
After the CrowdStrike outage, Microsoft plans a major security hardening of Windows in 2025

2024/11/20 19:07

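Following this summer's CrowdStrike outage, which crippled millions of computers, Microsoft has announced major improvements to Windows security and resilience.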


Microsoft has announced a major hardening of Windows security in 2025, following the CrowdStrike outage this summer, which bricked millions of computers.


The July incident left IT admins unable to remotely fix PCs, which were stuck in a boot loop. By early 2025, the Windows Insider community will be able to test the new Quick Machine Recovery feature.


This remote recovery tool allows the execution of targeted Windows Update fixes on PCs even when they are unable to boot, “without needing physical access to the PC.”


“This remote recovery will unblock your employees from broad issues much faster than has been possible in the past,” promises David Weston, Vice President of Enterprise and OS Security at Microsoft.


Multiple changes are pushing apps and users out of admin privileges. Microsoft sees overprivileged users and applications as one of its longstanding challenges.


Windows has a new Administrator protection solution in preview, where standard user permissions are set by default. When users need to make system changes that require admin rights, such as installing an app, they’ll be prompted to securely authorize the change using the secure login system Windows Hello.

Security will be improved by creating a temporary isolated admin token to get the job done.


“This temporary token is immediately destroyed once the task is complete, ensuring that admin privileges do not persist. Administrator protection helps ensure that users, and not malware, remain in control of system resources,” Weston said in a blog post.


Any potential attackers will be disrupted as they will no longer have automatic, direct access to the kernel or other critical system resources without specific authorization.


Microsoft says that even security solutions should stay out of the kernel.


“We are developing new Windows capabilities that will allow security product developers to build their products outside of kernel mode. This means security products, like anti-virus solutions, can run in user mode just as apps do,” Weston explains.


In July 2025, Microsoft will make a private preview of the change available for the security product ecosystem. The hope is that this change will provide a high level of security while also affecting Windows less in the event of crashes and mistakes.


Under the new initiative, partners will be required to roll out security product updates gradually, leveraging deployment rings as well as monitoring, to ensure any negative impact from updates is kept to a minimum.

According to the 2024 Microsoft Digital Defense Report, token theft incidents that abuse user privileges have grown to 39,000 per day.

Microsoft suggests that businesses use Smart App Control policies to eliminate attacks such as malicious attachments and social-engineered malware.


“IT admins can simply select the ‘signed and reputable policy’ template in the app control wizard. This enables millions of verified apps to run regardless of the deployment location. Line of business apps unknown to Microsoft can be easily added by the IT admin through policy changes or via Microsoft Intune managed app deployments.”


The new, more secure Windows printing system works without extra third-party drivers.


Windows Preview also contains Hotpatch, a new ‘revolutionary feature’ that allows businesses to apply critical security updates without requiring a system restart. Linux systems have had live patching for around a decade now.

“Hotpatch in Windows is being introduced for Windows 11 Enterprise 24H2 and Windows 365,” Weston said.


Hotpatch will shorten the time to adopt critical security updates “by up to 60% from the moment a security update is offered.”


Microsoft also believes the new feature will reduce the number of required system restarts from 12 times a year to just four.


There are many other security features that Microsoft plans on highlighting at Ignite 2024.


The tech giant is adopting safer programming languages, gradually moving functionality from C++ implementation to Rust.


To protect credentials, the built-in MFA solution Windows Hello has been further hardened and extended to support passkeys. Users no longer need to choose between a simple sign-in and a safe sign-in. Windows Hello is also being used to protect Recall and Personal Data Encryption.


Microsoft also provides more encryption options, such as Personal Data Encryption for known folders. When enabled, a device administrator won’t be able to view file content until authenticated with Windows Hello.


IT admins can restrict access to unapproved domains and block outbound traffic using the IP addresses, thanks to the Zero Trust DNS solution, which was introduced in May 2024. It blocks all outbound traffic by default, except essential services.


The new Config feature is available now and allows admins to automatically fix settings that may have been changed accidentally by other users or apps.


News source: cybernews.com
