Microsoft claims that Windows 11 will bring major security improvements and has now detailed a number of them.
Not many businesses are using Windows 11 right now because of the high bar of its minimum hardware requirements, but it has been rolling out rapidly to consumers since its October release.
Microsoft teamed up with Intel to deliver its Secured-core PCs for enterprise customers and create the Pluton security co-processor with Intel, AMD and Qualcomm for storing encrypted secrets like passwords. The hardware-based security efforts, which were introduced in 2019, aim to thwart attacks on firmware, where attackers may have physical access to the computer, like a state-sponsored hacker.
And Microsoft has now said that its work on secured-core PCs and servers is producing benefits.
"Our data shows that these devices are 60 percent more resilient to malware than PCs that don't meet the Secured-core specifications," says David Weston, Microsoft's vice president of enterprise and security.
"The stronger protection these devices provide helped build the foundation that the Windows 11 hardware baselines were designed upon. In upcoming releases of Windows, we are advancing security even further with built-in protections to help defend from advanced and targeted phishing attacks."
Weston said that a future release of Windows 11 will introduce "significant security updates" that add even more protection from the chip to the cloud by combining modern hardware and software.
"We're also adding more protection for your applications, personal data, and devices and empowering IT with the ability to lock security configurations as more enterprise devices are sent directly to users," he said.
Weston argues Windows 11 is the right choice for organizations that are implementing zero-trust networks, which the White House is urging all businesses to implement.
Windows 11 upgrades require the hardware has Trusted Platform Module (TPM) 2.0, firmware and identity protection, Direct Memory Access, and Memory Integrity protection, says Weston.
"While those features provide protection from many attack patterns we see today, we know that attackers have shifted their sights to hardware which is why we're looking ahead to the Microsoft Pluton Security Processor as an innovative solution to securing that critical layer of computing," says Weston.
"Pluton is the only security processor which is kept regularly up to date with key security and functionality updates coming through Windows Update just like any other Windows component. This means that Pluton does not require enterprises to take the traditional manual steps to update firmware, making it much easier to stay secure.
Weston says Pluton is optimized for Windows 11 and underwent serious penetration testing to ensure it protects against physical attacks through its direct integration into the CPU. Admins need to do less to protect Windows machines from attacks who have physical access to a machine.
He also pointed to other security updates including Smart App Control which is currently being tested which prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications.
"Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud."
He also said that Credential Guard, which helps protect systems from credential theft attack techniques like pass-the-hash or pass-the-ticket, will in the future be enabled by default for organizations using the Enterprise edition of Windows 11. Local Security Authority, responsible for authenticating users and verifying Windows logins, will also be enabled by default in the future for new, enterprise-joined Windows 11 devices "making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code," he said.
Microsoft is also bringing new Personal Data Encryption coming to Windows 11 to protect user files and data when the user is not signed into the device. "To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user's passwordless credentials so that even if a device is lost or stolen, data is more resistant to attack," he said.