Microsoft have announced a raft of new security features for Windows 11 – aimed squarely at the new trend of hybrid working.
With millions of users working remotely post-Covid, the enhancements largely focus on hardware security and identity protection, as end-user devices access ever more cloud-resources from a broader range of working environments.
‘Microsoft Pluton’ is the name of a new security processor integrated into CPUs on devices shipping with the new operating system – an App Control feature designed to prevent untrusted apps from running, block the theft of user credentials, and counter dangers from outdated drivers.
As we’ve noted before, Pluton (like Windows 11 itself) also relies upon Trusted Platform Module (TPM) technology to fire up a PC securely – but some TPM chips remain vulnerable to encryption keys being intercepted between components. Pluton devices are expected to close off that weakness, preventing this kind of hardware attack.
Smart App Control
As many predicted, Application Management begins taking centre-stage in 2022, as bigger organisations seek to prevent users introducing rogue software into their IT infrastructure (or worse, introducing it back into the company network themselves.)
Smart App Control blocks unsigned or suspicious apps at the OS level, and will receive regular updates daily.
However – it’s worth noting this core feature only applies to newly shipped devices – so even those who adopted Windows 11 early would have to complete a full operating system reinstall to ensure Smart App is live.
Microsoft Defender SmartScreen
SmartScreen helps protect identity by alerting the user if they’ve begun interacting with a known malicious application, fake or hacked website – with the added advantage that the safeguard is pre-installed for all users.
Microsoft are keen to demonstrate SmartScreen’s record of success elsewhere – blocking nearly 26 billion brute force attacks on Microsoft Azure Active Directory, and nearly 36 billion phishing emails that were intercepted by Microsoft 365, last year alone.
Another ‘by default’ upgrade – Credential Guard isolates really important system secrets in a way that is designed to stop ‘pass the hash’ style attacks where a hacker is able to use the encrypted version of a password to gain entry, and (Microsoft claim) can even prevent malicious applications that have somehow obtained Admin-user privileges on their device from accessing those secrets.
You can discover the full list of the security enhancements coming to Windows 11 here.