What are the new security features in Windows 11 22H2?


The Windows 11 2022 Update (version 22H2) is now available, and Microsoft has once again focused on security. The good news for this release is that even Windows Home editions receive some of the key security features without an additional Windows or Microsoft 365 license. Review Microsoft's Windows 11 22H2 security baseline and feature documentation and start testing these features.

Windows 11 release cadence

First, a reminder: Windows 11 feature updates ship only once a year. Major security changes arrived in the first release of Windows 11 (21H2) as well as in 22H2. Between feature updates there will be smaller incremental changes, sometimes called "snapshot" releases; the tabbed File Explorer and its new navigation pane are examples of features expected to arrive this way.

"Suggested actions" will also prompt users with next steps in apps such as Microsoft Teams. These incremental "controlled feature rollouts" are disabled by default in release builds but enabled in Insider preview builds. Group Policy settings to control them let you deploy these changes to your network on your own schedule.

Windows 11 Smart App Control

The first new feature is Smart App Control. Recall that Windows 10 in S mode allowed only apps from the Microsoft Store, where they had been vetted. Smart App Control has a similar goal but a very different implementation.

This time, Windows consults Microsoft's cloud-based app intelligence service, which holds verdicts and hashes for applications Microsoft has seen and assessed. With Smart App Control enabled on a newly deployed Windows 11 22H2 device, every binary is checked when it runs. If the cloud service cannot return a confident verdict, the app's digital signature is inspected; if it carries a valid signature, the app is allowed to run, otherwise it is blocked. If you have a line-of-business application whose code is not signed, contact the vendor and have it signed. Code signing should be a standard requirement in your vendor due diligence.

Smart App Control cannot be switched on after the fact: it is available only on clean installs of 22H2, so a device upgraded in place from Windows 11 21H2 must be reset or reinstalled to use it. It also starts in an evaluation mode and then settles on On or Off. If you later turn it off to run a required application it will not allow, you cannot turn it back on without reinstalling; it is a one-way setting. For these reasons, companies may prefer to tackle untrusted applications with a different tool: Microsoft Intune with Windows Defender Application Control policies that govern what is allowed to run.

Smart App Control is built on the same core operating system components as Windows Defender Application Control, and it ships with all Windows client editions on clean installs of the Windows 11 2022 Update.

For managed fleets, IT teams can use Microsoft Intune with Windows Defender Application Control (WDAC) to enforce policies remotely on workplace devices. The licensing is worth noting: "Enterprises can enforce WDAC policies on any edition of Windows 10 and Windows Server 2016 without additional licensing; policy creation requires Windows 10 Enterprise." To run Windows 11 at all, you need hardware that meets its requirements, including a Trusted Platform Module (TPM) 2.0 and virtualization support.
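As an added example (not code from the original article or from Microsoft), the PowerShell below performs the two checks worth making before relying on Smart App Control or moving to WDAC: it reads the Smart App Control state and scans a line-of-business install folder for binaries that lack a valid Authenticode signature. The registry location of the state value and the meaning of its 0/1/2 values are assumptions taken from Microsoft's documentation, and the folder path is a placeholder.

```powershell
# Added example, not part of the original article.
# Assumption: Smart App Control state is stored in
#   HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy\VerifiedAndReputablePolicyState
#   (0 = off, 1 = on, 2 = evaluation). $LobPath is a placeholder install directory.
param(
    [string]$LobPath = 'C:\Program Files\Contoso LOB'   # placeholder path, change to your app
)

function Get-SmartAppControlState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $state = (Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    if ($null -eq $state) { return 'Unavailable (value absent; typical of an in-place upgrade)' }
    switch ($state) {
        0       { 'Off (one-way: cannot be re-enabled without a reset or clean install)' }
        1       { 'On (enforcing)' }
        2       { 'Evaluation (learning mode; will settle on On or Off)' }
        default { "Unknown value $state" }
    }
}

function Get-UnsignedBinaries {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys, *.msi, *.ps1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

Write-Host "Smart App Control: $(Get-SmartAppControlState)"

$unsigned = @(Get-UnsignedBinaries -Path $LobPath)
if ($unsigned.Count -gt 0) {
    Write-Warning "$($unsigned.Count) file(s) under $LobPath lack a valid signature; raise this list with the vendor:"
    $unsigned | Format-Table -AutoSize
} else {
    Write-Host "All binaries under $LobPath carry a valid Authenticode signature."
}
```

Two caveats: a valid signature is necessary but not sufficient, because Smart App Control asks the cloud service first and only falls back to the signature; and in Windows PowerShell 5.1 Get-AuthenticodeSignature checks embedded signatures only, so catalog-signed files can report NotSigned. Confirm with `signtool verify /pa /a <file>` before escalating to the vendor.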

Microsoft Vulnerable Driver Block List

Malicious and vulnerable drivers are a big deal, and Windows 11 22H2 raises the bar for kernel protection. Hypervisor-Protected Code Integrity (HVCI) and the Microsoft Vulnerable Driver Blocklist, which is now enabled by default, work together here. Because Windows requires kernel-mode code to be signed, attackers rarely load their own unsigned driver; instead they load a legitimately signed driver with a known vulnerability and exploit it to gain kernel access. The blocklist exists to stop exactly that.

Kernel-mode hardware-enforced stack protection requires specific hardware: Intel Tiger Lake (11th generation) or newer, or AMD Zen 3 or newer, processors with shadow-stack support. It also depends on HVCI (virtualization-based protection of code integrity). If your hardware lacks these features, the option is not offered in Windows Security.
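The following PowerShell is an added example (not from the original article or from Microsoft) that reports the kernel protections described above on the local machine: HVCI state from the Win32_DeviceGuard class, the vulnerable driver blocklist toggle, kernel-mode shadow stacks, and recent driver loads refused by Code Integrity. The registry path for the shadow-stack toggle and the use of Code Integrity event 3077 as the "driver blocked by policy" record are assumptions from Microsoft's documentation.

```powershell
# Added example, not part of the original article.
# Assumptions: DeviceGuard\Scenarios\KernelShadowStacks\Enabled reflects the
# kernel-mode hardware-enforced stack protection toggle; CodeIntegrity event 3077
# records a driver blocked by policy (including the vulnerable driver blocklist).

function Get-HvciState {
    # Win32_DeviceGuard: the value 2 in SecurityServicesRunning means HVCI is active
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HvciConfigured        = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning           = [bool]($dg.SecurityServicesRunning   -contains 2)
        # 0 = no WDAC policy, 1 = audit, 2 = enforced
        WdacPolicyEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-RegDword {
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-KernelHardeningReport {
    $hvci      = Get-HvciState
    $blocklist = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' 'VulnerableDriverBlocklistEnable'
    $shadow    = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks' 'Enabled'

    # Recent driver loads refused by Code Integrity policy
    $blocked = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 } `
                            -MaxEvents 25 -ErrorAction SilentlyContinue

    $blocklistState = if ($null -eq $blocklist) { 'not set (on by default in 22H2)' }
                      elseif ($blocklist -eq 1)  { 'on' }
                      else                       { 'off' }

    [pscustomobject]@{
        HvciConfigured            = $hvci.HvciConfigured
        HvciRunning               = $hvci.HvciRunning
        WdacPolicyEnforcement     = $hvci.WdacPolicyEnforcement
        VulnerableDriverBlocklist = $blocklistState
        KernelShadowStacks        = if ($shadow -eq 1) { 'on' } else { 'off or unsupported hardware' }
        RecentBlockedDrivers      = @($blocked | ForEach-Object {
                                        $_.TimeCreated.ToString('s') + ' ' + ($_.Message -split "`n")[0]
                                    })
    }
}

Get-KernelHardeningReport | Format-List
```

HvciConfigured without HvciRunning usually means the setting is on but a reboot is pending or the hardware does not support it; an empty RecentBlockedDrivers list on a machine that you know loads a blocklisted driver means the block is not actually in effect and should be investigated.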

Improved Phishing Protection

Enhanced Phishing Protection is included by default in all editions of Windows 11 22H2. You do not need Microsoft 365 Defender to enable it, but that license adds logging and reporting. Built on the Microsoft Defender SmartScreen framework, it warns users when a website or application attempts to steal their Windows credentials. With an appropriate Microsoft 365 license, it can also warn users when they reuse their work password in another app or website. If a user types a password into Notepad, WordPad, or an Office application, the unsafe storage is flagged, and with a Microsoft Defender for Endpoint license (Microsoft 365 E5, Microsoft 365 Business Premium, or standalone) it is also logged for the security team.
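Enhanced Phishing Protection is off until its policies are set, so as an added example (not from the original article or from Microsoft) the PowerShell below reads the current state of the four policy values, turns all four on, and shows the result. The registry path and value names are assumptions based on the Group Policy administrative template; in an Intune-managed fleet you would set the same settings through the WebThreatDefense CSP rather than writing the registry directly.

```powershell
# Added example, not part of the original article.
# Assumption: the policy-backed values live under
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components
#   (ServiceEnabled, NotifyMalicious, NotifyPasswordReuse, NotifyUnsafeApp; DWORD 1 = on).
# Run from an elevated prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
$Desired = [ordered]@{
    ServiceEnabled      = 1   # the service itself; required for any of the notifications below
    NotifyMalicious     = 1   # warn when credentials are typed into a known-malicious site or app
    NotifyPasswordReuse = 1   # warn when the Windows/work password is reused elsewhere
    NotifyUnsafeApp     = 1   # warn when the password is typed into Notepad, WordPad, Office
}

function Get-PhishingProtectionPolicy {
    $current = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        $value = if ($current) { $current.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Value     = if ($null -ne $value) { $value } else { 'not configured' }
            Compliant = ($value -eq $Desired[$name])
        }
    }
}

function Set-PhishingProtectionPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $Desired[$name] -Type DWord
    }
}

Write-Host 'Before:'
Get-PhishingProtectionPolicy | Format-Table -AutoSize

Set-PhishingProtectionPolicy

Write-Host 'After:'
Get-PhishingProtectionPolicy | Format-Table -AutoSize
```

Leaving any of the three Notify values at 0 while ServiceEnabled is 1 puts that category in audit-only mode: events are still generated for Defender for Endpoint reporting, but the user sees no warning, which is a reasonable first stage before turning notifications on.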

Printer Protection

Almost every month, some kind of print spooler fix has to be applied to our network computers. Windows 11 22H2 introduces additional settings alongside the fixes that have hardened printing over the past year. For example, the ability to manage the processing of queue-specific files (CopyFilesPolicy) was first introduced as a registry key in September 2021 in response to a Windows Print Spooler remote code execution vulnerability (CVE-2021-36958), in which a queue's CopyFiles entries could make the spooler load an attacker-chosen DLL. This setting restricts queue-specific file processing to standard color profile handling by the inbox mscms.dll library and nothing else. The security baseline now sets this policy to "Enabled" with the option "Limit queue-specific files to color profiles".
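As an added example (not code from the original article or from Microsoft), the PowerShell below audits this hardening on a machine: it reads the effective CopyFilesPolicy value and then walks every printer queue's CopyFiles subkeys, flagging any Module entry that is not the inbox mscms.dll, since that is the DLL the spooler would load. Reading the Group Policy key before the original mitigation key, and the 0/1/2 meanings, are assumptions from Microsoft's documentation.

```powershell
# Added example, not part of the original article.
# CopyFilesPolicy: 0 = do not restrict, 1 = limit to color profiles, 2 = disable.
# Assumptions: the policy is read from the Group Policy key first and the original
# registry mitigation key second; any Module other than mscms.dll is a finding.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$LegacyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
$QueueRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
$Meanings   = @('Do not restrict', 'Limit queue-specific files to color profiles', 'Disable queue-specific files')

function Get-CopyFilesPolicy {
    foreach ($path in $PolicyPath, $LegacyPath) {
        $v = (Get-ItemProperty -Path $path -Name CopyFilesPolicy -ErrorAction SilentlyContinue).CopyFilesPolicy
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $path; Value = $v; Meaning = $Meanings[$v] }
        }
    }
    [pscustomobject]@{ Source = 'none'; Value = $null; Meaning = 'Not set (unmanaged; OS default since the September 2021 fix is to limit to color profiles)' }
}

function Get-QueueCopyFilesModules {
    Get-ChildItem -Path $QueueRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $printer = $_.PSChildName
        Get-ChildItem -Path (Join-Path $_.PSPath 'CopyFiles') -ErrorAction SilentlyContinue | ForEach-Object {
            $props  = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $module = $props.Module
            [pscustomobject]@{
                Printer    = $printer
                SubKey     = $_.PSChildName
                Module     = $module
                Directory  = $props.Directory
                # only the inbox color-management module is expected here
                Suspicious = -not ($module -and ([IO.Path]::GetFileName($module) -ieq 'mscms.dll'))
            }
        }
    }
}

Get-CopyFilesPolicy | Format-List

$modules = @(Get-QueueCopyFilesModules)
$modules | Format-Table -AutoSize

$flagged = @($modules | Where-Object Suspicious)
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) CopyFiles module(s) other than mscms.dll found; verify them before the spooler next loads them."
}
```

With the policy at 1 the spooler ignores a non-mscms Module even if it is present, so a flagged entry on a compliant machine is evidence of tampering or a misbehaving driver package rather than an active exposure; on a machine where the value is 0 it is both.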

Allow administrator account lockout

Each version of Windows 11 adds and modifies Group Policy settings. Windows 11 22H2 adds a policy, "Allow Administrator account lockout", under Security Settings > Account Policies > Account Lockout Policy, to mitigate brute-force authentication attacks, including the Remote Desktop password guessing that is a frequent entry point for ransomware. On clean installs of 22H2 the built-in Administrator account is now subject to lockout by default, with a threshold of 10 failed attempts within 10 minutes and a 10-minute lockout duration.

Credential protection

Windows 11 22H2 extends additional Local Security Authority (LSA) protection, which runs the Local Security Authority Subsystem Service (LSASS) as a protected process so that only Microsoft-signed, trusted code can load into it and other processes cannot inject code into it to read credentials. On new, enterprise-joined Windows 11 22H2 devices this protection is now enabled by default.
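The PowerShell below is an added example (not from the original article or from Microsoft) that audits both of the credential controls discussed above: the account lockout policy, including whether the built-in Administrator is covered, and LSA protection, including whether LSASS actually started protected at the last boot and whether any plug-ins were refused. The secedit INF key names, the 10/10/10 clean-install baseline, Wininit event 12, and Code Integrity events 3065/3066 are assumptions taken from Microsoft's documentation.

```powershell
# Added example, not part of the original article. Run from an elevated prompt.
# Assumptions: secedit's [System Access] keys LockoutBadCount, LockoutDuration,
# ResetLockoutCount and AllowAdministratorLockout; the 10/10/10 clean-install
# defaults; Wininit event 12 and CodeIntegrity events 3065/3066.

function Get-LockoutPolicy {
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    # Export the effective local security policy (UTF-16 INF with a BOM)
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $text = Get-Content -Path $inf -Raw
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    $result = [ordered]@{}
    foreach ($name in 'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount', 'AllowAdministratorLockout') {
        # INF lines look like:  LockoutBadCount = 10
        $result[$name] = if ($text -match "(?m)^\s*$name\s*=\s*(-?\d+)") { [int]$Matches[1] } else { $null }
    }
    [pscustomobject]$result
}

function Test-LockoutBaseline {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if (-not $Policy.LockoutBadCount) {
        $findings += 'LockoutBadCount is 0 or unset: accounts never lock out, so password guessing is unthrottled'
    } else {
        if ($Policy.LockoutBadCount -gt 10) { $findings += "LockoutBadCount $($Policy.LockoutBadCount) exceeds the baseline of 10" }
        # -1 means locked until an administrator unlocks, which is stricter than 10 minutes
        if ($Policy.LockoutDuration -ge 0 -and $Policy.LockoutDuration -lt 10) { $findings += "LockoutDuration $($Policy.LockoutDuration) min is below the baseline of 10" }
        if ($Policy.ResetLockoutCount -lt 10) { $findings += "ResetLockoutCount $($Policy.ResetLockoutCount) min is below the baseline of 10" }
    }
    if ($Policy.AllowAdministratorLockout -ne 1) { $findings += 'Built-in Administrator is exempt from lockout (AllowAdministratorLockout is not 1)' }
    $findings
}

function Get-LsaProtectionState {
    $ppl   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $audit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe' -Name AuditLevel -ErrorAction SilentlyContinue).AuditLevel
    # Wininit event 12 at boot confirms lsass.exe really started as a protected process
    $boot = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue
    # 3065/3066: plug-ins or drivers LSASS refused (or would refuse, in audit mode)
    $refused = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } -MaxEvents 20 -ErrorAction SilentlyContinue

    $pplState = if ($null -eq $ppl) { 'not configured (default on for new enterprise-joined 22H2 installs)' }
                elseif ($ppl -eq 1) { 'on, UEFI-locked' }
                elseif ($ppl -eq 2) { 'on, not UEFI-locked' }
                else                { 'off' }

    [pscustomobject]@{
        RunAsPPL            = $pplState
        AuditModeOnly       = ($audit -eq 8 -and -not $ppl)
        ProtectedAtLastBoot = [bool]$boot
        RefusedModules      = @($refused | ForEach-Object { ($_.Message -split "`n")[0] })
    }
}

$policy = Get-LockoutPolicy
$policy | Format-List
$gaps = Test-LockoutBaseline -Policy $policy
if ($gaps) { $gaps | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Lockout policy meets the 22H2 baseline.' }

Get-LsaProtectionState | Format-List
```

Run the LSA part in audit mode (AuditLevel 8, RunAsPPL unset) for a while first: any smart-card middleware, password filter or authentication package that shows up in RefusedModules will stop working the moment RunAsPPL is enforced.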

Domain Join or Microsoft Account Mandate

Windows 11 22H2 is best when paired with Microsoft 365 and a license that includes the additional security features. For large enterprises, this would be a Windows 11 Enterprise E5 or Microsoft 365 E5 license. Small businesses with fewer than 300 seats can purchase a Microsoft 365 Business Premium subscription and get many of the E5 suite's features at a lower cost.

Although signing in with an Azure AD or Microsoft account is strongly recommended even on Windows 11 Pro, you can still join an on-premises Active Directory domain or deploy a local account with minimal hassle. Azure AD join, however, gives you the best security options, combining cloud protection with hybrid options.

More Windows 11 protections in store

Microsoft has already started testing features to make the operating system even more secure. In Insider Preview build 25206, the SMB server service now enforces a default two-second delay between failed inbound NTLM authentication attempts (exposed as the InvalidAuthenticationDelayTimeInMs setting of Set-SmbServerConfiguration). An attacker brute-forcing passwords over SMB is slowed down enough that the technique takes significantly longer.

Zero trust

Many of us are trying to do a better job of deploying machines with stronger credentials, better password protection, and fewer administrative rights. Whether you are deploying with zero trust in mind or simply making sure credentials are better protected, Windows 11 22H2 provides more of the tools needed to stay ahead of attackers.

Windows 11 22H2 won't be the last step in Microsoft's push for more secure networks. Many of us will have to wait before every machine on our networks meets the Windows 11 hardware requirements, but those requirements show that security isn't only a software matter: the hardware must do its part too. Take the time now to test, review and deploy 22H2 and take advantage of these security features.

Copyright © 2022 IDG Communications, Inc.