New security features in Windows 11 protect users and empower IT

While attacks are getting more sophisticated, so are our defenses. With recent innovations like secured-core PCs that are 60 percent more resilient to malware than non-secured-core PCs,¹ and the Microsoft Pluton Security Processor that adds more protection by isolating sensitive data like credentials and encryption keys, Windows 11 has elevated the security bar for all. Our goal is to protect organizations by simplifying security, building in stronger protections from the chip to the cloud.

From more secure and easy-to-use authentication with multifactor authentication to adding extra layers of protection for applications and data, we’ve simplified and enabled more security features by default than ever before with Windows 11. These features are designed to help stop attacks we’re seeing now as well the more sophisticated and targeted attacks that we expect to become more mainstream in the future. We have also begun to adopt memory-safe languages like Rust, starting with using Rust code for two traditional attack targets—Font Parsing and Win32k Kernel.

When we launched Windows 11 it came with new hardware and software features like secure boot, virtualization-based security, hypervisor-protected code integrity, and Windows Hello using the Trusted Platform Module (TPM) on by default in many regions. Since turning those features on, organizations have reported a 58 percent reduction in security incidents, and a three times reduction in firmware attacks—a highly attractive and lucrative target for attackers. Our data shows that 83 percent of Windows 11 devices use three or more security features. 

We’re excited to take the next step on this journey with updates for security and IT professionals available today and on by default for new installs of Windows 11.

The next step towards eliminating passwords entirely

Microsoft global threat intelligence processes more than 65 trillion security signals every day. That intel has shown us there are more than 4,000 password attacks every second.² Everyday cybercriminals as well as nation-state attackers like Peach Sandstorm are leveraging password spray attacks to compromise high-value targets in sectors like satellite, defense, and pharmaceuticals. Organizations can reduce their risk of compromise to these kinds of attacks with Windows passwordless authentication and multifactor authentication features that offer more protection than traditional passwords.

Passkeys make passwordless easier and more universal: Windows 11 will make it much harder for hackers who exploit stolen passwords through phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in management. Microsoft and other technology leaders are promoting passkeys as part of the FIDO Alliance. A passkey creates a unique, unguessable cryptographic credential that is securely stored on your device. Instead of using a username and password to access a website or application, Windows 11 users will be able to use and protect passkeys using Windows Hello or Windows Hello for Business, or their phone. This will allow users to access the site or app using their face, fingerprint, or device PIN. Passkeys on Windows 11 will work on multiple browsers including Microsoft Edge, Google Chrome, Firefox, and others. Setting up a passkey in Windows is accomplished by:

• The website or application owner creates a passkey and offers it to you as a sign-in option instead of your password—website and app owners will need to develop their own passkeys infrastructure on their sign-in experience.
• Once you create the passkey on your device, the next time you sign in to that website or app from your device it will recognize that you have its passkey, and you can use it instead of a password. If you are using Windows Hello or Windows Hello for Business, you will be able to use your face, PIN, or fingerprint to sign in more easily. In addition, you can now use a passkey from your phone or tablet to complete the sign-in process.
• Users will have a management dashboard through Settings –> Accounts –> Passkeys to see and manage passkeys on their Windows 11 device.

Simplifying and modernizing security for IT by reducing the attack surface 

The latest Windows 11 will also include powerful new tools that enable IT teams to keep their organizations and employees more secure. We’re improving authentication, making it easier for IT to lock down and maintain policy configurations, adding more controls through Intune.

Phish-resistant credentials with Windows Hello for Business Passwordless: Windows 11 devices with Windows Hello for Business or FIDO2 security keys can protect user identities by removing the need to use passwords from day one. IT can now set a policy for Microsoft Entra ID-joined machines, so users no longer see the option to enter a password when accessing company resources. Once the policy is set, it will remove passwords from the Windows user experience, both for device unlock as well as in-session authentication scenarios. With this change, users can now navigate through their core authentication scenarios using strong, phish-resistant credentials like Windows Hello for Business or FIDO2 security keys. If ever necessary, users can leverage recovery mechanisms such as Windows Hello for Business PIN reset or web sign-in. Web sign-in is now available for all supported Microsoft Entra ID authentication mechanisms in addition to Temporary Access Pass (TAP) and education scenarios.

Maintain IT policy control with Config Refresh: Config Refresh is designed to revert policies to a secured state if they’ve been tampered with by potentially unwanted applications or user tampering with the registry. Config Refresh allows Windows 11 devices to be reset every 90 minutes by default, or every 30 minutes if desired, within the policy configuration service provider (CSP). This capability ensures that your settings are retained in the way IT configured them. The policy CSP covers hundreds of settings that were traditionally set with Group Policy and does so through Mobile Device Management, like Microsoft Intune. To enable help desk technicians to support their teams more efficiently Config Refresh can also be paused by IT administrators for a configurable period of time, after which it will be automatically re-enabled. It can also be turned back on at any time by an IT administrator. Starting today, Config Refresh is available to our Insiders and coming soon to all organizations.

Only allow trusted apps with Custom App Control: Applications are the lifeblood of our digital experiences, but they can also become entry points for attackers. With application control, only approved and trusted apps are allowed onto devices. By controlling unwanted or malicious code from running, application control is a critical part of an overall security strategy. Application control is often cited as one of the most effective means of defending against malware. Organizations using Windows 10 and above use App Control for Business (formerly called Windows Defender Application Control) and its next-generation capabilities to protect their digital estate from malicious code. Organizations using Microsoft Intune to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.

New configurations in Windows Firewall: We are excited to announce some enhanced management and capabilities for the built-in Windows Firewall to help IT provide better overall protection. Windows Firewall now supports:

• Application Control for Business (previously known as Windows Defender Application Control) app ID tagging with Windows Firewall rules though Intune. This enables IT to target Windows Firewall rules to specific applications without an absolute file path. 
• The ability to configure network list manager settings to determine when a Microsoft Entra ID (previously known as Azure Active Directory) device is on your on-premises domain subnets so firewall rules can properly apply. The network list manager settings for Windows Firewall can be used for location awareness. 
• There is now better support in settings to configure more granular Windows Firewall logging for domain, private, and public firewall profiles, as well as the ability to specify Windows Firewall inbound and outbound rules for ICMP types and codes.

Our continued investment in security and innovation

Our MORSE team, Microsoft Offensive Research and Security Engineering, has been working hard to ensure security is a critical piece of the software development lifecycle. In the last year, the team has dedicated 1.9 million virtual machine hours and more than 84,000 Azure CPU cores dedicated to proactively fuzzing code. In addition to that, we’ve made nearly 700 improvements in our code just the last few months by strengthening the software development lifecycle with security checks and balances, including new automation and AI to help developers find bugs on their own. The proactive work of this team to continue to improve the integrity of our code both old and new is part of our commitment to ongoing investment and innovation in security. The team has released learnings and tools to the community as well like our open source fuzzing tool, Microsoft OneFuzz.

We’re looking forward to continuing this journey to make Windows more secure from the chip to the cloud with every update.

Learn more

Learn more about Windows 11 security features.

Download our Windows security book.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.  

---

¹New security features for Windows 11 will help protect hybrid work, David Weston. April 5, 2022.

²DHS CISA Strategy to Fix Vulnerabilities Below the OS Among Worst Offenders, RSA Conference. May 19, 2021.

³Microsoft internal data.

READ MORE HERE