Microsoft is releasing a whole host of additions, improvements and new features for Windows. Microsoft announced these at its own Ignite event in Chicago, although many were already available in preview. Among them are Administrator Protection and a series of patch and update integrations with Microsoft Ignite and Windows Hello.
Windows 11 includes several new security features, which Microsoft calls ‘the most significant step in a generation.’ One notable one is Administrator Protection, which changes the default settings for user permissions to those of a standard user. This new functionality ensures that administrators or authorized users can make necessary system changes only after authorization through Windows Hello.
No lingering permissions
When an administrator needs to make changes, the system creates a temporary, isolated admin token that automatically disappears after completing the task. This solution prevents admin rights from lingering in systems, reducing the risk of unauthorized access.
To step up protection against malicious apps and programmes, Microsoft is releasing policies for Smart App Control and App Control for Business. These policies ensure that only authenticated apps can run on a device, which should prevent the installation of malware via attachments and malicious emails. With AI help, businesses can quickly implement the right policies to allow apps, regardless of where those apps come from.
Passkey support in Windows Hello
Then, there is the area of user credentials. Windows Hello now supports passkeys, which improves security and hopefully simplifies login. Windows Hello integrates with both Recall and Personal Data Encryption, meaning that these features are ‘monitored’ by Hello. In the case of Recall, this prevents the accidental disclosure of sensitive data via this much-talked-about snapshot functionality.
Another security update concerns Windows Protected Print, which ensures that Mopria-certified printers work without needing third-party drivers (Mopria is an industry standard for printing and scanning). The idea is that fewer third-party add-ons mean a smaller attack surface.
In addition, Microsoft is introducing Delegated Managed Service Accounts (DMSA) to combat the rise of MFA attacks targeting service accounts. This feature automates the management and rotation of credentials for such accounts. An important tool, but only available to companies using Windows 24H2 or Windows Server 2025 and an upgraded Server 2025 domain controller.
An additional layer of security
Personal Data Encryption provides additional protection for files stored in known folders on enterprise devices. By encrypting these files twice, Windows now ensures that only the authorized user can access them (again via Windows Hello).
Windows Enterprise already encrypts data when a device is turned off. However, even if a device is stolen while still powered on or on standby, the thief cannot access individual files because of the lack of Hello authentication. This feature also works with OneDrive or SharePoint on Microsoft 365. Only system administrators can set up this feature through Microsoft Intune or another management tool.
Microsoft has also revamped its tools for managing Windows devices at scale. Zero Trust DNS ensures that devices can only access approved domains, while Configuration Refresh helps enforce MDM security policies and prevent configuration drift even when devices are offline. This prevents unwanted registry changes and brings the device ‘back in line’ at the security level. According to Microsoft, this feature has been in high demand, so now it has finally been implemented.
Backup and update improvements
Windows Backup now supports devices paired via Entra ID, making backup and restore easier. To conclude, the functionality previously called ‘Windows Update for Business deployment service’ is now integrated into Windows Autopatch. That means better integration across the board, whether a user wants to update the Windows OS, Microsoft 365 Apps for Enterprise, Microsoft Teams, or Microsoft Edge.
One for the road, then. Hotpatch functionality (in preview) downloads and installs updates in the background, so users don’t have to restart their device to deploy the updates. Anyone familiar with restarting their device to activate updates will breathe a sigh of relief. Both Autopatch and Hotpatch are integrated with Microsoft Intune, making them available to IT teams.