As attacks become more sophisticated, so do our defenses. Recent innovations, such as secured-core PCs, which are 60 percent more resistant to malware than non-secured-core PCs, and the Microsoft Pluton Security Processor, which enhances protection by isolating sensitive data like credentials and encryption keys, have significantly raised the security standards in Windows 11. Our objective is to protect organizations by simplifying security and building stronger protections from the chip to the cloud.
Windows 11 offers more secure and user-friendly authentication through multifactor authentication and adds extra layers of protection for applications and data. We've simplified and enabled more security features by default than ever before. These features are designed to counter current attacks and anticipate more sophisticated and targeted threats in the future. Additionally, we've begun adopting memory-safe languages like Rust, initially applying Rust code to traditionally vulnerable areas such as font parsing and the Win32k kernel.
With the launch of Windows 11, we introduced new hardware and software features like secure boot, virtualization-based security, hypervisor-protected code integrity, and Windows Hello using the Trusted Platform Module (TPM), enabled by default in many regions. Since these features were activated, organizations have reported a 58 percent reduction in security incidents and a threefold decrease in firmware attacks; firmware is a prime target for attackers. Our data shows that 83 percent of Windows 11 devices use three or more security features.
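The protections named above can be verified locally. The following is an added example, not code from the original post; it uses the built-in SecureBoot and TrustedPlatformModule cmdlets and the Win32_DeviceGuard WMI class, and assumes an elevated PowerShell session on a UEFI machine.

```powershell
# Added example: report whether the Windows 11 baseline protections are actually active.
# Confirm-SecureBootUEFI throws on legacy BIOS firmware, so that case is caught below.
function Get-Win11SecurityPosture {
    $result = [ordered]@{}

    # Secure Boot: firmware loads only signed boot components.
    try   { $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $result['SecureBoot'] = $false }   # non-UEFI firmware or query unsupported

    # TPM backs Windows Hello keys and BitLocker; both present and ready are required.
    $tpm = Get-Tpm
    $result['TpmPresent'] = [bool]$tpm.TpmPresent
    $result['TpmReady']   = [bool]$tpm.TpmReady

    # Win32_DeviceGuard reports VBS and the services running on top of it.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $result['VbsRunning']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result['HvciRunning']            = ($dg.SecurityServicesRunning -contains 2)
    $result['CredentialGuardRunning'] = ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]$result
}

$posture = Get-Win11SecurityPosture
$posture | Format-List

# List what is off so it can be remediated, and count what is on.
$off = $posture.PSObject.Properties | Where-Object { -not $_.Value } | Select-Object -ExpandProperty Name
$on  = @($posture.PSObject.Properties | Where-Object { $_.Value }).Count
if ($off) { Write-Warning ("Not active: " + ($off -join ', ')) }
Write-Output "$on of $($posture.PSObject.Properties.Count) baseline protections active"
```

HVCI reported as configured but not running usually indicates a driver incompatibility; the Device Guard event log and the Microsoft Defender memory integrity page show which driver blocked it.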
We're excited to continue this journey with new updates for security and IT professionals, available today and enabled by default for new installations of Windows 11.
The next step towards eliminating passwords entirely
Microsoft's global threat intelligence processes more than 65 trillion security signals daily, revealing over 4,000 password attacks every second. Cybercriminals and nation-state attackers, like Peach Sandstorm, frequently use password spray attacks to target high-value sectors such as satellite, defense, and pharmaceuticals. Organizations can mitigate the risk of such attacks with Windows passwordless authentication and multifactor authentication features, which provide stronger protection than traditional passwords.
Passkeys make passwordless authentication easier and more universal. Windows 11 significantly raises the bar against hackers exploiting stolen passwords through phishing by enabling users to replace passwords with passkeys. Passkeys represent the cross-platform future of secure sign-in management. Supported by Microsoft and other technology leaders as part of the FIDO Alliance, a passkey is a unique, unguessable cryptographic credential securely stored on your device. Instead of using a username and password to access websites or applications, Windows 11 users can utilize passkeys protected by Windows Hello, Windows Hello for Business, or their phone. This allows access using facial recognition, fingerprint, or device PIN.
Passkeys on Windows 11 will work on multiple browsers including Microsoft Edge, Google Chrome, Firefox, and others. Website or application owners can offer passkeys as a sign-in option, which users can set up on their devices. Once a passkey is created, it allows users to sign in without a password using Windows Hello or their phone/tablet for face, PIN, or fingerprint authentication. Windows 11 provides a management dashboard in Settings -> Accounts -> Passkeys for users to see and manage their passkeys.
Simplifying and modernizing security for IT by reducing the attack surface
The latest Windows 11 includes powerful new tools for IT teams to enhance security for their organizations and employees. We're improving authentication, simplifying policy configuration maintenance, and adding more controls via Intune.
Phish-Resistant Credentials with Windows Hello for Business Passwordless: Windows 11 devices with Windows Hello for Business or FIDO2 security keys can eliminate the need for passwords, protecting user identities from day one. IT can set a policy for Microsoft Entra ID-joined machines, removing the password option when accessing company resources. This policy removes passwords from the Windows user experience, both for device unlock and in-session authentication, enabling users to navigate core authentication scenarios using strong, phish-resistant credentials. If necessary, users can use recovery mechanisms like Windows Hello for Business PIN reset or web sign-in, now available for all supported Microsoft Entra ID authentication mechanisms, including Temporary Access Pass (TAP) and education scenarios.
Maintain IT Policy Control with Config Refresh: Config Refresh ensures policies revert to a secured state if tampered with by unwanted applications or registry changes. Windows 11 devices can re-apply the configured policies every 90 minutes by default, or every 30 minutes if desired, using the policy configuration service provider (CSP). This capability ensures settings are maintained as IT configures them, covering hundreds of settings that were traditionally set with Group Policy and are now delivered through mobile device management (MDM) solutions such as Microsoft Intune. Config Refresh can be paused by IT administrators for a configurable period and re-enabled automatically or manually, enhancing help desk support efficiency. Available now to Insiders, Config Refresh is coming soon to all organizations.
Only Allow Trusted Apps with Custom App Control: Application control is crucial for security, allowing only approved and trusted apps on devices to prevent unwanted or malicious code from running. This is a critical part of a security strategy, often cited as one of the most effective means of defending against malware. Organizations using Windows 10 and above can use App Control for Business (formerly Windows Defender Application Control) to protect their digital estate from malicious code. Microsoft Intune users can now configure App Control for Business in the admin console, including setting up Intune as a managed installer.
Microsoft is excited to announce enhanced management and capabilities for the built-in Windows Firewall to improve overall protection. Windows Firewall now supports:
Application Control for Business: App ID tagging with Windows Firewall rules through Intune, allowing IT to target rules to specific applications without needing an absolute file path.
Network List Manager Settings: Configuration settings to identify when a Microsoft Entra ID (formerly Azure Active Directory) device is connected to on-premises domain subnets, enabling proper application of firewall rules. These settings enhance location awareness for Windows Firewall.
Granular Logging and ICMP Rules: Improved support for detailed Windows Firewall logging across domain, private, and public profiles, along with the ability to specify inbound and outbound rules for ICMP types and codes.
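The per-profile logging and ICMP type/code rules described above, as an added example that is not part of the original post. The post describes delivering these settings through Intune; the built-in NetSecurity cmdlets below are the local equivalents, and the management subnet address is a constructed placeholder.

```powershell
# Added example: granular per-profile firewall logging plus ICMP rules scoped to a
# specific type and code. Requires an elevated PowerShell session.

# 1. Log allowed and dropped packets for each profile into its own file, so an analyst
#    can tell which profile was active when a packet was dropped. 32767 KB is the maximum.
foreach ($p in 'Domain', 'Private', 'Public') {
    Set-NetFirewallProfile -Profile $p `
        -LogAllowed True `
        -LogBlocked True `
        -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall_$($p.ToLower()).log" `
        -LogMaxSizeKilobytes 32767
}

# 2. Allow inbound ICMPv4 Echo Request (type 8, code 0) only from the management subnet
#    (10.0.100.0/24 is a constructed placeholder) on the Domain profile, instead of the
#    broad "allow all ICMP" rule common in legacy configurations.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo Request from management subnet' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType '8:0' `
    -RemoteAddress '10.0.100.0/24' -Profile Domain -Action Allow

# 3. On the Public profile, block outbound ICMPv4 Destination Unreachable / Port
#    Unreachable (type 3, code 3) so closed UDP ports do not announce themselves
#    to untrusted networks.
New-NetFirewallRule -DisplayName 'Block outbound ICMPv4 port unreachable on public networks' `
    -Direction Outbound -Protocol ICMPv4 -IcmpType '3:3' `
    -Profile Public -Action Block

# 4. Verify: logging settings per profile, and the ICMP filter attached to each rule.
Get-NetFirewallProfile | Select-Object Name, LogAllowed, LogBlocked, LogFileName, LogMaxSizeKilobytes
Get-NetFirewallRule -DisplayName '*ICMPv4*' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Direction = $_.Direction
                           Protocol = $filter.Protocol; IcmpType = $filter.IcmpType
                           Profile = $_.Profile; Action = $_.Action }
    }
```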
Microsoft's continued investment in security and innovation
Microsoft's Offensive Research and Security Engineering (MORSE) team has been dedicated to integrating security into the software development lifecycle. Over the past year, the team has utilized 1.9 million virtual machine hours and over 84,000 Azure CPU cores for proactive code fuzzing. Additionally, they have made nearly 700 code improvements in the last few months, enhancing the software development lifecycle with security checks, automation, and AI to help developers identify bugs independently. This proactive effort to enhance code integrity, both old and new, demonstrates their commitment to continuous investment and innovation in security. The team has also shared their learnings and tools with the community, including the open-source fuzzing tool, Microsoft OneFuzz.