Ahead of the Microsoft Build 2024 conference, Microsoft announced a new class of Windows computers, Copilot+ PC. Alongside this exciting new class of PCs, Microsoft are introducing important security features and updates that make Windows 11 more secure for users and organisations and give developers the tools to prioritise security.
With cyberattackers increasingly exploiting hardware, Microsoft introduced the Secured-core PC to help secure from chip to cloud and that critical layer of computing. Microsoft also announced passkey support for Microsoft consumer accounts and for device-bound passkeys in the Microsoft Authenticator app for iOS and Android users, expanding our support of this industry initiative backed by the FIDO Alliance. Passkeys on Windows are protected by Windows Hello technology that encompasses both Windows Hello and Windows Hello for Business. This latest step builds on nearly a decade of critical work strengthening Windows Hello to give users easier and more secure sign-in options and eliminate points of vulnerability.
Modern, secure hardware
All Copilot+ PCs will be Secured-core PCs, bringing advanced security to both commercial and consumer devices. In addition to the layers of protection in Windows 11, Secured-core PCs provide advanced firmware safeguards and dynamic root-of-trust measurement to help protect from chip to cloud. All Copilot+ PCs will also ship with Windows Hello Enhanced Sign-in Security (ESS). This provides more secure biometric sign-ins and removes the necessity for a password. ESS adds an extra layer of security to biometric data by utilising specialised hardware and software elements, including Virtualization-Based Security (VBS) and Trusted Platform Module 2.0. These components help to isolate and safeguard authentication data and secure the communication channel. ESS is also available on other compatible Windows 11 devices.
Stay ahead of evolving threats with Windows
Windows 11 is designed with multiple layers of security enabled by default, allowing you to concentrate on your work rather than your security settings. Features such as credential safeguards, malware protection, and application defence have resulted in a reported 58% reduction in security incidents, including a 3.1-fold decrease in firmware attacks. In Windows 11, hardware and software collaborate to reduce the attack surface, protect system integrity, and secure valuable data.
Latest Updates:
- Local Security Authority (LSA) protection: LSA, which authenticates users and verifies Windows sign-ins, handling tokens and credentials for single sign-on to Microsoft accounts and Azure services, is now enabled by default on new consumer devices, as it was previously for new commercial devices. For users upgrading where it hasn't been previously enabled, LSA protection will enter a grace period. LSA protection prevents the loading of untrusted code and blocks untrusted processes from accessing LSA memory, significantly enhancing protection against credential theft.
- NT LAN Manager (NTLM) deprecation: Deprecating NTLM, a major request from our security community, is planned for the second half of 2024, to strengthen user authentication.
- Advancing key protection with VBS: Now in public preview for Windows Insiders, this feature uses the device's CPU to offer higher security than software isolation and better performance than hardware-based solutions. While hardware-backed keys provide strong protection, VBS is beneficial for services requiring high security, reliability, and performance.
- Windows Hello hardening: Windows Hello technology has been extended to protect passkeys. For devices without built-in biometrics, Windows Hello has been further secured by using VBS to isolate credentials, protecting against admin-level attacks.
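The three platform controls above (LSA protection, NTLM restrictions and VBS) can each be verified locally. The following audit script is an added example, not Microsoft's code and not part of the announcement; it reads the documented registry values (RunAsPPL under the Lsa key, LmCompatibilityLevel and RestrictSendingNTLMTraffic under Lsa and Lsa\MSV1_0) and the Win32_DeviceGuard CIM class, and reports whether each control is in effect. The function names are the example's own; run it in an elevated PowerShell session on Windows 10/11.

```powershell
# Added audit script (not Microsoft's code): reports whether LSA protection,
# NTLM restrictions and Virtualization-Based Security are in effect on this
# device. Function names are the example's own.

function Get-LsaProtectionState {
    # RunAsPPL under the Lsa key: a nonzero value means LSASS runs as a
    # Protected Process Light, which is how LSA protection is enabled.
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = $lsa.RunAsPPL
    [pscustomobject]@{
        Check   = 'LSA protection (RunAsPPL)'
        Value   = if ($null -eq $value) { '<not set>' } else { $value }
        Enabled = ($null -ne $value -and $value -ne 0)
    }
}

function Get-NtlmPolicyState {
    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLMv1.
    # RestrictSendingNTLMTraffic 2 = deny all outgoing NTLM (1 = audit only).
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $msv  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $lm   = $lsa.LmCompatibilityLevel
    $send = $msv.RestrictSendingNTLMTraffic
    @(
        [pscustomobject]@{
            Check   = 'NTLM: LmCompatibilityLevel'
            Value   = if ($null -eq $lm) { '<not set>' } else { $lm }
            Enabled = ($null -ne $lm -and $lm -ge 5)
        }
        [pscustomobject]@{
            Check   = 'NTLM: RestrictSendingNTLMTraffic'
            Value   = if ($null -eq $send) { '<not set>' } else { $send }
            Enabled = ($send -eq 2)
        }
    )
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning)
    $status  = $dg.VirtualizationBasedSecurityStatus
    @(
        [pscustomobject]@{ Check = 'VBS running';      Value = $status;               Enabled = ($status -eq 2) }
        [pscustomobject]@{ Check = 'Credential Guard'; Value = ($running -join ','); Enabled = ($running -contains 1) }
        [pscustomobject]@{ Check = 'HVCI';             Value = ($running -join ','); Enabled = ($running -contains 2) }
    )
}

# Combine the checks into one table; any row with Enabled = False is a
# hardening gap worth tracking before NTLM deprecation lands.
$report = @(Get-LsaProtectionState) + @(Get-NtlmPolicyState) + @(Get-VbsState)
$report | Format-Table -AutoSize
```

On an upgraded device inside the LSA protection grace period, the RunAsPPL row is the one to watch: the feature only counts as enforced once that value is set, so the script reports it separately from the VBS rows rather than inferring it from Credential Guard.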
Windows is both creating new inbox capabilities as well as providing more features for the Windows app developer community to help strengthen app security.
- Smart App Control: Enabled by default on select new systems, this feature uses AI based on Microsoft's daily 78 trillion security signals to predict app safety. It allows known safe apps to run and blocks potentially harmful ones, providing strong malware protection.
- Trusted Signing: Unsigned apps pose risks, as much malware is unsigned. Signing your app ensures compatibility with Smart App Control and maintains its "good reputation." Trusted Signing, now in public preview, simplifies certificate management and integrates with Azure DevOps and GitHub.
- Win32 App Isolation: In preview, this feature helps contain damage and protect user privacy during app compromises. Built on AppContainers, it virtualises resources and is nearing general availability, with seamless Visual Studio integration.
- Enhanced Admin Security: Windows now requires just-in-time admin access for critical services, reducing the risk of apps misusing admin privileges. Users will be prompted for approval when special permissions are needed, managed securely via Windows Hello. This feature is in private preview, with public preview coming soon.
- VBS Enclaves: Now available to third-party application developers, VBS enclaves offer deep protection for sensitive workloads within a host application's address space. This enhances security by shielding the enclave from other system processes and the host application.
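Smart App Control and Trusted Signing both come down to one question for an application owner: is the binary signed, and is the device enforcing the policy? The script below is an added example, not Microsoft's or the Trusted Signing service's code; it reads the Smart App Control state from the VerifiedAndReputablePolicyState value under the CI\Policy key and inventories Authenticode signatures across a folder with the built-in Get-AuthenticodeSignature cmdlet. The function names and the sample path are the example's own.

```powershell
# Added example (not Microsoft's code): report the local Smart App Control
# state and inventory which executables in a folder are signed, so unsigned
# binaries can be fixed before Smart App Control blocks them.

function Get-SmartAppControlState {
    # VerifiedAndReputablePolicyState: 0 = off, 1 = on (enforcement),
    # 2 = evaluation mode. Missing value means the policy is not present.
    $ci    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' -ErrorAction SilentlyContinue
    $state = $ci.VerifiedAndReputablePolicyState
    switch ($state) {
        0       { 'Off' }
        1       { 'On (enforcement)' }
        2       { 'Evaluation' }
        default { 'Not present' }
    }
}

function Get-SignatureInventory {
    param([Parameter(Mandatory)][string]$Path)
    # Walk executables, libraries and installers and record their
    # Authenticode status. Status values come from the cmdlet itself:
    # Valid, NotSigned, HashMismatch, UnknownError, ...
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Timestamped = [bool]$sig.TimeStamperCertificate
            }
        }
}

function Get-SignatureSummary {
    param([Parameter(Mandatory)][string]$Path)
    # Group the inventory by status so the unsigned count stands out.
    $inventory = @(Get-SignatureInventory -Path $Path)
    $inventory | Group-Object -Property Status | ForEach-Object {
        [pscustomobject]@{ Status = $_.Name; Count = $_.Count }
    }
}

# Constructed sample path: replace with the install folder of your own app.
$appFolder = 'C:\Program Files\ExampleVendor\ExampleApp'

"Smart App Control: $(Get-SmartAppControlState)"
Get-SignatureSummary -Path $appFolder | Format-Table -AutoSize
Get-SignatureInventory -Path $appFolder | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

A HashMismatch row is worth more attention than a NotSigned one: the file carries a signature that no longer matches its contents, which is either a build-pipeline mistake or tampering after signing, and Smart App Control will treat it as untrusted either way.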
Microsoft continues to harden Windows code to address where bad actors are spending their time and energy with these tools:
- Windows Protected Print
- Tool Tips
- TLS Server Authentication
Lastly, with each Windows release Microsoft add more levers for commercial customers to lock down Windows within their environment.
- Config Refresh: Allows administrators to schedule reapplication of policy settings on devices without checking in with management systems. Default refresh is every 90 minutes, with options for every 30 minutes or pausing for maintenance.
- Firewall: The Firewall CSP now enforces all-or-nothing application of rule blocks. If any rule in a block fails, the entire block is rolled back, preventing partial rule deployment.
- Personal Data Encryption (PDE): PDE encrypts data and only decrypts it when the user unlocks their PC with Windows Hello for Business. It offers two protection levels and complements BitLocker for dual-layer encryption. Currently in preview, PDE can be managed via mobile device management solutions.
- Zero Trust DNS: In private preview, this feature restricts Windows devices to connect only to approved domains. Outbound traffic is blocked unless resolved by a trusted DNS server or configured as an exception by an IT admin.
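The all-or-nothing behaviour described for the Firewall CSP matters because a half-applied rule block can leave a device either more exposed (the block rule landed but its allow exceptions did not) or cut off from a service it needs. The script below is an added example, not the Firewall CSP or any Microsoft code; it reproduces that transactional semantics for locally scripted deployments using the built-in NetSecurity cmdlets: every rule in a block is tagged with one Group name, and if any New-NetFirewallRule call fails, every rule already created for that block is removed. The function name, block name and sample rules are the example's own, and the program path is a constructed placeholder.

```powershell
# Added example (not Microsoft's code): apply a block of firewall rules
# atomically. Either every rule in the block exists afterwards, or none does.
# Requires an elevated session because it creates and removes firewall rules.

function Set-FirewallRuleBlock {
    param(
        [Parameter(Mandatory)][string]$BlockName,
        [Parameter(Mandatory)][hashtable[]]$Rules
    )
    # The block is identified by its Group tag; refuse to mix two deployments
    # under the same name, since rollback removes by rule object, not by group.
    if (Get-NetFirewallRule -Group $BlockName -ErrorAction SilentlyContinue) {
        throw "Rule block '$BlockName' already exists; remove it before redeploying."
    }

    $created = @()
    try {
        foreach ($rule in $Rules) {
            # Splat the hashtable; -ErrorAction Stop turns any failure into a
            # terminating error so the catch block runs.
            $created += New-NetFirewallRule @rule -Group $BlockName -ErrorAction Stop
        }
        return $created
    }
    catch {
        # Undo every rule created so far, then surface the original error.
        foreach ($r in $created) {
            Remove-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue
        }
        throw "Rule block '$BlockName' rolled back: $($_.Exception.Message)"
    }
}

function Remove-FirewallRuleBlock {
    param([Parameter(Mandatory)][string]$BlockName)
    # Removal by group is safe here because the block was created as one unit.
    Remove-NetFirewallRule -Group $BlockName -ErrorAction SilentlyContinue
}

# Constructed sample block: an agent that may talk outbound on 443 and
# accept inbound 8443, nothing else. The program path is a placeholder.
$agent = 'C:\Program Files\ExampleVendor\agent.exe'
$block = @(
    @{ DisplayName = 'Example agent outbound 443'; Direction = 'Outbound'; Action = 'Allow'
       Protocol = 'TCP'; RemotePort = 443; Program = $agent }
    @{ DisplayName = 'Example agent inbound 8443'; Direction = 'Inbound'; Action = 'Allow'
       Protocol = 'TCP'; LocalPort = 8443; Program = $agent }
)

try {
    $rules = Set-FirewallRuleBlock -BlockName 'ExampleAgentBlock' -Rules $block
    "Applied $($rules.Count) rule(s) in block 'ExampleAgentBlock'."
}
catch {
    # On failure nothing from the block remains, which is the property the
    # Firewall CSP change guarantees for MDM-delivered rule blocks.
    Write-Warning $_
}
```

To see the rollback path, add a third hashtable with an invalid value (for instance a Protocol that does not exist) and confirm that Get-NetFirewallRule -Group 'ExampleAgentBlock' returns nothing afterwards. Clean up a successful run with Remove-FirewallRuleBlock -BlockName 'ExampleAgentBlock'.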
Learn more about Windows 11.