Windows 11 Security: What’s New?

Threat actors capitalized on the shift to hybrid work by launching massive attacks on end users and remote applications. Microsoft Windows, being a leader in the desktop OS and SaaS markets, was a prominent target. Native security capabilities built into the Windows 10 platform worked overtime to protect users from numerous threats — 9.6 billion malware attacks, 35.7 billion phishing and malicious emails and 25.6 billion brute-force attempts (800+ password attacks per second).   

However, the improved targeting, speed and accuracy shown recently by threat actors presents a concern for IT and security teams attempting to keep their hybrid workforce safe. This is where Windows 11 comes in.  

At face value, the new OS may not seem like a major upgrade but it’s a sea change when it comes to security.  

Let’s look at the Windows 11 security features since each organization will have different requirements, impacting their decision on whether to enable or disable a particular feature. 


What is the purpose of Windows 11 security?

Microsoft’s Windows 11 is specially designed for a hybrid workforce with robust security features, effortless deployment and seamless management.   

Windows 11 OS was launched with the purpose of:  

Improving security standards: Windows 11 comes with advanced security features to meet evolving threats such as malware, ransomware and other cyberattacks.  

Creating a passwordless environment: Windows 11 ditches passwords to support a passwordless model to achieve a deploy-to-run state in a jiffy. IT admins can enable granular control of authentication methods and secure communication between cloud platforms for better corporate data protection. 

Combining security and productivity: Windows 11 helps deliver security and productivity from one place, ensuring user safety without compromising on quality, performance or experience.  

Providing comprehensive security and compliance: Windows 11 provides evidence of trust that forms the basis of compliance policies that organizations can rally behind to realize their true security posture.   

Does Windows 11 have built-in antivirus?

Windows 11 has a pre-installed antivirus program named Microsoft Defender, which is synced with Microsoft Defender for Endpoint to deliver protection on devices and in the cloud. However, Microsoft Defender falls short of protection against malware and ransomware, often falsely flagging clean programs and files. 

Does Windows 11 have ransomware protection? 

To stop ransomware in Windows 11, turn on Controlled Folder Access. It helps you block/unblock legit programs from access from certain locations or ports, allowing you to avoid files and folders being held for ransom. This feature is turned off by default because it causes hassles with legitimate programs that need access to Documents, Photos and other similar files. 

Does Windows 11 still require TPM? 

Windows 11 needs Trusted Platform Module (TPM) 2.0 support as part of its hardware requirement. A TPM chip is a cryptographic store that stores encryption keys, passwords and certificates. The TPM chip uses the stored items to identify and authenticate devices, software and users. It ensures malware can no longer attack your Windows 11 system during the booting process.   

What are the new security features in Windows 11? 

Windows 11 comes packed with new security features:  

Microsoft Pluton  

Built on the principles of Zero Trust, Pluton is directly integrated into the CPU and OS, making it the only security processor kept up to date regularly with key security and functionality updates through Windows Update. This means Pluton does not require manual steps to update the firmware. Pluton utilizes TPM 2.0 (Trust Platform Module, a dedicated processor to handle hardware-level encryption and enable biometric logins), firmware and identity protection, Direct Memory Access and Memory Integrity Protection to protect core parts of the OS and user credentials as soon as the device powers on.  

Smart App Control  

Smart App Control is built directly into the core of the OS at the process level. Using code signing along with AI, Smart App Control prevents users from running malicious applications by blocking untested or unsigned applications. Model inferences occur 24 hours a day, running on the latest threat intelligence that provides it with trillions of signals. When a new application runs on Windows 11, its core signing and features are checked against this model, ensuring only known safe applications run.  

Defender SmartScreen  

Deliver enhanced phishing detection and protection by alerting users when they enter their Microsoft credentials into a malicious application or hacked website. Defender SmartScreen makes Windows 11 the world’s first OS with built-in phishing safeguards. 

Credential Guard  

Credential Guard uses hardware-backed, virtualization-based security capabilities to protect systems from credential theft attacks such as pass-the-hash and pass-the-ticket. It also helps prevent malware from accessing system secrets, even in cases where the malicious process is running with admin privileges.  

Personal Data Encryption  

Personal Data Encryption provides a platform to protect user files and data even when the user is not signed into the device. To access data, the user must first authenticate with Windows Hello for Business, which links data encryption keys with the user’s passwordless credentials to ensure sensitive data is more resistant to attack in the event devices are lost or stolen.  

Config Lock  

Config Lock helps protect users from themselves by monitoring registry keys through mobile device management (MDM) policies to help ensure devices comply with industry and company security standards. When Config Lock detects a change in registry keys, it will automatically revert the impacted system to the IT-desired state in seconds.  

Hypervisor-Protected Code Integrity (HVCI)  

HVCI, which will be enabled by default in future Windows 11 releases, prevents attacks from injecting malicious code into drivers and helps ensure all drivers loaded onto the OS are signed and trustworthy. It combats malware attacks that have increasingly leveraged driver vulnerabilities to compromise systems. HVCI uses data from the wider security community, and the Microsoft Vulnerable and Malicious Driver Reporting Center automatically blocks vulnerable drivers. The driver blocklist leverages Windows Defender Application Control (WDAC) to prevent advanced persistent threats (APTs) and ransomware attacks that abuse and exploit known vulnerable drivers. 

How do I make Windows 11 more secure? 

The best practices to improve Windows 11 security:  

Keep Windows 11 updated   

Microsoft keeps releasing updates to Windows 11 to fix known issues and install new security patches to strengthen PC security. Keep your system updated by installing patches on time.   

Configure for biometrics 

Microsoft provides multiple sign-in options in Windows 11. It enables folks to make use of biometrics for multifactor authorization (MFA) by utilizing Pluton capabilities.   

Sign out when you’re away 

If you are away, sign out of the Windows operating system. Along with this, use the Dynamic Lock feature to allow Windows to automatically lock your device when you’re away.  

Utilize native malware scan  

Use Windows Defender for a malware scan to protect your PC in real time from viruses, malware and other threats.   

Confirm device security  

You can view the status and manage hardware security features. It includes issues with hardware, including TPM and Secure Boot process.  

Stay safe while online  

Enable Reputation-Based Protection. This option helps to protect your PC from malicious or potentially unwanted apps, files and websites.  

Manage application permissions  

In Windows 11, you can decide what level of permission should be given to applications based on your requirements.  

Encrypt your device and data  

Manage access privileges by using encryption to ensure restricted access to data to users or programs that don’t possess the required credentials.  

Find your device  

Windows 11, with your Microsoft account, helps you find your computer in case it gets lost or stolen. In case the device is unrecoverable, you can use Unified Bare Metal Recovery. It enables physical server recovery as well as physical to virtual or virtual to physical server restores.  

Enable endpoint backup  

In Windows 11, you can choose to back up files to OneDrive, or use File History or Backup and Restore to create file backups. 

Protect Windows with Unitrends 

Microsoft’s big push to make Windows 11 more secure is having an unintended effect. Folks believe they don’t need to do anything beyond meeting those hardware and security requirements. A dangerous belief indeed.  

Yes, Windows 11 will help safeguard users from threat actors and malicious activity. However, it is paramount that users remain productive in the event of a device failure, loss or theft.   

Secure your on-the-go workforce with Unitrends Endpoint Backup. Unitrends Endpoint backup enables simple, secure cloud backup with no on-premise storage or local IT management required. Endpoint Backup deploys a direct-to-cloud agent onto the devices you want to protect and replicates 256-bit encrypted backups for safekeeping in Unitrends immutable cloud storage.  

Replace lost or deleted files with ease and leverage Bare Metal Recovery to restore user data onto a new device in the event of destruction, loss or theft.  

Want to see Unitrends Endpoint Backup in action? Get a demo today!


Discover how Unitrends can help protect your organization's sensitive data