MEM Employee and Student Communications at the OS Level
Internal communications can be ignored or forgotten, especially once employees or students log out of enterprise or educational social media or an intranet solution.
Targeted messages in Windows 11 address this. From Microsoft Endpoint Manager (MEM), IT admins can push messages that surface directly in the Windows 11 interface rather than in a separate app or portal; each message carries its text and links so the user can act on it without signing in anywhere else. The audience is defined by Microsoft Azure Active Directory (Azure AD) group membership.
Enhanced Phishing Detection and Protection
In response to the worldwide shift to hybrid work, Microsoft has strengthened phishing detection and protection in Windows 11; the same endpoint-protection effort also covers malware, ransomware, data loss prevention and attacks on physically accessible devices. Enhanced Phishing Protection in Microsoft Defender SmartScreen watches in real time for a user's Windows, work or school password being typed into an application or website that SmartScreen rates as malicious or untrusted (or reused on another site), and warns the user at that moment. IT admins configure the behavior through the SmartScreen Group Policy settings or Microsoft Intune.
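The following PowerShell, added here as an example and not taken from the article or from Microsoft, writes the Enhanced Phishing Protection settings to their Group Policy registry location on a single Windows 11 machine and then audits them, which is what you would script for a lab device before rolling the same settings out through Intune. Assumptions: the registry path and value names follow the SmartScreen ADMX / WebThreatDefense CSP as documented for Windows 11 22H2 and should be checked against your own ADMX before deploying at scale, and the feature only protects users who sign in with a password rather than Windows Hello.

```powershell
# Added example: configure and audit Enhanced Phishing Protection via the
# Group Policy registry location. Run as administrator on Windows 11 22H2+.
# Assumption: this path and these value names mirror the SmartScreen ADMX /
# WebThreatDefense CSP; confirm against your ADMX before wide deployment.
$EppPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'

# Desired state: 1 = enabled for every setting.
$EppDesired = @{
    ServiceEnabled      = 1   # master switch for Enhanced Phishing Protection
    NotifyMalicious     = 1   # warn when the password goes to a malicious site or app
    NotifyPasswordReuse = 1   # warn when the Windows/work password is reused elsewhere
    NotifyUnsafeApp     = 1   # warn when the password is typed into an unsafe app (e.g. Notepad)
}

function Set-EnhancedPhishingProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable]$Desired = $EppDesired)

    if (-not (Test-Path $EppPolicyPath)) {
        New-Item -Path $EppPolicyPath -Force | Out-Null
    }
    foreach ($name in $Desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$EppPolicyPath\$name", "set to $($Desired[$name])")) {
            New-ItemProperty -Path $EppPolicyPath -Name $name -PropertyType DWord `
                -Value $Desired[$name] -Force | Out-Null
        }
    }
}

function Test-EnhancedPhishingProtection {
    param([hashtable]$Desired = $EppDesired)

    # Read back what is actually in the registry and report drift per setting.
    $current = Get-ItemProperty -Path $EppPolicyPath -ErrorAction SilentlyContinue
    foreach ($name in ($Desired.Keys | Sort-Object)) {
        $actual = if ($null -ne $current) { $current.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Desired[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Desired[$name])
        }
    }
}

Set-EnhancedPhishingProtection -WhatIf    # preview; drop -WhatIf to apply
Set-EnhancedPhishingProtection
Test-EnhancedPhishingProtection | Format-Table -AutoSize
```

The audit function is the useful half: run it from your endpoint management tooling as a compliance check so a device that has been re-imaged or had its policy removed shows up as non-compliant rather than silently losing the warnings.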
READ MORE: 5 Questions to ask before higher ed adopts Windows 11.
Simplified Endpoint Management via a Zero-Trust Security Model
Microsoft has announced a zero-trust security model for Windows 11 Enterprise that is rooted in hardware. On supported systems the Microsoft Pluton security processor, integrated into the CPU package rather than attached as a separate chip, provides Trusted Platform Module 2.0 functionality, keeps keys and credentials isolated from the rest of the system, and receives its firmware updates through Windows Update; memory integrity is enforced separately by hypervisor-protected code integrity (covered below).
In essence, the model treats every request as untrusted until it is verified, using signals such as user identity, location, device health and behavioral anomalies. Other considerations include endpoint compliance, authentication methods, device policy optimization, public/private network filtering and segmentation, and continuous threat intelligence.
Zero trust grants just-in-time and just-enough access: risk-adaptive policies give end users the permissions they need to complete a task, for as long as they need them, instead of standing, overprovisioned rights.
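As an added example that is not part of the article, the PowerShell below expresses the "verify device health, adapt to risk" part of this model as two Azure AD Conditional Access policies created through Microsoft Graph: a baseline that admits a Windows sign-in only from an Intune-compliant device with MFA, and a step-up that re-prompts and shortens the session when the sign-in is rated risky. It assumes the Microsoft.Graph PowerShell SDK, an existing Intune compliance policy for Windows, an Azure AD P2 license for sign-in risk, and a break-glass group whose ID is a placeholder you must replace; both policies are created in report-only mode so nothing is blocked until you have reviewed the sign-in logs.

```powershell
# Added example (not from the article or from Microsoft): report-only
# Conditional Access policies for compliant-device + MFA and risk-based step-up.
# Assumptions: Microsoft.Graph SDK installed, Intune compliance policy exists,
# Azure AD P2 for signInRiskLevels. Group ID below is a placeholder.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access accounts

# Conditions shared by both policies: everyone except break-glass, all apps, Windows only.
$baseConditions = @{
    users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
    applications   = @{ includeApplications = @('All') }
    platforms      = @{ includePlatforms = @('windows') }
    clientAppTypes = @('all')
}

$policies = @(
    @{
        # Baseline: the device must be one Intune reports as compliant AND the
        # user must pass MFA; that is the "just enough" trust to reach any app.
        displayName   = 'ZT-01 Require compliant Windows device and MFA'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $baseConditions
        grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
    },
    @{
        # Risk-adaptive: when Identity Protection rates the sign-in medium or
        # high risk, require MFA again and cap the session at one hour.
        displayName     = 'ZT-02 Step-up on risky sign-in'
        state           = 'enabledForReportingButNotEnforced'
        conditions      = $baseConditions + @{ signInRiskLevels = @('medium', 'high') }
        grantControls   = @{ operator = 'AND'; builtInControls = @('mfa') }
        sessionControls = @{ signInFrequency = @{ isEnabled = $true; type = 'hours'; value = 1 } }
    }
)

$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($existing | Where-Object DisplayName -eq $p.displayName) {
        Write-Host "Policy '$($p.displayName)' already exists; skipping."
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' state=$($created.State) id=$($created.Id)"
}

# Review the report-only results in the sign-in logs, then switch each policy's
# state to 'enabled' one at a time.
Get-MgIdentityConditionalAccessPolicy -All | Select-Object DisplayName, State | Format-Table -AutoSize
```

The break-glass exclusion is not optional: a compliant-device requirement applied to every account will lock out administrators the moment Intune, the device or the compliance evaluation misbehaves, and report-only mode is what lets you find out how often that would have happened before you enforce it.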
Quick Assist Makes Remote Desktop Support Native for IT Admins
IT administrators no longer need a third-party remote support application for day-to-day help-desk sessions. Building on Remote Desktop technology, Microsoft has baked Quick Assist into Windows 11 so that a support engineer can view and, with the user's consent, control the user's screen.
IT admins sign in to Quick Assist with a Microsoft Account (MSA) or an Azure AD account and then remotely assist enterprise or educational users. Authentication against on-premises Active Directory is not currently supported.
LEARN MORE: To prevent ransomware attacks, understand the zero-trust model.
Hypervisor Shields Against Driver Vulnerabilities
Vulnerable drivers are increasingly abused by malware such as RobbinHood and Derusbi, which load a legitimately signed but exploitable driver in order to run code in the kernel. Windows 11 counters this in two layers. Hypervisor-Protected Code Integrity (HVCI, shown in Windows Security as "memory integrity") runs the kernel-mode code integrity checks inside a hypervisor-isolated environment, so only properly signed, policy-allowed drivers and kernel code can execute even if the rest of the kernel is compromised; it is enabled by default on new Windows 11 endpoints and VDs.
Even when a vulnerable driver is already present on disk, the Microsoft vulnerable driver blocklist, enforced in the kernel by the code integrity policy, prevents known-vulnerable drivers from loading at boot or afterwards, and logs the attempt.
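The PowerShell below is an added example, not part of the article, that checks both layers on a Windows 11 device: whether virtualization-based security and HVCI are actually running (not just configured), whether the vulnerable driver blocklist has been explicitly turned on or off, and which driver images Code Integrity has blocked or would have blocked recently. It assumes the `Win32_DeviceGuard` CIM class, the `CI\Config` registry value and the Code Integrity event IDs 3076/3077 as Microsoft documents them for WDAC; the only write is the opt-in function, which takes effect after a reboot.

```powershell
# Added example: audit memory integrity (HVCI) and the vulnerable driver
# blocklist, and surface recent blocked-driver events. Read-only except for
# Enable-VulnerableDriverBlocklist. Run as administrator.
function Get-KernelIntegrityStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $ci  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $raw = $ci.VulnerableDriverBlocklistEnable
    # The value is the explicit override; when absent, the platform default
    # applies (on for new Windows 11 2022 Update installs and HVCI devices).
    $blocklist = if ($raw -eq 1) { 'On (explicit)' }
                 elseif ($raw -eq 0) { 'Off (explicit)' }
                 else { 'Not set (platform default)' }
    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured            = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        VulnerableDriverBlocklist = $blocklist
    }
}

function Get-BlockedDriverEvents {
    param([int]$Days = 7)
    # Code Integrity logs 3077 when a file is blocked by policy and 3076 when it
    # would have been blocked in audit mode; keep only driver images (.sys).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\.sys' } |
    Select-Object TimeCreated, Id, Message
}

function Enable-VulnerableDriverBlocklist {
    # Explicit opt-in for devices where the platform default is off; reboot required.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name VulnerableDriverBlocklistEnable -PropertyType DWord -Value 1 -Force | Out-Null
}

$status = Get-KernelIntegrityStatus
$status | Format-List
if ($status.VulnerableDriverBlocklist -eq 'Off (explicit)') {
    Write-Warning 'Vulnerable driver blocklist has been disabled; run Enable-VulnerableDriverBlocklist and reboot.'
}
if (-not $status.HvciRunning) {
    Write-Warning 'HVCI is not running; an incompatible driver or missing virtualization support is the usual cause.'
}
Get-BlockedDriverEvents | Format-Table -AutoSize
```

A 3077 event naming a driver on a production machine deserves a ticket rather than an exception: it means something tried to load a driver the blocklist knows to be exploitable, and the process that attempted the load is the thing to investigate.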
Local Security Authority and Config Lock Using MDM
The Local Security Authority (LSA) authenticates users at Windows sign-in and holds the credentials, including passwords and the tokens used for single sign-on, that credential-theft tools target. Windows 11 strengthens LSA protection for enterprise devices: LSA runs as a protected process and loads only trusted, signed code, so an untrusted process cannot inject into it or read credentials out of its memory.
Config Lock keeps a device in its required configuration, much as a configuration management database tracks the desired state of a configuration item. On Secured-core PCs, the MDM-enforced lock detects deviation from the managed security settings through their registry keys and reverts them to the IT-defined state within seconds, maintaining compliance with industry and corporate security baselines.
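As an added example rather than anything from the article, the PowerShell below shows the rollout sequence a practitioner would use for LSA protection on devices where it is not already on by default: enable audit mode, review which plug-ins would have been rejected, then enforce, and confirm at the next boot that LSASS really started protected. It assumes the `RunAsPPL` and `AuditLevel` registry values, the Code Integrity event IDs 3065/3066 and the Wininit event ID 12 as Microsoft documents them for LSA protection; all changes need a reboot and administrator rights.

```powershell
# Added example: audit, enforce and verify LSA protection (LSASS as a
# protected process). Not from the article. Run as administrator; reboot
# after each change for it to take effect.
$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$AuditPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Enable-LsaProtectionAudit {
    # AuditLevel 8: log LSA plug-ins and drivers that would fail the protected
    # process signature check, without blocking them yet.
    if (-not (Test-Path $AuditPath)) { New-Item -Path $AuditPath -Force | Out-Null }
    New-ItemProperty -Path $AuditPath -Name AuditLevel -PropertyType DWord -Value 8 -Force | Out-Null
}

function Get-LsaAuditFindings {
    param([int]$Days = 14)
    # 3065: a driver/plug-in failed the check and was blocked; 3066: it would
    # have been blocked (audit mode). Each one names a component to fix or replace.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3065, 3066
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Enable-LsaProtection {
    param([switch]$WithoutUefiLock)
    # RunAsPPL 1 = protected and also persisted in a UEFI variable (needs
    # Secure Boot; cannot be undone remotely). 2 = protected without the UEFI
    # lock (Windows 11 22H2+), which is easier to roll back if a plug-in breaks.
    $value = if ($WithoutUefiLock) { 2 } else { 1 }
    New-ItemProperty -Path $LsaPath -Name RunAsPPL -PropertyType DWord -Value $value -Force | Out-Null
}

function Test-LsaProtection {
    $cfg = (Get-ItemProperty -Path $LsaPath -ErrorAction SilentlyContinue).RunAsPPL
    # Wininit event 12 in the System log is written when LSASS starts as a
    # protected process; its absence after a reboot means enforcement failed.
    $started = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunAsPPL            = $cfg
        ProtectedAtLastBoot = [bool]$started
        LastProtectedStart  = $started.TimeCreated
    }
}

# Typical rollout: audit for a couple of weeks, clear the findings, then enforce.
Enable-LsaProtectionAudit
Get-LsaAuditFindings | Format-Table -AutoSize
# Enable-LsaProtection -WithoutUefiLock   # uncomment once the audit log is clean
Test-LsaProtection
```

Start with the non-UEFI-locked mode on anything you manage remotely: a device whose UEFI lock rejects a legitimate but unsigned authentication package has to be fixed at the firmware console, not from the help desk.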