Microsoft has unveiled a series of advanced security features for Windows 11, highlighting its ongoing commitment to cybersecurity amidst an increasingly complex threat landscape.
The new security features, near-term plans, and a summary of recently introduced measures were announced by David Weston, Vice President of Enterprise and OS Security, ahead of the Microsoft Build 2024 conference.
Copilot+ PCs and advanced security integrations
One of the key highlights is the introduction of Copilot+ PCs, all of which will be Secured-core PCs. These devices integrate advanced security and AI, providing robust protection for both commercial and consumer users.
A significant addition to these PCs is the Microsoft Pluton security processor, enabled by default. Pluton enhances security by protecting credentials, identities, personal data, and encryption keys, making it significantly harder for attackers to exploit these components, even with physical access or malware.
Enhancements to biometric security
Windows Hello Enhanced Sign-in Security (ESS) is now available on compatible Windows 11 devices. ESS offers more secure biometric sign-ins, reducing the need for traditional passwords. This technology leverages virtualization-based security and Trusted Platform Module 2.0, providing an additional layer of security by isolating and protecting authentication data.
Expanded measures
Microsoft is extending its Secured-core PC initiative, which was initially targeted at users handling sensitive data. Now, a wider range of Windows users can benefit from these advanced security measures, which include firmware safeguards and dynamic root-of-trust measurement to protect from chip to cloud.
Local Security Authority (LSA) protection is now enabled by default on all new consumer devices, enhancing defense against credential theft by preventing untrusted code from accessing critical authentication processes. Additionally, Microsoft plans to deprecate NT LAN Manager (NTLM) in the second half of 2024, a move informed by community feedback and aimed at strengthening user authentication.
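A defender reading the two items above will want to know where a given device actually stands. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the documented LSA and MSV1_0 registry values for LSA protection and NTLM restriction, and it assumes the Wininit events 12/13 (LSASS started protected / unprotected) and the NTLM audit events 8001-8004 are present as documented in Windows.

```powershell
# Added example (not from the article): report LSA protection and NTLM posture.
# Run in an elevated PowerShell session on Windows 11. Registry value names are
# the documented Windows ones; event IDs 12/13 (Wininit) and 8001-8004 (NTLM
# operational log) are assumed to be emitted as documented.

function Get-LsaNtlmPosture {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    $lsaProps = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
    $msvProps = Get-ItemProperty -Path $msv -ErrorAction SilentlyContinue

    # RunAsPPL: 1 = LSA protection with UEFI lock, 2 = without UEFI lock.
    # The registry only records policy; Wininit logs event 12 when LSASS
    # actually started as a protected process and 13 when it did not.
    $startEvt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12, 13
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunAsPPL              = $lsaProps.RunAsPPL
        LsassProtectedAtBoot  = if ($startEvt) { $startEvt.Id -eq 12 } else { $null }
        LmCompatibilityLevel  = $lsaProps.LmCompatibilityLevel   # 5 = NTLMv2 only
        AuditReceivingNTLM    = $msvProps.AuditReceivingNTLMTraffic
        RestrictSendingNTLM   = $msvProps.RestrictSendingNTLMTraffic
        RestrictReceivingNTLM = $msvProps.RestrictReceivingNTLMTraffic
    }
}

# Count NTLM audit events from the last N days: a rough measure of how much the
# device still depends on NTLM ahead of its deprecation. The count is zero when
# NTLM auditing is not enabled, so zero alone does not prove NTLM is unused.
function Get-NtlmAuditCount {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    return ($events | Measure-Object).Count
}

Get-LsaNtlmPosture | Format-List
"NTLM audit events in the last 7 days: $(Get-NtlmAuditCount)"
```

A device where LsassProtectedAtBoot is false while RunAsPPL is set has usually not been rebooted since the policy was applied, or has a driver or plugin that prevents LSASS from loading as a protected process.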
Key protection and VBS enclaves
Microsoft is also advancing key protection in Windows by introducing Virtualization-based Security (VBS) enclaves, now available for third-party developers. These enclaves provide a trusted environment within an application's address space, offering deep operating system protection for sensitive workloads.
App and driver security
To combat malware, Windows 11 now includes Smart App Control, which uses AI models based on extensive security signal collection to block unknown and potentially harmful apps by default. This feature is part of Microsoft's effort to provide effective malware protection out of the box.
Trusted Signing, currently in public preview, simplifies the certificate lifecycle for app developers, integrating seamlessly with Azure DevOps and GitHub. Another new feature, Win32 App Isolation, helps contain damage and safeguard privacy in the event of an application compromise. This feature is built on the foundation of AppContainers and is nearing general availability.
Additional features
Personal Data Encryption (PDE) enhances data security by encrypting data and decrypting it only when the PC is unlocked using Windows Hello for Business. PDE complements BitLocker's volume-level protection, providing dual-layer encryption for personal or app data.
Zero Trust DNS, now in private preview, restricts Windows devices to connecting only to approved network destinations, enhancing security for outbound traffic. Config Refresh allows administrators to schedule policy refreshes on devices, ensuring settings remain as configured without the need for constant check-ins with Intune or other management solutions.