Microsoft on Tuesday announced multiple security enhancements for Windows 11 devices that it said are designed to help organizations protect users and data in hybrid environments.
Among the updates are Microsoft Pluton, a security processor built directly into versions of AMD Ryzen and Qualcomm CPUs; an intelligent application control feature to prevent unsigned and untrusted applications from running; and controls enabled by default for credential theft protection, user authentication, and blocking of vulnerable drivers.
David Weston, vice president of enterprise and operating system security at Microsoft, describes the new features as reducing complexity for organizations that have been forced to deal with the new challenges posed by the rapid shift to remote work. Malware, credential theft, phishing, improperly secured devices, user error, and physical attacks on lost or stolen devices have become major security issues for organizations, says Weston.
“We’re simplifying security for customers in Windows 11 by turning on these new security features by default,” says Weston. “We let customers know what’s coming with the next version of Windows as they plan their operating system and device upgrade cycles.” Microsoft will provide more information on timing at a later date, according to Weston.
The security announcements are part of a larger Microsoft preview of new features in Windows 11 and Windows 365 for its business customers. According to the company, the features are designed to help organizations implement a zero-trust security model from the chip to the cloud. In addition to security features, Microsoft also previewed new productivity and management capabilities that will soon be available in the two products, which the company says are optimized for the future of hybrid work.
Pluton, which Microsoft first previewed in November 2020, is essentially a security processor built into the CPU. The processor is designed to protect things like encryption keys, user credentials, identities, and other data that technologies such as Microsoft’s BitLocker encryption feature and Windows Hello authentication system rely on.
Pluton emulates the Trusted Platform Module (TPM) chip technology that Windows has supported for over 10 years. The TPM chip is typically embedded in the motherboard of modern computers and is designed to provide hardware-based protection of the artifacts used during secure boot and to ensure platform integrity and reliability. Since 2015, Microsoft has required systems to have a TPM chip to be considered Windows certified. With Windows 11, TPM capabilities are a baseline security requirement, meaning the operating system will only run on systems that have a TPM.
Pluton integrates the TPM functionality into the CPU itself, rather than separately on the motherboard, which makes it much more difficult for attackers to extract secrets from it.
“Discrete TPMs are still susceptible to hardware hacking, where encryption keys have been read by touching the [communication] between the TPM and the CPU,” says Ed Lee, an analyst at IDC. “The benefit of having the TPM built into the CPU is that it protects you from this type of attack, even if someone has physical possession of the computer,” he says.
Another key difference is that Pluton can provide TPM emulation as well as features that are unique to Windows, says Weston. For example, the technology can be kept up to date regularly through the Windows Update mechanism, Weston says.
“Pluton’s differentiator is that it’s flexible, upgradable, and integrated into the Windows update process, which means Pluton can receive security updates based on the evolving threat landscape,” says Weston. The AMD Ryzen 6000 Pro and Qualcomm 8cx Gen 2 currently ship with Pluton.
The fact that Pluton firmware updates come directly from Microsoft through Windows Update will ensure that they have been tested and verified as safe to install by Microsoft, adds Lee. If a business has to roll out a firmware update company-wide, it can be initiated and deployed from a central location and wouldn’t require IT to access each computer individually to manually update them, says Lee.
From the chip to the cloud
Meanwhile, Microsoft’s Smart Application Control feature is designed to prevent Windows 11 device users from running malicious apps by blocking all unsigned or suspicious software by default. The technology combines real-time threat intelligence from Microsoft with AI to determine if a new app running on a Windows 11 system is safe or presents a threat that should be automatically blocked.
“Intelligent app control requires apps to be signed and/or trusted before they can run on Windows 11,” says Weston. “This can be seen as a zero-trust approach to application security where an application must prove its security, rather than the approach of trying to determine if an application is bad.” Smart App Control not only validates the trust of executables through the use of AI, but also blocks all scripts from the Internet, according to Weston.
The next version of Windows 11 will also have a feature known as Hypervisor Protected Code Integrity (HVCI) enabled by default. The technology aims to ensure, among other things, that all drivers loaded by the operating system are reliable and free of malicious code. The feature is designed to prevent advanced persistent threat actors and ransomware groups from injecting malicious code and abusing known vulnerable drivers in attacks.
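Because the article makes TPM presence, Pluton, and HVCI the baseline, an administrator will want to verify where a fleet actually stands. The following PowerShell check is an added example, not code from the article or from Microsoft; it relies on the built-in `Get-Tpm` cmdlet and the `Win32_DeviceGuard` WMI class, and it assumes (not stated in the article) that a Pluton TPM reports the manufacturer id `MSFT` and that Smart App Control's state is readable from the `VerifiedAndReputablePolicyState` registry value.

```powershell
# Added example: report the Windows 11 protections the article describes.
# Run from an elevated PowerShell prompt on Windows 10/11.

function Get-Win11SecurityBaseline {
    # TPM: Windows 11 requires one; Pluton presents itself as a TPM 2.0 device.
    $tpm = Get-Tpm
    $manufacturer = [string]$tpm.ManufacturerIdTxt
    $manufacturer = $manufacturer.Trim()

    # VBS/HVCI state. SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Assumption: Smart App Control state lives in this CI policy value
    # (0 = off, 1 = on, 2 = evaluation). Missing value => feature not present.
    $sac = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' `
                            -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        TpmManufacturer     = $manufacturer
        LikelyPluton        = ($manufacturer -eq 'MSFT')   # assumption, see above
        VbsRunning          = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning         = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuardOn   = ($dg.SecurityServicesRunning -contains 1)
        SmartAppControl     = if ($null -eq $sac) { 'not present' }
                              else { @('off','on','evaluation')[$sac.VerifiedAndReputablePolicyState] }
    }
}

$state = Get-Win11SecurityBaseline
$state | Format-List

# Flag the gaps a defender would want to close before relying on these defaults.
if (-not $state.TpmPresent)  { Write-Warning 'No TPM detected: Windows 11 baseline not met.' }
if (-not $state.HvciRunning) { Write-Warning 'HVCI (memory integrity) is off: vulnerable drivers can still load.' }
if ($state.SmartAppControl -ne 'on') { Write-Warning "Smart App Control is '$($state.SmartAppControl)'." }
```

Run it through your endpoint management tool to collect the object per device; the three warnings map directly to the TPM, HVCI, and app control defaults the article says Microsoft is turning on.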
“The highlight of this Windows 11 announcement is that a layered approach to security starts at the chip and runs through the firmware, operating system, and applications,” says IDC analyst Michael Suby. “Businesses and consumers alike should not rely solely on aftermarket security software plugins. While essential in a layered defense, threat attackers will exploit gaps in the integrity of the operating system and below.”