Microsoft on Tuesday announced multiple security enhancements for Windows 11 devices that it said are designed to help organizations protect users and data in hybrid environments.

Among the updates is Microsoft Pluton, a security processor integrated directly into versions of AMD Ryzen and Qualcomm CPUs; a Smart App Control feature for preventing unsigned and untrusted apps from running; and controls enabled by default for protecting against credential theft, for authenticating users, and for blocking vulnerable drivers.

David Weston, vice president of enterprise and OS security at Microsoft, describes the new features as reducing complexity for organizations that have been forced to deal with new challenges posed by the rapid shift to remote work. Malware, credential theft, phishing, improperly secured devices, user error, and physical attacks on lost and stolen devices have all become major security issues for organizations, Weston says.

"We are simplifying security for customers in Windows 11 by turning on these new security features by default," Weston says. "We're letting customers know what's coming to the next version of Windows as they plan their OS and device refresh cycles." Microsoft will provide more information on timing later, he notes.

The security announcements are part of a broader Microsoft preview of new features for Windows 11 and Windows 365 for commercial customers of its software. According to the company, the features are designed to help organizations implement a zero-trust security model all the way from the chip to the cloud. In addition to the security features, Microsoft also provided a preview of new productivity and management capabilities that will soon be available with the two technologies, which the company says are optimized for the future of hybrid work.

Pluton, which Microsoft first previewed in November 2020, is basically a security processor that is integrated into the CPU. The processor is designed to protect things like encryption keys, user credentials, identities, and other data that technologies like Microsoft's BitLocker encryption feature and Windows Hello authentication system rely on.

Pluton implements the Trusted Platform Module (TPM) computer chip technology that Windows has supported for more than 10 years. The TPM chip is typically integrated into the motherboard of modern computers and is designed to provide secure, hardware-based protection of artifacts that are used during secure boot-up and for ensuring platform integrity and trustworthiness. Since 2015, Microsoft has required systems to have a TPM chip to be considered as Windows-certified systems. With Windows 11, TPM capabilities are a baseline security requirement — meaning the OS will work only on systems that have a TPM.

Pluton integrates TPM functionality into the CPU itself — rather than separately on the motherboard — making it much harder for attackers to extract secrets from it.

"Discrete TPMs are still susceptible to hardware hacking, where the encryption keys have been read by tapping into the [communication] bus between the TPM and CPU," says Ed Lee, an analyst with IDC. "The benefit of having the TPM integrated into the CPU is that is protects it from this kind of attack, even if someone has physical possession of the computer," he says.

Another key difference is that Pluton can provide both TPM support and features that are unique to Windows, Weston says. For instance, the technology can be regularly kept up to date via the Windows Update mechanism, he says.

"Pluton's differentiator is that it's flexible, updatable, and integrated into the Windows update process, meaning Pluton can receive security updates based on the evolving threat landscape," Weston says. The AMD Ryzen 6000 Pro and Qualcomm 8cx Gen 3 are currently shipping with Pluton.

Having Pluton firmware updates come directly from Microsoft through Windows Update will ensure they have been tested and verified by Microsoft as safe to install, Lee adds. If an enterprise has to roll out a firmware update across the company, it can be initiated and implemented from a central location and would not require IT to access each computer individually to manually update them, Lee says.

From Chip to the Cloud
Microsoft's Smart App control feature, meanwhile, is designed to prevent users of Windows 11 devices from running malicious applications by blocking suspicious software by default. The technology combines real-time Microsoft threat intelligence with AI to determine if a new application that is being run on a Windows 11 system is safe or presents a threat that needs to be automatically blocked.

"Smart App control requires apps to be signed and/or be reputable before they can be run on Windows 11," Weston says. "This can be seen as a zero-trust approach to app security where an app must prove its safety, rather than the whack-a-mole approach of trying to determine if an app is bad." Smart App control not only validates executables for trust using AI, but it also blocks all scripts from the Internet, he says.

The next version of Windows 11 will also have a feature known as Hypervisor-Protected Code Integrity (HVCI) enabled by default. The technology is aimed at ensuring — among other things — that all drivers that the OS loads are trustworthy and free of malicious code. The feature is designed to prevent advanced persistent threat actors and ransomware groups from injecting malicious code and abusing known vulnerable drivers in attacks.

"The prominent takeaway of this Windows 11 announcement is that a layered approach to security starts at the chip and builds up through the firmware, OS, and applications," says Michael Suby, an analyst at IDC. "Businesses as well as consumers should not exclusively rely on after-market security software add-ons. While essential in a layered defense, threat attackers will exploit gaps in the integrity of the OS and below."