Microsoft announces major new Windows 11 security features for 2022

Microsoft on Tuesday unveiled new and up to date Home windows 11 security measures which can be set to reach later in 2022, together with improved protections in opposition to phishing and malware that purpose to dramatically cut back work for safety groups, a Microsoft safety government informed VentureBeat.

Cybersecurity groups constantly face a “big funnel” of points that have to be fastened — however with the forthcoming safety capabilities coming to Home windows 11, “that funnel goes to be a lot, a lot smaller,” mentioned David Weston, vice chairman of OS and enterprise safety at Microsoft, in an interview. “That’s our aim. We need to cut back the variety of issues that safety groups have to take a look at and make their lives simpler. And that enables them to go deeper on the issues that matter.”

When Microsoft rolled out Home windows 11 beginning final October, the corporate mentioned a key driver for the brand new working system was to allow extra security measures to be turned on by default than had been in Home windows 10.

For the annual function replace arriving within the second half of 2022, Microsoft goals to go a lot additional with an array of latest Home windows 11 safety capabilities — together with many who will probably be on by default — that search to cut back the funnel of points for safety groups “to a trickle,” Weston mentioned.

Home windows 11 transition

Whereas the brand new options is not going to be arriving for months, Microsoft is disclosing particulars now partly to assist generate extra curiosity amongst companies in transferring to Home windows 11. Figures from AdDuplex show that Home windows 10 PCs nonetheless outnumber gadgets operating Home windows 11 by a four-to-one margin and the margin is probably going even greater amongst companies — which regularly take longer than customers to maneuver to new working system variations.

Among the many new options that Microsoft has introduced are capabilities which have the potential to make a “enormous dent” in phishing and focused malware assaults, in the end decreasing the proliferation of ransomware, Weston mentioned.

The Microsoft Defender SmartScreen resolution will supply improved phishing detection beginning with the following annual launch of Home windows 11, by alerting customers after they enter Microsoft credentials right into a malicious utility or web site.

Weston mentioned that whereas phishing prevention has been provided for browsers up to now, Microsoft is now transferring it into the working system layer for the primary time ever. “Which means each single utility now will get the power to have phishing prevention accessible,” he mentioned.

The function will even allow Microsoft to alert a consumer’s safety operations workforce when that consumer has fallen prey to a profitable phishing assault, in accordance with Weston.

Malware prevention

By way of stopping malware, Microsoft plans to introduce Sensible App Management — a brand new Home windows 11 function that may thwart malicious purposes by solely operating apps which can be cryptographically signed.

This leverages an idea that Microsoft had deployed in its Home windows 10S version, which locked down gadgets to solely be capable to run apps from the Microsoft Retailer. “It was nice for safety. We had no malware,” Weston mentioned.

Nonetheless, many customers wished the choice to run apps that weren’t within the Microsoft Retailer. With Sensible App Management, “this solves that drawback. It helps you to say, anybody who can signal an app, can now run,” Weston mentioned. Then again, “if we don’t know who wrote this and we don’t know [if] that particular person is understood for writing good apps — we’re not going to let it run.”

The end result, in accordance with Weston, is that “99% of the apps you’ll ever need to use will run simply high-quality. And principally what will probably be blocked is malware.”

“It’s inverting the ‘whack-a-mole’ mannequin into ‘show to me, you might be good,’” he mentioned. “It’s actually zero belief for apps.”

Beginning with the 2022 annual Home windows 11 function replace, Sensible App Management be robotically included with newly shipped gadgets. Different gadgets will have to be reset and endure a clear set up of Home windows 11 to make use of the function, in accordance with Microsoft. “We have to begin with a clear slate, so we will totally assess whether or not there [are] any incompatibilities with the system,” Weston mentioned.

In the end, on the subject of these new options to cut back phishing and malware, “our technique is to chop on the coronary heart of what strategies are getting used to abuse our customers right this moment — and cease that,” he mentioned.

Virtualization-based safety

Different safety enhancements that Microsoft is saying embody wider availability of virtualization-based safety (VBS), turned on by default, with the arrival of the 2022 annual Home windows 11 function replace.

With the preliminary model of Home windows 11, solely the most recent CPUs had been able to supporting VBS by default — however with the forthcoming model, virtualization-based safety will now be turned on by default for each single appropriate processor, Weston mentioned.

Virtualization-based safety permits a number of key security measures, which will probably be turned on by default in Home windows 11 with the upcoming launch of the OS. These options embody hypervisor-protected code integrity (HVCI), which prevents dynamic code from being injected into the Home windows kernel, as occurred in previous assaults together with WannaCry.

VBS turned on by default will even allow two new security measures to run robotically within the forthcoming Home windows 11 replace. Credential Guard is a function leveraging VBS to guard in opposition to credential theft techniques reminiscent of pass-the-hash, in addition to stopping system secrets and techniques to be accessed by malware. A second new on-by-default function will convey extra safety to the Native Safety Authority (LSA) course of, guaranteeing that the method solely hundreds signed code.

“The standard solution to goal that course of was by malicious drivers, however we’re blocking lots of these” with this forthcoming function, Weston mentioned.

New encryption function

An extra upcoming Home windows 11 safety function, private information encryption, will function a second layer of encryption past BitLocker. This second layer will probably be file-specific and will probably be tied to customers’ Home windows Hi there credentials. Thus, if an attacker was “by some means [able] to get previous BitLocker, these information would nonetheless keep encrypted,” Weston mentioned.

Microsoft can be utilizing this announcement to attract consideration to a safety function that had not beforehand been mentioned by the corporate, however has, in truth, been accessible in Home windows 11 for the reason that starting. That function, config lock, robotically restores methods to the group’s desired safety settings if they’re modified by a consumer or administrator.

Config lock supplies one other layer of safety in case of surprising system state change, in accordance with Weston — and notably, helps to alleviate some burden from safety and IT groups.

Safety chip

In that very same vein, Microsoft can be touting the industrial launch of its Pluton safety processor, set to happen throughout the subsequent month, which can convey advantages together with computerized firmware updates, Weston mentioned. Pluton will probably be accessible in some gadgets from distributors together with Lenovo, for PCs with AMD or Qualcomm processors (no Intel for now), he mentioned.

For gadgets with the Pluton safety chip, firmware updates will probably be delivered by Home windows Replace and gained’t require handbook effort, Weston mentioned.

All in all, with the Home windows 11 security measures disclosed by Microsoft right this moment, “we’re going to make everybody’s life simpler, by performing because the world safety workforce,” he mentioned.

“We aren’t going to push for them to config — we’re going to do it ourselves,” Weston mentioned. “We’re going to show issues on by default. We’re going to make that funnel smaller. And subsequently, safety groups can have much less to cope with and it’ll be higher safety high quality total.”