Following this summer's CrowdStrike outage that crippled millions of computers, Microsoft announces major improvements to Windows security and resilience
Microsoft has announced a major hardening of Windows security in 2025, following the CrowdStrike outage this summer, which bricked millions of computers.
The July incident left IT admins unable to remotely fix PCs, which were stuck in a boot loop. By early 2025, the Windows Insider community will be able to test the new Quick Machine Recovery feature.
This remote recovery tool allows the execution of targeted Windows Update fixes on PCs even when they are unable to boot, “without needing physical access to the PC.”
“This remote recovery will unblock your employees from broad issues much faster than has been possible in the past,” promises David Weston, Vice President of Enterprise and OS Security at Microsoft.
Multiple changes are pushing apps and users out of admin privileges. Microsoft sees overprivileged users and applications as one of its longstanding challenges.
Windows has a new Administrator protection solution in preview, where standard user permissions are set by default. When users need to make system changes that require admin rights, such as app installation, they’ll be prompted to securely authorize the change using the secure login system Windows Hello.
Security will be improved by creating a temporary isolated admin token to get the job done.
“This temporary token is immediately destroyed once the task is complete, ensuring that admin privileges do not persist. Administrator protection helps ensure that users, and not malware, remain in control of system resources,” Weston said in a blog post.
Any potential attackers will be disrupted as they will no longer have automatic, direct access to the kernel or other critical system resources without specific authorization.
Microsoft says that even security solutions should stay out of the kernel.
“We are developing new Windows capabilities that will allow security product developers to build their products outside of kernel mode. This means security products, like anti-virus solutions, can run in user mode just as apps do,” Weston explains.
In July 2025, Microsoft will make a private preview of the change available for the security product ecosystem. The hope is that this change will provide a high level of security while also affecting Windows less in the event of crashes and mistakes.
Under the new initiative, partners will be required to roll out security product updates gradually, using deployment rings and monitoring to keep any negative impact from updates to a minimum.
According to the 2024 Microsoft Digital Defense Report, token theft incidents, which abuse user privileges, have grown to 39,000 per day.
Microsoft suggests that businesses use Smart App Control policies to eliminate attacks such as malicious attachments and social-engineered malware.
“IT admins can simply select the ‘signed and reputable policy’ template in the app control wizard. This enables millions of verified apps to run regardless of the deployment location. Line of business apps unknown to Microsoft can be easily added by the IT admin through policy changes or via Microsoft Intune managed app deployments.”
The new, more secure Windows printing system works without extra third-party drivers.
Windows Preview also contains Hotpatch, a new ‘revolutionary feature’ that allows businesses to apply critical security updates without requiring a system restart. Linux systems have had live patching for around a decade now.
“Hotpatch in Windows is being introduced for Windows 11 Enterprise 24H2 and Windows 365,” Weston said.
Hotpatch will shorten the time to adopt critical security updates “by up to 60% from the moment a security update is offered.”
Microsoft also believes the new feature will reduce the number of required system restarts from 12 times a year to just four.
There are many other security features that Microsoft plans on highlighting at Ignite 2024.
The tech giant is adopting safer programming languages, gradually moving functionality from C++ implementation to Rust.
To protect credentials, the built-in MFA solution Windows Hello has been further hardened and extended to support passkeys. Users no longer need to choose between a simple sign-in and a safe sign-in. Windows Hello is also being used to protect Recall and Personal Data Encryption.
Microsoft also provides more encryption options, such as Personal Data Encryption for known folders. When enabled, a device administrator won’t be able to view file content until authenticated with Windows Hello.
Thanks to the Zero Trust DNS solution, which was introduced in May 2024, IT admins can restrict access to unapproved domains and block outbound traffic using IP addresses. It blocks all outbound traffic by default, except essential services.
The new Config feature is available now and allows admins to automatically fix settings that may have been changed accidentally by other users or apps.