Windows 11: New security improvements for the hybrid work era

Microsoft has announced a series of security improvements for Windows 11 to address hybrid working concerns. These features are designed to help businesses and users have more confidence in the software they are running, whether it's the operating system itself or its applications, which is especially important at a time when many users are working away from the office. Many of these things aren't entirely new, but they're either coming soon or have recently become available.

Microsoft Pluton

Microsoft Pluton Security Processor is new hardware bundled into new devices that integrates directly with the CPU as well as Windows 11. In fact, it is the only secure processor whose firmware can be updated directly through Windows Update, making it easier to add new features and functionality without the need for complex manual updates in enterprise environments. Updates can be managed like any other update for Windows 11. This tight integration also means that Microsoft Pluton is designed to work well with features like BitLocker and Windows Hello in Windows 11. Pluton's firmware is developed by the same people on the Windows team, so everything works together.

Integration with the CPU also protects the device from physical attacks, so this is a broad security solution for enterprises that simplifies configuration.

Hypervisor-Protected Code Integrity

Starting with the next Windows 11 version, Microsoft will enable Hypervisor-Protected Code Integrity (HVCI) on more Windows 11 devices. This feature is designed to protect users from driver vulnerabilities, which are a major source of malware attacks. HVCI prevents malware from being loaded into driver packages and verifies that installed drivers are trustworthy. It uses data from the Microsoft Vulnerable and Malicious Driver Reporting Center to automatically block known vulnerable drivers and blocks vulnerable drivers in the Windows kernel so they never have a chance to be exploited.

Smart App Control

Smart App Control, which first appeared in Windows 11 build 22567, allows Windows to automatically block potentially dangerous applications from running. Of course, that's already there to some extent, but there's more to it this time. SAC uses code signing and artificial intelligence to predict potentially malicious behavior of applications before deciding whether those applications can run. It uses continuously updated inference models to determine an application's security, using the latest threat intelligence as well as code certificates to ensure the application is secure before running. This way, users don't have to worry about unknowingly running potentially dangerous applications.

Smart app controls will be available on new devices shipped with the next version of Windows 11. If you upgraded from the current version, you will have to reset your PC or do a clean install of Windows 11 using an ISO to see it.

Credentials and Account Security

Microsoft has also made some enhancements to overall account security in Windows 11. First, it uses Microsoft Defender's SmartScreen feature to bake phishing detections directly into Windows 11. Microsoft says it has blocked more than 25.6 billion brute force attacks against Aure Active Directory and blocked 35.7 billion phishing emails using Microsoft Defender for Office 365 - just last year - and now this protection will be operational Provided at system level.

#Microsoft also enables Credential Guard by default on Windows 11 Enterprise. This feature helps protect devices from credential theft using techniques like pass-the-hash, and it also prevents malware from accessing system secrets even if its process runs with administrator privileges.

Finally, Microsoft is making improvements to Local Security Authority (LSA) to combat attacks that exploit this feature to steal user credentials. Specifically, the company is enabling LSA to load only trusted and signed code, so malicious programs cannot sneak into the process and steal credentials passed through LSA. This additional protection will be enabled by default for new Windows 11 devices joining the enterprise in the future.

Personal Data Encryption

The name of this feature is self-explanatory. Essentially, personal data encryption will ensure that user data is protected by encryption and will only be decrypted when the corresponding user logs in. This is a platform feature that applications and IT departments can use to ensure data is protected in case devices are stolen. Encryption is tied to Windows Hello for Business so users must log in with passwordless credentials to access data, making it harder for someone with physical access to the device to steal said data.

Configuration Lock

Finally, there’s Config Lock, a feature more targeted at organizations’ internal IT departments that’s actually already available. According to Microsoft, a common problem for enterprises is that employees have limited control over the device once it is used. With Config Lock, IT admins can use MDM policies to monitor registry keys on each device and if any changes are made, Config Lock automatically restores them "within seconds", constantly ensuring devices adhere to required security Strategy.

---

As you'd expect, many of these features are enterprise-focused, but they're definitely important. As hybrid working becomes the standard for many companies, these steps are critical to keeping users and businesses safe, especially as cyberattacks have also increased over the past few years.

The above is the detailed content of Windows 11: New security improvements for the hybrid work era. For more information, please follow other related articles on the PHP Chinese website!