Friday, September 20, 2024

What are the new Windows 11 22H2 security features?


Windows 11 2022 has now been released and Microsoft has once again placed a heavy emphasis on security. The good news is that even Windows Home versions can receive some of the key security features with no additional license. If you review the Windows 11 22H2 security baseline documents and test these features, you won’t be left behind.

The Windows 11 release cadence

In addition, Microsoft will be implementing “suggested actions” in its software applications. These releases, which Microsoft is calling “controlled feature rollouts”, will not be included in business-safe releases but will be present in preview versions. Group policies to better control these incremental changes will be available so that you can deploy those changes in your network as you see fit.

Smart App Control for Windows 11

The new Smart App Control feature invites comparison with Windows 10 S mode. Windows 10 S mode allowed you to install only vetted applications from the Microsoft Store, which was a great feature. The implementation of this new Smart App Control, however, is totally different.

With Windows 11 22H2, any binary application you install will be vetted against a cloud-based directory of trusted programs. If an application is not on the list, its digital signature is inspected. If it has a valid digital signature, it will be allowed to install. If you run line-of-business applications whose code is not signed, reach out to the vendor and make sure that standard code-signing practice is followed.

Smart App Control cannot be enabled if you’ve already installed Windows 11 22H1. You can only enable it if you reinstall the operating system from scratch, making it a one-way deployment. Furthermore, firms may want to use a tool other than Smart App Control if they need to control what’s deployed on their laptops. For this reason, Microsoft Intune with Windows Defender Application Control is a good option for firms looking for more control over their software choices.

Smart App Control is built on the same OS capabilities used in Windows Defender Application Control. Smart App Control is available on all Windows desktops and laptops that have a clean installation of this Windows 11 release.

Alternatively, enterprise IT teams can use Microsoft Intune with Windows Defender Application Control (WDAC) to remotely apply policies to control what apps run on workplace devices. The licensing requirements for this are interesting: “Enterprises can enforce WDAC policies on any edition of Windows 10 and Windows Server 2016 without additional licensing; the creation of policies requires Windows 10 Enterprise.” To use Windows 11 in the first place, you’ll need the necessary hardware for Windows 11 including a Trusted Platform Module (TPM), as well as the proper virtualization hardware.
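One way to find the binaries that the signature check described above would flag, as an added PowerShell example that is not part of the original article: it inventories Authenticode status under an application folder. The path `C:\Program Files\ContosoLOB` and the function name `Get-SignatureInventory` are hypothetical.

```powershell
# Added example: inventory code-signing status for a line-of-business app folder.
# $AppRoot is a hypothetical path; point it at the directory you want to review.
$AppRoot = 'C:\Program Files\ContosoLOB'

function Get-SignatureInventory {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.msi', '.ps1' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status                        # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer      = $sig.SignerCertificate.Subject     # empty when the file is unsigned
                CertExpires = $sig.SignerCertificate.NotAfter
                Timestamped = [bool]$sig.TimeStamperCertificate  # a timestamp keeps a signature valid after cert expiry
            }
        }
}

$inventory = Get-SignatureInventory -Path $AppRoot

# Summary: how many files fall into each signature status.
$inventory | Group-Object Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail: everything without a valid signature, to raise with the vendor.
$inventory | Where-Object Status -ne 'Valid' | Sort-Object Status, File |
    Format-Table Status, Timestamped, File -AutoSize
```

Files that report `NotSigned` or `HashMismatch` are the ones to take to the vendor before a clean install with application control turned on.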

Microsoft Vulnerable Driver Blocklist v2.2

Windows 11 22H2 has some powerful new features to protect against malicious drivers. For example, Hypervisor-Protected Code Integrity (HVCI) and the Microsoft vulnerable driver blocklist, which blocks known vulnerable drivers, help protect the kernel. Code running in the kernel must meet strict requirements, so cybercriminals usually exploit vulnerabilities in kernel drivers in order to get access.

Kernel Mode Hardware Enforced Stack Protection is hardware-specific and requires either Intel Tiger Lake processors and beyond or AMD Zen 3 and beyond. This setting also requires HVCI (Virtualization-Based Protection of Code Integrity). If you don’t have these features, this protection can’t be offered to you.

With Enhanced Phishing Protection, you’ll be alerted to phishing links whenever they try to steal your personal or financial information. This enhanced security will help keep you and your company safe.

By default, Enhanced Phishing Protection is turned on and available in Windows 11 22H2. It can be enabled regardless of whether you have a Microsoft 365 Defender license, but adding that license will give you increased logging and reporting on top of SmartScreen to monitor unauthorized websites. With the right Microsoft Defender for Endpoint, E5, Microsoft Business Premium, or standalone licenses, it can also warn users about re-using company passwords in other applications or sites.

Protection for your printer

To maintain the reliability of our network computers, we often have to install a new printer patch every couple of months. Windows 11 22H2 introduces an additional setting on top of all the recent improvements Microsoft has been making with printers. This latest update addresses an issue that involves managing the processing of queue-specific files (CopyFilesPolicy). This registry key was first introduced as a response to a Windows Print Spooler remote code execution vulnerability (CVE-2021-36958) in September 2021. Certain print jobs could be maliciously constructed to execute code on or modify your system, so it’s important to configure this setting accordingly. Ask your local IT team for guidance on how best to set this option; the default is typically “Enabled” with the option of “Limit queue-specific files to color profiles.”

Enable administrator account lockout

Windows 11 22H2 comes with a new security feature that aims to eliminate a common point of entry for malware. The setting is found in “Security Settings”, under “Account Policies”, in “Account Lockout Policy”.

Unbeatable security

Windows 11’s latest features include protections that help keep both your credentials and the operating system secure. The new Local Authority Subsystem Service and additional protections for the Local Security Authority (LSA) protect against API exploitation that could lead to credential theft.

Domain join or Microsoft account mandate.

Windows 11 22H2 is best when it’s combined with Microsoft 365 and an appropriate license that includes additional security features. Large enterprises can opt for a Windows 11 Enterprise E5 or Microsoft 365 E5 license. Small businesses, under 300 seats, can purchase a subscription to Microsoft 365 Business Premium and still get many of the features of the Enterprise suite at a lesser cost.

Windows 11 offers many security options and gives you the ability to create a Microsoft account or Azure AD account. While it’s encouraged that you sign up for either one, you can still use a local domain or even deploy a local account with little trouble. The downside of doing so is that you miss out on the better security that either account provides, along with the ability to try out cloud-based protection and some hybrid options.

Windows 11 has many new protections to ensure a better overall experience

With the new preview build of Windows 10, the way Microsoft handles security is improved. The SMB server service now defaults to a two-second delay between each failed inbound NTLM authentication. This drastically slows down those using brute-force techniques to guess passwords from databases.
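A read-only audit of several settings this article names (HVCI, the vulnerable driver blocklist, CopyFilesPolicy, LSA protection and the SMB failed-authentication delay), as an added PowerShell example rather than Microsoft's or the author's code. The expected values and the function names `Test-RegistrySetting` and `Get-SmbAuthDelay` are this example's assumptions; `NotSet` means no explicit value was found and the build's default applies.

```powershell
# Added example: read-only audit of settings named in this article. Run elevated.
# "Expected" values are this example's assumption of the hardened state.
$checks = @(
    @{ Name = 'HVCI (memory integrity)'; Value = 'Enabled'; Expected = @(1)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' },
    @{ Name = 'Vulnerable driver blocklist'; Value = 'VulnerableDriverBlocklistEnable'; Expected = @(1)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' },
    @{ Name = 'Print spooler CopyFilesPolicy'; Value = 'CopyFilesPolicy'; Expected = @(1)
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' },
    @{ Name = 'LSA protection (RunAsPPL)'; Value = 'RunAsPPL'; Expected = @(1, 2)
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
)

function Test-RegistrySetting {
    param([Parameter(Mandatory)][hashtable]$Check)

    # A missing key or value is reported as NotSet rather than raising an error.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Value) } else { $null }
    $state  = if ($null -eq $actual) { 'NotSet' } elseif ($actual -in $Check.Expected) { 'OK' } else { 'Review' }

    [pscustomobject]@{ Setting = $Check.Name; Actual = $actual; State = $state }
}

function Get-SmbAuthDelay {
    # Builds without the SMB authentication delay do not expose this property,
    # so look it up by name instead of assuming it exists.
    $cfg    = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $prop   = if ($cfg) { $cfg.PSObject.Properties['InvalidAuthenticationDelayTimeInMs'] }
    $actual = if ($prop) { $prop.Value } else { $null }
    # 2000 ms is the two-second default the article describes.
    $state  = if ($null -eq $actual) { 'NotSet' } elseif ($actual -ge 2000) { 'OK' } else { 'Review' }

    [pscustomobject]@{ Setting = 'SMB failed-auth delay (ms)'; Actual = $actual; State = $state }
}

$report = @($checks | ForEach-Object { Test-RegistrySetting -Check $_ }) + (Get-SmbAuthDelay)
$report | Format-Table -AutoSize
```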

Zero fraud

Regardless of whether you deploy with zero trust in mind or simply want to protect your credentials better, Windows 11 22H2 provides more protection and tools to keep attackers one step behind.

According to security experts, Windows 11 22H2 won’t be the last of Microsoft’s pushes for more security for our networks. While this is great news, many of us will have to wait to see these hardware standards on our networks. In the meantime, we can take advantage of the advances in computer hardware that have been made and make sure we’re protected with Windows 11 22H2.
