2024-11-19

Microsoft has implemented some security-related features and improvements for Windows 11 and is working on delivering several others.

Administrator protection will allow users to make system changes on their PCs without holding standing administrator rights (rights that attackers who have compromised the system can abuse).

“With administrator protection, if a system change requires administrator rights, like some app installations, the user is prompted to securely authorize the change using Windows Hello. Windows creates a temporary isolated admin token to get the job done. This temporary token is immediately destroyed once the task is complete, ensuring that admin privileges do not persist,” David Weston, Vice President Enterprise and OS Security at Microsoft, explained.

“Administrator protection helps ensure that users, and not malware, remain in control of system resources. It will also be disruptive to attackers as they no longer have automatic, direct access to the kernel or other critical system security without specific Windows Hello authorization.”
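The behaviour described above is that an ordinary session carries no standing admin token. The following PowerShell script is an added example (not from the article or from Microsoft) that audits a device for exactly that condition: whether the current session's token is elevated, whether the signed-in user is a local administrator at all, and what the Admin Approval Mode policy is set to. The registry value name `TypeOfAdminApprovalMode` and its meaning (1 = legacy Admin Approval Mode, 2 = Administrator protection) are an assumption about where the policy lands and should be checked against current Microsoft documentation.

```powershell
# Added example (not from the article or Microsoft): audit whether the current interactive
# session already holds administrator rights, which is the standing privilege that
# Administrator protection is meant to remove, and read the related policy setting.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# True only when the running token is a full admin token, not a filtered/standard one
$tokenIsElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# True when the signed-in account is a member of the local Administrators group at all
$adminSids = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).SID
$userIsLocalAdmin = $adminSids -contains $identity.User

# Assumption: the Administrator protection policy is exposed under the UAC policy key as
# TypeOfAdminApprovalMode (1 = legacy Admin Approval Mode, 2 = Administrator protection).
# Verify this value name against current Microsoft documentation before relying on it.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$mode = (Get-ItemProperty -Path $uacKey -Name 'TypeOfAdminApprovalMode' -ErrorAction SilentlyContinue).TypeOfAdminApprovalMode

[pscustomobject]@{
    User                    = $identity.Name
    TokenIsElevated         = $tokenIsElevated
    UserIsLocalAdmin        = $userIsLocalAdmin
    AdminApprovalModeValue  = if ($null -eq $mode) { 'not set' } else { $mode }
    AdministratorProtection = ($mode -eq 2)
}
```

Run it from a normal (unelevated) console. The combination to look for on a hardened device is `UserIsLocalAdmin = True` with `TokenIsElevated = False`: the user can still authorize admin work through the Windows Hello prompt, but nothing running in the session already has the rights.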

Windows Hello has been hardened and supports passkeys.

Windows Protected Print Mode will gradually phase out third-party printer drivers.

Smart App Control and App Control for Business policies allow IT admins to prevent unverified apps from running on devices. “Line of business apps unknown to Microsoft can be easily added by the IT admin through policy changes or via Microsoft Intune managed app deployments,” the company notes.
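The "policy changes" route for adding a line-of-business app is easiest to see end to end. The PowerShell below is an added example (not from the article or from Microsoft) that builds an App Control for Business policy from a known-good reference machine, adds an unsigned-by-Microsoft LOB app by publisher rule, deploys the result in audit mode, and shows where to look before switching to enforcement. The directory `C:\WDAC`, the LOB install path `C:\Program Files\ContosoLOB`, and the policy file names are placeholders chosen for this example; the cmdlets are from the ConfigCI module and `citool.exe` ships with Windows 11 22H2 and later.

```powershell
# Added example (not from the article or Microsoft): author an App Control for Business
# policy from a reference machine, add a line-of-business app by publisher rule, roll it
# out in audit mode first, then enforce once the audit log is clean.
# Paths and names below are placeholders chosen for this example.

$policyDir = 'C:\WDAC'
$base      = Join-Path $policyDir 'Base.xml'
$lob       = Join-Path $policyDir 'LOB.xml'
$merged    = Join-Path $policyDir 'Merged.xml'
New-Item -ItemType Directory -Path $policyDir -Force | Out-Null

# 1. Base policy: allow what is installed on the reference machine, keyed on signer
#    (Publisher), falling back to file hash for unsigned binaries. -UserPEs also covers
#    user-mode files; -MultiplePolicyFormat produces the format CiTool expects.
New-CIPolicy -FilePath $base -Level Publisher -Fallback Hash -ScanPath 'C:\Program Files' `
    -UserPEs -MultiplePolicyFormat

# 2. Line-of-business app unknown to Microsoft: scan its install folder at Publisher level
New-CIPolicy -FilePath $lob -Level Publisher -Fallback Hash -ScanPath 'C:\Program Files\ContosoLOB' `
    -UserPEs -MultiplePolicyFormat

# 3. Merge into one policy and enable audit mode (rule option 3 = Enabled:Audit Mode)
Merge-CIPolicy -OutputFilePath $merged -PolicyPaths $base, $lob | Out-Null
Set-RuleOption -FilePath $merged -Option 3

# 4. Convert to binary, named after the policy ID, and apply with CiTool
$policyId = ([xml](Get-Content -Path $merged -Raw)).SiPolicy.PolicyID
$binary   = Join-Path $policyDir "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $binary
citool.exe --update-policy $binary --json

# 5. After a pilot period, review what would have been blocked. Event 3076 is an
#    audit-mode block, 3077 an enforced block, both in the CodeIntegrity operational log.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 6. When the audit log is clean, drop audit mode and redeploy the same policy to enforce:
#    Set-RuleOption -FilePath $merged -Option 3 -Delete
#    ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $binary
#    citool.exe --update-policy $binary --json
```

The audit-first sequence matters: a policy that goes straight to enforcement with a missed dependency (an updater, a helper DLL signed by a different certificate) breaks the LOB app rather than protecting it, and event 3076 is what tells you that before users do.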

Personal Data Encryption – if enabled, employees can keep files stored in the Desktop, Documents and Pictures folders encrypted, so that enterprise device administrators cannot access the files. “Enterprise developers can also leverage the Personal Data Encryption API to extend protection of their application data,” Microsoft says.

Hotpatch in Windows – As in Windows Server 2025, OS security updates applied by patching the in-memory code of running processes will soon be available for Windows 11 Enterprise 24H2 and Windows 365.

Config Refresh helps protect PCs from “configuration drift” by automatically returning their settings to the preferred (secure) configuration.

Delegated managed service accounts – help enterprises automate credential management and rotation for service accounts.
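What "automatic credential management and rotation" looks like in practice is a domain-managed secret that no administrator ever types. The PowerShell below is an added example (not from the article or from Microsoft) that creates a delegated managed service account (dMSA) and migrates a legacy service account onto it. The account names, hostname, domain and the `WEB01$` computer account are placeholders chosen for this example; the cmdlet names (`New-ADServiceAccount -CreateDelegatedServiceAccount`, `Start-/Complete-ADServiceAccountMigration`) and the `msDS-DelegatedMSAState` and `msDS-ManagedAccountPrecededByLink` attributes are as I recall them from Microsoft's Windows Server 2025 documentation and should be verified against the ActiveDirectory module version in use.

```powershell
# Added example (not from the article or Microsoft): create a delegated managed service
# account (dMSA) on a Windows Server 2025 domain and migrate a legacy service account to
# it, so the service's secret is generated and rotated by the domain rather than stored
# by a person. Names, hostnames and the domain are placeholders chosen for this example.
# Requires the ActiveDirectory RSAT module; cmdlet and attribute names should be verified
# against the module version in use.

Import-Module ActiveDirectory

$dmsaName  = 'svc-web-dmsa'         # placeholder dMSA name
$legacySvc = 'CORP\svc-web-legacy'  # placeholder legacy account to be superseded
$hostName  = 'web01.corp.example'   # placeholder host that will run as the dMSA
$allowed   = 'WEB01$'               # computer account permitted to retrieve the managed password

# 1. Create the dMSA with AES-only Kerberos and a tight retrieval ACL: only the host that
#    runs the service may fetch the managed password.
New-ADServiceAccount -Name $dmsaName `
    -DNSHostName $hostName `
    -CreateDelegatedServiceAccount `
    -KerberosEncryptionType AES256 `
    -PrincipalsAllowedToRetrieveManagedPassword $allowed

# 2. Start the migration: links the dMSA to the legacy account so that services can be
#    moved over one at a time while the legacy account keeps working.
Start-ADServiceAccountMigration -Identity $dmsaName -ServiceAccount $legacySvc

# 3. Inspect the migration state and the back-link before completing.
Get-ADServiceAccount -Identity $dmsaName `
    -Properties 'msDS-DelegatedMSAState', 'msDS-ManagedAccountPrecededByLink' |
    Select-Object Name, 'msDS-DelegatedMSAState', 'msDS-ManagedAccountPrecededByLink'

# 4. Once every service has been switched, complete the migration; the legacy account is
#    disabled and its password is no longer a valid credential for the service.
#    Undo-ADServiceAccountMigration reverts the change if something was missed.
Complete-ADServiceAccountMigration -Identity $dmsaName -ServiceAccount $legacySvc
```

The defender's win is in step 1 and step 4 together: the retrieval ACL limits the managed password to the machine that needs it, and completing the migration retires a password that, until then, was something an attacker could have harvested and reused indefinitely.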