At its dedicated event geared towards hybrid work using Windows today, Microsoft unveiled a bunch of security capabilities that are coming to Windows 11 soon. Insiders may already be aware of most of these and may even be leveraging them in their daily workflows, but Microsoft's announcement today deals with what will be hitting general availability in a "future release" of the OS.
For starters, we will see more PCs utilizing the Microsoft Pluton security chip for advanced security that begins at the hardware level. Interestingly, Microsoft has highlighted that Pluton will be the only processor that will be improved and updated through Windows Update, which takes some responsibility off the shoulders of enterprises. The company says that Pluton is optimized for Windows 11 and emphasizes Microsoft's investment in the chip-to-cloud security strategy.
Hypervisor-protected Code Integrity (HVCI) will be enabled by default for more Windows 11 devices too. This will protect machines from infected and malicious drivers. The Vulnerable Driver Blocklist will leverage HVCI and Windows Defender Application Control (WDAC) for this purpose. This is a kernel-level mitigation and will be enabled by default for machines with HVCI or Windows 11 SE.
Microsoft will also ship Smart App Control with new Windows 11 devices. This solution will expand beyond built-in browser protections to cover any unsigned and malicious apps. Smart App Control is powered by AI and runs inference on process signals every second of the day to ensure that only safe apps are allowed to run. Unfortunately, existing Windows 11 devices will need to be reset and have a clean installation in order to take advantage of this capability.
Enhanced phishing detection and prevention with Microsoft Defender SmartScreen in Windows will alert users when they are entering credentials into a malicious application or website. Similarly, Credential Guard, which utilizes hardware-backed, virtualization-based security capabilities, will be enabled by default in Windows 11. Additional Local Security Authority (LSA) protection to confirm the identity of enterprise-joined Windows 11 PCs will also be the default implementation in the OS moving forward.
Personal Data Protection is coming to Windows 11 as well. In order to access privileged data, users will first need to authenticate via Windows Hello for Business, so even if your device is stolen or misplaced, malicious actors won't be able to access sensitive data. Finally, Microsoft also reminded organizations of Config Lock, already present in Windows 11, which can be used to monitor registry keys and ensure that they comply with the baselines set by your organization and the IT industry in general.