Enhancing Windows 11 security, accessibility, and management for enterprises

Harjit_Dhaliwal

Today, new innovations for Windows 11 will start to become available. Most of these new features will be enabled by default in the October 2023 optional non-security preview release for all editions of Windows 11, version 22H2 while others may roll out gradually. If you'd like the IT-managed devices in your organization to receive the latest features right away, you can enable optional updates using policy.

Now let's take a closer look at a few of these innovations and how they can benefit your organization.

Security enhancements


We're excited to announce enhanced management and capabilities for Windows Firewall! To help provide better overall protection, you can now:

  • Target Firewall rules to specific applications without an absolute file path in a secure way using Application Control for Business app ID tagging with Firewall rules via Microsoft Intune.
  • Configure network list manager settings to determine when a Microsoft Entra joined device is on your on-premises domain subnets. This helps ensure that Firewall rules are properly applied by using the network list manager settings for Firewall location awareness.
  • Configure more granular Firewall logging settings for domain, private, and public Firewall profiles.
  • Specify Firewall inbound and outbound rules for ICMP types and codes.

As I mentioned last week, the future is passwordless. You can now set a policy for Microsoft Entra joined devices so employees no longer see the option to enter a password when accessing company resources, both for device unlock as well as in-session authentication scenarios. This enables you to better protect user identities by removing the need to use passwords from day one. With Windows 11, version 22H2, employees can also easily set up passkeys with Windows Hello for Business to make signing in to websites or applications as simple as using their face, fingerprint, or PIN.

More tools in your device management toolbox


With the 2309 service release of Microsoft Intune, Mobile Application Management (MAM) for Windows is now generally available for Windows 11, version 22H2 devices. MAM is an option for users who don't enroll their personal devices, but still need access to organization email, Teams, and more. With MAM for Windows, you can better protect access to organizational data via Microsoft Edge on personal, unmanaged Windows devices by ensuring the device is protected and healthy before granting protected service access via Entra ID. Windows Security Center threat defense integration with Intune Application Protection Policies (APP) allows you to detect local health threats on personal devices. And, with Intune Application Configuration Policies (ACP), you can customize the org user experience in Microsoft Edge.

Inclusive and productive Windows experiences for everyone


Windows 11, version 22H2 is the most accessible version of Windows yet. Voice access now works right when you start your PC and can easily be turned on from the accessibility flyout box on the Lock screen. This means that employees can use voice access to sign in to their PCs and access other areas on the Lock screen. Also new in voice access is the ability to dictate intricate and non-standard words through the new spelling experience, and new corrections functionality that rectifies any incorrectly recognized words. Finally, voice access now works for apps that run with Microsoft Defender Application Guard.

Narrator has been expanded with 7 new natural voices to enhance the listening experience and make it more natural and enjoyable for Chinese Mandarin, French, German, Japanese, Korean, Portuguese, Spanish (Spain, Mexico), and English (UK and India). Once downloaded, Narrator works without an internet connection. It also now offers a more succinct and efficient reading experience in Microsoft Excel, prioritizing announcements based on what you need to skim a workbook.

We've also enhanced the built-in tools and apps workers love. With the Snipping Tool, you can now extract specific text content from an image to paste in another application. You can also easily protect sensitive information with text redaction by using text actions on the post capture screen. Notepad now automatically saves your session so you can close the app as needed and pick up where you left off when you return. It will also automatically restore previously open tabs as well as unsaved content and edits across those open tabs. And, for creators, we've enhanced Paint and Photos with AI capabilities to make drawing and photo editing a breeze.

In direct response to your feedback, this update includes "never combined" mode for taskbar items so employees can view application windows and labels on the taskbar separately. It also adds an enhanced volume mixer to Quick Settings to make it easier to customize the audio level for each app separately. Other system tray enhancements include the ability to hide the date and time, a "view notification" button for urgent notifications received when you turn on do not disturb, and the ability to diagnose network problems by right-clicking on the network icon.

And, of course, this update to Windows 11, version 22H2 features the first preview of Copilot in Windows. Copilot in Windows appears as a side bar on the right side of the screen, providing assistance when needed, but will not overlap with desktop content or block open app windows. It uses the same Microsoft account (MSA) or Microsoft Entra ID account used to sign in to Windows. Copilot in Windows will start to release in preview to select global markets as part of our latest update to Windows 11. The initial markets for the Copilot in Windows preview include North America and parts of Asia and South America. It is our intention to add additional markets over time.

If you'd like the managed devices in your organization to receive the latest features right away, you can use a policy to enable optional updates. For more details on availability, see Copilot in Windows and new Cloud PC experiences coming to Windows 11.

Windows 365 Boot and Windows 365 Switch now generally available


I'm happy to announce that Windows 365 Switch and Windows 365 Boot both reached general availability today!

Windows 365 Switch provides the ability to easily move between a Windows 365 Cloud PC and a local desktop using the same familiar keyboard commands, as well as a mouse-click or a swipe gesture. Windows 365 Switch also enables a seamless experience from within Windows 11 via Task view.

With Windows 365 Boot, employees can log directly into their Windows 365 Cloud PCs as the primary Windows experience on the device—with no additional steps. This is a great solution for shared devices, where logging in with a unique user identity can take you to your own personal and secure Cloud PC.

Presence experience improvements and increased options for OEMs


We are pleased to announce a new presence-enabled feature: Adaptive Dimming for Windows 11. Adaptive Dimming dims your screen if the presence sensor[1] detects you are no longer paying attention. This helps reduce energy usage and can function as an alert to re-focus attention.

Adaptive Dimming, Wake on Approach, and Lock on Leave are all powered by presence experiences—and your end users will be able to enable these experiences as part of the out of the box (OOBE) setup in Windows 11 going forward. Wake on Approach and Lock on Leave are also now integrated with security features like Windows Hello and Dynamic Lock in Settings.

Windows OEMs can now offer inbox presence features (including Adaptive Dimming, Wake on Approach, and Lock on Leave) on external monitors. We are also providing OEMs a way to extend the functionality of Inbox Presence sensor in a safe, secure manner. This will empower them to develop new presence enabled hardware and introduce new experiences that users will be able to discover in Settings.

Coming soon: Config Refresh


Threat actors often launch attacks designed to evade security measures by changing settings and system configurations. With Config Refresh, you can ensure that your settings are retained the way you configured them. Use the Windows settings catalog to set a cadence for Windows devices to reapply previously received policy settings, without requiring devices to check in to Intune—every 90 minutes by default, or every 30 minutes if desired. This protects against configuration settings being unexpectedly changed through either malicious software or registry edits. It also helps with settings in the Policy Configuration Service Provider (CSP) that drift due to misconfiguration. Config Refresh can be paused for a configurable period of time, after which it will be automatically re-enabled, or turned back on manually at any time by an IT administrator. Config Refresh is currently available to Windows Insiders and will be rolled out more broadly in the coming months.

Get familiar with the latest innovations


In addition to today's announcement from Yusuf Mehdi, you can find highlights from this wave of continuous innovation in the release notes. For more details on availability and rollout plans, see How to get the latest Windows 11 innovations.


Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.


[1] Hardware-dependent
