Last summer’s CrowdStrike meltdown caused billions of dollars in damage and exposed some fundamental architectural flaws in the Windows platform. A single flawed update from one vendor was enough to crash millions of PCs and servers worldwide, and getting those machines back online required direct human intervention on every one of those endpoints.
See also: “What caused the great CrowdStrike-Windows meltdown of 2024? History has the answer.”
In a blog post kicking off this week’s Ignite conference, Microsoft VP of Enterprise and OS Security David Weston announced changes that should dramatically lessen the likelihood of another such meltdown.
Today’s announcements are the first tangible results from a cooperative effort between Microsoft and the community of endpoint security vendors that collectively bring in billions of dollars in revenue each year protecting business networks. Security product developers will be bound by a new set of Safe Deployment Practices that require them to do additional testing and to deliver product updates gradually; instead of pushing out updates to an entire installed base at once, security vendors will be expected to use deployment rings and monitoring tools to detect a flawed update and pause or roll back the deployment before it can do extensive damage.
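To make the deployment-ring idea concrete, here is a small Python simulation (an added example, not Microsoft's or any vendor's code) of a rollout that goes ring by ring and pauses as soon as monitoring shows the cumulative crash rate over a threshold. Ring sizes, the 1% threshold, the `min_sample` gate and the two simulated update behaviours are constructed for the example; the point it shows is the difference in blast radius between a ringed rollout and pushing to the whole installed base at once.

```python
"""Staged rollout with deployment rings and an automatic pause gate.

Added illustration of the Safe Deployment Practices idea (rings plus
monitoring that pauses a bad update early); not Microsoft's or any
vendor's code. Ring sizes, the crash-rate threshold and the simulated
endpoint outcomes are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class RolloutResult:
    status: str                      # "completed" or "paused"
    deployed: int = 0                # endpoints that received the update
    crashes: int = 0                 # endpoints that failed health after it
    rings_completed: List[str] = field(default_factory=list)
    halted_at: Optional[str] = None  # ring in which the gate tripped


def deploy_in_rings(rings: List[Tuple[str, List[int]]],
                    apply_update: Callable[[int], bool],
                    max_crash_rate: float = 0.01,
                    min_sample: int = 5) -> RolloutResult:
    """Push an update ring by ring, pausing before the next ring if the
    cumulative crash rate exceeds max_crash_rate.

    apply_update(endpoint) returns True if the endpoint stays healthy and
    False if it crashes (the telemetry a monitoring tool would report).
    min_sample prevents judging a rate on only a handful of endpoints.
    """
    result = RolloutResult(status="completed")
    for name, endpoints in rings:
        for ep in endpoints:
            result.deployed += 1
            if not apply_update(ep):
                result.crashes += 1
        result.rings_completed.append(name)
        rate = result.crashes / result.deployed
        if result.deployed >= min_sample and rate > max_crash_rate:
            result.status = "paused"   # stop here; remaining rings untouched
            result.halted_at = name
            break
    return result


def deploy_all_at_once(endpoints: List[int],
                       apply_update: Callable[[int], bool]) -> int:
    """The pattern the new practices replace: every endpoint at once.
    Returns the number of crashed endpoints."""
    return sum(1 for ep in endpoints if not apply_update(ep))


# Constructed fleet: 1,025 endpoints split into three rings.
CANARY = list(range(1, 6))        # 5 machines
EARLY = list(range(6, 26))        # 20 machines
BROAD = list(range(26, 1026))     # 1,000 machines
RINGS = [("canary", CANARY), ("early", EARLY), ("broad", BROAD)]
FLEET = CANARY + EARLY + BROAD


def flawed_update(endpoint: int) -> bool:
    """Simulated update that crashes every machine it reaches."""
    return False


def mostly_healthy_update(endpoint: int) -> bool:
    """Simulated update that crashes only two specific machines."""
    return endpoint not in (500, 1000)


def simulate() -> dict:
    """Compare the blast radius of a ringed rollout with a big-bang push."""
    return {
        "flawed_ringed": deploy_in_rings(RINGS, flawed_update),
        "flawed_big_bang_crashes": deploy_all_at_once(FLEET, flawed_update),
        "healthy_ringed": deploy_in_rings(RINGS, mostly_healthy_update),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

With the flawed update, the gate trips after the five-machine canary ring and the other 1,020 endpoints never receive it; the big-bang push crashes all 1,025. The mostly healthy update loses two machines out of 1,025, stays under the threshold, and completes all three rings.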
A new feature called Quick Machine Recovery will make it easier for IT professionals to remotely repair a machine that’s stuck in a reboot loop because of a bad update or driver. According to Microsoft, “This feature will enable IT Administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC.” The feature leverages the Windows Recovery Environment and can be used to install fixes from Microsoft or from third parties. It will be available for testing through the Windows Insider Program in early 2025.
The biggest change of all will allow developers to build security products that can operate in user mode instead of requiring kernel mode. The company says it will share a private preview with its partners in the endpoint security community in July 2025. Given the fundamental nature of that change, it’s likely to be months or years before security products leveraging those changes are widely available.
New security tools for Windows 11
Since the launch of Windows 11 in 2021, Microsoft has touted the new operating system’s improved security, much of it attributable to new default settings that enable features that were optional in Windows 10.
A new round of security features scheduled to appear in Windows 11 over the next year will address more fundamental security concerns.
The biggest security issue is that the overwhelming majority of Windows users run using an account with administrator privileges. If they’re tricked into running a piece of malicious code, that malware has the same administrative rights, meaning it can install additional software and generally wreak havoc on the system.
The fix is a feature called Administrator Protection, which gives the user standard permissions by default. If they need to perform an action that requires administrator rights, such as installing an app or changing a system setting, they’ll need to authenticate using Windows Hello biometrics or a device-specific PIN. That authorization creates a temporary token that is valid only for the current action and is destroyed as soon as the task is completed. Microsoft argues that this change will be “disruptive to attackers as they no longer have automatic, direct access to the kernel or other critical system security without specific Windows Hello authorization.”
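The property that matters in that description is that the elevation token is bound to one action and destroyed when that action finishes, so a token that leaks or lingers is worthless. The following Python model (an added illustration, not Microsoft's implementation) shows that behaviour with a hypothetical `PrivilegeBroker`; the action names, the stand-in authenticator that plays the role of the Windows Hello prompt, and the outcomes dictionary are all constructed for the example.

```python
"""Model of per-action, just-in-time elevation tokens in the spirit of
Administrator Protection: the user is standard by default, an
authenticated request yields a token good for exactly one action, and
the token is destroyed once that action completes.

Added illustration, not Microsoft's code. The PrivilegeBroker class, its
action names and the fake authenticator are constructed for the example.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict


class ElevationDenied(Exception):
    pass


@dataclass
class ElevationToken:
    token_id: str
    action: str          # the single operation this token authorizes


class PrivilegeBroker:
    """Issues one-shot elevation tokens after a fresh user authentication."""

    def __init__(self, authenticate: Callable[[], bool]):
        self._authenticate = authenticate   # stands in for a Windows Hello prompt (assumed)
        self._live: Dict[str, ElevationToken] = {}

    def request_elevation(self, action: str) -> ElevationToken:
        # Every privileged action needs a fresh authentication; nothing is cached.
        if not self._authenticate():
            raise ElevationDenied(f"authentication failed for {action!r}")
        token = ElevationToken(secrets.token_hex(16), action)
        self._live[token.token_id] = token
        return token

    def run_elevated(self, token: ElevationToken, action: str,
                     work: Callable[[], str]) -> str:
        live = self._live.get(token.token_id)
        if live is None:
            raise ElevationDenied("token already consumed or never issued")
        if live.action != action:
            raise ElevationDenied(f"token is for {live.action!r}, not {action!r}")
        try:
            return work()
        finally:
            del self._live[token.token_id]   # destroyed whether work succeeded or failed


def demo() -> dict:
    """One legitimate install, then three requests the design must reject:
    replaying a consumed token, using a token for a different action, and
    requesting elevation without a successful authentication."""
    broker = PrivilegeBroker(authenticate=lambda: True)   # user approves the prompt
    token = broker.request_elevation("install app")
    outcome = {"install": broker.run_elevated(token, "install app", lambda: "installed")}
    try:
        broker.run_elevated(token, "install app", lambda: "installed again")
        outcome["replay"] = "allowed"
    except ElevationDenied:
        outcome["replay"] = "denied"
    fresh = broker.request_elevation("change setting")
    try:
        broker.run_elevated(fresh, "install app", lambda: "unexpected install")
        outcome["cross_action"] = "allowed"
    except ElevationDenied:
        outcome["cross_action"] = "denied"
    locked = PrivilegeBroker(authenticate=lambda: False)   # user declines the prompt
    try:
        locked.request_elevation("install app")
        outcome["no_auth"] = "allowed"
    except ElevationDenied:
        outcome["no_auth"] = "denied"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The `finally` block is the important design choice: the token is removed from the live set even when the elevated work raises, so a failed or interrupted action never leaves a reusable token behind.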
The addition of Windows Hello is the game-changer here. Being able to authenticate using biometrics instead of having to enter a password should reduce the hassle factor dramatically.
The feature is in preview now and should be released to the public in 2025.
A second feature, Smart App Control, is designed to block malware by preventing unknown apps from running on a Windows 11 PC. Apps that are well known will run without issue, but unsigned and unfamiliar apps will be prevented from running; the feature will also block all scripts from the internet, including those that try to leverage PowerShell as a vector for installing malware.
Smart App Control will be on by default for consumer PCs. In corporate environments, IT administrators will need to enable App Control for Business policies and select a “signed and reputable policy” template; they can then add internal apps using management tools.
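The decision logic the two preceding paragraphs describe, written out as a small allow-list evaluator in Python. This is an added example and not Microsoft's implementation: the signature state, reputation verdict and mark-of-the-web zone are assumed to come from other components and are passed in as fields, the `Policy` class models the "signed and reputable" template plus an IT-maintained list of internal app hashes, and every sample file and hash is constructed. The one real detail it relies on is that files downloaded from the internet carry a `Zone.Identifier` stream with `ZoneId=3`.

```python
"""Allow-list style app control decision, modelled on the behaviour the
article attributes to Smart App Control and App Control for Business.

Added example, not Microsoft's code. FileInfo fields (signature state,
reputation verdict, mark-of-the-web zone) are assumed inputs from other
components; the sample files, publishers and hashes are constructed.
"""
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ZONE_INTERNET = 3            # Zone.Identifier ZoneId=3: file came from the internet
SCRIPT_EXTS = {".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta"}


@dataclass(frozen=True)
class FileInfo:
    path: str
    signed: bool                 # valid Authenticode signature present
    publisher: Optional[str]     # signer subject, if signed
    reputation: str              # "known-good", "unknown" or "known-bad" (assumed verdict)
    zone_id: Optional[int]       # mark-of-the-web zone, None if absent
    sha256: str                  # constructed placeholder hashes below


@dataclass(frozen=True)
class Policy:
    trusted_publishers: FrozenSet[str]
    allowed_hashes: FrozenSet[str] = frozenset()   # internal apps added by IT
    block_internet_scripts: bool = True


def evaluate(f: FileInfo, policy: Policy) -> Tuple[bool, str]:
    """Return (allowed, reason) for a launch attempt."""
    ext = os.path.splitext(f.path)[1].lower()
    if f.reputation == "known-bad":
        return False, "known malicious"
    if f.sha256 in policy.allowed_hashes:
        return True, "explicitly allowed internal app"
    if (policy.block_internet_scripts and ext in SCRIPT_EXTS
            and f.zone_id == ZONE_INTERNET):
        return False, "script downloaded from the internet"
    if f.signed and f.publisher in policy.trusted_publishers:
        return True, f"signed by trusted publisher {f.publisher}"
    if f.reputation == "known-good":
        return True, "well-known app with good reputation"
    return False, "unsigned or unfamiliar app"


# Constructed policy: the "signed and reputable" template plus one internal hash.
BUSINESS_POLICY = Policy(
    trusted_publishers=frozenset({"Contoso Ltd", "Microsoft Corporation"}),
    allowed_hashes=frozenset({"a1b2" * 16}),   # placeholder hash of an internal tool
)

# Constructed launch attempts.
SAMPLES = {
    "office": FileInfo(r"C:\Program Files\App\app.exe", True,
                       "Microsoft Corporation", "known-good", None, "00" * 32),
    "download": FileInfo(r"C:\Users\alice\Downloads\setup.exe", False,
                         None, "unknown", ZONE_INTERNET, "11" * 32),
    "webscript": FileInfo(r"C:\Users\alice\Downloads\helper.ps1", True,
                          "Contoso Ltd", "unknown", ZONE_INTERNET, "22" * 32),
    "internal": FileInfo(r"C:\Tools\lob.exe", False,
                         None, "unknown", None, "a1b2" * 16),
    "popular": FileInfo(r"C:\Users\alice\Downloads\editor.exe", False,
                        None, "known-good", ZONE_INTERNET, "33" * 32),
}


def decisions(policy: Policy = BUSINESS_POLICY) -> dict:
    """Evaluate every sample against the policy."""
    return {name: evaluate(f, policy) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in decisions().items():
        print(f"{name:10} {'ALLOW' if allowed else 'BLOCK':5} {reason}")
```

Note the ordering: the internet-script rule is checked before the signature rule, so a signed `.ps1` that still carries the mark of the web is blocked, which matches the article's statement that all scripts from the internet are blocked, while an unsigned internal tool runs only because IT added its hash.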
Finally, Windows Protected Print mode eliminates the need for third-party print drivers, which have become an aggressive and effective entry point for attackers.
Enterprise edition gets new encryption and hotpatching
For businesses that use Windows Enterprise edition, this week’s announcements include a handful of new features that should make client PCs more secure and easier to manage.
Personal Data Encryption for known folders provides a double level of encryption for personal files on a user’s PC in the so-called known folders — Desktop, Documents, and Pictures. Accessing those files will require biometric authentication by the user, making it impossible for a device administrator to snoop in personal files. The feature uses the same enhanced encryption that will protect data collected by Windows Recall, and a Personal Data Encryption API will allow third-party developers to extend protection to their application’s data.
Configuration Refresh, which is already available, lets administrators re-enforce security policy on devices when users or apps change the Windows registry. The feature works locally and can reset the security configuration without needing to reach mobile device management servers.
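The local reconciliation that makes such a feature work can be shown in a few lines. The Python below is an added illustration, not Microsoft's code: the registry is modelled as a dictionary of value paths, the device keeps the last baseline its MDM pushed, and `refresh()` resets anything under that baseline that drifted while leaving user settings alone. The three policy values are well-known Windows policy locations used for illustration; the drift applied in `demo()` is constructed.

```python
"""Local policy re-enforcement in the spirit of Configuration Refresh: the
device holds the last policy baseline it received and reconciles the live
registry against it without contacting the MDM server.

Added illustration, not Microsoft's code. The registry is modelled as a
dict of value paths; the baseline values and the drift are constructed.
"""
from typing import Dict, List, Tuple

Registry = Dict[str, object]

# Constructed baseline: policy-managed values the MDM pushed on the last sync.
DEFENDER_OFF = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"
SMARTSCREEN = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen"
NO_AUTO_UPDATE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate"

BASELINE: Registry = {
    DEFENDER_OFF: 0,     # Defender stays enabled
    SMARTSCREEN: 1,      # SmartScreen stays on
    NO_AUTO_UPDATE: 0,   # automatic updates stay on
}


def refresh(live: Registry, baseline: Registry) -> Tuple[Registry, List[str]]:
    """Return (reconciled registry, audit lines).

    Every baseline value that is missing or differs in the live registry is
    reset to the baseline; values the baseline does not manage are untouched.
    No network access is needed: the baseline is already on the device.
    """
    fixed = dict(live)
    audit: List[str] = []
    for path, expected in baseline.items():
        current = fixed.get(path)
        if current != expected:
            audit.append(f"reset {path}: {current!r} -> {expected!r}")
            fixed[path] = expected
    return fixed, audit


def demo() -> Tuple[Registry, List[str]]:
    """Apply constructed drift to a compliant registry and refresh it."""
    live: Registry = dict(BASELINE)
    live[DEFENDER_OFF] = 1                              # a script disabled Defender
    del live[NO_AUTO_UPDATE]                            # an installer removed the value
    live[r"HKCU\Software\Contoso\Theme"] = "dark"       # user preference, not policy
    return refresh(live, BASELINE)


if __name__ == "__main__":
    registry, audit = demo()
    for line in audit:
        print(line)
```

Because the comparison runs against a baseline stored on the device, the reset happens on the same schedule whether or not the MDM server is reachable, which is the property the feature description emphasizes.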
Finally, Hotpatch allows admins to apply critical security updates without requiring a reboot. Microsoft claims that using hotpatching with Windows Autopatch settings in Microsoft Intune can reduce the number of system restarts for Windows updates from once a month to just four times per year. The feature is currently in preview and will be available in Windows 11 Enterprise version 24H2.