News

Microsoft Enhances Phishing Protections for Windows 11, but Not Windows 10

• By Kurt Mackie
• 09/21/2022

Microsoft offered more details this week about its enhanced phishing protection technology that kicked off with the newly released Windows 11 version 22H2.

So far, it's looking like the useful phishing protections enabled by a Microsoft Defender SmartScreen capability are just for Windows 11 users, starting with version 22H2. Windows 10 support seems not to be available.

SmartScreen Windows 11 Protections
Microsoft describes its Defender SmartScreen capability as "a feature of Windows, Internet Explorer, and Microsoft Edge," per this Microsoft FAQ document. SmartScreen was perhaps better known previously as site reputation screening service for users of Microsoft's Web browsers. It sends warnings to browser users when they start to access scam sites.

However, as a Windows 11 version 22H2 feature, SmartScreen offers additional protective capabilities against phishing-style attacks.

For instance, Microsoft Defender SmartScreen in Windows 11 version 22H2 can warn end users when they are trying to enter a password that is deemed unsafe, perhaps because it's been detected by Microsoft's sensor information as having been compromised. Users get prompted to change their passwords in such cases.

Here's how that capability was described by Sinclaire Hamilton, a product manager on the Web Defense team at Microsoft, per the announcement:

When SmartScreen sees the right signals indicating unsafe usage of the password typed to sign into the Windows device, it jumps into action -- whether you use a Microsoft Account, Active Directory, Azure Active Directory, or local password. SmartScreen does two things. First, it lets users know right in the moment that they need to change their password to reduce potential compromise to organizational resources. Secondly, it automatically reports the unsafe password usage to IT through the MDE [Microsoft Defender for Endpoint] portal so the incident can be tracked.

Moreover, Microsoft Defender SmartScreen wards off end users from trying to save passwords in Microsoft applications, such as "Notepad, Wordpad or Microsoft 365 apps." Doing so is deemed to be an unsafe practice.

Alerts and Logs, but Just for Windows 11
With Microsoft Defender SmartScreen, IT pros can configure phishing alerts for end users, which is done using Group Policy or the Microsoft Endpoint Manager Admin Center portal. There are four types of configurations for IT pros, namely "Notify Malicious," "Notify Password Reuse," "Notify Unsafe App" and "Service Enabled," per this Microsoft Defender SmartScreen document.

"We recommend that you enable all four settings, as doing so will alert your users for all protection scenarios," Hamilton wrote.

The last item, Service Enabled," turns on an audit mode that "captures unsafe password entry events and sends telemetry through Microsoft Defender," per Microsoft's document. It's turned on by default. Oddly, when it's on, end users don't get notifications.

"Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode," the document indicated.

Unfortunately, though, the ability to configure the four phishing settings isn't available for organizations with Windows 10 users, as noted by Microsoft Solutions Architect Kris Debkowski, in the comments section of Microsoft's announcement. He pointed to this Microsoft document, which showed Windows 10 as not being supported.

E5 Licensing Needed to View Alert Info
There's also a bit of a snag for IT departments eager to use the Microsoft Defender SmartScreen feature with Windows 11 version 22H2. They will need E5-type licensing to view the logged alert activities.

Here's how Hamilton described that nuance, which came in response to a licensing question posed by Microsoft Most Valuable Professional Susan Bradley:

Enhanced Phishing Protection is available to all consumers and enterprises using Windows 11 22H2 without a special license tier. However, in order to view Enhanced Phishing Protection alerts in the M365 Defender security portal (security.microsoft.com), commercial customers must have a license that provides you M365D security portal access, such as E5.

That answer seems to mean that Microsoft provides the enhanced phishing protections to all Windows 11 version 22H2 users, but organizations wanting to see log reports on phishing prevention activities will need E5 licensing.

There are two Microsoft Defender for Endpoint plans to use security and compliance features, per this Microsoft document. Plan 1 is included with E3/A3 Microsoft 365 subscriptions. Plan 2, which was the original Microsoft Defender for Endpoint product offering name before a product restructuring in November, is available with E5/A5 subscriptions.

"Plan 2 of the product will remain a free offering for those who have purchased E5," this Dec. 21, 2021 AgileIT partner blog explained. Plan 2 is also offered as a "standalone" product, which is priced at "$5.20 per user," per AgileIT.