Microsoft's latest Windows hardening guidance and key dates



 Microsoft Support:

Change log

Change date: March 10, 2024
Change description: Revised the Monthly timeline adding more hardening related content and removed the February 2024 entry from the timeline as it is not hardening related.

Introduction

Hardening is a key element of our ongoing security strategy to help keep your estate protected while you focus on your job. Increasingly creative cyberthreats target weaknesses anywhere possible, from the chip to the cloud. Have you seen our publications on hardening on the Windows message center? Some of those recently enforced include DCOM authentication hardening and Netjoin: domain join hardening. Let's review vulnerable areas that are undergoing hardening in the upcoming months.

Note: This article will be updated over time to provide the latest information about hardening changes and timelines. Last updated: March 10, 2024.

Hardening changes at a glance

Review the visual timeline to focus on the specific changes that are of interest to you. Find the details for each phase below.

Hardening changes in 2023


Figure 1: A visual timeline of the hardening changes taking place in 2023.

Hardening changes in 2024


Figure 2: A visual timeline of the hardening changes taking place in 2024.

Hardening changes by month

Consult the details for all upcoming hardening changes by month to help you plan for each phase and final enforcement.

April 2024

  • Secure Boot bypass protections KB5025885 | Phase 3

    Third Deployment phase. This phase will add additional boot manager mitigations. This phase will start no sooner than April 9, 2024.

October 2024 or later

  • Secure Boot bypass protections KB5025885 | Phase 3

    Mandatory Enforcement phase. The revocations (Code Integrity Boot policy and Secure Boot disallow list) will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled.

February 2025 or later

  • Certificate-based authentication KB5014754 | Phase 3

    Full Enforcement mode. If a certificate cannot be strongly mapped, authentication will be denied.


 Source:

 

From the top of the "source" link...

Image1.png


Point of no return dates... :-)

Image1.png
 
I meet all of their requirements, it seems that Microsoft does not want their users to dual boot with anything but a MS Product.
 

I meet all of their requirements, it seems that Microsoft does not want their users to dual boot with anything but a MS Product.

If you're referring to Secure Boot and Linux... Linux supports this already, and if your distro does not, then switch to something else.
 

I meet all of their requirements, it seems that Microsoft does not want their users to dual boot with anything but a MS Product.

If you're referring to Secure Boot and Linux... Linux supports this already, and if your distro does not, then switch to something else.

I don't know why you would bother dual booting anything anymore when Virtual Machines are so powerful and work quite well.
 

I've never used Secure Boot and hopefully still won't have to....
 

I don't know why you would bother dual booting anything anymore when Virtual Machines are so powerful and work quite well.

For hardware acceleration. In Hyper-V it is nearly impossible to get HW acceleration. And in many other VMs you need a dedicated GPU for passthrough or a translation layer, which makes it quite a bit slower. Nothing beats native experience, not even the best virtual machines.
 

For hardware acceleration. In Hyper-V it is nearly impossible to get HW acceleration. And in many other VMs you need a dedicated GPU for passthrough or a translation layer, which makes it quite a bit slower. Nothing beats native experience, not even the best virtual machines.

For sure nothing beats native, but I doubt most people are doing something in another dual boot OS that needs to be super intensive or something. I use VMware Player and it is pretty fast in everything I do.
 

Hardening is achieved by the Virtual Interface Application Generating Robust Access.
 
