Windows 11 is getting its first major update - officially called Windows 11 2022 Update - starting today, and with it comes a wide range of improvements and new features, including many focused on security. Microsoft has added some new capabilities - like Smart App Control - and it's also enabling more existing security features by default for new devices, adding layers of protection against all kinds of attacks.

Additionally, the Windows 11 2022 Update also allows IT admins to lock down configurations to enhance security on all of a company's devices, even when they're not connected to the internet. Let's take a closer look at everything that's new.

Smart App Control

One of the biggest security-focused additions with the Windows 11 2022 Update is Smart App Control, and it's targeted at individuals and small business users who aren't looking to pay for dedicated protection services. Smart App Control uses an artificial intelligence model, backed by 43 trillion security signals which are gathered daily, to predict whether a given app is safe to install and run. Using this constantly-updated model, Smart App Control can block potentially unsafe apps from running on your PC, meaning you run less of a risk of being attacked by malware.

Windows 11 Smart App Control prompt flagging a potentially unsafe app

This is built on the same capabilities as Windows Defender Application Control, which is a feature meant for business users, but here, the process is more automated. And Smart App Control is available on all Windows 11 client devices, so you don't need a specific SKU or to be part of an organization to benefit from it.

Protections against vulnerable drivers

Device drivers are increasingly popular attack vectors for devices due to their access to the Windows kernel, which is typically very restricted. With the Windows 11 2022 Update, Microsoft is taking a couple of steps to increase protection against driver-based attacks. First, it's enabling Hypervisor-protected code integrity (HVCI) by default on new Windows 11 devices, meaning it uses virtualization-based security to run Kernel Mode Code Integrity (KMCI), preventing changes to the kernel mode code, such as drivers, that can compromise security.

HVCI ensures that the code integrity subsystem validates all code running in kernel mode, and even if a driver has bugs, they can't be leveraged to attack your PC. This offers protection against well-known ransomware threats like WannaCry, which injects code into the Windows kernel to carry out an attack.

Even with that protection, though, Microsoft is also enabling a block list for known vulnerable drivers. New Windows PCs running the Windows 11 2022 Update will now block drivers that are known to contain potentially exploitable security issues. This provides another layer of protection against driver-based attacks, strengthening security even further.

Identity protection

Microsoft has also made an array of improvements to enhance identity protection and prevent identity theft on Windows 11. With the Windows 11 2022 Update, Windows Defender Credential Guard is enabled by default on Windows 11 Enterprise SKUs, which uses virtualization-based, hardware-backed security to protect against credential theft techniques such as pass-the-hash or pass-the-ticket. It also prevents malware from accessing system secrets, even if a process is running with administrator privileges.

Another new layer of protection for new enterprise-joined devices is credential isolation with Local Security Authority (LSA) protection enabled by default. LSA makes it so that only trusted and signed code can run, so potential attackers can't steal your credentials as easily.

Windows 11 phishing detection

Microsoft Defender's Smartscreen feature also now offers more advanced phishing protection, meaning it will warn you when you try to enter your credentials into a compromised website. If a page is trying to disguise itself as a legitimate website, Windows can jump in and let you know that the website isn't actually what it seems to be, and that entering your information is potentially revealing it to an attacker.

Finally, Windows Hello for Business has a couple of improvements, including the ability to go passwordless for single-sign-on. Now, you can set up Windows Hello to only use your fingerprint, face, or PIN to sign you into your PC and cloud services. Plus, Microsoft has made it easier to deploy Windows Hello for Business, including removing requirements for public key infrastructure (PKI), so more enterprise devices can use Windows Hello. Microsoft has also built presence sensing into Windows 11, so your PC can detect when you approach it and wake up to sign you in, or lock automatically when you step away.

Config lock

The final new addition is the new Config lock capability for IT administrators, which is fairly self-explanatory. Now, IT admins can lock down configuration settings on enterprise devices, so even if the user of that device changes a setting, it automatically reverts back to the desired state set by the IT team. This works even if the device isn't connected to the internet, so you can always enforce company policies and ensure that all devices are secure.

With hybrid work being the new standard for many, it makes a lot of sense for Microsoft to roll out additional protections for Windows 11 PCs, so users can stay safe even as they work from home and increasingly rely on their computers. Microsoft says it will keep investing in security to ensure that users can confidently work on their PCs. The company has committed a $20 billion investment in security research and development over the span of five years.