Microsoft Answers Some Windows 11 Security Questions
Microsoft's coming Windows 11 security improvements, announced last week, may be available for Windows 10 machines as well.
That notion came from David Weston, vice president for enterprise and OS security at Microsoft, who led a Thursday "Windows Security AMA" Q&A session (now available on demand) with members of Microsoft's security teams. The talk featured five panelists and ranged across security topics, including Windows 11 security.
With Windows 11, Microsoft is just making the operating system's security features -- such as Windows Defender Application Control, BitLocker drive encryption and driver blocking -- easier to access, Weston contended.
"I would say the vast majority of the security features we're talking about in Windows 11 can be also implemented in Windows 10 -- and sometimes in a different way," Weston said. "A lot of our goal of Windows 11 is to make this easier, better, faster at home by default."
In its announcement last week, Microsoft highlighted new Windows 11 features to come, such as Pluton processors in PCs, Personal Data Encryption tied to Windows Hello biometric sign-ins, driver block lists and Smart App Control for application blocking. Arrival dates for these new features weren't specified, though.
Smart App Control and WDAC
One Windows 11 security feature that won't be in Windows 10 is the coming Smart App Control, which blocks the running of untrusted or unsigned applications.
Moreover, Microsoft had earlier explained that Smart App Control, when available, would appear on new Windows 11 PCs. Smart App Control would only be available for existing Windows 11 PCs if a "clean installation" operating system upgrade were to be performed.
However, Windows 10 users can still get similar app protections using Microsoft's Windows [Defender] Application Control solution to block the running of untrusted applications. This point was explained by Jordan Geurten, a Microsoft program manager on the OS security team, as follows:
Smart App Control is limited to Windows 11. Smart App Control does run on a feature called WDAC or Windows Application Control. Application Control essentially allows a user or an IT admin to specify a policy for what apps and essentially all code that runs on the system, both in kernel mode and user mode. So while Smart App Control isn't necessarily available on Windows 10, you can make use of the great app control features as far back as Windows 10. So WDAC or application control is available on Windows 10 and above. There are no hardware or SKU limitations and it also ties into Defender reputation AI in the cloud.
Geurten built Microsoft's open source WDAC Policy Wizard tool, which provides a graphical user interface for configuring WDAC policies, instead of having to use XML or PowerShell.
WDAC used to be called "Configurable Code Integrity" and was part of Microsoft's "Device Guard" operating system feature (which is now a defunct name), according to this Microsoft document. WDAC essentially is replacing AppLocker, another solution for locking down applications, which was first introduced with Windows 7.
Microsoft explained why it's favoring WDAC over AppLocker as follows, per the document:
Generally, it is recommended that customers, who are able to implement application control using WDAC rather than AppLocker, do so. WDAC is undergoing continual improvements, and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements.
There's still a case for using AppLocker, though, for organizations having "a mixed Windows operating system (OS) environment" or having shared computers, the document explained.
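The WDAC policy that Geurten describes (a declared allow-list for user-mode and kernel-mode code) can be built without the Policy Wizard using the ConfigCI cmdlets that ship with Windows 10 and later. The following is an added example, not code from the article or from the WDAC Policy Wizard project; the C:\WDAC paths are assumptions, and the policy is left in audit mode so that it logs rather than blocks while it is evaluated.

```powershell
# Added example: build a publisher-based WDAC policy in audit mode and read back
# what it would have blocked. Paths under C:\WDAC are assumptions for this example.
$PolicyXml = 'C:\WDAC\AuditPolicy.xml'
$PolicyBin = 'C:\WDAC\AuditPolicy.bin'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Scan the Windows install and allow what is found, keyed on the signing
# publisher rather than per-file hashes; unsigned files fall back to a hash rule.
# -UserPEs includes user-mode binaries, so the policy covers both kernel and user mode.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\Windows' `
    -UserPEs -FilePath $PolicyXml

# Rule option 3 = "Enabled:Audit Mode": violations are logged, not blocked.
# Remove the option (Set-RuleOption ... -Option 3 -Delete) only after the log is clean.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Compile the XML into the binary form that the kernel loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryPath $PolicyBin

# Deploying the .bin (via MDM, Group Policy, or the CodeIntegrity folder) is out of
# scope here. Once it is active, event 3076 in the CodeIntegrity log records each
# binary that audit mode would have blocked; reviewing these is the step that keeps
# an enforced policy from breaking line-of-business applications.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The scan step can take a long time on a full installation; scoping -ScanPath to the application directories that matter and merging the results with Merge-CIPolicy is the usual way to keep the policy manageable.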
Driver Block List
Microsoft will be bringing a Driver Block List feature to Windows 11, which will block vulnerable drivers by default when Hypervisor-Protected Code Integrity (HVCI) protections get turned on. The block list gets updated by various security team members, according to Geurten.
"The way we actually update it is we have a virtual team of people across our security teams -- enterprise security, Defender, Defender for Endpoint folks, MSRC -- [and] we work closely to triage and investigate drivers that get reported," Geurten said.
Microsoft uses static analysis and reverse engineering to figure out what the drivers are doing and then coordinates back with the driver publishers, Geurten added.
Microsoft has a portal for reporting suspicious drivers, called the "Microsoft Vulnerable and Malicious Driver Reporting Center," but it's not tied to a bug bounty program. Microsoft is also working on a Windows improvement that will limit what the Windows kernel will trust.
"We are evaluating a new feature shortly that will help limit the scope of what Windows trusts in the kernel, but also keeping compatibility and performance at the forefront," Geurten said.
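Because the driver block list only applies once HVCI is on, an administrator's first question is whether HVCI is actually running and whether the vulnerable driver blocklist is enabled on a given machine. The following is an added example, not from the article; it reads the Win32_DeviceGuard WMI class that Windows exposes for this and the documented VulnerableDriverBlocklistEnable registry value, whose location under the CI\Config key should be treated as an assumption to verify against current Microsoft documentation.

```powershell
# Added example: report HVCI state and the vulnerable driver blocklist setting,
# then list drivers that code integrity has blocked from loading.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                      -ClassName Win32_DeviceGuard

# SecurityServicesRunning holds service ids: 1 = Credential Guard, 2 = HVCI.
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

# Registry location assumed from Microsoft's driver block rules documentation.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
                -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

$blocklistState = if ($null -eq $blocklist) { 'not set (platform default applies)' }
                  elseif ($blocklist -eq 1)  { 'enabled' }
                  else                       { 'disabled' }

[pscustomobject]@{
    HvciRunning               = $hvciRunning
    # 0 = off, 1 = audit, 2 = enforced
    KernelModeCIEnforcement   = $dg.CodeIntegrityPolicyEnforcementStatus
    VulnerableDriverBlocklist = $blocklistState
}

# Event 3077 in the CodeIntegrity log records each image that was blocked from
# loading under an enforced policy, including drivers hit by the block list.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3077
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A blocked driver that a workload depends on should be reported to the vendor and to the reporting center mentioned above rather than worked around by disabling the list.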
Weston noted that groups such as the Confidential Computing Consortium have been looking at creating "ledgers or transparent viewpoints on the security and integrity of binaries," which could prove promising for OS kernel security.
Pluton is Microsoft's security solution that's already used in Xbox gaming systems and Azure Sphere chips for Internet of Things devices. Pluton is also expected to appear in some new Windows 11 PCs coming this year.
The Windows security team was asked if Microsoft's Pluton security component uses some new way of talking with a machine's CPU. Weston instead described Pluton as an approach to reduce the attack surface along the CPU's "root of trust."
"Basically, the concept of Pluton is to integrate what we call the root of trust, or security processor, onto the CPU package or die," Weston said. "And that's going to be very architectural -- dependent on how the CPU vendor does that."
The more that this root of trust gets packaged together, the smaller the physical attack surface will be on the device. Weston also later clarified during the talk that the side-channel physical attack he had performed in a demo to exfiltrate information from a machine's processor would not only be blocked on Pluton-based PCs, but would also be blocked on a machine with a Trusted Platform Module, or even in BitLocker plus PIN authentication scenarios.
The Windows security team was asked about how to make it easier to deploy multifactor authentication with Windows Hello. Weston suggested it was an easy matter for Windows 11 users.
"You can, from a Windows 11 machine, use Windows Hello, enroll in Windows Hello for Business and you have multifactor authentication without logging into phone or doing any kind of push requests, which can have challenges from a deployment perspective," Weston said.
For organizations needing more fine-grained control over multifactor authentication, Microsoft has a configuration tool called "Multi-factor Unlock," which lets IT pros specify the use of "a combination of factors and trusted signals" for users to unlock their devices, according to Microsoft's "Multi-factor Unlock" document.
The hour-long Q&A talk was filled with lots of other insights shared by the Windows security team members, including career advice on getting into the security field. Technical questions were answered as well.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.