Whereas assaults are getting extra refined, so are our defenses. With current improvements like secured-core PCs which can be 60 p.c extra resilient to malware than non-secured-core PCs,¹ and the Microsoft Pluton Safety Processor that provides extra safety by isolating delicate information like credentials and encryption keys, Home windows 11 has elevated the safety bar for all. Our purpose is to guard organizations by simplifying safety, constructing in stronger protections from the chip to the cloud.

From safer and easy-to-use authentication with multifactor authentication to including further layers of safety for purposes and information, we’ve simplified and enabled extra security measures by default than ever earlier than with Home windows 11. These options are designed to assist cease assaults we’re seeing now as effectively the extra refined and focused assaults that we anticipate to turn out to be extra mainstream sooner or later. We have now additionally begun to undertake memory-safe languages like Rust, beginning with utilizing Rust code for 2 conventional assault targets—Font Parsing and Win32k Kernel.

After we launched Home windows 11 it got here with new {hardware} and software program options like safe boot, virtualization-based safety, hypervisor-protected code integrity, and Home windows Whats up utilizing the Trusted Platform Module (TPM) on by default in lots of areas. Since turning these options on, organizations have reported a 58 p.c discount in safety incidents, and a thrice discount in firmware assaults—a extremely engaging and profitable goal for attackers. Our information reveals that 83 p.c of Home windows 11 units use three or extra security measures. 

We’re excited to take the following step on this journey with updates for safety and IT professionals obtainable in the present day and on by default for brand spanking new installs of Home windows 11.

New Home windows 11 security measures

Home windows 11 options provide the energy to create, collaborate, and preserve your stuff protected.

The following step in the direction of eliminating passwords totally

Microsoft world risk intelligence processes greater than 65 trillion safety alerts each day. That intel has proven us there are greater than 4,000 password assaults each second.² On a regular basis cybercriminals in addition to nation-state attackers like Peach Sandstorm are leveraging password spray assaults to compromise high-value targets in sectors like satellite tv for pc, protection, and prescription drugs. Organizations can scale back their threat of compromise to those sorts of assaults with Home windows passwordless authentication and multifactor authentication options that supply extra safety than conventional passwords.

Passkeys make passwordless simpler and extra common: Home windows 11 will make it a lot tougher for hackers who exploit stolen passwords via phishing assaults by empowering customers to switch passwords with passkeys. Passkeys are the cross-platform way forward for safe sign-in administration. Microsoft and different expertise leaders are selling passkeys as a part of the FIDO Alliance. A passkey creates a singular, unguessable cryptographic credential that’s securely saved in your machine. As an alternative of utilizing a username and password to entry an internet site or utility, Home windows 11 customers will be capable of use and defend passkeys utilizing Home windows Whats up or Home windows Whats up for Enterprise, or their telephone. This can enable customers to entry the positioning or app utilizing their face, fingerprint, or machine PIN. Passkeys on Home windows 11 will work on a number of browsers together with Microsoft Edge, Google Chrome, Firefox, and others. Establishing a passkey in Home windows is achieved by:

• The web site or utility proprietor creates a passkey and gives it to you as a sign-in choice as an alternative of your password—web site and app homeowners might want to develop their very own passkeys infrastructure on their sign-in expertise.
• When you create the passkey in your machine, the following time you check in to that web site or app out of your machine it should acknowledge that you’ve its passkey, and you need to use it as an alternative of a password. If you’re utilizing Home windows Whats up or Home windows Whats up for Enterprise, it is possible for you to to make use of your face, PIN, or fingerprint to signal in additional simply. As well as, now you can use a passkey out of your telephone or pill to finish the sign-in course of.
• Customers could have a administration dashboard via Settings –> Accounts –> Passkeys to see and handle passkeys on their Home windows 11 machine.

Simplifying and modernizing safety for IT by decreasing the assault floor 

The most recent Home windows 11 may also embody highly effective new instruments that allow IT groups to maintain their organizations and staff safer. We’re bettering authentication, making it simpler for IT to lock down and keep coverage configurations, including extra controls via Intune.

Phish-resistant credentials with Home windows Whats up for Enterprise Passwordless: Home windows 11 units with Home windows Whats up for Enterprise or FIDO2 safety keys can defend person identities by eradicating the necessity to use passwords from day one. IT can now set a coverage for Microsoft Entra ID-joined machines, so customers now not see the choice to enter a password when accessing firm sources. As soon as the coverage is ready, it should take away passwords from the Home windows person expertise, each for machine unlock in addition to in-session authentication situations. With this variation, customers can now navigate via their core authentication situations utilizing robust, phish-resistant credentials like Home windows Whats up for Enterprise or FIDO2 safety keys. If ever vital, customers can leverage restoration mechanisms similar to Home windows Whats up for Enterprise PIN reset or internet sign-in. Net sign-in is now obtainable for all supported Microsoft Entra ID authentication mechanisms along with Momentary Entry Go (TAP) and training situations.

Keep IT coverage management with Config Refresh: Config Refresh is designed to revert insurance policies to a secured state in the event that they’ve been tampered with by doubtlessly undesirable purposes or person tampering with the registry. Config Refresh permits Home windows 11 units to be reset each 90 minutes by default, or each half-hour if desired, inside the coverage configuration service supplier (CSP). This functionality ensures that your settings are retained in the way in which IT configured them. The coverage CSP covers tons of of settings that have been historically set with Group Coverage and does so via Cellular System Administration, like Microsoft Intune. To allow assist desk technicians to help their groups extra effectively Config Refresh can be paused by IT directors for a configurable time period, after which it will likely be robotically re-enabled. It can be turned again on at any time by an IT administrator. Beginning in the present day, Config Refresh is on the market to our Insiders and coming quickly to all rganizations.

Solely enable trusted apps with Customized App Management: Functions are the lifeblood of our digital experiences, however they’ll additionally turn out to be entry factors for attackers. With utility management, solely authorized and trusted apps are allowed onto units. By controlling undesirable or malicious code from operating, utility management is a vital a part of an total safety technique. Software management is commonly cited as probably the most efficient technique of defending in opposition to malware. Organizations utilizing Home windows 10 and above use App Management for Enterprise (previously known as Home windows Defender Software Management) and its next-generation capabilities to guard their digital property from malicious code. Organizations utilizing Microsoft Intune to handle their units are actually capable of configure App Management for Enterprise within the admin console, together with establishing Intune as a managed installer.

New configurations in Home windows Firewall: We’re excited to announce some enhanced administration and capabilities for the built-in Home windows Firewall to assist IT present higher total safety. Home windows Firewall now helps:

• Software Management for Enterprise (beforehand often known as Home windows Defender Software Management) app ID tagging with Home windows Firewall guidelines although Intune. This allows IT to focus on Home windows Firewall guidelines to particular purposes with out an absolute file path. 
• The flexibility to configure community listing supervisor settings to find out when a Microsoft Entra ID (beforehand often known as Azure Lively Listing) machine is in your on-premises area subnets so firewall guidelines can correctly apply. The community listing supervisor settings for Home windows Firewall can be utilized for location consciousness. 
• There may be now higher help in settings to configure extra granular Home windows Firewall logging for area, non-public, and public firewall profiles, in addition to the flexibility to specify Home windows Firewall inbound and outbound guidelines for ICMP sorts and codes.

Our continued funding in safety and innovation

Our MORSE team, Microsoft Offensive Analysis and Safety Engineering, has been working onerous to make sure safety is a vital piece of the software program improvement lifecycle. Within the final 12 months, the group has devoted 1.9 million digital machine hours and greater than 84,000 Azure CPU cores devoted to proactively fuzzing code. Along with that, we’ve made practically 700 enhancements in our code simply the previous few months by strengthening the software program improvement lifecycle with safety checks and balances, together with new automation and AI to assist builders discover bugs on their very own. The proactive work of this group to proceed to enhance the integrity of our code each outdated and new is a part of our dedication to ongoing funding and innovation in safety. The group has launched learnings and instruments to the group as effectively like our open supply fuzzing device, Microsoft OneFuzz.

We’re wanting ahead to persevering with this journey to make Home windows safer from the chip to the cloud with each replace.

Study extra

Study extra about Home windows 11 security measures.

Obtain our Home windows safety e-book.

To study extra about Microsoft Safety options, go to our web site. Bookmark the Safety weblog to maintain up with our skilled protection on safety issues. Additionally, comply with us on LinkedIn (Microsoft Safety) and Twitter (@MSFTSecurity) for the most recent information and updates on cybersecurity.  

¹New security measures for Home windows 11 will assist defend hybrid work, David Weston. April 5, 2022.

²DHS CISA Technique to Repair Vulnerabilities Beneath the OS Amongst Worst Offenders, RSA Convention. Might 19, 2021.

³Microsoft inner information.