Microsoft announces major new Windows 11 security features for 2022

Microsoft on Tuesday unveiled new and updated Windows 11 security features that are set to arrive later in 2022, including improved protections against phishing and malware that aim to dramatically reduce work for security teams, a Microsoft security executive told VentureBeat.

Cybersecurity teams continuously face a “giant funnel” of issues that need to be fixed — but with the forthcoming security capabilities coming to Windows 11, “that funnel is going to be much, much smaller,” said David Weston, vice president of OS and enterprise security at Microsoft, in an interview. “That’s our goal. We want to reduce the number of things that security teams have to look at and make their lives easier. And that allows them to go deeper on the things that matter.”

When Microsoft rolled out Windows 11 starting last October, the company said a key driver for the new operating system was to enable more security features to be turned on by default than had been in Windows 10.

For the annual feature update arriving in the second half of 2022, Microsoft aims to go much further with an array of new Windows 11 security capabilities — including many that will be on by default — that seek to reduce the funnel of issues for security teams “to a trickle,” Weston said.

Windows 11 transition

While the new features will not be arriving for months, Microsoft is disclosing details now in part to help generate more interest among businesses in moving to Windows 11. Figures from AdDuplex show that Windows 10 PCs still outnumber devices running Windows 11 by a four-to-one margin and the margin is likely even higher among businesses — which often take longer than consumers to move to new operating system versions.

Among the new features that Microsoft has announced are capabilities that have the potential to make a “huge dent” in phishing and targeted malware attacks, ultimately reducing the proliferation of ransomware, Weston said.

The Microsoft Defender SmartScreen solution will offer improved phishing detection starting with the next annual release of Windows 11, by alerting users when they enter Microsoft credentials into a malicious application or website.

Weston said that while phishing prevention has been offered for browsers in the past, Microsoft is now moving it into the operating system layer for the first time ever. “That means every single application now gets the ability to have phishing prevention available,” he said.

The feature will also enable Microsoft to alert a user’s security operations team when that user has fallen prey to a successful phishing attack, according to Weston.

Malware prevention

In terms of stopping malware, Microsoft plans to introduce Smart App Control — a new Windows 11 feature that will thwart malicious applications by only running apps that are cryptographically signed.

This leverages a concept that Microsoft had deployed in its Windows 10S edition, which locked down devices to only be able to run apps from the Microsoft Store. “It was great for security. We had no malware,” Weston said.

However, many users wanted the option to run apps that were not in the Microsoft Store. With Smart App Control, “this solves that problem. It lets you say, anyone who can sign an app, can now run,” Weston said. On the other hand, “if we don’t know who wrote this and we don’t know [if] that person is known for writing good apps — we’re not going to let it run.”

The result, according to Weston, is that “99% of the apps you’ll ever want to use will run just fine. And mostly what will be blocked is malware.”

“It’s inverting the ‘whack-a-mole’ model into ‘prove to me, you are good,'” he said. “It’s really zero trust for apps.”

Starting with the 2022 annual Windows 11 feature update, Smart App Control be automatically included with newly shipped devices. Other devices will need to be reset and undergo a clean installation of Windows 11 to use the feature, according to Microsoft. “We need to start with a clean slate, so we can fully assess whether there [are] any incompatibilities with the system,” Weston said.

Ultimately, when it comes to these new features to reduce phishing and malware, “our strategy is to cut at the heart of what techniques are being used to abuse our users today — and stop that,” he said.

Virtualization-based security

Other security enhancements that Microsoft is announcing include wider availability of virtualization-based security (VBS), turned on by default, with the arrival of the 2022 annual Windows 11 feature update.

With the initial version of Windows 11, only the latest CPUs were capable of supporting VBS by default — but with the forthcoming version, virtualization-based security will now be turned on by default for every single compatible processor, Weston said.

Virtualization-based security enables several key security features, which will be turned on by default in Windows 11 with the upcoming release of the OS. Those features include hypervisor-protected code integrity (HVCI), which prevents dynamic code from being injected into the Windows kernel, as occurred in past attacks including WannaCry.

VBS turned on by default will also enable two new security features to run automatically in the forthcoming Windows 11 update. Credential Guard is a feature leveraging VBS to protect against credential theft tactics such as pass-the-hash, as well as preventing system secrets to be accessed by malware. A second new on-by-default feature will bring more protection to the Local Security Authority (LSA) process, ensuring that the process only loads signed code.

“The traditional way to target that process was through malicious drivers, but we’re blocking many of those” with this forthcoming feature, Weston said.

New encryption feature

An additional upcoming Windows 11 security feature, personal data encryption, will serve as a second layer of encryption beyond BitLocker. This second layer will be file-specific and will be tied to users’ Windows Hello credentials. Thus, if an attacker was “somehow [able] to get past BitLocker, these files would still stay encrypted,” Weston said.

Microsoft is also using this announcement to draw attention to a security feature that had not previously been discussed by the company, but has, in fact, been available in Windows 11 since the beginning. That feature, config lock, automatically restores systems to the organization’s desired security settings if they are changed by a user or administrator.

Config lock provides another layer of protection in case of unexpected device state change, according to Weston — and notably, helps to relieve some burden from security and IT teams.

Security chip

In that same vein, Microsoft is also touting the commercial launch of its Pluton security processor, set to occur within the next month, which will bring benefits including automatic firmware updates, Weston said. Pluton will be available in some devices from vendors including Lenovo, for PCs with AMD or Qualcomm processors (no Intel for now), he said.

For devices with the Pluton security chip, firmware updates will be delivered through Windows Update and won’t require manual effort, Weston said.

All in all, with the Windows 11 security features disclosed by Microsoft today, “we’re going to make everyone’s life easier, by acting as the world security team,” he said.

“We are not going to push for them to config — we’re going to do it ourselves,” Weston said. “We’re going to turn things on by default. We’re going to make that funnel smaller. And therefore, security teams will have less to deal with and it’ll be better security quality overall.”