Jun 17 2022

Windows 11 Introduces New Higher Education and Hybrid Workforce Features

The latest improvements, rolled out earlier this year, focus on full-spectrum security.

Windows 11 has been slowly rolling out to desktops and laptops since October 2021. As of April 2022, Microsoft is introducing new functionality to assist higher education institutions and businesses with a hybrid workforce. These features are focused on security improvements for hardware, software, drivers, credentials and encryption.

Here is an overview of all the new Windows 11 security features announced this year.

Windows 365 Enables Cloud VDI Access on Device Boot

One big announcement was the release of Windows 365 last year. This is beneficial for hybrid work at enterprises and higher education institutions, as it enables seamless access to virtual desktop infrastructure (VDI). Users can launch a cloud virtual desktop (VD) instance on demand or boot the device straight to the cloud environment.

Here’s an overview:

  • Microsoft Windows 365 virtual desktops get the very latest cumulative updates automatically.
  • Cloud PCs on Windows 365 are also automatically enrolled in the Microsoft Endpoint Manager service. This reduces the administrative burden for IT teams while applying security policies like mobile device management (MDM) and mobile application management via Microsoft Intune.
  • Microsoft Defender for Endpoint is available on enterprise licenses, with a more basic Microsoft Defender available for all Windows 365 machines.
  • Windows 365 Switch will allow a session to move between the cloud desktop and the local device in either direction, syncing automatically and resuming where the user left off.
  • Windows 365 Offline accommodates spotty networking conditions, enabling offline work and syncing after internet connectivity returns, with zero disruption or data loss.


MEM Employee and Student Communications at the OS Level

Internal communications can be ignored or forgotten, especially once employees or students log out of enterprise or educational social media or an intranet solution.

Targeted messages in Windows 11 resolve this. In Microsoft Endpoint Manager (MEM), IT admins can send messages directly to users’ operating systems. A message will appear containing information and links. The target user base can be edited using Microsoft Azure Active Directory (AD) group policy.

Enhanced Phishing Detection and Protection

In response to growing hybrid work models worldwide, Microsoft has bolstered its phishing detection and protection efforts. This extends to malware, ransomware, data loss prevention and in-person device attacks. Microsoft Defender SmartScreen achieves this by monitoring applications, website access and emails in real time. IT admins can configure rules with SmartScreen Group Policy or Microsoft Intune.


Simplified Endpoint Management via a Zero-Trust Security Model

Microsoft has announced a new zero-trust security model for Windows 11 Enterprise. This model is enforced at the hardware level using Pluton, a dedicated and isolated security processor that offers Trusted Platform Module 2.0, firmware protection and memory integrity protection.

In essence, this model treats every activity as untrusted until it is verified, using data points such as user identity, location, device health and behavioral anomalies. Other considerations include endpoint compliance, authentication methods, device policy optimization, public/private network filtering and segmentation, and continuous threat intelligence.

Zero trust relies on just-in-time and just-enough access: risk-adaptive policies grant end users only the permissions needed to complete a task, for only as long as they need them, rather than overprovisioning standing access.

Quick Assist Makes Remote Desktop Support Native for IT Admins

IT administrators no longer need separate remote support applications. Microsoft has built upon the Remote Desktop Client with Quick Assist baked into Windows 11.

Now, IT admins can sign in using Microsoft Account (MSA) or Azure AD and remotely assist enterprise or educational users via Quick Assist. Local AD authentication is not currently supported.


Hypervisor Shields Against Driver Vulnerabilities

Driver-based vulnerabilities are increasingly leveraged by malware like RobbinHood and Derusbi. Hypervisor-Protected Code Integrity (HVCI) blocks vulnerable drivers from being installed on Windows 11 endpoints and VDs by default.

If a vulnerable driver does get installed, a kernel-level blocklist prevents it from loading at device boot, giving a second line of defense.
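The hardware-rooted protections described in this section and the zero-trust section above (virtualization-based security, HVCI, the vulnerable driver blocklist and TPM 2.0) can be audited from PowerShell. The following script is an added example, not code from the article or from Microsoft; it uses only documented Windows interfaces (the Win32_DeviceGuard CIM class, the Get-Tpm cmdlet and the VulnerableDriverBlocklistEnable registry value) and assumes an elevated PowerShell session on Windows 11. The function name Get-Win11DriverProtectionStatus is this example's own.

```powershell
# Added example (not the article's or Microsoft's code): report whether the
# driver protections described above are actually running on this device.
# Assumes Windows 11 and an elevated PowerShell 5.1+ session.

function Get-Win11DriverProtectionStatus {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard reports virtualization-based security (VBS) state.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    $hvciRunning = $dg.SecurityServicesRunning -contains 2

    # Microsoft Vulnerable Driver Blocklist toggle (Windows Security > Core isolation).
    # A missing value means the OS default applies, so treat "absent" separately from "off".
    $ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
                  -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistState = switch ($blocklist) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { 'NotSet (OS default)' }
    }

    # TPM 2.0 presence and readiness underpin the hardware-rooted model.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        HvciRunning               = $hvciRunning
        VulnerableDriverBlocklist = $blocklistState
        TpmPresent                = [bool]$tpm.TpmPresent
        TpmReady                  = [bool]$tpm.TpmReady
    }
}

$status = Get-Win11DriverProtectionStatus
$status | Format-List

# Surface the gaps a defender would want to close first.
if ($status.VbsStatus -ne 2)   { Write-Warning 'Virtualization-based security is not running.' }
if (-not $status.HvciRunning)  { Write-Warning 'HVCI is not running; unsigned or vulnerable kernel code is not blocked by the hypervisor.' }
if (-not $status.TpmReady)     { Write-Warning 'TPM is not ready; hardware-backed attestation and key protection are unavailable.' }
```

Run it on a fleet through Intune remediation scripts or a scheduled task and collect the objects centrally; a device reporting VbsStatus 1 (enabled but not running) usually indicates a firmware setting such as virtualization extensions or Secure Boot left off.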

Local Security Authority and Config Lock Using MDM

Local Security Authority (LSA) is used to authenticate user credentials upon Windows login, including passwords and tokens for single sign-on. Protections have been bolstered for enterprise, as LSA only loads trusted, signed code to prevent credential theft.

Config Lock ensures device compliance much like a configuration management database configuration item would. MDM can detect configuration deviation via registry keys and automatically revert to the IT-desired state in seconds to maintain compliance with industry and corporate security baselines.
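Both the LSA protection described above and the Config Lock behaviour of detecting registry drift and reverting it can be illustrated locally. The script below is an added example and is not the article's code or Microsoft's Config Lock implementation; it is a stand-alone drift check and remediation over a small constructed baseline. The RunAsPPL value (LSA runs as a protected process) and the SmartScreen policy values are documented Windows settings; the baseline contents, function names (Test-BaselineDrift, Repair-BaselineDrift) and the choice of settings are this example's own. It assumes an elevated PowerShell session on Windows 11.

```powershell
# Added example (not the article's or Microsoft's code): detect drift from a
# security baseline stored in the registry and revert it, in the spirit of the
# Config Lock behaviour described above. Assumes Windows 11, elevated session.

# Constructed sample baseline. RunAsPPL = 1 enables LSA protection with the UEFI
# lock; Microsoft also documents 2 (enabled without the UEFI lock).
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL';             Type = 'DWord';  Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'EnableSmartScreen';    Type = 'DWord';  Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'ShellSmartScreenLevel'; Type = 'String'; Expected = 'Block' }
)

function Test-BaselineDrift {
    # Returns one record per baseline item with the current value and a Drifted flag.
    param([Parameter(Mandatory)][array]$Baseline)
    foreach ($item in $Baseline) {
        $actual = $null
        if (Test-Path -Path $item.Path) {
            $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name `
                       -ErrorAction SilentlyContinue).($item.Name)
        }
        [pscustomobject]@{
            Path     = $item.Path
            Name     = $item.Name
            Expected = $item.Expected
            Actual   = $actual
            Drifted  = ($actual -ne $item.Expected)   # $null counts as drift
        }
    }
}

function Repair-BaselineDrift {
    # Reverts drifted values to the baseline. Supports -WhatIf so the change can
    # be previewed before it is enforced.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][array]$Baseline)
    foreach ($d in (Test-BaselineDrift -Baseline $Baseline | Where-Object Drifted)) {
        $item = $Baseline | Where-Object { $_.Path -eq $d.Path -and $_.Name -eq $d.Name }
        if ($PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "set to '$($item.Expected)'")) {
            if (-not (Test-Path -Path $item.Path)) {
                New-Item -Path $item.Path -Force | Out-Null
            }
            Set-ItemProperty -Path $item.Path -Name $item.Name `
                             -Value $item.Expected -Type $item.Type
        }
    }
}

# Report, then preview remediation; drop -WhatIf to enforce.
Test-BaselineDrift -Baseline $Baseline | Format-Table -AutoSize
Repair-BaselineDrift -Baseline $Baseline -WhatIf
```

The drift report is worth logging even when remediation is automatic: a value that keeps reverting from its baseline is a signal that something on the device, a script, an installer or an attacker, is repeatedly changing security settings, which is the kind of event a SOC wants to see rather than silently correct.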

