At Microsoft, security stands as our foremost priority, and with each new release, we enhance the security features of Windows. During Ignite 2024, we will unveil a series of innovative security advancements designed to instill clarity and confidence in our customers and organizations as they navigate the complexities of the digital landscape. Additionally, we will share insights gleaned from the incident in July, alongside the investments we are making to bolster our security measures.
Safeguarding your data and maintaining the integrity of your systems is essential. From chip to cloud, Microsoft implements multiple layers of security to protect identities and data, fostering an expansive ecosystem for innovation at a pivotal moment. As the security landscape evolves, we are committed to continuously enhancing the security and resilience of Windows, ensuring it remains a secure platform for our partners, developers, and customers. A robust security posture is vital for your business and is a shared responsibility across our ecosystem.
This week at Ignite, we will delve deeper into our Secure Future Initiative (SFI), which underscores our commitment to embedding security into every facet of our operations at Microsoft. Since the launch of SFI, we have dedicated the equivalent of 34,000 full-time engineers to tackle our highest-priority security challenges. The upcoming November update will provide insights across all aspects of SFI, along with actionable learnings that customers can implement to enhance their own security posture.
Security and Resiliency: Our Top Priority
Protecting your organization’s data from emerging threats while ensuring system integrity is of utmost importance. Windows 11 elevates security and reliability standards while preserving the open ecosystem that allows customers and partners to innovate freely. We are steadfast in our mission to ensure that Windows remains the most reliable and resilient open platform for our customers. To support this commitment, we are launching the Windows Resiliency Initiative, which focuses on four key areas:
- Strengthening reliability based on insights from the July incident.
- Enabling more applications and users to operate without admin privileges.
- Implementing stronger controls over which applications and drivers are permitted to run.
- Enhancing identity protection to thwart phishing attacks.
Empowering IT administrators with effective tools during critical times is a priority for us. Our initial step, informed by the lessons learned from the July incident, is the introduction of Quick Machine Recovery. This feature will empower IT administrators to execute targeted fixes from Windows Update on PCs, even when they are unable to boot, eliminating the need for physical access to the machines. This remote recovery capability will enable employees to overcome widespread issues more swiftly than ever before. Quick Machine Recovery is set to be available to the Windows Insider Program community in early 2025.
We are also evolving our partnerships with endpoint security providers, who play a crucial role in keeping employees safe, as part of the Microsoft Virus Initiative (MVI). Together, we will adopt Safe Deployment Practices, ensuring that all security product updates are implemented gradually, utilizing deployment rings and monitoring to minimize any negative impacts from updates.
To bolster resilience among our customers and partners, we are developing new Windows capabilities that will enable security product developers to build their offerings outside of kernel mode. This shift allows security products, such as antivirus solutions, to operate in user mode, akin to applications. This change is expected to enhance security levels, facilitate easier recovery, and reduce the impact on Windows in the event of a crash or error. A private preview will be available for our security product ecosystem in July 2025. In alignment with the Secure Future Initiative, we are also transitioning to safer programming languages, gradually moving functionality from C++ to Rust.
Windows 11 Secure by Default: More Secure than Windows 10
Transitioning to Windows 11 offers a more secure environment equipped with advanced security features. Our focus remains on elevating defenses against sophisticated attacks. All new Windows 11 PCs are required to meet a hardware-backed security baseline, including TPM 2.0 and virtualization-based security enabled by default. This baseline is the foundation on which every other security component in Windows depends.
Copilot+ PCs come with Windows Hello Enhanced Sign-in Security and the integrated Microsoft Pluton security processor, ensuring they adhere to the high standards of secured-core PCs right out of the box. New Windows 11 PCs, including Copilot+ models, feature a growing array of existing functionalities that are now enabled by default or enhanced with additional protections, significantly reducing the potential for attacks. These enhancements render Windows 11 inherently more secure than Windows 10, from chip to cloud. Notable features include Credential Guard, a vulnerable driver block list, Local Security Authority (LSA) protection, and BitLocker, which is enabled by default on most modern systems. Furthermore, insecure code and cryptographic algorithms have been eliminated, and kernel attack surfaces, such as Tool Tips, have been transitioned to user mode.
Our security teams are diligently working on your behalf, ensuring that you do not need to invest time in manually enabling security features on new or upgraded PCs. Our focused security initiatives, driven by an analysis of attacker patterns and behaviors, have led to a reported 62% reduction in security incidents, a threefold decrease in firmware attacks, and a 2.9 times reduction in reported instances of identity theft.
New Windows 11 Security
Security is an ongoing journey rather than a final destination. Today, we are excited to announce new features aimed at assisting commercial customers with three longstanding challenges in Windows security: overprivileged users and applications, unverified apps and drivers, and insecure credentials and authentications. These capabilities have been among the top requests from customers globally, including our internal Microsoft security team, with whom we are collaborating to ensure real-world testing in preparation for scaling to our largest customers.
Reducing Administrator Privileges
Running users and applications with administrator privileges undermines the principle of least privilege and contributes to numerous security incidents. As highlighted in the 2024 Microsoft Digital Defense Report, token theft incidents, which exploit user privileges, have surged to an estimated 39,000 per day.
Organizations face a stark binary choice when establishing policy for employees: grant users standard user permissions or administrator permissions. While administrator permissions allow for seamless modifications, such as adjusting time zones or installing applications, this convenience comes at a cost; if malware infiltrates an account, it gains direct access to critical system resources, potentially leading to disruptions or data loss.
Conversely, standard user permissions enhance security by blocking access to critical system resources by default, thereby preventing malware from making unauthorized changes. However, this approach can frustrate users who may find themselves unable to perform common tasks without administrator credentials, creating additional overhead for IT support unless they utilize tools like Microsoft Intune Endpoint Privilege Management.
- Administrator protection, currently in preview, introduces a new solution where users benefit from standard user permissions by default but can still easily make system changes, including app installations, when necessary. With administrator protection, if a system change requires elevated rights, the user is prompted to securely authorize the change using Windows Hello. Windows creates a temporary isolated admin token for the task, which is destroyed immediately upon completion, ensuring that admin privileges do not persist. This feature empowers users while thwarting malware, because nothing can gain access to critical system resources automatically; each elevation requires an explicit Windows Hello authorization.
Protecting Credentials
Credential and identity theft remain primary targets for cyberattacks. Data from Microsoft Entra indicates that of more than 600 million identity attacks per day, over 99% are password-based. Our findings reveal that Multifactor Authentication (MFA) provides exceptional protection, with more than 99.99% of MFA-enabled accounts remaining secure during the investigation period. We continue to enhance protections for credentials and authentications.
- Windows Hello serves as the built-in MFA solution on Windows and has been further fortified to support passkeys. Users no longer have to choose between simplicity and security; Windows Hello now protects Recall and Personal Data Encryption as well.
Trusted Apps and Drivers
Many attacks stem from users downloading unsafe or unsigned applications and drivers. We are committed to enhancing protections to shield you and your organization from malicious software.
- Smart App Control and App Control for Business policies ensure that only verified applications can operate on your device, mitigating risks from malicious attachments or social engineering attacks. Leveraging AI, we have simplified deployment; IT administrators can select the ‘signed and reputable policy’ template in the app control wizard, allowing millions of verified apps to run regardless of their deployment location. Line-of-business applications unknown to Microsoft can be easily incorporated by IT admins through policy adjustments or via Microsoft Intune managed app deployments.
- Windows Protected Print seamlessly integrates with Mopria-certified devices without requiring third-party drivers, addressing many past security concerns associated with print drivers while providing a more streamlined experience.
Data Protection
Your commercial data is one of your business’s most critical assets, and we are enhancing encryption options, including Personal Data Encryption.
- Personal Data Encryption for known folders is a new capability in Windows 11 Enterprise that utilizes Windows Hello authentication to safeguard files stored in the Desktop, Documents, and Pictures folders. Protection is indicated by a lock icon on the file. With Personal Data Encryption activated, device administrators cannot access file content, as files remain encrypted until authenticated with Windows Hello. An IT administrator, using Microsoft Intune or another management tool, can select all or a subset of these folders for Personal Data Encryption. This feature integrates with OneDrive and SharePoint on Microsoft 365 to facilitate easy collaboration. Personal Data Encryption can function independently of BitLocker or other solutions, and when combined with BitLocker, it offers double-layer encryption protection. Enterprise developers can also utilize the Personal Data Encryption API to extend protection to their application data.
OS Management and Configuration
In addition to advancing security features, we continue to evolve tools that enable IT to manage and configure Windows at scale.
- Hotpatch in Windows is being introduced for Windows 11 Enterprise 24H2 and Windows 365. This groundbreaking feature allows businesses to apply critical security updates without necessitating a system restart, reducing the time required to adopt critical security updates by up to 60% from the moment they are offered. With hotpatching through your Windows Autopatch settings in Microsoft Intune, the number of system restarts for Windows updates can be reduced from 12 times a year to just four, minimizing security risks while maintaining system security and uninterrupted productivity. Hotpatch in Windows is currently in preview.
- Zero Trust DNS addresses the challenges of defining network destinations by domain names. It restricts Windows devices to approved domains, blocking outbound IPv4 and IPv6 traffic unless resolved by a Protected DNS server or permitted by the IT administrator. Learn more about the Zero Trust DNS preview.
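The following PowerShell script is an added example, not Microsoft's Zero Trust DNS implementation, that models the allow-by-resolution rule described in the bullet above: outbound traffic is permitted only to addresses that a Protected DNS server returned for an approved domain, or to addresses the IT administrator has explicitly excepted. The domain list, resolver answers, IP addresses and function names are all constructed for illustration.

```powershell
# Added example: a simplified model of the Zero Trust DNS enforcement logic.
# Everything below (domains, addresses, resolver answers, function names) is constructed;
# it demonstrates the policy, it does not configure a real Windows device.

$ApprovedDomains = @('intranet.contoso.example', 'login.microsoftonline.com')  # constructed allowlist
$AdminExceptions = @('10.10.0.5')                                             # constructed IT exception (e.g. a local print server)

# Answers the simulated Protected DNS server would return (constructed).
# Only answers for approved names are allowed to open an outbound path.
$ProtectedDnsAnswers = @{
    'intranet.contoso.example' = @('203.0.113.10')
    'login.microsoftonline.com' = @('198.51.100.7')
    'unapproved.example'        = @('192.0.2.66')   # resolvable, but not on the approved list
}

$script:AllowTable = @{}   # destination IP -> approved domain that justified it

function Resolve-ProtectedName {
    param([Parameter(Mandatory)][string]$Name)
    # Policy: names that are not approved never resolve, so no path is ever opened for them.
    if ($ApprovedDomains -notcontains $Name) { return $null }
    $addresses = $ProtectedDnsAnswers[$Name]
    foreach ($ip in $addresses) { $script:AllowTable[$ip] = $Name }   # resolution opens the firewall exception
    return $addresses
}

function Test-OutboundAllowed {
    param([Parameter(Mandatory)][string]$DestinationIp)
    if ($AdminExceptions -contains $DestinationIp) { return $true }      # explicit administrator exception
    return $script:AllowTable.ContainsKey($DestinationIp)                # otherwise only resolved approved names
}

function Invoke-Scenario {
    param([string]$Description, [string]$Name, [string]$DestinationIp)
    if ($Name) { $null = Resolve-ProtectedName -Name $Name }
    [pscustomobject]@{
        Scenario    = $Description
        Destination = $DestinationIp
        Allowed     = Test-OutboundAllowed -DestinationIp $DestinationIp
    }
}

# Walk through the cases an administrator would want to confirm.
@(
    Invoke-Scenario 'Direct-to-IP connection, no DNS resolution'   $null                       '203.0.113.10'
    Invoke-Scenario 'Approved name resolved via Protected DNS'     'intranet.contoso.example'  '203.0.113.10'
    Invoke-Scenario 'Unapproved name (resolution refused)'          'unapproved.example'        '192.0.2.66'
    Invoke-Scenario 'Administrator exception, no resolution needed' $null                       '10.10.0.5'
) | Format-Table -AutoSize
```

The first scenario is the important one for defenders: the same address that is allowed after a legitimate resolution is blocked when a process tries to reach it directly, because the allow table is populated only by the Protected DNS path. The model deliberately does not include a time-to-live on allow-table entries; a real enforcement point would expire them with the DNS answer.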
- Config Refresh, now available, addresses the frequently encountered issue of configuration drift that can occur when users or applications alter a PC’s system registry. Config Refresh helps enforce MDM-defined security policies by automatically reverting PC settings to the preferred configuration. This feature operates locally on the PC without needing to connect to the MDM, enabling devices to self-manage setting drift even when offline.
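As an added example of the kind of drift check Config Refresh automates, not Microsoft's own Config Refresh code, the following PowerShell script compares a small constructed baseline of registry-backed security settings against the live values and reverts any that have drifted. The two settings used (LSA protection via RunAsPPL, and User Account Control via EnableLUA) are real Windows values; the baseline itself is illustrative and should be replaced by the one your MDM defines. Run it in an elevated session on Windows.

```powershell
# Added example: detect and optionally revert configuration drift against a baseline.
# The baseline below is constructed for illustration; substitute your MDM-defined policy values.

$Baseline = @(
    # LSA protection (the "Local Security Authority (LSA) protection" listed above)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL'; Expected = 1; Type = 'DWord' }
    # User Account Control must remain enabled
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA'; Expected = 1; Type = 'DWord' }
)

function Get-SettingDrift {
    param([Parameter(Mandatory)][array]$Baseline)
    foreach ($item in $Baseline) {
        $current = $null
        if (Test-Path $item.Path) {
            # A missing value is reported as $null and therefore counts as drift.
            $current = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty $item.Name -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Path     = $item.Path
            Name     = $item.Name
            Expected = $item.Expected
            Current  = $current
            Drifted  = ($current -ne $item.Expected)
        }
    }
}

function Repair-SettingDrift {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][array]$Baseline)
    foreach ($drift in (Get-SettingDrift -Baseline $Baseline | Where-Object Drifted)) {
        $target = "$($drift.Path)\$($drift.Name)"
        if ($PSCmdlet.ShouldProcess($target, "Revert to $($drift.Expected)")) {
            if (-not (Test-Path $drift.Path)) { New-Item -Path $drift.Path -Force | Out-Null }
            $spec = $Baseline | Where-Object { $_.Path -eq $drift.Path -and $_.Name -eq $drift.Name }
            Set-ItemProperty -Path $drift.Path -Name $drift.Name -Value $drift.Expected -Type $spec.Type
            Write-Verbose "Reverted $target from '$($drift.Current)' to $($drift.Expected)"
        }
    }
}

# Report drift first; preview remediation with -WhatIf, then drop -WhatIf to apply.
Get-SettingDrift -Baseline $Baseline | Format-Table -AutoSize
Repair-SettingDrift -Baseline $Baseline -WhatIf
```

Because the check reads and writes the local registry only, it runs without any connection to the MDM, which is the same property the bullet above highlights for Config Refresh. Scheduling it (for instance with a scheduled task) gives a device the ability to self-correct drift while offline; the -WhatIf run is the step to review before letting it write.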
Security and Innovation for a Reliable Digital Future
Nearly four decades after its inception, Windows continues to adapt to the challenges of an ever-evolving digital landscape, fulfilling expectations for reliability and security. Security is a collaborative effort; by partnering with OEMs, app developers, and others, we deliver Windows from chip to cloud, ensuring it is secure by design and by default.
The updated Windows Security book is now available to help you understand how to maintain security with Windows. For more information on Microsoft Security solutions, visit our website. Don’t forget to bookmark the Security blog for expert insights on security matters, and follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.