Microsoft’s focus on enhancing security features in Windows has led to the introduction of Secured-Core PCs and the expansion of passwordless offerings through passkeys, all aimed at protecting users from hardware to cloud attacks. Passkeys, protected by Windows Hello technology, offer better identity protection, while the Secure Future Initiative (SFI) aims to ensure secure product and service delivery by implementing new security features in Windows 11 and enabling more security features by default.
By partnering with OEMs, Microsoft is able to offer secured-core PCs that come with enhanced security features by default. These PCs leverage hardware security features like Pluton security processors and firmware safeguards to protect user credentials, identities, and data from cyberattacks, even with physical access to the device. Windows Hello ESS is another security measure that utilizes both hardware and software components to secure biometric sign-ins, eliminating the need for passwords on these secure-core PCs.
Windows 11 puts security at the forefront by enabling default features like credential safeguards and application protection, which help reduce security incidents and firmware attacks. Multi-factor authentication with Windows Hello and passkeys protects against credential theft, while the deprecation of NTLM and Virtualization Security (VBS) is aimed at improving user authentication and key security to protect against advanced attacks.
Microsoft is also improving Windows security by focusing on application trust and user control. Smart App Control uses AI to block unknown or malicious apps, while Trusted Signing simplifies the process for developers to sign their apps for better reputation and compatibility with Smart App Control. Win32 app isolation helps contain damage from compromised apps, while just-in-time administrative access requires user approval for actions needing admin privileges, reducing the attack surface.
Furthermore, VBS enclaves, previously exclusive to Windows security features, are now available for developers to use within their applications to enhance protection of sensitive tasks. Windows Protected Print Mode, a new secure printing system that will be the default in the future, aims to improve overall system security. Additionally, TLS server authentication is being strengthened by no longer trusting weak 1024-bit RSA encryption keys to address common attacker strategies.
Windows 11 offers improved management features for commercial customers, such as Config Refresh, which allows administrators to set a schedule for devices to reapply security policies automatically. Firewall enforcement ensures all rules within a block are applied successfully or rolled back entirely to avoid partial deployment. Personal Data Encryption provides two levels of data protection based on user lock status and complements BitLocker for enhanced security. Zero Trust DNS, in preview, restricts outgoing traffic to approved network destinations resolved by trusted DNS servers, empowering IT administrators to manage and enforce security configurations on devices centrally.
In conclusion, Microsoft’s focus on enhancing security features in Windows 11 is a significant step towards protecting users from cyber threats. By implementing new security features, enabling more security features by default, and partnering with OEMs to offer secured-core PCs, Microsoft is taking proactive measures to ensure the security of its users and their data. These initiatives not only protect against current cyber threats but also aim to address evolving threats in the future, making Windows 11 a more secure operating system overall.