Your Windows 11 PC is doing a lot to keep you safe from the myriad of threats in today's digital age. These risks come from malicious apps, phishing, snooping on unencrypted traffic, and even loopholes at the local PC administrator level.

Below, we look at some of Microsoft's cutting-edge security innovations integrated directly into Windows 11.

Smart App Control (SAC)


Smart App Control is a feature that works to stop threats and potentially unwanted apps at the process level, before they can cause damage to your PC. It does this using a cloud-powered AI service that predicts whether the app you are trying to run is safe.

As per Microsoft: If the service believes the app to be safe, Smart App Control will allow it to run. If the app is believed to be malicious or potentially unwanted, then Smart App Control will block it. If the service cannot make a confident prediction about the app, then Smart App Control checks to see if the app has a valid signature.

Type "Smart App Control" in the search box in the Start menu to access the system settings.

It's worth noting that there is currently no way to bypass or whitelist protection for individual apps aside from turning the feature off. Turning Smart App Control off is also permanent unless you factory reset or perform a clean installation of Windows 11.


Also, to use Smart App Control on a PC already running Windows 11, you will need to start from a clean slate.

Because Smart App Control is tightly woven into the core of the OS, it will only be enabled on a clean installation of Windows 11 or, optionally, on a fully up-to-date, factory-reset installation of Windows 11.

DNS Over HTTPS (DoH)


By default, Domain Name System (DNS) requests are sent over a plaintext UDP or TCP connection. This inherently makes traditional unencrypted DNS traffic vulnerable to eavesdropping and spoofing.

DNS over HTTPS adds encryption at the transport layer: it wraps the DNS query inside a standard HTTPS request, so the query and its response travel inside the encrypted HTTPS session instead of in plaintext.

Put simply, this means that your DNS queries and their corresponding responses will be indistinguishable from all other HTTPS traffic on the network.

Windows 11 now supports DNS over HTTPS configuration at the network level, as shown below.

How to Configure DNS Over HTTPS on Windows 11

If you'd like to enable this feature on your PC, here's how:

  1. Click Start and go to Settings > Network & internet.
  2. Click on either your Wi-Fi or Ethernet connection.
  3. Click on Hardware properties.
  4. Click Edit on DNS server assignment.
  5. Switch to Manual on the Edit DNS settings popup.
  6. Turn on either the IPv4 or IPv6 toggle. Note: IPv4 is the standard and is mandatory for accessing most websites. IPv6 is newer and can be configured optionally in conjunction with IPv4.
  7. Enter the primary IP address of your DNS server in the Preferred DNS field.
  8. Enter the secondary IP address of your DNS server in the Alternate DNS field.
  9. Select On (automatic template) in both DNS over HTTPS dropdown fields and click Save.
  10. You should see (Encrypted) listed next to your IPv4 or IPv6 DNS server properties.
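The same configuration done from an elevated PowerShell prompt with the Windows 11 DnsClient cmdlets. This is an added example, not code from the article; it assumes the adapter is named 'Wi-Fi' and uses Quad9, which is already in Windows' built-in DoH template list (substitute your own resolver and adapter name).

```powershell
# Added example (not from the article): apply the DoH steps above with the
# Windows 11 DnsClient cmdlets. Run from an elevated PowerShell prompt.
# Assumptions: the adapter is called 'Wi-Fi' and Quad9 is the chosen resolver.
$InterfaceAlias = 'Wi-Fi'                        # use 'Ethernet' for a wired adapter
$Resolvers      = '9.9.9.9', '149.112.112.112'   # preferred, alternate

# Step 9 depends on the "automatic template": Windows only encrypts queries to
# resolvers it already has a DoH template for. Check ours are in that list.
$known = Get-DnsClientDohServerAddress
foreach ($ip in $Resolvers) {
    $entry = $known | Where-Object ServerAddress -eq $ip
    if (-not $entry) {
        throw "No DoH template for $ip. Register one first with Add-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate https://<your-resolver>/dns-query -AllowFallbackToUdp `$False -AutoUpgrade `$True"
    }
    # AutoUpgrade makes the client use DoH for this resolver on every adapter;
    # AllowFallbackToUdp $False refuses to drop back to plaintext UDP if DoH fails,
    # which is the setting that actually closes the eavesdropping/spoofing gap.
    Set-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $entry.DohTemplate `
        -AllowFallbackToUdp $False -AutoUpgrade $True
}

# Steps 5-8: switch the adapter to manual DNS with the preferred and alternate resolvers.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Resolvers
Clear-DnsClientCache

# Step 10 equivalent of the "(Encrypted)" label: Windows reports the template
# and fallback state it will use for each resolver.
foreach ($ip in $Resolvers) { netsh dns show encryption server=$ip }

# Sanity check that name resolution still works through the new configuration.
Resolve-DnsName -Name example.com -Server $Resolvers[0] -Type A
```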

Secured-Core PC Configuration Lock

One of the many challenges facing an administrator in an enterprise organization is the process of maintaining security policies across multiple devices.

For instance, a user with local admin rights may change a setting and put the device out of sync with security policies. This creates what is known as "configuration drift."

With this in mind, Microsoft's Secured-Core PC configuration lock enables administrators to enforce security policies on their secured-core PC (SCPC) corporate devices.

Secured-Core PC configuration lock works by monitoring specific registry keys related to the secured-core PC configuration on the client operating system. If configuration drift is detected, whether the settings were misaligned intentionally or unintentionally, the changes are reverted within seconds.

Secured-Core PC configuration lock isn't enabled by default on Windows 11 or turned on during boot. Instead, it is managed separately by an administrator using Microsoft Intune.

You can check out step-by-step documentation provided by Microsoft for enabling Secured-Core PC configuration lock.

Enhanced Phishing Protection


Microsoft's Enhanced Phishing Protection works within the Microsoft Defender SmartScreen ecosystem. It was introduced in Windows 11, version 22H2.

Enhanced Phishing Protection is Microsoft's answer to the ever-growing threat of bad actors trying to steal sensitive user data, like passwords. It aims to protect a user's organizational or school Windows 11 password when typed into a potentially unsafe website or app.


The feature protects the integrity of a user's password in three ways.

  • Malicious apps and sites: If you type your password into any website or app deemed malicious by Microsoft Defender SmartScreen, you will receive an alert as well as a prompt to change your password. Currently, this feature is limited to Chromium-based browsers such as Microsoft Edge, Google Chrome, and Opera.
  • Password reuse: Enhanced Phishing Protection will warn you if it detects that your Windows 11 password was reused on another website or app. This is irrespective of whether the website or app in question is deemed to be malicious or not.
  • Password storage: If you store your Windows 11 password in Notepad, Word, or any Microsoft 365 Office app, Enhanced Phishing Protection will warn you and recommend that you delete your password from the file.

It's easy for administrators to set up and configure Enhanced Phishing Protection. It can be configured in Microsoft Intune, Group Policy Objects via the Group Policy Editor, or as a Configuration Service Provider with an MDM service.
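An added example, not from the article, showing the Group Policy side of that configuration: the three protections listed above map to separate policy values, so an administrator can audit a device for drift against the intended state and enforce it. The registry path and value names are those of the WebThreatDefense policy (the WTDS key); treat them as assumptions to verify against current Microsoft documentation before deploying.

```powershell
# Added example (not from the article): audit and enforce the Enhanced Phishing
# Protection policy values. Assumed path/value names from the WebThreatDefense
# policy CSP; verify against current Microsoft documentation. Run elevated.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'

# Desired state: 1 = enabled. Each value corresponds to one protection above.
$Desired = [ordered]@{
    ServiceEnabled      = 1   # turn Enhanced Phishing Protection on
    NotifyMalicious     = 1   # password typed into a SmartScreen-flagged site or app
    NotifyPasswordReuse = 1   # Windows password reused on another site or app
    NotifyUnsafeApp     = 1   # password stored in Notepad, Word or an Office app
}

function Get-PhishingProtectionDrift {
    # Returns one row per setting, flagging any value that differs from $Desired.
    foreach ($name in $Desired.Keys) {
        $current = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting = $name
            Desired = $Desired[$name]
            Current = $current            # $null when the policy is not set
            Drift   = ($current -ne $Desired[$name])
        }
    }
}

function Set-PhishingProtectionPolicy {
    # Writes the desired state as DWORD policy values (takes effect via policy refresh).
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $Key -Name $name -Value $Desired[$name] -Type DWord
    }
}

$report = Get-PhishingProtectionDrift
$report | Format-Table -AutoSize
if ($report | Where-Object Drift) {
    Write-Warning 'Enhanced Phishing Protection policy has drifted; enforcing desired state.'
    Set-PhishingProtectionPolicy
    gpupdate /target:computer /force | Out-Null
}
```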

Windows 11 Protects From Risky Business

As the world transitions more and more to hybrid, remote, and new ways of working, the imperative will always be security. Organizations and everyday people alike cannot afford their sensitive data to get into the wrong hands. Microsoft is pushing the envelope with Windows security and leveraging the latest tech in a bid to keep us safe.