
Quick: When you think about Windows, what’s the first thing that comes to mind? I bet it’s not security or resiliency. And yet, that’s the message coming out of Microsoft Ignite this week, that security is the firm’s top priority–left unsaid, that means it’s not AI–and that Windows, despite all the horribleness of this past year, “remains a secure platform for [Microsoft’s] partners, developers and customers.”
Microsoft has been talking security–and, more specifically, Windows security–for decades, but if you’re familiar with the history, you know that talk and reality often diverge wildly. Over the long term, Microsoft has consistently drifted away from its security promises, like a cat distracted by a laser pointer. And in more recent years, the quality of Windows has spiraled downward at an alarming rate. I recently made the case that the latest version, Windows 11 version 24H2, is the least reliable and lowest-quality version yet. Sadly, Microsoft has gone on to prove my point by introducing fixes for some of the problems that–wait for it–introduce new quality problems of their own.
I’ve tied my career to Windows for better or worse, so I find this all personally troubling. But there are bright spots, too, examples of good ideas and even good engineering, that suggest that there are, in some ways, two Windows. There is a set of underlying foundational technologies, which is managed by the Azure group now. And then there’s the clown car that adds new end-user features to the product with reckless abandon. In the former, we see strategy and adult supervision. In the latter, we see a college freshman kegger that ends badly for everyone.
Reconciling these two sides of Windows is impossible. But it’s difficult to take announcements about the foundational bits seriously when the user-facing group spends their days defacing this once-proud product with in-box tracking, advertising, crapware, and superfluous new features. Worse, they undermine the work done by the Azure group by not properly testing anything they create, and then they update the product too often and too chaotically. It’s like Windows is bipolar, and we’re all family members forced to deal with a schizophrenic personality we used to know and love.
With all that in mind, let’s assess what Microsoft is saying about Windows “resiliency” this week at its annual Ignite conference.
And let’s be fair about it. As noted, this part of Windows does good work. This is the group that created Windows Hello Enhanced Sign-In Security (ESS), a technology that elevates the security baseline of Copilot+ PCs and other modern PCs that utilize it far beyond that of a typical PC. It’s the reason–or a reason–why Recall isn’t just safe and secure, but also negates the issues the naysayers invented to undermine this feature. When Microsoft artificially inflated the hardware minimums for Windows 11, we scoffed, correctly. But in Windows Hello ESS and Copilot+ PC, we belatedly see the vision that makes sense of those seemingly artificial requirements. The net result, extruded out over time, will be a safer, healthier ecosystem and user base.
These things take time. During Microsoft’s previous big security push, the Trustworthy Computing initiative of almost 25 years ago, it introduced the notion of a security hardware chip, the Trusted Platform Module (TPM), into a PC ecosystem that didn’t see the need, and that took 15 or more years to become standard equipment. Microsoft started the transition from 32-bit x86 to 64-bit x64 around the same time, but that didn’t become the standard until the first version of Windows 11 shipped in 2021. Windows Hello ESS and Copilot+ PCs are available now for those in the know. But in time, these things will also become part of the security baseline for all PCs. That transition can’t happen quickly enough, but it is happening.
Microsoft introduced its new Trustworthy Computing push, called Secure Future Initiative (SFI) because branding is hard, about a year ago. The ink on the SFI announcement was still wet when Microsoft suffered an infamous, months-long hack of its own infrastructure by Russian operatives. And so Microsoft re-announced SFI a few months later, and this is when it first claimed that security–and, cough, not AI–was its “top priority.” But history is unkind, and the disastrous CrowdStrike episode reminded everyone that the emperor has no clothes just a couple of months later. It’s been quite the year for Microsoft security. And as a reminder, this is the part of the company I actually trust. Yikes.
The timing of all that is, of course, unfortunate. Not just for Microsoft, but also for the corporate customers who no doubt spent much of 2024 wondering about the inertia that got them here and whether there are safer, more secure alternatives on the client.
There are, so Microsoft has opened Ignite this week loaded for bear.
On the Windows front, which is pretty much all I care about, Microsoft has announced the Windows Resiliency Initiative because you can’t make this stuff up. WRI, as I’ll now call it, is basically SFI for Windows, and in the words of Microsoft’s David Weston, who I do trust, the aim is nothing less than “ensuring that Windows remains the most reliable and resilient open platform for [its] customers.” That’s the second time in this article I’ve referenced Microsoft using the term “remains,” and there’s an interesting escalation between the two. In the first quote, at the top, Windows “remains a secure platform,” but in this new quote, Weston has promoted that to Windows being “the most reliable and resilient open platform.”
Leaving aside the open platform bit–seriously, what does that even mean at this point?–the WRI focuses on four key areas: It will strengthen reliability based on learnings from the [CrowdStrike] incident, enable more apps and users to run without admin privileges, provide stronger controls for what apps and drivers are allowed to run, and improve identity protection to prevent phishing attacks. While vague, this is a not insubstantial list of changes. And Weston does provide some details.
He also references what I noted above, that Copilot+ PCs–including those based on new AMD and Intel chips that aren’t yet officially Copilot+ PCs–raise the security bar dramatically with Windows Hello ESS and their integrated Pluton processors (which are a form of TPM designed by Microsoft), plus a “growing list of existing features now enabled by default.” Windows Hello ESS is among those features: It’s been available to PC makers for a few years, and I’ve even used at least one pre-Copilot+ PC that included it, but its incredibly stringent requirements, the associated costs of those requirements, and a lack of customer understanding and demand ensured that it was never adopted broadly. Now, like TPM, it’s the baseline.
The “additional protections added to [these secured-core and Copilot+ PCs] significantly reduce the potential for attacks,” Weston correctly notes. But then he goes off the rails a little, retroactively crediting these changes for “making Windows 11 more secure by default than Windows 10,” thus justifying the artificially higher Windows 11 system requirements. But this isn’t true. As first shipped in 2021, and with statistically almost every single PC running Windows 11 today, Windows 11 is no more secure than Windows 10. It can be more secure, if PC makers implement secured-core and Copilot+ PC hardware components and configure them correctly. But to date, few have, as noted, and only Copilot+ PCs, which represent a tiny percentage of PCs in use today, actually achieve this high bar. That’s fine, these things take time. But I vaguely resent what he implies there. Because it’s not true in the real world.
Here’s another example of walking around the truth. He cites specific examples of security features that make Windows 11 “more secure by default” than Windows 10, including Local Security Authority (LSA) protection (now “enabled by default for new consumer” PCs) and BitLocker (“enabled by default on most modern systems”). But as I discovered after exhaustive testing of the latter, BitLocker–really, Device Encryption–isn’t enabled by default on new PCs, and even then only on those running Windows 11 version 24H2, any more than was the case before. If you sign in with a Microsoft account (MSA) or Microsoft Work or school account (WSA), the PC’s system disk is encrypted automatically and the recovery key is stored in OneDrive with no prompts or notifications. But if you do not, the disk isn’t encrypted until you manually store that key, and if you’re running Home edition, you must sign in to the PC using an MSA to do so. Functionally speaking, this isn’t an improvement at all. In the real world, it works just as it did before 24H2.
What Weston is relying on here is semantics, to some degree, but also an audience that just accepts what he says. And while I’d like to do that–I do trust the guy, as noted–I can’t because I know what’s really happening and I’ve analyzed the language Microsoft uses for so long that I can see through this. Yes, there are technologies in Windows 11–and in secured-core PCs and Copilot+ PCs specifically–that raise the bar on security. But these things only matter if they’re enabled by default. And they’re not, not on most of the PCs being sold as you read this. So there’s a promise, and an ideal. Words. But it diverges from reality. And that’s the gray area we need to really focus on. We’re discussing security here, not some random feature that will show up in your Start menu when the doofuses in Windows client get around to CFRing it.
Here’s the thing. It’s getting better. It really is. I’ve experienced this on Copilot+ PCs, and I’ve seen where the security controls in those systems diverge, sometimes wildly, from those in more standard PC configurations. But per the earlier discussion, and per more general thoughts about how and when end-user features that are currently limited to Copilot+ PCs will make their way to the broader ecosystem, the answer is the same. It will happen. It is happening. These things take time. Which would have been a much more honest point for Weston to make, as opposed to “we did it.”
Oddly, he then makes that point. After an unattributed set of very specific claims about how the improvements in Windows 11 have made the system more secure for customers, he writes that “Security is a pursuit, and not a destination.” Yes. A million times yes. And to that end, Microsoft this week is introducing new features for Windows 11 that will help commercial customers–and not consumers–with challenges related to user and app privileges. That is, both are given far too much leeway over how they can impact the system, and these capabilities are often exploited by hackers to compromise PCs.
The first and most obvious is reducing administrator privileges. Microsoft long ago–literally in Windows XP in 2001–moved to a simplified user privilege model in which there are administrators and standard users. In doing so, it ran into the same issue it ran into when bifurcating that same release into Home and Professional SKUs: Deciding which capabilities are available to each side of this divide. It’s been adjusting that mix ever since, in both cases. And today, it’s introducing a new wrinkle called administrator protection. Currently in preview, this feature allows users to run as a standard user but then authenticate with Windows Hello to perform tasks that require administrative privileges. The implementation is interesting–Windows creates a temporary admin token on the fly and then destroys it once the task is complete–but to me, it’s the seamless nature of Windows Hello authentication that sells this feature. (Assuming you’re not just using a PIN.) More to the point, this feature will be “disruptive to attackers as they no longer have automatic, direct access to the kernel or other critical system security without specific Windows Hello authorization.”
The second new feature is about identity theft. Thanks to the expansion of Windows Hello (in Windows 11 version 23H2 and newer) to include integrated passkey support, Windows now includes an integrated multifactor authentication (MFA) system that’s seamless and effective, and it doesn’t require another device, like phone-based MFA solutions. So there’s nothing new here per se, this feature is just available in Windows 11 today, and it will soon be enhanced with a more modern user experience that explicitly references its use of passkeys. (I wrote up the history of this work in late 2023, it’s worth checking out.)
Next up is trusted apps and drivers: Today, unsafe or unsigned apps and drivers are a major vector for remote attacks, and so Microsoft has been working on two related features–Smart App Control and App Control for Business–that ensure that only verified apps and drivers run on your PC. I’ve been working on a Smart App Control chapter for the Windows 11 Field Guide since late last year, but I haven’t published it yet because this feature–which impacts consumers, too–is somewhat elusive and difficult to test effectively, plus it can only be enabled soon after setting up a new PC, and then it can’t be re-enabled (using normal means) if you later disable it. My understanding was that it would be enabled by default in 24H2, but I confirmed that’s not the case. Weston doesn’t address this–these features are all directed at Microsoft’s commercial audience, which can use policy to push Smart App Control (and App Control for Business) to their users. But it’s worth knowing about, so I’ll add it to the book soon. (To see whether you can enable it, open Windows Security and navigate to App & browser control > Smart App Control.)
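Because the argument above about LSA protection and Device Encryption, and the Smart App Control note just made, both turn on what a given PC actually reports rather than what a keynote says, here is an added PowerShell audit. It is example code written for this article, not Microsoft’s or the author’s own, and it reads only Microsoft-documented locations: the RunAsPPL value under the Lsa key, the VerifiedAndReputablePolicyState value under CI\Policy, and the Win32_EncryptableVolume WMI class (which exists on Home edition, where the BitLocker PowerShell module does not). The report labels and the $report structure are this script’s own invention, and it must be run from an elevated PowerShell session because the BitLocker WMI provider requires administrator rights.

```powershell
# Added example (not from the article): check whether the "enabled by default"
# items cited above are actually in effect on this PC. Run elevated.

$report = [ordered]@{}

# 1. LSA protection. Documented RunAsPPL values: 1 = enabled with UEFI lock,
#    2 = enabled without UEFI lock (Windows 11 22H2+). Missing or 0 = not enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$report['LSA protection (RunAsPPL)'] = switch ($lsa.RunAsPPL) {
    1       { 'Enabled (UEFI-locked)' }
    2       { 'Enabled (no UEFI lock)' }
    default { 'Not enabled' }
}

# 2. Smart App Control. VerifiedAndReputablePolicyState: 0 = Off, 1 = On, 2 = Evaluation.
#    Once it is 0, the UI will not let you turn it back on without a clean install.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' -ErrorAction SilentlyContinue
$report['Smart App Control'] = switch ($ci.VerifiedAndReputablePolicyState) {
    0       { 'Off (cannot be re-enabled without a clean install)' }
    1       { 'On' }
    2       { 'Evaluation' }
    default { 'Unknown / value not present' }
}

# 3. System drive encryption state from the BitLocker WMI provider.
#    ConversionStatus says whether the bytes on disk are encrypted; ProtectionStatus
#    says whether a real key protector (TPM, recovery password) is active. A drive
#    that reports "Fully encrypted" but "Protection OFF" is encrypted with a clear
#    key stored on the disk itself, which protects nothing; that is the state a new
#    PC sits in until a recovery key has been backed up.
$sysDrive = $env:SystemDrive   # e.g. "C:"
$vol = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -ErrorAction Stop |
        Where-Object { $_.DriveLetter -eq $sysDrive }

$conversion = @{ 0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress';
                 3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused' }
$protection = @{ 0 = 'Protection OFF'; 1 = 'Protection ON'; 2 = 'Unknown' }
$report['System drive conversion'] = $conversion[[int]$vol.ConversionStatus]
$report['System drive protection'] = $protection[[int]$vol.ProtectionStatus]

# 4. Key protectors, where the BitLocker module exists (Pro/Enterprise/Education).
#    Device Encryption normally ends up with a Tpm protector plus a RecoveryPassword
#    protector; no RecoveryPassword means there is nothing to have been escrowed.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $blv = Get-BitLockerVolume -MountPoint $sysDrive
    $types = @($blv.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $report['Key protectors'] = if ($types.Count) { $types -join ', ' } else { 'None' }
} else {
    $report['Key protectors'] = 'BitLocker module unavailable (Home edition?)'
}

$report.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

The useful reading is the combination in section 3: “Fully encrypted” plus “Protection OFF” is the clear-key limbo described above, and it is indistinguishable from “encrypted” in the Settings UI until you look at the protector state. Run the script once on a fresh machine before and after signing in with a Microsoft account to see which of the claimed defaults changed and which did not.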
The next feature is interesting. Personal Data Encryption tackles another crucial security area, data protection, by building off–wait for it–OneDrive Folder backup, the bane of my existence. It’s limited to Windows 11 Enterprise–indicating that Microsoft’s SKU-based product differentiation continues to be an issue–and when enabled, the user’s Desktop, Documents, and Pictures folders are encrypted (separately from the full-disk encryption of Device Encryption/BitLocker) and can’t be accessed until that user authenticates with Windows Hello for Business. This bit sounds like a joke, but Weston claims that when used with Device Encryption/BitLocker, Personal Data Encryption “offers double encryption protection.” LOL.
Weston also highlights a few features tied to Windows OS configuration and management. Windows 11 Enterprise version 24H2 introduces a “revolutionary” new Hotpatch feature that allows businesses to apply critical security updates without requiring a system restart, a feature that should be added to all supported Windows PCs. There’s a new Zero Trust DNS feature, now in preview, that blocks outbound network traffic to unapproved domains. And a feature called Config Refresh, that’s available now and enforces Mobile Device Management (MDM)-based configuration policies so that users can’t move off the preferred configuration; it’s unclear how this wasn’t always a base feature, but it does work offline, so maybe that was the issue.
So there you go.
Microsoft Ignite is Microsoft’s biggest annual conference, and it’s aimed at business users, not consumers. But it’s impossible not to imagine most of these advances coming to all Windows users in time. As noted, the most important of them are already available now in Copilot+ PCs, which are mostly aimed at consumers. And others, like Smart App Control, can be enabled manually if you know about them in the first place.
But I keep coming back to the central premise. In the wake of Microsoft’s infrastructure hack and the CrowdStrike incident, and given the decades of broken promises and Microsoft’s ADHD-like inability to stay focused on security, or anything else, can we trust these guys? Can we really trust Windows?
Copilot+ PC is the poster child of this internal conflict. Microsoft and its PC maker partners market these devices for the most superfluous of reasons, mostly asinine local AI features that won’t matter day-to-day to most people. But lurking inside each Copilot+ PC, there are good reasons–great reasons–to believe that Windows not only has a future, but a future that can be as secure and resilient as Microsoft claims. You see it in the superior Windows 11 on Arm architecture. And hopefully, today, you see it, too, in the superior security baseline these PCs provide.
It’s like the future of Windows … today. Now there’s a tagline. Microsoft should consider using it.