MS Build 2026: Windows to be safer
- Authors: aimode.news (@aimode_news)
At the Microsoft Build 2026 developer conference, the company is introducing its most relevant innovations for developers. But there are also innovations that directly concern the users of the Windows operating systems themselves and relate to IT security.
An overview post in the Windows blog lists various changes that help developers in particular. At the end of the article, however, there are also innovations intended to make Windows safer for everyone. Most of them can already be tested in Windows Insider Previews. The authors of the post explain that Microsoft now wants to expand the support of post-quantum cryptography (PQC) on the Windows platform and anchor it more deeply. This includes PQ hybrid key exchange in the Windows TLS stack as well as support for composite PQC algorithms in the Windows cryptography APIs (CNG). Active Directory Certificate Services (ADCS) will now be able to distribute PQ certificates. A blog post in the Microsoft Tech Community provides deeper insights for interested readers.
Help with the NTLM phase-out
NTLM (NT LAN Manager) is a security nightmare. Google's subsidiary Mandiant now provides assistance in cracking NTLM hashes, which significantly affects the security of Windows networks with NTLM authentication. The next version of Windows Server is no longer supposed to support NTLM. Until then, Microsoft's developers are working to enforce safer default settings and to close off known attack vectors against the outdated authentication protocol. In Windows Insider Preview (WIP) builds, server and client can now be configured with “IAKerb” and “LocalKDC” via registry keys. This is intended to reduce the use of NTLM and allow the use of stronger Kerberos-based authentication in additional scenarios. A post in the Windows IT Pro blog also provides deeper insights.
To ensure that Windows only loads trusted drivers, Microsoft now requires a stricter certification process. By default, Windows only loads drivers that were signed through the Windows Hardware Compatibility Program (WHCP). The developers have been testing this in the first Windows Insider Previews since March. Specifically, this means that Windows no longer loads drivers that were signed in the cross-signed root program. Behind this is a mechanism by which certificate authorities (CAs) trust the public keys of other CAs; Windows no longer accepts such cross-signed root certificates.
Microsoft also highlights that Smart App Control, for end users and in its business variant, protects Windows devices from untrusted apps. Without going into further detail, the company says that reputation-based enforcement is to be strengthened and that new APIs for integration and policy-based control are coming for the enterprise environment.
(dmk)
