Skip to main content
  • EN

Microsoft says that Windows 11 will get more security improvements in upcoming releases, which will add more protection against cybersecurity threats, offer better encryption, and block malicious apps and drivers. Perhaps you want to learn how you can protect your device against theft as a consult due to frequent travels etc: Kindly take a look at link1 and link2. I have a torn of guides on this topic. Kindly ensure to search the archive!

It was also noted in the report that significant security updates which adds even more protection from the chip to the cloud by combining modern hardware and software will be added. Below are some of the key features.

  • Enhanced phishing protection against targeted phishing attacks with the help of Microsoft Defender SmartScreen, a cloud-based anti-phishing and anti-malware service.
  • With SmartScreen integrated into the OS, Windows users will be warned when entering their credentials into malicious applications or hacked websites.

    This has been proven to work and effectively blocked over 25.6 billion Azure Active Directory brute force authentication attacks and was able to intercept more than 35.7 billion phishing emails before landing in the recipients' inboxes just in the last year alone.

These enhancements will make Windows the world's first operating system with phishing safeguards built directly into the platform and shipped out of the box to help users stay productive and secure without having to learn to be their own IT department," he added.

 

Protection for user data and against malicious drivers 

Western also highlighted that “Windows 11 users would get additional layers of security that protect their data and act as a defence against malicious drivers.

The newly planned Personal Data Encryption feature, for instance, protects users' files and data when they are not signed into the device by blocking access until they authenticate via Windows Hello.

  • To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user's passwordless credentials so even if a device is lost or stolen, data is more resistant to attack and sensitive data has another layer of protection built in”. I will be sharing how this can be achieved in subsequence guide here in the community

Windows users will also be able to enable a vulnerable driver blocklist that uses Windows Defender Application Control (WDAC) to block drivers with known vulnerabilities automatically.

This will harden Windows systems against third party-developed drivers in the following ways below.

  • Known security vulnerabilities that attackers can exploit to elevate privileges in the Windows kernel
  • Malicious behaviors (malware) or certificates used to sign malware
  • Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel.

Windows 11 App Improvements

Weston added that the Smart App Control is another crucial security enhancement planned for Windows 11 that will be integrated with the OS at the process level to block users from running malicious apps using code signing coupled with an AI model.

"When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run. This means, Windows 11 users can be rest assured and confident that they are using only safe and reliable applications on their devices.

Microsoft also wants to enable Credential Guard by Default and additional protection for Local Security Authority (LSA) for organizations using Windows 11 Enterprise to improve security in enterprise environments further.

Also worth highlighting, Config Lock, locks security settings to have them automatically reverted if end-users or attackers try to modify them. It uses MDM policies to monitor and revert registry keys to the original states if users are altering them, likely rendering their devices insecure and exposed to attacks.

Want to hear from the horse’s mouth, click here 😁

Unfortunately, I've tried two times to upgrade my laptop, but my graphics card start doing weird things, and my dock station stops recognizing the ethernet port, my laptop is not new but not old, 2 years old now, HPE Zbook 14u G6.

Windows 11 looks very amazing in terms of cybersecurity, apps, great looking, etc… but we cannot forget that the number 1 risk, the users!

thanks for sharing!

Unfortunately, I've tried two times to upgrade my laptop, but my graphics card start doing weird things, and my dock station stops recognizing the ethernet port, my laptop is not new but not old, 2 years old now, HPE Zbook 14u G6.

Windows 11 looks very amazing in terms of cybersecurity, apps, great looking, etc… but we cannot forget that the number 1 risk, the users!

thanks for sharing!

Windows 11 is great! For the issue you reported, you aren’t experiencing the issues with the requirement of Win11 upgrade. 
- Why not update your card. Here is the specification and I am sure you can upgrade if your device meets the requirements. https://support.hp.com/za-en/document/c06336530. If it doesn’t, there are a lot of registry hacks which we have also tested in our lab. But this isn’t recommended as you May never get security updates, and the device will no longer be SUPPORTED! Therefore, do not do it!!!

Unfortunately, I've tried two times to upgrade my laptop, but my graphics card start doing weird things, and my dock station stops recognizing the ethernet port, my laptop is not new but not old, 2 years old now, HPE Zbook 14u G6.

Windows 11 looks very amazing in terms of cybersecurity, apps, great looking, etc… but we cannot forget that the number 1 risk, the users!

thanks for sharing!

Windows 11 is great! For the issue you reported, you aren’t experiencing the issues with the requirement of Win11 upgrade. 
- Why not update your card. Here is the specification and I am sure you can upgrade if your device meets the requirements. https://support.hp.com/za-en/document/c06336530. If it doesn’t, there are a lot of registry hacks which we have also tested in our lab. But this isn’t recommend as you May never get security updates, and the device will no longer be SUPPORTED! Therefore, do not do it!!!

Don't get me wrong mate! fo sure is a great OS, but for me right now doesn't work properly on my laptop.
Hp says that is fully supported, but still have work to be done here.
My windows 10 still has security updates, and before end of support, I will definitely give it a shot or change my laptop.
(I'm a OSX user, my laptop is just for work, home and home lab, OSX)
Many thanks for the links and the advice, I will keep them for sure!!
cheers!

Been using this since it came out in the Insider program and use it on my work laptop.  Works great and only improving things.  Love many of the improvements they have done with the OS to make working easier.

Unfortunately, I've tried two times to upgrade my laptop, but my graphics card start doing weird things, and my dock station stops recognizing the ethernet port, my laptop is not new but not old, 2 years old now, HPE Zbook 14u G6.

Windows 11 looks very amazing in terms of cybersecurity, apps, great looking, etc… but we cannot forget that the number 1 risk, the users!

thanks for sharing!

Windows 11 is great! For the issue you reported, you aren’t experiencing the issues with the requirement of Win11 upgrade. 
- Why not update your card. Here is the specification and I am sure you can upgrade if your device meets the requirements. https://support.hp.com/za-en/document/c06336530. If it doesn’t, there are a lot of registry hacks which we have also tested in our lab. But this isn’t recommend as you May never get security updates, and the device will no longer be SUPPORTED! Therefore, do not do it!!!

Don't get me wrong mate! fo sure is a great OS, but for me right now doesn't work properly on my laptop.
Hp says that is fully supported, but still have work to be done here.
My windows 10 still has security updates, and before end of support, I will definitely give it a shot or change my laptop.
(I'm a OSX user, my laptop is just for work, home and home lab, OSX)
Many thanks for the links and the advice, I will keep them for sure!!
cheers!

Thank you very much for the clarification @HunterLF “Hp says that is fully supported, but still have work to be done here”. 

Whoa - great stuff @Iams3le !!  I thought I’d share here also a good YouTube playlist of Windows Security videos from Leo at PC Security Channel: (248) Windows Security - YouTube  From Firewall to Defender, they cover it all!

Whoa - great stuff @Iams3le !!  I thought I’d share here also a good YouTube playlist of Windows Security videos from Leo at PC Security Channel: (248) Windows Security - YouTube  From Firewall to Defender, they cover it all!

Thank you very much @Rick Vanover for your input!

Interesting video series @Rick Vanover 

Thank you 👍🏼

Some screen about these enhancements:

Windows 11 enhanced phishing protection
Microsoft Vulnerable Driver Blocklist
Windows 11 Smart App Control

 

Some screen about these enhancements:

Windows 11 enhanced phishing protection
Microsoft Vulnerable Driver Blocklist
Windows 11 Smart App Control

 

These are very cool

Great article full of detail, I wanna highlight one VERY surprising detail about Smart App Control.

 

You can only enable this feature on new Win 11 installs, to enable for an existing install you have to perform a reset, full details in the link below:

 

https://support.microsoft.com/en-au/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003

Great article full of detail, I wanna highlight one VERY surprising detail about Smart App Control.

 

You can only enable this feature on new Win 11 installs, to enable for an existing install you have to perform a reset, full details in the link below:

 

https://support.microsoft.com/en-au/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003

You are right! Let’s hope this changes in the future...

Great article full of detail, I wanna highlight one VERY surprising detail about Smart App Control.

 

You can only enable this feature on new Win 11 installs, to enable for an existing install you have to perform a reset, full details in the link below:

 

https://support.microsoft.com/en-au/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003

You are right! Let’s hope this changes in the future...

I’m glad my PC can’t upgrade yet 😆 (unsupported hardware)

Great article full of detail, I wanna highlight one VERY surprising detail about Smart App Control.

 

You can only enable this feature on new Win 11 installs, to enable for an existing install you have to perform a reset, full details in the link below:

 

https://support.microsoft.com/en-au/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003

You are right! Let’s hope this changes in the future...

I’m glad my PC can’t upgrade yet 😆 (unsupported hardware)

You are lucky! As a windows insider, I could upgrade to Win11. But because my Lab PC does not meet the req., I can no longer participate unfortunately. I will be getting a new lab PC tho as I have a lot to blog on on Windows11. I have left this particular PC for Microsoft to do whatever they wish 😁

 

Thanks @Iams3le for the info

I’m curious how Windows 11 works in a lab environment. Last I remember reading about it, was that a TPM2.0 chip was required at the hardware level. It wasn't as simple to run as Windows 10 in a Virtual lab environment. 

Would appreciate any feedback. 

Thanks @Iams3le for the info

I’m curious how Windows 11 works in a lab environment. Last I remember reading about it, was that a TPM2.0 chip was required at the hardware level. It wasn't as simple to run as Windows 10 in a Virtual lab environment. 

Would appreciate any feedback. 

You need to set up a virtual TPM using an Encryption provider in VMware.  I have set up both VMware Standard and an actual Key Provider using Fornetix.  Then you power off the VM and add the vTPM to it.  Then you can install and use Win11 in a virtual environment.

Also worth adding, TPM/vTPM is required for some security features, but it isn’t a HARD requirement in the sense that it can’t work without one. Windows 11 is supported without TPM for OEM purposes where necessary (think specialist machinery etc). It can be forced, but as TPM is recommended, I wouldn’t suggest trying to circumvent just “because you can” as some features will be unavailable.

 

Chris has already covered the vTPM piece enough I have no value to add there!

Thanks @Iams3le for the info

I’m curious how Windows 11 works in a lab environment. Last I remember reading about it, was that a TPM2.0 chip was required at the hardware level. It wasn't as simple to run as Windows 10 in a Virtual lab environment. 

Would appreciate any feedback. 

You need to set up a virtual TPM using an Encryption provider in VMware.  I have set up both VMware Standard and an actual Key Provider using Fornetix.  Then you power off the VM and add the vTPM to it.  Then you can install and use Win11 in a virtual environment.

Also on HyperV, you can easily enale vTPM and Secureboot. 

Unfortunately, I've tried two times to upgrade my laptop, but my graphics card start doing weird things, and my dock station stops recognizing the ethernet port, my laptop is not new but not old, 2 years old now, HPE Zbook 14u G6.

Windows 11 looks very amazing in terms of cybersecurity, apps, great looking, etc… but we cannot forget that the number 1 risk, the users!

thanks for sharing!

Windows 11 is great! For the issue you reported, you aren’t experiencing the issues with the requirement of Win11 upgrade. 
- Why not update your card. Here is the specification and I am sure you can upgrade if your device meets the requirements. https://support.hp.com/za-en/document/c06336530. If it doesn’t, there are a lot of registry hacks which we have also tested in our lab. But this isn’t recommended as you May never get security updates, and the device will no longer be SUPPORTED! Therefore, do not do it!!!

Microsoft says that Windows 11 will get more security improvements in upcoming releases, which will add more protection against cybersecurity threats, offer better encryption, and block malicious apps and drivers. Perhaps you want to learn how you can protect your device against theft as a consult due to frequent travels etc: Kindly take a look at link1 and link2. I have a torn of guides on this topic. Kindly ensure to search the archive!

It was also noted in the report that significant security updates which adds even more protection from the chip to the cloud by combining modern hardware and software will be added. Below are some of the key features.

  • Enhanced phishing protection against targeted phishing attacks with the help of Microsoft Defender SmartScreen, a cloud-based anti-phishing and anti-malware service.
  • With SmartScreen integrated into the OS, Windows users will be warned when entering their credentials into malicious applications or hacked websites.

    This has been proven to work and effectively blocked over 25.6 billion Azure Active Directory brute force authentication attacks and was able to intercept more than 35.7 billion phishing emails before landing in the recipients' inboxes just in the last year alone.

These enhancements will make Windows the world's first operating system with phishing safeguards built directly into the platform and shipped out of the box to help users stay productive and secure without having to learn to be their own IT department," he added.

 

Protection for user data and against malicious drivers 

Western also highlighted that “Windows 11 users would get additional layers of security that protect their data and act as a defence against malicious drivers.

The newly planned Personal Data Encryption feature, for instance, protects users' files and data when they are not signed into the device by blocking access until they authenticate via Windows Hello.

  • To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user's passwordless credentials so even if a device is lost or stolen, data is more resistant to attack and sensitive data has another layer of protection built in”. I will be sharing how this can be achieved in subsequence guide here in the community

Windows users will also be able to enable a vulnerable driver blocklist that uses Windows Defender Application Control (WDAC) to block drivers with known vulnerabilities automatically.

This will harden Windows systems against third party-developed drivers in the following ways below.

  • Known security vulnerabilities that attackers can exploit to elevate privileges in the Windows kernel
  • Malicious behaviors (malware) or certificates used to sign malware
  • Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel.

Windows 11 App Improvements

Weston added that the Smart App Control is another crucial security enhancement planned for Windows 11 that will be integrated with the OS at the process level to block users from running malicious apps using code signing coupled with an AI model.

"When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run. This means, Windows 11 users can be rest assured and confident that they are using only safe and reliable applications on their devices.

Microsoft also wants to enable Credential Guard by Default and additional protection for Local Security Authority (LSA) for organizations using Windows 11 Enterprise to improve security in enterprise environments further.

Also worth highlighting, Config Lock, locks security settings to have them automatically reverted if end-users or attackers try to modify them. It uses MDM policies to monitor and revert registry keys to the original states if users are altering them, likely rendering their devices insecure and exposed to attacks.

Want to hear from the horse’s mouth, click here 😁

We have started implementing some of the new security features. Kindly take a look at this blog post “Smart App Control and how to enable Phishing Protection: Windows 11 New Security Features”.

 

 

Thanks everyone!

It will be interesting to see how those features perform in the wild. Vendors are always one step behind the bad guys, so as soon as a new security feature is implemented, they just move on to something else. Vendors are focusing on security since long time and many great capabilities have been introduced so far, but still we see an increasing number of successful attacks, from SMB to enterprises. Don't get me wrong, all those countermeasures are great and they do work, but at the end it just needs a single successful attack out of billion blocked attempts.

It’s like this saying, ‘Defenders need to be successful all the time whilst bad guys only need to be successful once’

Comment


Terms & Conditions