Windows 11 feature updates are offered on an annual basis, and the security changes arrive with them: Windows 11 21H2, Windows 11 22H2, and so on. Between major feature releases there are also smaller updates called ‘moment releases’.
One example is the ‘suggested actions’ that appear in certain Microsoft applications: an application such as Microsoft Teams prompts the user to take the next step. These moment updates, or ‘controlled feature rollouts’, are not enabled by default for enterprise releases but are included in preview releases. A separate enterprise deployment policy lets you control incremental updates and roll out changes case by case.
Smart App Control
First, let’s take a look at a new feature called Smart App Control. In Windows 10 S mode, apps came from the Microsoft Store, where permissions were checked before installation. Smart App Control serves the same purpose but is implemented in a completely different way.
This time Microsoft maintains a cloud-based list that stores hash values and reputation information for apps whose trustworthiness has been checked. When Smart App Control is enabled on a new Windows installation, every binary is checked against that list. If the app is not on the list, its digital signature is validated instead; if the signature is valid, the app can be installed. If you have an enterprise app whose code is not signed, contact the vendor about code signing. This is good practice in any case.
Smart App Control cannot be turned on after the operating system has been installed. If you have already deployed Windows 11 22H1, you will need to reinstall 22H2 from scratch to use this feature. Likewise, if you turn the setting off to run a specific app that is not on the authorized list, it cannot be re-enabled: the switch is one-way. For this reason, businesses may prefer other tools to handle app trust issues. With Microsoft Intune and Windows Defender Application Control you can apply policies to installed apps; Smart App Control is built on the same OS technology as Windows Defender Application Control. Smart App Control will also be available on all Windows consumer editions with the Windows 11 2022 Update.
Instead, corporate IT teams can use Microsoft Intune and Windows Defender Application Control (WDAC) to remotely apply new policies and control the apps that run on work devices. The licensing requirements here are interesting. “Businesses can apply WDAC policies to all Windows 10 editions and Windows Server 2016 without an additional license,” Microsoft said. “You need Windows 10 Enterprise to make policies.” To use Windows 11 in the first place, you need Windows 11-capable hardware, including a Trusted Platform Module (TPM), as well as the virtualization hardware these features rely on.
Microsoft Vulnerable Driver Blocklist
Malicious drivers are a serious problem, and Windows 11 22H2 addresses it with two mechanisms: Hypervisor-Protected Code Integrity (HVCI) and the Microsoft Vulnerable Driver Blocklist. Because Windows has strict requirements for code that runs in the kernel, cybercriminals who want kernel access typically exploit vulnerabilities in existing kernel drivers instead.
Kernel-mode Hardware-enforced Stack Protection depends on the hardware: an Intel Tiger Lake or newer processor, or AMD Zen 3 or newer, is required. The setting also depends on HVCI (virtualization-based protection of code integrity) being enabled. In other words, without the right hardware features you don’t get the protection.
Improved anti-phishing protection
Enhanced Phishing Protection is included by default in all editions of Windows 11 22H2. Microsoft 365 Defender is not required to turn the feature on, but that license adds logging and reporting capabilities. Enhanced Phishing Protection is built on the Microsoft Defender SmartScreen infrastructure and can warn users when a website or app is attempting to steal credentials. With the appropriate Microsoft 365 license it also tells users when corporate credentials are being reused across apps and websites. If you have a Microsoft Defender for Endpoint license, saving a password in Notepad, WordPad, or another Office application triggers a warning and the event is logged.
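The three platform protections described above (Smart App Control, HVCI with kernel-mode stack protection, and Enhanced Phishing Protection) can all be inventoried from an elevated PowerShell session before a rollout. The script below is an added example written for this article, not code from ITWorld or Microsoft. It is read-only. The registry paths and the Win32_DeviceGuard class are the locations Microsoft uses for these features; the meaning of the Smart App Control state values (0 off, 1 enforcing, 2 evaluation) and the KernelShadowStacks path written by the Windows Security app are the author's assumptions and should be confirmed against your build.

```powershell
# Added example: inventory Windows 11 22H2 platform protections (read-only, run elevated).

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Get-SmartAppControlState {
    # Assumption: 0 = off (one-way, cannot be re-enabled), 1 = enforcing, 2 = evaluation.
    $state = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' 'VerifiedAndReputablePolicyState'
    switch ($state) {
        0       { 'Off (cannot be re-enabled without reinstalling)' }
        1       { 'On (enforcing)' }
        2       { 'Evaluation' }
        default { 'Not present (feature unavailable on this install)' }
    }
}

function Get-HvciState {
    # Win32_DeviceGuard lists running security services; the value 2 denotes HVCI (Memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus   # 2 = VBS running
    }
}

function Get-KernelShadowStackState {
    # Assumption: the Windows Security app records the "Kernel-mode Hardware-enforced
    # Stack Protection" toggle under this key as Enabled = 1.
    $v = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks' 'Enabled'
    if ($null -eq $v) { 'Not configured (needs HVCI plus Tiger Lake / Zen 3 or newer)' }
    elseif ($v -eq 1) { 'Enabled' }
    else              { 'Disabled' }
}

function Get-EnhancedPhishingProtectionPolicy {
    # Policy values under WTDS\Components; $null means no policy, the user setting applies.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
    [pscustomobject]@{
        ServiceEnabled      = Get-RegistryDword $base 'ServiceEnabled'
        NotifyMalicious     = Get-RegistryDword $base 'NotifyMalicious'
        NotifyPasswordReuse = Get-RegistryDword $base 'NotifyPasswordReuse'
        NotifyUnsafeApp     = Get-RegistryDword $base 'NotifyUnsafeApp'
    }
}

[pscustomobject]@{
    SmartAppControl        = Get-SmartAppControlState
    Hvci                   = Get-HvciState
    KernelStackProtection  = Get-KernelShadowStackState
    EnhancedPhishingPolicy = Get-EnhancedPhishingProtectionPolicy
} | Format-List
```

A machine that reports HVCI running but kernel stack protection not configured is the case the article describes: the hardware or the HVCI prerequisite is missing, so the toggle never appears.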
Printer protection
Print spooler patches need to be installed on networked computers almost every month. Windows 11 22H2 adds settings that make these fixes easier to enforce. For example, the queue-specific file processing control (CopyFilesPolicy) was first introduced as a registry key in September 2021 to counter the Windows Print Spooler remote code execution vulnerability (CVE-2021-36958). This setting allows only the inbox mscms.dll to handle standard color profiles. The security baseline now configures that setting to ‘Enabled’ with the ‘Limit queue-specific files to color profiles’ option.
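To check whether a machine already matches the baseline setting above, and to apply it where it does not, the following added example (written for this article, not Microsoft's or ITWorld's code) audits the CopyFilesPolicy value and can remediate it. The policy registry path is the one Microsoft documents for the Group Policy setting; the value meanings (0 = do not allow queue-specific files, 1 = limit to color profiles, 2 = allow all) are taken from the same policy and should be verified against your ADMX if you rely on them.

```powershell
# Added example: audit (and optionally enforce) "Limit queue-specific files to color profiles".
function Test-PrintQueueFilePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    $path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $name   = 'CopyFilesPolicy'
    $wanted = 1   # 1 = only the inbox mscms.dll may process queue-specific (color profile) files

    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $meaning = switch ($current) {
        0       { 'Do not allow queue-specific files' }
        1       { 'Limit queue-specific files to color profiles (baseline)' }
        2       { 'Allow all queue-specific files' }
        default { 'Not configured by policy (engine default applies)' }
    }
    $compliant = ($current -eq $wanted)

    if (-not $compliant -and $Remediate -and
        $PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $wanted")) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $wanted -Force | Out-Null
        $compliant = $true
        $meaning   = 'Limit queue-specific files to color profiles (baseline, just applied)'
    }

    [pscustomobject]@{
        Setting   = $name
        Value     = $current
        Meaning   = $meaning
        Compliant = $compliant
    }
}

Test-PrintQueueFilePolicy                      # audit only
# Test-PrintQueueFilePolicy -Remediate -WhatIf  # preview the registry change
# Test-PrintQueueFilePolicy -Remediate          # apply; then: Restart-Service Spooler
```

The spooler reads the value at start-up, so a remediation on a running system should be followed by a Spooler service restart or a reboot.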
Allow administrator account lockout
Each new Windows 11 release adds or changes group policies. Windows 11 22H2 adds a Group Policy to help counter Remote Desktop attacks, which are a primary ransomware entry point. Located under ‘Security Settings’ / ‘Account Policies’ / ‘Account Lockout Policy’, the new policy mitigates brute-force credential attacks.
Credential protection
Windows 11 22H2 adds protection for the Local Security Authority (LSA) to prevent code injection that could compromise credentials. The protected Local Security Authority Server Service (LSASS) safeguards enterprise Windows 11 installations and ensures that only trusted code signed by Microsoft is loaded into it.
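Both of the preceding sections are about credential hardening that an administrator should verify rather than assume. The script below is an added example written for this article (not code from ITWorld or Microsoft): it exports the local security policy with secedit to read the Account Lockout Policy, including the 22H2 “Allow Administrator account lockout” setting, and reads the LSA protection state from the registry and the System event log. The target lockout values (10 attempts, 15 minutes, 15 minutes) are illustrative thresholds chosen here, not numbers from the article; the INF key name AllowAdministratorLockout and the RunAsPPL value meanings are as used by Microsoft's security templates, but confirm them on your build.

```powershell
# Added example: audit account lockout policy and LSA protection (run elevated).

function Get-AccountLockoutPolicy {
    # secedit writes a UTF-16 INF; the [System Access] section carries the lockout keys.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $text = Get-Content -Path $cfg -Raw
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    function Read-Key([string]$key) {
        if ($text -match "(?m)^\s*$key\s*=\s*(\d+)") { [int]$Matches[1] } else { $null }
    }
    [pscustomobject]@{
        LockoutBadCount           = Read-Key 'LockoutBadCount'            # failed attempts before lockout (0 = never)
        LockoutDuration           = Read-Key 'LockoutDuration'            # minutes the account stays locked
        ResetLockoutCount         = Read-Key 'ResetLockoutCount'          # minutes before the bad-count resets
        AllowAdministratorLockout = Read-Key 'AllowAdministratorLockout'  # 1 = built-in Administrator can lock out (new in 22H2)
    }
}

function Get-LsaProtectionState {
    # RunAsPPL: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock, absent/0 = off.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ppl = $lsa.RunAsPPL
    # Wininit logs System event 12 when lsass.exe actually started as a protected process.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    $msg = if ($evt) { $evt.Message } else { 'no Wininit event 12 found since the log was cleared' }
    [pscustomobject]@{
        RunAsPPL           = $ppl
        ConfiguredOn       = ($ppl -in 1, 2)
        RunningAsProtected = [bool]$evt
        LastStartMessage   = $msg
    }
}

function Test-CredentialHardening {
    # Illustrative thresholds; adjust to your own baseline.
    param([int]$MaxBadCount = 10, [int]$MinDurationMin = 15, [int]$MinResetMin = 15)
    $lock = Get-AccountLockoutPolicy
    $lsa  = Get-LsaProtectionState
    [pscustomobject]@{
        LockoutEnabled      = ($lock.LockoutBadCount -gt 0 -and $lock.LockoutBadCount -le $MaxBadCount)
        DurationOk          = ($lock.LockoutDuration -ge $MinDurationMin)
        ResetWindowOk       = ($lock.ResetLockoutCount -ge $MinResetMin)
        AdminLockoutAllowed = ($lock.AllowAdministratorLockout -eq 1)
        LsaProtectionOn     = $lsa.ConfiguredOn
        LsaRunningProtected = $lsa.RunningAsProtected
    }
}

Get-AccountLockoutPolicy
Get-LsaProtectionState
Test-CredentialHardening
# To set the lockout values locally (illustrative):
#   net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15
```

Note the distinction between LsaProtectionOn and LsaRunningProtected: the registry value only says what will happen at the next boot, while the Wininit event shows whether the running lsass.exe is actually protected.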
Join a domain or delegate a Microsoft account
Windows 11 22H2 works best paired with Microsoft 365 and a license that includes the additional security features. For large enterprises, that is a Windows 11 Enterprise E5 or Microsoft 365 E5 license. Small businesses with fewer than 300 employees can buy a Microsoft 365 Business Premium subscription, which offers many of the E5 suite’s features at a lower cost.
Of course, we strongly recommend registering Windows 11 Pro devices with Azure AD or a Microsoft account, but you can still join a local domain or deploy local accounts with minimal trouble. Subscribing to the Azure AD platform, however, gives users the best security options, combined cloud protection, and hybrid options.
Windows 11 protection coming soon
Microsoft has already begun testing new features to make the operating system more secure. As of Insider release preview build 25206, the SMB server service defaults to a 2-second delay between each failed inbound NTLM authentication. If an attacker tries to brute-force passwords from a database, this slows the attack down and makes it take a significant amount of time.
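The SMB authentication rate limiter above is exposed through the SmbShare module's existing Get-SmbServerConfiguration and Set-SmbServerConfiguration cmdlets as the InvalidAuthenticationDelayTimeInMs setting. The following is an added example written for this article, not code from Microsoft or ITWorld: it reports the current delay, can set it with -WhatIf support, and works through the arithmetic of why a 2-second delay matters. The 0 to 10000 ms range on the parameter is the author's assumption about the accepted values; on builds that predate the feature the property is simply absent, which the code checks for.

```powershell
# Added example: inspect and tune the SMB server's failed-NTLM-authentication delay.

function Get-SmbAuthRateLimit {
    $cfg  = Get-SmbServerConfiguration
    $prop = $cfg.PSObject.Properties['InvalidAuthenticationDelayTimeInMs']
    if ($null -eq $prop) {
        return [pscustomobject]@{ Supported = $false; DelayMs = $null; Note = 'Build predates the SMB authentication rate limiter' }
    }
    $note = if ($prop.Value -eq 0) { 'Rate limiter disabled' } else { "Each failed inbound NTLM attempt waits $($prop.Value) ms" }
    [pscustomobject]@{ Supported = $true; DelayMs = $prop.Value; Note = $note }
}

function Set-SmbAuthRateLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 10000)][int]$DelayMs = 2000)   # range is an assumption; 2000 ms is the preview default
    $state = Get-SmbAuthRateLimit
    if (-not $state.Supported) { throw 'InvalidAuthenticationDelayTimeInMs is not available on this build.' }
    if ($PSCmdlet.ShouldProcess('SMB server', "Set failed-authentication delay to $DelayMs ms")) {
        Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DelayMs -Force
    }
    Get-SmbAuthRateLimit
}

function Get-GuessingTimeEstimate {
    # Defender's view of the mitigation: one connection, one guess per delay period.
    # With 2000 ms and 1,000,000 candidates: 2,000,000 s, about 555.6 hours or 23.1 days.
    param([int]$DelayMs = 2000, [long]$Candidates = 1000000)
    $seconds = $Candidates * ($DelayMs / 1000)
    [pscustomobject]@{
        DelayMs    = $DelayMs
        Candidates = $Candidates
        Hours      = [math]::Round($seconds / 3600, 1)
        Days       = [math]::Round($seconds / 86400, 1)
    }
}

Get-SmbAuthRateLimit
# Set-SmbAuthRateLimit -DelayMs 2000 -WhatIf
Get-GuessingTimeEstimate
```

The estimate assumes a single connection; the point of the control is that the per-attempt cost is imposed by the server, so it applies regardless of how fast the client can generate guesses.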
Zero trust
Most enterprises want to deploy devices with stronger credential and password protection and minimal administrator privileges. Whether you are deploying with zero trust in mind or simply tightening credential protection, Windows 11 22H2 gives you more tools to stay a step ahead of attackers.
Windows 11 will add more network security features in the future. In particular, the Windows 11 hardware delegation within networks feature will take some time to arrive, but it shows that security is not limited to software: computer hardware must not only perform its functions but also continuously protect the network. After reviewing the Windows 11 22H2 security baseline document on Microsoft’s official site, let’s start functional testing.
Source: ITWorld Korea by www.itworld.co.kr.