Windows 11 2022 (22H2 release) is now out, and Microsoft has once again placed a heavy emphasis on security. The good news for this release is that even Windows Home versions can have some of the key security features with no additional Windows or Microsoft 365 licensing. Review the Windows 11 22H2 security baseline documents and begin to test these features.
Windows 11 release cadence
First, a reminder: with Windows 11, feature releases now come out only once a year. Major security changes occurred in the first release of Windows 11 (21H2) as well as in this release of 22H2. Between each major feature release there will be small incremental changes called “moment” releases. For example, expected later moment updates will include features such as tabs and a new sidebar in File Explorer.
In addition, in certain Microsoft applications, “suggested actions” will prompt users about the next steps to take in applications like Microsoft Teams. These moment releases or “controlled feature rollouts” will be off by default in business releases but will be included in preview releases. Group policies to better control these incremental changes will be available so that you will be able to deploy those changes in your network as you see fit.
Windows 11 Smart App Control
First up is a new feature called Smart App Control. If you remember, Windows 10 S mode allowed you to install applications only from the Microsoft Store, where they had been vetted. Smart App Control is similar in goal but completely different in implementation.
This time Microsoft has a cloud-based directory of trusted applications that it has vetted and whose hash values it has stored. If Smart App Control is enabled on a newly deployed Windows 11 22H2, any installed binary will be vetted. If the application is not on the list, then the digital signature of the application will be inspected. If it has a valid digital signature, the application will be allowed to be installed. If you have a line-of-business application that does not sign its code, reach out to the vendor to ensure that it is code-signed. This should be standard practice for any good vendor.
Smart App Control cannot be enabled after you have installed the operating system. If you have already deployed Windows 11 22H1, you must reinstall 22H2 from scratch to use this feature. Furthermore, if you later disable the setting to get around a needed application that isn’t on the approved list, you won’t be able to undo this choice; it’s a one-way deployment. For these reasons, firms may want to tackle the untrusted application problem with a different tool. You can use Microsoft Intune with Windows Defender Application Control to apply policies to control what is installed.
Smart App Control is built on the same OS core capabilities used in Windows Defender Application Control. Smart App Control is provided on all Windows client editions with clean installations of Windows 11 2022 Update.
Alternatively, enterprise IT teams can use Microsoft Intune with Windows Defender Application Control (WDAC) to remotely apply policies to control what apps run on workplace devices. The licensing requirements for this are interesting: “Enterprises can enforce WDAC policies on any edition of Windows 10 and Windows Server 2016 without additional licensing; the creation of policies requires Windows 10 Enterprise.” To use Windows 11 in the first place, you’ll need the necessary hardware for Windows 11, including a Trusted Platform Module (TPM) as well as the appropriate virtualization hardware.
Microsoft Vulnerable Driver Blocklist
Malicious drivers are a large problem, and Windows 11 22H2 is upping the ante on protecting the operating system. Hypervisor-Protected Code Integrity (HVCI) and blocking known vulnerable drivers via the Microsoft vulnerable driver block list are two processes that now protect Windows 11. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access.
Kernel Mode Hardware Enforced Stack Protection is hardware specific and has a dependency that requires Intel Tiger Lake processors and beyond or AMD Zen3 and beyond. This setting has a dependency on HVCI (Virtualization-Based Protection of Code Integrity). If you do not have these hardware features, you will not see this offered to you.
Enhanced Phishing Protection
Enhanced Phishing Protection is included by default in all versions of Windows 11 22H2. While you do not need Microsoft 365 Defender to enable this feature, that license gives you additional logging and reporting. It’s based on the Microsoft Defender SmartScreen infrastructure and alerts end users that websites or applications are attempting to steal credentials. With an appropriate Microsoft 365 license, it can also inform users if they re-use a corporate credential in another application or web site. If a user saves a password in Notepad, WordPad, or another Office application, and you have licensing for Microsoft Defender for Endpoint (E5 or Microsoft Business Premium, or standalone license), it will be flagged and logged.
Nearly every month some sort of print spooler patch must be applied to our network computers. Windows 11 22H2 introduces additional settings as well as builds on fixes that have been introduced to harden print features. For example, the ability to manage processing of queue-specific files (CopyFilesPolicy) was first introduced as a registry key in response to a Windows Print Spooler remote code execution vulnerability (CVE-2021-36958) in September 2021. This setting allows standard color profile processing using the inbox mscms.dll executable and nothing else. The security baseline now is to configure this setting to "Enabled" with the option of "Limit queue-specific files to color profiles".
Allow administrator account lockout
Every release of Windows 11 adds and tweaks group policies. Windows 11 22H2 adds a group policy to help defend against remote desktop attacks, which are often entry points for ransomware. This policy, located under "Security Settings"\"Account Policies"\"Account Lockout Policy", has been added to mitigate brute-force authentication attacks.
Windows 11 22H2 supports additional protection for the Local Security Authority (LSA) to prevent code injection that could compromise credentials. The new Local Security Authority Subsystem Service (LSASS) protection covers enterprise-joined Windows 11 devices and ensures that only trusted, signed code is loaded.
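A read-only way to check several of the settings covered above (HVCI and the vulnerable driver block list, the CopyFilesPolicy print setting, and LSA protection) on a test machine. This is an added example, not part of the original article; the registry locations and the Win32_DeviceGuard class are the documented Windows ones rather than values given on this page, so confirm them against the 22H2 security baseline documents before relying on the output.

```powershell
# Added example: read-only audit of settings discussed in this article.
# Registry paths below are assumptions drawn from Windows documentation, not from the article.
$checks = @(
    @{ Name  = 'HVCI (memory integrity) configured'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
       Value = 'Enabled'; Good = @(1) },
    @{ Name  = 'Vulnerable driver block list'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
       Value = 'VulnerableDriverBlocklistEnable'; Good = @(1) },
    @{ Name  = 'LSA protection (RunAsPPL)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RunAsPPL'; Good = @(1, 2) },   # 1 = enabled, 2 = enabled without UEFI lock
    @{ Name  = 'Print spooler CopyFilesPolicy'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
       Value = 'CopyFilesPolicy'; Good = @(1) } # 1 = limit queue-specific files to color profiles
)

$results = @(foreach ($c in $checks) {
    # A missing key or value means the setting was never configured explicitly.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
    $state  = if ($null -eq $actual) { 'NotConfigured' } elseif ($c.Good -contains $actual) { 'OK' } else { 'Review' }
    [pscustomobject]@{ Setting = $c.Name; Actual = $actual; State = $state }
})

# Registry values show what is configured; the DeviceGuard CIM class shows what is
# actually running. SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
$results += [pscustomobject]@{
    Setting = 'HVCI running now'
    Actual  = $hvciRunning
    State   = $(if ($hvciRunning) { 'OK' } else { 'Review' })
}

$results | Format-Table -AutoSize
```

A result of NotConfigured does not by itself mean a feature is off, since some protections are enabled by default on clean 22H2 installations without an explicit policy value.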
Domain join or Microsoft account mandate
Windows 11 22H2 is best when it’s combined with Microsoft 365 and an appropriate license that includes additional security features. For large enterprises this would be a Windows 11 Enterprise E5 or Microsoft 365 E5 license. Small businesses under 300 seats can purchase a subscription to Microsoft 365 Business Premium and get many of the features of the E5 suite at a lesser cost.
While it’s strongly encouraged, even in the Windows 11 Professional version, to join with an Azure AD account or Microsoft account, you can still join a local domain or even deploy a local account with a minimum of issues. However, joining the platform to Azure AD will provide you with the best security options and blend of cloud protection and hybrid options.
More Windows 11 protections in store
Microsoft has already begun testing new features to make the operating system even more secure. In the Insider release preview build 25206, the SMB server service now defaults to a two-second delay between each failed inbound NTLM authentication. If an attacker is using brute-force techniques to guess the password from a list, it will slow down that attacker so the technique will take a drastically longer period of time.
Many of us are attempting to do a better job of deploying machines with stronger credentials, better password protection and lesser administrative rights. Regardless of whether you deploy with zero trust in mind or merely ensure that your credentials are better protected, Windows 11 22H2 provides more of the tools needed to stay one step ahead of the attackers.
Windows 11 22H2 won’t be the last of Microsoft’s pushes for more security for our networks. While many of us will have to wait to see these Windows 11 hardware mandates in our networks, they showcase that security isn’t just important to the software. The computer hardware must do its part as well to ensure that we keep our networks protected. Take the time now to test, review and deploy 22H2 and take advantage of these security features.