As attacks become more sophisticated, so are our defenses. With recent inventions like secure core PCs that are 60% more resistant to malware than non-secure core PCs1, and the Microsoft Pluto security processor that adds more protection by isolating sensitive information like credentials and encryption keys, Windows 11 has raised the security bar. Security bar for everyone. Our goal is to protect organizations by simplifying security and building stronger protections from chip to cloud.
From stronger, easier-to-use authentication with multi-factor authentication to adding more layers of coverage for apps and data, we’ve simplified and enabled more default security features than ever before with Windows 11. These features are designed to help prevent attacks. We are also seeing more complicated and targeted attacks today that will become more widespread in the future. We also began adopting memory-safe languages like Rust, starting with the use of Rust code for two classic attack targets: Font Parsing and Win32k Kernel.
When we introduced Windows 11, it came with new hardware and software features like Secure Boot, virtualization-based security, hypervisor-protected code integrity, and Windows Hello, the Trusted Platform Module (TPM) enabled by default in many regions. With those features, organizations have reported a 58% reduction in security incidents and a threefold relief in firmware attacks, a very attractive and lucrative target for attackers. Our data shows that 83% of Windows 11 devices use at least three security features.
We’re excited to take the next step in this adventure with updates for IT and security pros available today and by default for new installations of Windows 11.
Windows 11 features give you the power to create, collaborate, and preserve your data.
Microsoft’s global threat intelligence processes more than 65 trillion security signals every day. This data showed us that there were more than 4,000 password attacks every second. 2 Daily cybercriminals, as well as attackers in geographic regions like Peach Sandstorm, leverage password-spraying attacks to compromise high-value targets in industries such as satellites, defense, and pharmaceuticals. Organizations can reduce their threat of compromise against such attacks with Windows passwordless authentication and multi-factor authentication features that offer more coverage than classic passwords.
Access keys make not having passwords less difficult and more universal: Windows 11 will make it much harder for hackers to exploit passwords stolen through phishing attacks by allowing users to update passwords. passes through access codes. Access keys constitute the long-term cross-platform secure login management. Microsoft and other generation leaders are selling access keys as a component of the FIDO alliance. A password creates a unique, uncrackable cryptographic identifier that is securely stored on your device. Instead of using a username and password to access an online page or app, Windows 11 users will be able to use and protect passwords using Windows Hello or Windows Hello for Business, or their phone. This will allow users to access the site or app using their face, fingerprint, or device PIN. Passkeys in Windows 11 will work in various browsers, including Microsoft Edge, Google Chrome, Firefox, and others. Setting a password in Windows is done by:
The new Windows 11 will also come with new, rugged PCs that will enable IT teams to ensure greater security for their organization and employees. We’re getting better authentication, which will make it easier for IT to lock down and configure policies by adding more controls. via Intune.
Phishing-resistant credentials with passwordless Windows Hello for Business: Windows 11 devices with Windows Hello for Business or FIDO2 security keys can protect user identities by eliminating the need for passwords in the first place. first day. IT can now set policies for machines related to Microsoft Login ID, so that users no longer see the option to enter a password when accessing corporate resources. Once the policy is set, passwords will be removed from the Windows user experience for both device unlocking and in-session authentication scenarios. With this change, users can now navigate their number one authentication scenarios with strong, phishing-resistant credentials, such as Windows Hello for Business or FIDO2 security keys. If necessary, users can take advantage of recovery mechanisms, such as resetting Windows Hello for Business PIN or Internet sign-in. Web sign-in is now available for all supported Microsoft Entra ID authentication mechanisms, as well as Temporary Access Pass (TAP) and educational scenarios.
Maintain control of IT policies with Config Refresh: Config Refresh is designed to repair policies to a safe state if they have been tampered with by potentially unwanted programs or by user manipulation of the registry. Config Refresh allows Windows 11 devices to reset each and every one of them. every 90 minutes by default, or every 30 minutes if desired, within the Policy Configuration Service Provider (CSP). This feature ensures that your settings are preserved as configured through IT. CSP covers a lot of settings historically established with the Policy Group and does so through mobile device management, such as Microsoft Intune. To enable help desk technicians in their groups more effectively, configuration updating can also be paused through IT Managers for a configurable period of time, after which it will be automatically re-allowed. It can also be reactivated at any time through an IT administrator. Starting today, Config Refresh is available to our Insiders and will soon be available to all organizations.
Enable only trusted apps with custom app control: Apps are the lifeblood of our virtual experiences, but they can also become access issues for attackers. With app control, only trusted apps are allowed on gadgets. By controlling the execution of unwanted applications or malicious code, application control is an essential component of an overall security strategy. Application control is cited as one of the most effective tactics to protect against malware. Organizations running Windows 10 and later use App Control for Business (formerly known as Windows Defender Application Control) and its next-generation features to protect their virtual wealth from malicious code. Organizations that use Microsoft Intune to manage their devices can now configure App Control for Business in the Admin console, adding Intune settings as a controlled installer.
New settings in Windows Firewall: We’re excited to announce enhanced features and control for Windows Firewall built in for IT to provide greater overall protection. Windows Firewall now supports:
Our MORSE team, Microsoft Offensive Research and Security Engineering, has worked hard to ensure that security is an essential component of the software development lifecycle. Over the past year, the team has invested 1. 9 million VM hours and more than 84,000 Azure CPU Cores committed to proactive code removal. Best of all, we’ve made around 700 modifications to our code in recent months strengthening the software development lifecycle with security checks and balances, adding new automation and artificial intelligence to help developers. locate insects themselves. This team’s proactive work to preserve the integrity of our code, old and new, is part of our commitment to continued investment and innovation in security. The team has also published teachings and gears for the community, such as our open source fuzzing tool, Microsoft OneFuzz.
We look forward to continuing this adventure to make Windows more secure, from chip to cloud, with every update.
Learn more about Windows security features.
Download our Windows Security Book.
To learn more about Microsoft security solutions, visit our website. Bookmark the Security Blog to comply with our dedicated security policy. Also follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest cybersecurity news and updates.
1New security features for Windows 11 will help hybrid work, David Weston, April 5, 2022.
2DHS CISA Strategy for Fixing Operating System Vulnerabilities with Worst Offenders, RSA Conference, May 19, 2021.
3Microsoft data.
Microsoft is a leader in cybersecurity and we take on our duty to make the world a safer place.