We shared the Windows security vision and how that vision translates into new security enhancements in Windows 8.1 at the Black Hat conference this week. The upcoming Windows 8.1 update offers a full spectrum of new and improved security capabilities, from features that enable devices to be fully locked down by IT, to remote security options for BYOD devices, to safeguards for personal devices that need to access business resources outside of work.

Some high-level takeaways:

Trustworthy hardware. The Trusted Platform Module is a hardware security device or chip that’s a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We’re working to require TPM 2.0 on all devices by January 2015, which will help IT departments be confident that the devices their employees bring to work are fully capable of complying with corporate security policies.

Modern access control. With Windows 8.1, we’ve focused a lot of attention on the controls that IT departments can place on devices to restrict who can physically access a device. Windows 8.1 features first-class biometrics (go beyond swipe to capacitive full fingerprint), multifactor authentication for BYODs (more flexibility and control over how devices connect to internal networks), and trustworthy identities and devices (increased trustworthiness of PKIs that can be targeted by hackers).

Protecting sensitive data. Businesses can protect their data even when it resides on their employees’ personal devices through pervasive data encryption and remote data removal, which will allow an IT department to wipe corporate data off a BYOD device without affecting personal data.

Malware resistance. We’re continuing to step up our built-in malware resistance measures to stay ahead of attackers, with an improved Windows Defender that can detect certain bad behaviors in memory, the registry or the file system even before signatures have been created. Also, in Windows 8.1, there’s an API for Internet Explorer that enables anti-malware solutions to make a security determination before a binary extension is loaded (currently, malicious websites can sometimes access sensitive data by exploiting vulnerabilities in binary extensions such as ActiveX controls).

Dustin Ingalls, group program manager for Windows Security & Identity, shares more details over on the Windows blog.

Jennifer Chen
Microsoft News Center Staff