Microsoft Outlines New Security Protections Coming to Windows 11

Microsoft on Tuesday described security enhancements coming in "a future release of Windows 11."

The exact release of Windows 11 getting the security enhancements wasn't described, nor was the timing. In some cases, the enhancements will just arrive on new Windows 11 PCs, or a clean install of the operating system may be needed to leverage the improvements. In some cases, the Enterprise edition of Windows 11 may be required.

These coming "chip to cloud" protections were included in Microsoft's general argument, promulgated this week, that Windows 11 is an operating system designed to support the current "hybrid work" (or work-from-home) trend. The coming security protections are needed since IT departments don't have access to the physical devices used under work-from-home conditions, Microsoft argued.

Secured-Core PCs with Pluton Processors
Microsoft touted the use of Secured-core PCs that also use the Microsoft Pluton security processor as a coming security improvement.

Secured-core PCs have been commercially available for a couple of years, incorporating Trusted Platform Module (TPM) 2.0 support, which is required for running Windows 11. However, it seems that Secured-core PCs with Pluton processors are yet to come. Dell is one of Microsoft's original equipment maker partners that plans to opt out from using Pluton, according to a March 9 story by The Register.

Pluton processors are integrated with a machine's CPU so that information can't be exfiltrated via physical side-channel attacks. This concept was demonstrated by David Weston, Microsoft's vice president for enterprise and OS security, in a "Security Fundamentals" video released by Microsoft on Tuesday. Weston leads the "red team" of attacker testers at Microsoft.

Organizations don't have to update firmware when using machines with Pluton processors. Microsoft indicated that "Pluton is the only security processor which is kept regularly up to date with key security and functionality updates coming through Windows Update just like any other Windows component."

Moreover, Pluton processors are optimized to work with Microsoft's BitLocker drive encryption and its Windows Hello passwordless biometric sign-in scheme, Microsoft argued.

Smart App Control
Microsoft will be bringing a new Smart App Control feature to a future Windows 11 release. It blocks the running of untrusted or unsigned applications and is built into "the core of the OS at the process level."

Smart App Control checks whether apps are signed with certificates, and it also uses an artificial intelligence (AI) model to predict whether running the app will be safe. The AI model taps into Microsoft's signals intelligence stream indicating possible threats.

Microsoft plans to include Smart App Control on new Windows 11 devices. Existing Windows 11 users will need to perform a "clean installation" of the Windows 11 operating system if they want to use the coming Smart App Control feature.

Personal Data Encryption
Microsoft will be bringing a Personal Data Encryption safeguard to a future release of Windows 11. It ensures that data can only be accessed on a device after a user authenticates using Windows Hello for Business.

Personal Data Encryption is said to link "data encryption keys with the user's passwordless credentials." It assures resistance to attack, even when a device is lost or stolen.

HVCI and Driver Blocklist
Microsoft is planning to enable Hypervisor-Protected Code Integrity (HVCI) protections "by default on a broader set of devices running Windows 11," which will "block vulnerable drivers by default." HVCI ensures that "all drivers loaded onto the OS are signed and trustworthy."

Microsoft described other driver protections in Windows 11 as well. There's already a Web portal for reporting suspicious drivers, called the "Microsoft Vulnerable and Malicious Driver Reporting Center." Microsoft also has a kernel driver blocklist feature, and "devices running HVCI or Windows SE have the blocklist enabled by default," Microsoft explained. Users will also be able to turn on the driver blocklist feature from the "Device Security" option menu in Windows 11.

New Alerts in Microsoft Defender SmartScreen
Microsoft Defender SmartScreen is an existing service that checks the reputation of site URLs to protect users against phishing attacks. It'll be getting an enhancement that will show alerts when a user starts entering their credentials in a form on a "malicious application or hacked website."

Microsoft demonstrated these SmartScreen alerts in its video. Users are offered a prompt to change their password when their credentials are compromised, per the video's description.

Default Credential Guard and LSA Protections
Future Enterprise edition releases of Windows 11 will be adding Credential Guard and enhanced Local Security Authority (LSA) protections, which will be enabled by default.

Credential Guard is an existing security solution that uses "hardware-backed, virtualization-based security capabilities" to protect a system's secrets. It's designed to thwart "pass-the-hash or pass-the-ticket" attack techniques.

LSA is a process that handles passwords and tokens, enabling "single sign-on to Microsoft accounts and Azure services," but it's been "abused" by attackers. Microsoft is planning to enhance LSA's protections against stolen credentials, which will be "enabled by default in the future for new, enterprise-joined Windows 11 devices."
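As an added example that is not part of the article or Microsoft's own tooling, the following PowerShell script reports whether HVCI, Credential Guard, LSA protection and the vulnerable-driver blocklist described above are actually active on a given Windows 11 machine, so an admin can see which of these "on by default" settings still need turning on. It assumes the Win32_DeviceGuard WMI class and the RunAsPPL and VulnerableDriverBlocklistEnable registry values, none of which are named on the page.

```powershell
# Added example (not from the article): report whether the protections the article
# says are becoming default are active on this Windows 11 machine. Run elevated.
# Assumes the Win32_DeviceGuard WMI class (root\Microsoft\Windows\DeviceGuard) and the
# LSA (RunAsPPL) and CI (VulnerableDriverBlocklistEnable) registry values.
function Get-Win11ProtectionStatus {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Memory integrity)
    $running = @($dg.SecurityServicesRunning)

    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name RunAsPPL -ErrorAction SilentlyContinue
    $ci  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                            -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus 2 = VBS running; HVCI and Credential Guard need it
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning            = ($running -contains 2)
        CredentialGuardRunning = ($running -contains 1)
        # RunAsPPL 1 or 2 means LSA runs as a protected process (the "LSA protection" above)
        LsaProtected           = ($null -ne $lsa -and $lsa.RunAsPPL -ge 1)
        # The blocklist toggle exposed under Windows Security > Device security
        DriverBlocklistEnabled = ($null -ne $ci -and $ci.VulnerableDriverBlocklistEnable -eq 1)
    }
}

$status = Get-Win11ProtectionStatus
$status | Format-List

# Flag anything not enabled so it can be fixed before relying on the coming defaults
$status.PSObject.Properties |
    Where-Object { -not $_.Value } |
    ForEach-Object { Write-Warning "$($_.Name) is not enabled on this device" }
```

On a device where VBS is not running, both HVCI and Credential Guard will report false regardless of how they are configured, which is the first thing to fix.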

Config Lock
Config Lock is a management feature that locks down Windows 11 devices against Registry changes or any other changes that conflict with an organization's set mobile device management security policies. It'll revert any such changes made by an end user or an attacker.

Config Lock is "already in Windows 11," Microsoft indicated.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
