Windows 11 22H2: These are the big new security features


With Windows 11 22H2 available now, Microsoft’s operating system update brings security upgrades alongside new features.

With ransomware, sophisticated hacks, and phishing threats showing no signs of slowing down, Microsoft has rethought security in Windows 11 with the goal of blocking more threats by default.

Windows 10 had many core security features, but Microsoft left it up to the user to enable and configure based on their own tradeoffs with performance and compatibility, David Weston, Microsoft’s vice president of enterprise and operating system security, told ZDNET.

“We really turned that philosophy on its head. We found that a very small percentage of people could actually understand what compromises they were making and really waited for Microsoft to find out. We took that feedback and incorporated it into Windows 11. We have a strong focus on preventing attacks,” Weston said.

“For Windows 11, we’re focusing on the threat landscape and the top attack vectors – phishing, malware via attachments or downloads, and privacy attacks. We are focused on solving these widespread attacks at the prevention layer.”

Windows 11 22H2 – also known as the Windows 11 2022 Update – includes many improvements that protect the Windows kernel against attacks through vulnerable drivers, along with stronger protection for credentials, better defense against evil maid attacks on unattended devices, and easier passwordless authentication.

But according to Weston, the key security feature of Windows 11 22H2 is Smart App Control, which enables application control by default.

Microsoft tried an allowlist approach in the locked-down Windows 10 S on “tens of millions of devices” and saw “no malware” on them, says Weston. The problem was that it used a blunt policy tool: app installs were restricted to the Microsoft Store.

This time the application control relies on artificial intelligence to define the allow list. Microsoft tested this earlier this year with Windows 11 Insiders via the Smart App Control feature.

The allow list only permits a defined set of applications to run on Windows 11. Smart App Control is built on the same Windows functionality as Windows Defender Application Control, which requires allow policies to be defined manually.

“Application control is one of the most effective things, and it’s also difficult to do in a traditional way,” Weston said.

So when users get an app that millions of others are using — whether it’s from the Store or a website — it “will work as usual,” says Weston. But if someone sends an application as an attachment that they recently generated to bypass antivirus, it won’t run because it’s not on the allowed list.

“Most of the applications we use today are used by millions of other people. Most malware is only seen by a few computers. We built this enforcement mechanism into the core of the operating system. Before Windows 11 22H2 this was a guideline you had to write yourself in an XML file. As you can imagine, in the enterprise, it’s quite difficult to know what applications everyone needs to run,” Weston said.

Windows 11 22H2 also blocks “most script vectors from the internet”. This is partly due to the Office team’s decision to block untrusted macros from the web by default.

“Windows 11 22H2 took this idea further. We said no PowerShell, no LNK files, no Visual Basic from the web. Anyone with an eye on the threat landscape knows these are some of the favorites. In Windows 11, Smart App Control mode blocks these threats,” he said.

Microsoft will gradually roll out the security feature to users. There will be a one-click option for users to turn Smart App Control off, which requires a reboot. Over time, Microsoft will release more granular policies, such as allowing a nominated app to run while the feature is otherwise enabled.

“For the people who can stay in this mode, based on our data from things like Defender, this will be one of the top security features out there, blocking scripting and most malware vectors,” Weston predicted.

Smart App Control is aimed at Windows 11 for consumers and small businesses. It will be enabled by default on Windows 11 Enterprise as well, but Microsoft doesn’t expect enterprises to keep it, as many have their own line-of-business apps. Microsoft expects them to use Windows Defender Application Control instead, Weston says.

Other security improvements to protect credentials

In the first version of Windows 11, Microsoft turned on virtualization-based security (VBS) by default only for the latest processors from AMD, Intel and Qualcomm. Weston sees Windows making more use of VBS in the future.

Also, for Enterprise editions of Windows 11 22H2, Microsoft enables Credential Guard by default. In Windows 10, Credential Guard moved NTLM credentials out of the normal Windows environment and into a VBS-protected container to defeat credential dumping tools like Mimikatz.

Microsoft has now enabled protected process mode for the Local Security Authority Subsystem Service (LSASS) on new enterprise-joined Windows 11 devices. LSA stores Microsoft and third-party credentials. With this protection, LSASS only loads trusted, signed code, making it more difficult for attackers to steal credentials.

“What we said is: ‘No process, including administrators, can read or write from LSA.’ This defeats many common credential stealing and lateral movement tools. It’s not as powerful as VBS, and we’re eventually looking to move everything into VBS, but this is excellent bridging technology that will have a real impact. Jumping into LSA and dumping credentials is one of the most common attack vectors. It won’t happen again,” Weston said.
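The Smart App Control, LSA protection and Credential Guard states described above can be audited from an elevated PowerShell session on Windows 11. The following read-only check is an added example, not code from the article or from Microsoft; the registry value names and the meaning of each numeric value are assumptions taken from public Microsoft documentation rather than from the article.

```powershell
# Added example (not from the article): read-only audit of the Windows 11 22H2
# protections discussed above. Run in an elevated PowerShell session.
# Value meanings below are assumptions from public Microsoft documentation.

function Get-SmartAppControlState {
    # Assumed mapping: 0 = Off, 1 = Enforce, 2 = Evaluation
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $value = (Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    switch ($value) {
        0       { 'Off' }
        1       { 'Enforce' }
        2       { 'Evaluation' }
        default { 'Not present (feature unavailable on this build)' }
    }
}

function Get-LsaProtectionState {
    # RunAsPPL: 1 = LSASS runs as a protected process with UEFI lock,
    #           2 = protected without UEFI lock (Windows 11 22H2 and later)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    switch ($value) {
        1       { 'Enabled (UEFI lock)' }
        2       { 'Enabled (no UEFI lock)' }
        default { 'Disabled or not configured' }
    }
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return @{ Vbs = 'Unknown'; CredentialGuard = 'Unknown'; Hvci = 'Unknown' } }
    @{
        Vbs             = if ($dg.VirtualizationBasedSecurityStatus -eq 2) { 'Running' } else { 'Not running' }
        CredentialGuard = if ($dg.SecurityServicesRunning -contains 1) { 'Running' } else { 'Not running' }
        Hvci            = if ($dg.SecurityServicesRunning -contains 2) { 'Running' } else { 'Not running' }
    }
}

$vbs = Get-VbsState
[pscustomobject]@{
    SmartAppControl = Get-SmartAppControlState
    LsaProtection   = Get-LsaProtectionState
    VBS             = $vbs.Vbs
    CredentialGuard = $vbs.CredentialGuard
    HVCI            = $vbs.Hvci
} | Format-List
```

A machine where LsaProtection and CredentialGuard both report as enabled matches the defaults Weston describes for enterprise-joined Windows 11 22H2 devices; anything else is worth a look in the device's security baseline.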

For its Secured Core PCs and laptops, Microsoft has also introduced a new encryption technology as a second layer to BitLocker called Personal Data Encryption (PDE).

If you lose a laptop and the attacker boots it to the login screen, the data on the drive has already been unlocked by BitLocker. If the attacker then plugs in a special device or bypasses the lock screen to access data or run code, they can pick up the data.

While Secured-core PCs counter this threat by locking down the ports, PDE provides a way to enable file-specific encryption beyond BitLocker, so even if an attacker had a way around BitLocker, they would still face encrypted files, effectively creating a second safety net beyond BitLocker.
