New Windows 11 security features are designed for hybrid work

Attackers are constantly evolving, becoming increasingly sophisticated and destructive—the median time for an attacker to access your private data if you fall victim to a phishing email is 1 hour, 12 minutes.¹ Microsoft tracks more than 35 ransomware families and more than 250 unique nation-state attackers, cybercriminals, and other actors. We have unparalleled threat intelligence—processing more than 43 trillion signals per day, including 2.5 billion daily endpoint queries and 921 password attacks blocked every second. We work alongside more than 15,000 partners in our security ecosystem and we have more than 8,500 engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators, and frontline responders across 77 countries. We combine human and machine intelligence with built-in AI to continuously learn from the attack landscape, and we have a dedicated team, the Microsoft Offensive Research and Security Engineering (MORSE), that works to stop threats before they reach your device.² All of this goes into the design process to deliver a more secure Windows with every release.

“Because Microsoft designed the security model of Windows 11 from the ground up to assume that some component has already been compromised, threat actors will find it orders of magnitude more difficult to remain undetected [and persist] in the environment than in traditional architectures.”

–SANS Institute

Protection that evolves with the threat landscape

Today, we’re proud to announce that the security features you heard about in April 2022 are now available on Windows 11.

Application Control

We’ve added features that give people the flexibility to choose their own applications, while still maintaining tight security. Smart App Control is a new feature for individuals or small businesses designed to help prevent scripting attacks and protect users from running untrusted or unsigned applications often associated with malware or attack tools.³ This feature creates an AI model using intelligence, based on the 43 trillion security signals gathered daily, to predict if an app is safe. App control is known to be one of the most effective approaches to protecting against malware but can be complex to deploy. Windows 11 uses the power of AI to generate a continually updated app control policy that allows common and known safe apps to run while blocking unknown apps often associated with new malware. Our customers have asked us to make this simpler and we have responded.

The Smart App Control approach achieves the goal of making advanced app control protection widely available. Smart App Control is built on the same same OS core capabilities used in Windows Defender Application Control. Smart App Control is provided on all Windows client editions with clean installations of Windows 11 2022 Update. Alternatively, for enterprises, your IT team can use Microsoft Intune with Windows Defender Application Control to remotely apply policies to control what apps run on workplace devices.

Vulnerable driver protection

Malware increasingly targets drivers to exploit vulnerabilities, disable security agents, and compromise systems. Window 11 uses virtualization-based security (VBS) for enhanced kernel protection against potential threats.

• Hypervisor-protected code integrity (HVCI), also called memory integrity, will be enabled by default on all new Windows 11 devices. HVCI uses VBS to run kernel mode code integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel mode code such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn’t been tampered with before it is allowed to run.

HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can help prevent the injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.

• The Microsoft vulnerable driver block list is another important safeguard against advanced persistent threats and ransomware attacks that exploit known vulnerable drivers. Beginning with the 2022 Update, the block policy is now on by default for all new Windows computers, and users can opt in to enforce the policy from the Windows Security app.

The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Taking advantage of Windows Defender Application Control, the kernel blocklisting feature prevents vulnerable versions of drivers from running. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Users who want the highest level of protection can still specify an allow list to implement driver control.

Enhanced identity protection and simplified password management

With Windows 11, you can protect your valuable data and enable secure hybrid work with the latest advanced security that small or medium-sized businesses say results in 2.8 times fewer instances of identity theft.⁵ Here are a few enhancements that can help you stay secure now and in the future:

• Windows Defender Credential Guard is enabled by default with Windows 11 Enterprise. Credential Guard uses hardware-backed, virtualization security to help protect against credential theft techniques such as pass-the-hash or pass-the-ticket. In addition, this feature helps prevent malware from accessing system secrets even if the process is running with admin privileges.
• Credential isolation with Local Security Authority (LSA) protection enabled by default provides extra protection to new, enterprise-joined Windows 11 devices. LSA is one of the critical processes that verify a user’s identity. With LSA protection, Windows will load only trusted, signed code, making it significantly more difficult for attackers to steal credentials.
• Enhanced phishing protection in Microsoft Defender Smartscreen can detect and warn you when you’re entering your password into a known compromised app or website. It also promotes good credential hygiene by warning users when they try to re-use passwords or store them in an unsafe location such as a text file. This goes beyond browser-based protection to build advanced phishing protection into the operating system itself, empowering users to take proactive action before passwords can be used against them or their organization. IT admins can customize alerts using a mobile device management (MDM) solution like Microsoft Intune.⁴
• Go Passwordless with Windows Hello for Business. With built-in protection already enabled, Windows 11 helps block software and firmware attack from the moment you turn on your device. And for secure, convenient single sign-on (SSO), you can take advantage of the protection and convenience of passwordless authentication using Windows Hello for Business and a unique identifier such as your face, fingerprint, or PIN. These unique identifiers are bound to your device and can only be used by you from that device for secure, convenient SSO across your computer and cloud services.
• We’ve also made Windows Hello for Business much easier to deploy. For example, we’ve removed requirements for public key infrastructure (PKI). Look into this deployment model for an easy, secure way to set up a modern, passwordless sign-in experience.
• And if you’re going passwordless, you’ll be able to take advantage of presence sensing for hands-free secure sign-in. Presence detection sensors work with Windows Hello to sign you in when you approach, and lock when you leave.⁵ The feature is optional and can be easily enabled on devices equipped with presence sensors.

Locking down IT policy and compliance

• Config lock, available only on Secured-core PCs that are designed for added security, helps prevent the configuration drift that occurs when users with local admin rights change settings and put devices out-of-sync with IT security policies. With config lock, Windows 11 monitors the registry keys that configure each feature even when the device isn’t connected to the internet. When a drift is detected, the device immediately reverts to the IT-desired Secured-core computer state.

Config lock builds on the security fundamentals of Windows 11 and is, in part, secured by specific hardware features. The feature monitors a pre-configured set of configuration service providers (CSPs) and policies. If you assign any of these policies to devices in your tenant, enabling config lock will maintain your defined settings.

Ongoing innovation to improve security for all

We’re continuing to add protection from chip to cloud, with an emphasis on the benefits of using new, modern devices with hardware features optimized for security and hybrid work.

For example, if you work in data-sensitive scenarios, Secured-core PCs with Windows 11 can be a great choice. These devices come with additional safeguards enabled, including advanced firmware protection, for the highest level of Windows security. We also will now detect if a device is capable of Windows Defender System Guard and alert users in the Windows Security app that the feature can be enabled. This update to the Windows Security app is currently available to the Windows Insider population and will be broadly available soon.

The Microsoft Pluton security processor, designed by Microsoft and our silicon partners, directly integrates into the silicon of the CPU, providing protection for sensitive assets like credentials and encryption keys by isolating them from the rest of the system. The Pluton firmware also gets security updates straight from the cloud through the Windows updates process which helps security and IT teams simplify management and ensure they have the latest, ongoing protection against threats. 

We’re all working together toward a more secure future, and we look forward to delivering more innovation that will not only detect threats but help prevent them. Microsoft has committed a USD20 billion investment in security research and development over five years.⁴ We’re committed to your security and to continuously improving the foundational security provided by Windows with default security baselines to help you thrive now and in the future.

To get more information on Windows 11 chip-to-cloud security, visit our website and check out the Windows 11 Security Book details on how Microsoft optimizes Windows 11 for Zero Trust.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Cyber Signals: 3 strategies for protection against ransomware, Vasu Jakkal. August 30, 2022.

²MORSE security team takes proactive approach to finding bugs, Elliott Smith. August 3, 2022.

³Availability may vary by region.

⁴Microsoft has a $20 billion hacking plan, but cybersecurity has a big spending problem, Eric Rosenbaum. September 8, 2021.

⁵Hardware dependent.