
ISSUE 19.40.F • 2022-10-03

In this issue

ON SECURITY: Securing Windows 11 with 22H2

Additional articles in the PLUS issue • Get Plus!

HARDWARE: Real-life SSD reliability must be managed

PERSONAL MEDIA: How to digitize your 35mm slides (or, how I did it)

FREEWARE SPOTLIGHT: Slimjet — A Web browser with no assembly required




ON SECURITY

Securing Windows 11 with 22H2


By Susan Bradley

The recent Windows 11 update brings more security features, but with a big caveat — only users with specific license levels benefit.

In addition, hardware requirements are tighter; I’ll discuss those shortly.

I’ve received some key questions about Windows 11 from our readers, and I’m going to take the opportunity to answer some of those in this column.

Some questions answered, some still pending

The Windows 11 22H2 Professional and Home editions can be set up without the requirement for a Microsoft account.

However, the old trick of using the command OOBE\BYPASSNRO in a command window right after setting up the computer no longer works. Now the trick is to leave the PC connected to the Internet during the setup process and provide a fictitious email address that Microsoft has locked out. That “failure” allows setup to continue anyway, using a local account. (You can see it in action here.) For those with Windows 11 22H2 Professional, you merely choose the option to join a domain, and it allows you to set up a local account.

I have several machines running Windows 11 22H1, so my next question is whether the machine on which I used the “bypass the hardware requirements” Registry key to get around the hardware block will be offered the 22H2 update. The machine is an older Surface Go. I don’t know the answer yet, so I’ll be monitoring this device to see if the 22H2 update is offered. I chose this PC for the test because Surface devices appear to get offered feature releases later versus sooner.

Remember, Microsoft has indicated that machines not officially supported might not be offered updates. Because they currently have been offered the normal monthly releases with no blocking, it remains to be seen whether machines that “hacked” their way to Windows 11 21H2 will also be offered 22H2. I’ll report back if I see it offered to these older machines. My guess is that I may have to use the bypass trick again — entering the values in the registry in order to get Windows Update to offer the feature update.

Note that I do not recommend upgrading to Windows 11 on a computer that does not officially support it. I’m doing these experiments just to see whether Microsoft really holds back updates from one of these officially unsupported machines. It’s obvious to me that Microsoft intends to keep tightening these security nuts and bolts, so the escape valves that exist today may well vanish tomorrow.

There are certain features I am looking forward to that aren’t yet in 22H2. As Will Fastie reported last week, Windows Explorer will receive a tabbed interface. As Will suggested, heavy Windows users like us often end up with window clutter, which this enhancement should relieve. I’m looking forward to that one. Also coming out is a new and easier way to get to Task Manager. For us old folks who have right-clicked the taskbar for over a year, expecting a task manager that wasn’t there, this is long overdue. These aren’t security matters but do point to the fact that the 22H2 update contained more than just security updates.

Get ready for incremental changes

Microsoft has noted that it will be releasing small, incremental changes similar to the “News and Interests” that was dribbled out to Windows 10. As Microsoft noted in its Delivering continuous innovation in Windows 11 support post, the Controlled Feature Rollout (CFR) technology will be used in Windows 11. We call it dribbled, Microsoft calls it controlled. According to Microsoft:

Using CFR, features will be gradually rolled out, starting with devices that install the monthly optional non-security preview release. When we’ve validated that each feature is ready, we’ll gradually roll it out to new devices, and eventually include it enabled-by-default in a subsequent monthly security update.

Microsoft will announce new enhancements and features when they’re ready, including documenting features shipped outside of the annual feature updates using our well-known existing process[.]

These include the preview updates, where I think Microsoft will first introduce these incremental changes — which will then be rolled into the security updates. Microsoft says that Enterprise, Educational, and domain-joined computers will be able to control these incremental changes using Intune or Group Policy and that these changes will be available in November. I’m curious about whether incremental changes can be controlled in the Home Edition through local Group Policy or Registry changes. It’s on my list of things to investigate.

Specific security features for home users

Some security changes may impact home users. You may consider them bugs; I consider them a good thing. First off, Windows 11 22H2 makes changes to Server Message Block to make it more secure and to harden it against ransomware attacks. The side effect you, the consumer, may see relates to file access: the Samba settings in Synology units are causing them not to connect to Windows 11 22H2 after the update, as noted in a Reddit thread. If you use any consumer file-share devices, you may need to review whether they still work after the update. You may need to reach out to the vendor and upgrade them from SMB v1 to SMB v2.
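Before blaming the update, it helps to know what the Windows 11 side is actually negotiating. The following is an added PowerShell example, not code from the column or from Microsoft; it uses only the built-in SmbShare and DISM cmdlets. Run it from an elevated prompt before and after the 22H2 update, and after mapping the share on the NAS, to see whether the device is still stuck on SMB1 or is being turned away for guest access.

```powershell
# Added example (not from the AskWoody column): inventory the SMB protocol state
# on a Windows 11 client so a NAS that stops connecting after 22H2 can be traced
# to an SMB1-only or guest-only device rather than guessed at.
# Run from an elevated PowerShell prompt.

# 1. Is the SMB1 client feature still installed on this PC? (22H2 removes it
#    from new installs; an upgraded PC may still carry it.)
Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Client' |
    Select-Object FeatureName, State

# 2. Server-side protocol switches on this PC (what other clients may negotiate
#    when they connect to shares hosted here).
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature, EncryptData

# 3. Which dialect each live connection actually negotiated. Map the NAS share
#    first; a device that only speaks SMB1 will never show a 2.x or 3.x dialect.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted

# 4. Client-side guest fallback. Shares that only allow unauthenticated guest
#    access fail whenever this is $false (the default on Enterprise/Education).
#    Leave it $false and create a real user account on the NAS instead.
Get-SmbClientConfiguration |
    Select-Object EnableInsecureGuestLogons, RequireSecuritySignature
```

If step 3 shows a Dialect of 3.1.1 to the NAS, the protocol is not the problem and the device's own Samba settings (signing, guest access, minimum protocol) are the place to look; if the share cannot be mapped at all, the output of steps 1 and 4 usually names the reason.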

Home users will be able to get protection from phishing filtering in Web browsing. This is the one security setting that clearly will work, whether you use a Microsoft account, Active Directory, Azure Active Directory, or a local password. As Microsoft’s post notes, Microsoft Defender SmartScreen does two things. First, it will let you know immediately that a password change is needed to reduce potential compromise to a site or a cloud service. Second, if the workstation is connected to a Microsoft 365 Defender ATP license (Microsoft 365 E5 license or a Microsoft 365 Business Professional license), it automatically reports the unsafe password usage to IT through the MDE portal so the incident can be tracked. Typically, these services don’t use your actual password to check on its safety. Instead, hash values are compared against the database of stolen passwords.

Security features for business users

The additional features rolled out with this release showcase why Microsoft has established tough hardware requirements. For example, the ability to block malicious drivers depends on having a computer that supports Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security feature that must be turned on in order for the blocking to be enabled.

As I noted in last week’s newsletter, Smart App Control, a technology that Microsoft claims will allow workstations to be protected from malicious applications, works only on freshly deployed computers and only with signed applications. I personally know that this will not work in my firm, and I predict that many businesses will find this problematic.

Windows 11 Enterprise version 22H2 devices will have Windows Defender Credential Guard turned on by default, but only for Windows E5 or Microsoft 365 E5 licensees. A Windows 11 Professional license won’t cut it.
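Whether HVCI (mentioned above as the prerequisite for blocking malicious drivers) and Credential Guard are actually running on a given PC is something you can read out of Windows itself rather than infer from the license. This is an added example, not from the column or from Microsoft; it queries the documented Win32_DeviceGuard CIM class and the LsaCfgFlags registry value, and the numeric-code mappings in the comments follow Microsoft's documentation for that class.

```powershell
# Added example (not from the AskWoody column): read the Device Guard status that
# Windows exposes via CIM to see whether virtualization-based security (VBS),
# HVCI and Credential Guard are configured and actually running on this PC.
# Run from an elevated PowerShell prompt on Windows 11.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
$vbsState = @{ 0 = 'disabled'; 1 = 'enabled, not running'; 2 = 'running' }

# SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
$svcName  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }

# AvailableSecurityProperties / RequiredSecurityProperties (platform capabilities);
# codes not listed here are shown as their raw number.
$propName = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }

function Convert-Codes($codes, $map) {
    # Translate an array of numeric codes into names, keeping unknown codes as numbers
    ($codes | ForEach-Object { if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { $_ } }) -join ', '
}

# Credential Guard policy value in the LSA key:
# 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
$lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags

[PSCustomObject]@{
    VBS                = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured = Convert-Codes $dg.SecurityServicesConfigured $svcName
    ServicesRunning    = Convert-Codes $dg.SecurityServicesRunning    $svcName
    PlatformAvailable  = Convert-Codes $dg.AvailableSecurityProperties $propName
    PlatformRequired   = Convert-Codes $dg.RequiredSecurityProperties  $propName
    LsaCfgFlags        = if ($null -eq $lsaCfg) { 'not set' } else { $lsaCfg }
}
```

On a Windows 11 Enterprise 22H2 machine that meets the hardware bar, ServicesRunning should list Credential Guard and HVCI; on a Pro machine that meets the same bar you will typically see HVCI only, and LsaCfgFlags "not set", which is exactly the licensing gap described above.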

Windows 11 22H2 supports additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials. This will provide additional hardening for Local Security Authority Subsystem Service (LSASS) processes. In your network, these settings will need to be tested before deploying them widely. You may have smart-card drivers and cryptographic plug-ins that need updates. I recommend enabling auditing before you deploy this.
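The audit-first approach works like this in practice. The following is an added example, not from the column or from Microsoft; it sets the AuditLevel value that Microsoft documents for LSA protection audit mode, then pulls the Code Integrity events that name any smart-card driver or cryptographic plug-in that would be blocked once protection is enforced. Event IDs and registry values follow Microsoft's "Configuring additional LSA protection" documentation; the test cycle and reporting are my own.

```powershell
# Added example (not from the AskWoody column): put LSA protection into audit mode
# on a test machine, then collect the Code Integrity events that identify the
# plug-ins (smart-card drivers, credential providers, crypto plug-ins) that would
# be blocked once protection is enforced. Run elevated; reboot after changing
# the registry value.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Step 1: audit only. AuditLevel = 8 makes LSASS log, but not block, plug-ins
# that fail the signing or shared-section rules. Do not set RunAsPPL yet.
Set-ItemProperty -Path $lsaKey -Name 'AuditLevel' -Value 8 -Type DWord
# Restart-Computer, then use the machine normally (logon, smart card, VPN, ...).

# Step 2: read the audit-mode findings.
#   3065 = plug-in failed the shared-section requirements
#   3066 = plug-in failed the Microsoft signing-level requirements
# Each event message carries the path of the offending file.
function Get-LsaAuditFindings {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3065, 3066
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Detail  = $_.Message
        }
    }
}

$findings = Get-LsaAuditFindings
if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No LSA audit events recorded: no plug-in loaded by LSASS would be blocked so far.'
}

# Step 3 (only once Step 2 stays empty across a full test cycle): enforce.
# RunAsPPL = 1 enables protection with a UEFI lock; 2 (new in 22H2) enables it
# without the UEFI variable, so it can be rolled back by policy if a vendor
# update turns out to be needed after all.
# Set-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -Value 2 -Type DWord
```

Keep the audit period long enough to cover every credential path your users actually exercise (a smart-card logon that happens once a week will not show up in a two-day test), and get the vendor update for anything named in a 3065 or 3066 event before flipping RunAsPPL on.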

Microsoft is introducing a new encryption feature that works separately from BitLocker and relies on Windows Hello technology to encrypt individual files rather than full volumes. Called Personal Data Encryption, the feature again requires an Education or Enterprise license.

Security is an upsell

As a small business owner who keeps getting pushed into annual subscription models, I love the power that group information brings to the table. It allows us to see the bigger picture about what attacks are going on and who is being targeted, and in general it keeps us more informed on threats and risks. But that “big picture” often comes with an annual cloud subscription requirement. Windows 11 22H2 is no different. If you truly want to take advantage of the security features of Windows 11, not only do you need the hardware to support Windows 11, you also need the annual subscription for either Microsoft 365 E5 (for larger businesses) or Microsoft 365 Business Premium (for a business of 300 users or fewer). It’s no wonder that the security division is growing exponentially.

Even with all this, we are getting mixed messages about security. I launched Edge on a new system with 22H2, and it asked me which websites I wanted pinned to my taskbar (see Figure 1).

[Figure 1: Edge’s offer to pin websites to the taskbar]
Figure 1. Edge asks which websites I want pinned to my taskbar

So on the one hand, Microsoft wants us to pay for a more expensive license to gain the security features; but on the other hand, the Edge browser is proposing settings that raise security concerns in my mind. Yes, I can easily opt out, but why the seeming contradiction? I would hope that everything in the operating system, everything in the browser, and everything Microsoft proposes is secure from the outset and not subject to a user mistake when selecting convenience options.

Here’s hoping folks on the Edge team get the memo.



Susan Bradley is the publisher of the AskWoody newsletters.




Here are the other stories in this week’s Plus Newsletter

HARDWARE


Real-life SSD reliability must be managed

By Ben Myers

Solid-state drives did not have a very good week here recently, but it was not their fault.

Here are the facts about a trifecta of mainstream laptops I handled recently, and why these laptops came up short. If you pay attention to the details here, you can improve the life and reliability of your solid-state drives (SSDs).

PERSONAL MEDIA


How to digitize your 35mm slides (or, how I did it)

By Gary Oddi

My first retirement project, nearly 20 years ago, was to digitize my 35mm slides — all 11,000 of them.

I started with flatbed scanners, but they were too time-consuming and too frustrating to set up. Were the slides right side up? Did I have the emulsion side correctly positioned?

Most of my slides were in Kodak carousels, and many more were in archival trays or plastic slide sheets. It was a pain in the neck to take them out individually, scan them, and put them back — and it took too much time. So, nothing happened. I’ll bet that’s a familiar story.

FREEWARE SPOTLIGHT


Slimjet — A Web browser with no assembly required

By Deanna McElveen

There are a lot of Web browsers out there if you want to stray from Microsoft Edge, Google Chrome, or Mozilla Firefox.

All have extensions you can install to add your favorite cool features, but that’s like having to assemble your toys on Christmas morning. How about something that comes out of the box ready to go?


Know anyone who would benefit from this information? Please share!
Forward the email and encourage them to sign up via the online form — our public newsletter is free!

Enjoying the newsletter?

Become a PLUS member and get it all!


Don’t miss any of our great content about Windows, Microsoft, Office, 365, PCs, hardware, software, privacy, security, safety, useful and safe freeware, important news, analysis, and Susan Bradley’s popular and sought-after patch advice.

PLUS, these exclusive benefits:

  • Every article, delivered to your inbox
  • MS-DEFCON Alerts, delivered to your inbox
  • MS-DEFCON Alerts available via TEXT message
  • Total access to the archive of nearly two decades of newsletters
  • No ads
  • Identification as a Plus member in our popular forums

We’re supported by donations — choose any amount for a one-year membership.


The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.


Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2022 AskWoody Tech LLC. All rights reserved.