Microsoft’s Security and Resiliency efforts get turbocharged in 2025

Microsoft received a few security-related black eyes in recent years as incidents such as the CrowdStrike outage, SolarWinds, the Exchange hacks, scraped LinkedIn user data, exposed Azure accounts, and more have branded the company’s services as a security liability.

However, earlier this year the company issued a security and privacy mandate to all of its staff and partners, making the protection of users’ data and privacy a top priority. At Microsoft’s Ignite 2024 conference, the company laid out additional plans to meet that goal, looking to boost its efforts to regain user trust in 2025 with a new Windows Resiliency Initiative.

Microsoft’s vice president of enterprise and OS security, David Weston, explained the Windows Resiliency Initiative in detail in a post on the Windows Experience Blog following his keynote at Ignite 2024.

We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers. As part of this commitment, we are introducing the Windows Resiliency Initiative, covering four areas of focus:

  • Strengthen reliability based on learnings from the incident we saw in July.
  • Enabling more apps and users to run without admin privileges.
  • Stronger controls for what apps and drivers are allowed to run.
  • Improved identity protection to prevent phishing attacks.

As the CrowdStrike incident that brought much of the world to a halt showed, Microsoft’s security protocols are only as effective as the way its systems interact with partners’ products. To help prevent another such incident, the company will look to leverage the Microsoft Virus Initiative (MVI) paired with the adoption of Safe Deployment Practices.

By combining the two initiatives, Microsoft is trying to ensure that all security updates will be more granular, properly adhere to deployment rings, and be monitored to minimize potential negative side effects or bugs.
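As an added illustration (not code from Microsoft or from this article), here is a small Python model of the ring-gated, monitored rollout that Safe Deployment Practices describe: an update is promoted to the next, larger ring only after the previous ring has reported enough healthy telemetry. The ring names, sizes and failure threshold are constructed for the example.

```python
from dataclasses import dataclass

# Constructed deployment rings, smallest first (hypothetical names, not Microsoft's).
RINGS = ["canary", "early_adopters", "broad", "everyone"]


@dataclass(frozen=True)
class RingHealth:
    """Telemetry a ring reports back before the update may be promoted."""
    devices: int    # devices that received the update in this ring
    failures: int   # devices that crashed or failed to boot afterwards


def ring_is_healthy(health: RingHealth, max_failure_rate: float, min_devices: int) -> bool:
    """Healthy only with enough signal AND a failure rate at or under the threshold."""
    if health.devices < min_devices:
        return False            # too few devices to trust the signal; do not promote
    return health.failures / health.devices <= max_failure_rate


def gated_rollout(health_by_ring: dict, max_failure_rate: float = 0.001, min_devices: int = 50):
    """Promote the update through RINGS in order and halt at the first unhealthy ring.

    Returns (completed_rings, halted_at); halted_at is None when every ring passed.
    A ring with no telemetry at all is treated as unhealthy: no signal, no promotion.
    """
    completed = []
    for ring in RINGS:
        health = health_by_ring.get(ring)
        if health is None or not ring_is_healthy(health, max_failure_rate, min_devices):
            return completed, ring
        completed.append(ring)
    return completed, None


if __name__ == "__main__":
    # Constructed telemetry: the second ring shows a 0.5% failure rate, above the 0.1% limit.
    telemetry = {
        "canary": RingHealth(devices=100, failures=0),
        "early_adopters": RingHealth(devices=1000, failures=5),
        "broad": RingHealth(devices=10000, failures=2),
    }
    print(gated_rollout(telemetry))   # (['canary'], 'early_adopters')
```

The halt happens before the broad ring ever receives the update, which is the behaviour a fleet-wide outage like the July one needs from a deployment pipeline.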

Weston also announced Quick Machine Recovery, which seems like a direct response to what happened with CrowdStrike. Based on Weston’s description, QMR will allow IT admins to apply ‘targeted fixes’ delivered through Windows Update to PCs even when they are unable to boot. Part of the problem with CrowdStrike was that the update issued by the security firm put Windows devices into an unbootable loop that required hands-on, on-premises troubleshooting to fix.

Microsoft plans to roll out Quick Machine Recovery to Windows Insiders starting early 2025.

Other features meant to harden Windows resiliency will come in changes that let anti-virus solutions run in user mode, so that crashes or mistakes can be dealt with outside of kernel mode. Unfortunately, Weston mentioned that this capability won’t be made available to the company’s host of security products until July 2025.

In a brief aside, Weston also mentioned that Microsoft is boosting its efforts to support modern programming languages like Rust while moving away from more exploitable ones such as C++.

While general Windows 10 support is set to expire at the end of this year, despite a stay of execution via a Long-Term Servicing Channel available for some enterprise licenses, Weston suggested customers move to Windows 11 as he touted several security benefits of the newer operating system.

All new Windows 11 PCs require a hardware-backed security baseline, such as TPM 2.0 and virtualization-based security by default. This baseline is the starting point, and the foundation needed to help secure everything else on Windows. Built into new Windows 11 PCs, including Copilot+ PCs, are a growing list of existing features now enabled by default, or with additional protections added to significantly reduce the potential for attacks.

These changes make Windows 11 more secure by default than Windows 10, from the chip to the cloud. Examples include Credential Guard, vulnerable driver block list, Local Security Authority (LSA) protection now enabled by default for new consumer devices, and BitLocker enabled by default on most modern systems. In addition, insecure code and crypto algorithms have been removed, and kernel attack surfaces, like Tool Tips, have been moved to user mode.

David Weston, Vice President Enterprise and OS Security at Microsoft

While Windows 11 is objectively more secure than Windows 10, it’s obviously not without its own holes, and Weston mentioned several additional things the company is looking to address as part of its ongoing security and resiliency efforts.

Weston mentions that the company is looking to reduce admin privileges by offering a middle ground between standard and admin permissions called Administrator Protection. Administrator Protection is a preview feature that allows users with standard permissions to make system changes only after securely authenticating through Windows Hello, which triggers a temporary isolated admin token that lasts only for the duration of the change and is destroyed afterwards.

Through this method, malware will have a harder time gaining direct access to system-level resources, the kind of access that leads to persistent, long-term damage.

Weston also pushed adoption of Windows Hello to spread the practice of multifactor authentication (MFA), which he cited as protecting over “99.99% of MFA-enabled accounts.”

And because employees are dumb sometimes, Weston reiterated the use of Microsoft’s Smart App Control and App Control for Business to help prevent users from downloading unsafe or unsigned apps or drivers onto secure devices. Windows Protected Print also works as a security stopgap for Mopria-certified devices and reduces the number of incidents caused by old print drivers.

Other security callouts from Weston include:

  • Personal Data Encryption for known folders is a new Windows 11 Enterprise capability using Windows Hello authentication to help protect files stored in the Desktop, Documents and Pictures folders. Protection is indicated by the lock icon on the file. With Personal Data Encryption enabled, a device administrator won’t be able to view file content, as the files remain encrypted until you authenticate with Windows Hello. An IT admin, using Microsoft Intune (or another management tool) can select all or a subset of these folders to apply Personal Data Encryption. It integrates with OneDrive and SharePoint on Microsoft 365 to allow for easy collaboration. Personal Data Encryption can be used independently of BitLocker, or other solutions, and when combined with BitLocker, it offers double encryption protection. Enterprise developers can also leverage the Personal Data Encryption API to extend protection of their application data.
  • Hotpatch in Windows is being introduced for Windows 11 Enterprise 24H2 and Windows 365. This revolutionary feature allows businesses to apply critical security updates without requiring a system restart, shortening your time to adopt critical security updates by up to 60% from the moment a security update is offered. With hotpatching through your Windows Autopatch settings in Microsoft Intune, you can reduce the number of system restarts for Windows updates from 12 times a year to just four, minimizing security risk while keeping systems secure and productivity uninterrupted. This means consistent protection, and a streamlined, seamless experience for your users. Hotpatch in Windows is currently in preview.
  • Zero Trust DNS. Network destinations are often defined by domain names, making enforcement challenging. Zero Trust DNS restricts Windows devices to approved domains, blocking outbound IPv4 and IPv6 traffic unless resolved by a Protected DNS server or allowed by an IT admin.
  • Config Refresh, available now, is a frequently requested feature, as configuration drift can occur when a user or app makes changes to a PC’s system registry. Config Refresh helps enforce MDM-defined security policies by automatically returning PC settings to the preferred configuration. Config Refresh works locally on the PC without needing to connect to the MDM, so devices can self-manage settings drift even when offline.
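To make the Zero Trust DNS item above concrete, here is an added Python model of the enforcement rule it describes (this is illustrative code, not Microsoft’s implementation): a device may open an outbound IPv4 or IPv6 connection only to an address that the Protected DNS server returned for an approved domain, and that allowance expires with the record’s TTL. The domain names, addresses and TTLs are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed answers standing in for a Protected DNS server's zone, plus the
# IT admin's approved-domain policy (hypothetical names and addresses).
PROTECTED_DNS = {
    "intranet.contoso.example": [("203.0.113.10", 300), ("2001:db8::10", 300)],
    "updates.contoso.example": [("203.0.113.20", 60)],
    "cdn.unapproved.example": [("198.51.100.5", 300)],
}
APPROVED_DOMAINS = {"contoso.example"}


def is_approved(name: str) -> bool:
    """True if name equals, or is a subdomain of, an approved domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in APPROVED_DOMAINS)


@dataclass
class ZtdnsEnforcer:
    """Per-device allow-list keyed by destination IP; entries expire with the DNS TTL."""
    allowed: dict = field(default_factory=dict)   # ip_address -> expiry time

    def resolve(self, name: str, now: float) -> list:
        """Resolve through the protected server; only approved names populate the allow-list."""
        if not is_approved(name):
            return []           # blocked at resolution time, so no address is ever allowed
        answers = PROTECTED_DNS.get(name.lower().rstrip("."), [])
        for ip, ttl in answers:
            self.allowed[ipaddress.ip_address(ip)] = now + ttl
        return [ip for ip, _ in answers]

    def allow_outbound(self, dst: str, now: float) -> bool:
        """Permit a connection only to an address from a fresh, approved resolution."""
        addr = ipaddress.ip_address(dst)
        expiry = self.allowed.get(addr)
        if expiry is None:
            return False        # raw IP or unapproved name: never resolved via the protected path
        if now > expiry:
            del self.allowed[addr]
            return False        # TTL elapsed; the client must resolve again to reopen it
        return True
```

Note that a connection straight to an IP address, or to an address learned from any other resolver, never enters the allow-list, which is what makes name-based policy enforceable at the packet level.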

Microsoft has made a lot of promises for 2025; let’s see whether the company keeps them, and how effective they are in turning around its security brand.
