deprecating NT LAN Manager (NTLNM), an outdated security suite known for vulnerabilities, later this year to improve user authentication.
Additionally, the company is using VBS to advance key protection and harden Windows Hello. Powered by a device's CPU, the former means better protection than hardware-based security; for the latter, Windows Hello can now protect passkeys and isolate credentials from "admin-level attacks" for devices that lack built-in biometrics, according to the blog. Advanced key protection is now available in public preview for Windows Insiders.
Increased app vetting
Microsoft also announced new capabilities that aim to improve app security for Windows developers, including Smart App Control, which uses an AI model trained on 78 trillion security signals to predict whether an app is safe. The feature, which is available and on by default in select systems, allows known apps to run while blocking malware-connected ones.
Another feature, Trusted Signing, helps an app maintain good standing with Smart App Control through updates "by managing every aspect of the certificate lifecycle," the release explains. Recently moved to public preview, the feature also integrates with Azure DevOps and Github for seamless use.
Also in preview is Win32 app isolation, which makes containing damage and protecting user privacy easier for app developers if a breach occurs. The feature can now be used with Visual Studio integration.
Also: Delete yourself from the internet with the best online data removal services
Additionally, Microsoft is amping up admin security by narrowing the scope of when admin rights are deployed on-device. If an app needs certain permissions, for example, this feature asks the user for specific approval, and Windows Hello makes it easy to approve or deny requests.
"Windows is being updated to require just in time administrative access to the kernel and other critical services as needed, not all the time, and certainly not by default," the company said in the release. The feature is in private preview, but Microsoft says it will expand to public preview soon.
The company also announced that VBS enclaves, which help protect sensitive workloads, are now available to third-party app developers. Users can try out the enclave APIs.
Hardened code
Microsoft also announced it is strengthening Windows code to account for increased attacks. Windows Protected Print Mode (WPP), which prevents third parties from loading drivers, will be the default print mode on devices moving forward.
The company is also making improvements to tool tips to account for better security and less exploitation.
"The responsibility for managing the lifecycle of tool tips has been transferred to the respective application that is being used," the release says. "Now, the kernel monitors cursor activity and initiates countdowns for the display and concealment of tool tip windows. When these countdowns conclude, the kernel notifies the user-level environment to either generate or eliminate a tool tip window."
Also: Microsoft's Build 2024: 10 quick developer focused announcements you need to know about
Microsoft also announced that transport layer security (TLS) server authentication, which confirms server identity to a client, is getting a boost: Windows will now only trust TLS certificates with RSA keys of 2048 bits or more, as opposed to the weaker encryption keys of 1024 bits the software used to support by default.
Commercial customer improvements
The company also made updates specifically for commercial users to help make Windows more secure within their environments, including Config Refresh, Firewall, and Personal Data Encryption (PDE).
Config Refresh lets admins "set a schedule for devices to reapply policy settings without needing to check in to Microsoft Intune or other mobile device management vendors, helping to ensure settings remain as configured by the IT admin," the blog states. Refreshes are set to every 90 minutes by default but can happen as often as 30-minute intervals, and can be paused during maintenance periods or troubleshooting.
Also: Microsoft Azure gets 'Models as a Service,' enhanced RAG offerings for enterprise generative AI
Windows' Firewall Configuration Service Provider (CSP) applies rules with an all-or-nothing approach. "Previously, if the CSP encountered an issue with applying any rule from a block, the CSP would not only stop that rule but also would cease to process subsequent rules, leaving a potential security gap with partially deployed rule blocks," the blog explains. "Now, if any rule in the block cannot be applied successfully to the device, the CSP will stop processing subsequent rule[s] and all rules from that same atomic block will be rolled back, eliminating the ambiguity of partially deployed rule blocks."
PDE only decrypts data when a PC is unlocked with Windows Hello for Business. The feature, now in preview, maintains two tiers of data protection and pairs with BitLocker for added security.
Zero Trust DNS, currently in private preview, ensures Windows devices only connect to approved network destinations and blocks outbound IPv4 and IPv6 traffic.
