Cybersecurity is one of the top risks facing businesses. Organizations are struggling to navigate the ever-evolving cyberthreat landscape, in which 600 million identity attacks are carried out daily.[1] The median time for a cyberattacker to access private data after a successful phish is 1 hour and 12 minutes, and nation-state cyberattacks are on the rise.[2] Organizations also face unprecedented complexity, which makes security jobs harder: 57% of organizations use more than 40 security tools, which requires significant resourcing and effort to integrate workflows and data.[3] These challenges are magnified by the global security talent shortage, with more than 4 million security jobs unfilled worldwide, by rising insider risks, and by the rapidly evolving regulatory landscape.[4] These cybersecurity challenges not only cause significant business disruption; they can also create devastating economic damage. The cost of cybercrime is expected to grow at 15% year over year, reaching $15.6 trillion by 2029.[5]
In November 2023, to address the evolution of the digital and regulatory landscape, and the unprecedented changes in the cyberthreat landscape, we announced the Microsoft Secure Future Initiative. The Secure Future Initiative (SFI) is a multiyear effort to revolutionize the way we design, build, test, and operate our products and services, to achieve the highest security standards. SFI is our commitment to improve Microsoft’s security posture, thereby improving the security posture of all our customers, and to work with governments and industry to improve the security posture of the entire ecosystem.

Last year, the Cybersecurity and Infrastructure Security Agency (CISA), through its “Secure by Design” pledge, called on the technology industry to prioritize security at every stage of product development and deployment. This approach of embedding cybersecurity in digital delivery from the outset is also reflected in the United Kingdom’s Government’s Cyber Security Strategy as well as in the Australian Cyber Security Centre (ACSC)’s “Essential Eight” mitigation strategies to protect against cyberthreats. Throughout this blog post, the term “Secure by Design” encompasses both “secure by design” and “secure by default.”
Microsoft committed to working toward key goals across a spectrum of Secure by Design principles advocated by numerous government agencies around the world. These goals aim to enhance security outcomes for customers by embedding robust cybersecurity practices throughout the product lifecycle. We continue to take our learnings, feed them back into our security standards, and operationalize them as paved paths that enable secure design and operations at scale. Our SFI updates provide examples of Microsoft’s progress in implementing secure by design, secure by default, and secure in operations principles, and share best practices based on Microsoft’s own experience, demonstrating our dedication to improving security for customers.
Keep reading to learn about the initiatives Microsoft has undertaken over the past 18 months to support secure by design objectives as part of SFI. The post is organized around our SFI principles to give our customers and partners an understanding of the robust security measures we are implementing to safeguard their digital environments.
Enhancing security with multifactor authentication and default password management
Phishing-resistant multifactor authentication provides the most robust defense against password-based cyberattacks, including credential stuffing and password theft. Microsoft’s work in this area includes promoting multifactor authentication among customers, implementing it as a default requirement for access, and participating in efforts to establish long-term standards in authentication.
In October 2024, Microsoft implemented mandatory multifactor authentication for the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. Since then, Microsoft has worked with our customers to reduce extensions and rapidly advance multifactor authentication adoption. A key achievement is our progress in eliminating passwords across products. Microsoft has introduced enhancements to streamline authentication and improve sign-in experiences, emphasizing usability and security. Users can now remove passwords from their accounts and use passkeys instead, addressing vulnerabilities and preventing unauthorized access.
On March 26, 2025, Microsoft launched a new sign-in experience for more than 1 billion users. By the end of April 2025, most Microsoft account users will see updated sign-in and sign-up user experience flows for web and mobile apps. This new user experience is optimized for a passwordless and passkey-first experience. Microsoft is also updating the account sign-in logic to make passkey the default sign-in choice whenever possible.
Additional examples of Microsoft improving authentication and how customers can learn from Microsoft’s approach and solutions include:
- Microsoft recommendations for organizations to get started deploying phishing-resistant passwordless authentication using Microsoft Entra ID.
- Security defaults make it easier to help protect against identity-related cyberattacks like password spray, replay, and phishing common in today’s environments. Learn more about preconfigured security settings available in Microsoft Entra ID.
- Microsoft’s Conditional Access uses identity-driven signals as part of access control decisions.
- To help prevent phishing, Microsoft added additional hardening to Windows Hello, the multifactor authentication solution built into Windows. Windows Hello has also been extended to support passkeys, an industry standard that we continue to evolve. With Hello and passkeys on Windows, much of the web can be protected with multifactor authentication, and people no longer need to choose between a simple sign-in and a safe sign-in.
- Learn how Microsoft is advancing decentralized identity standards and verifiable credentials.
- Following GitHub’s April 2024 update on a year of progress in pushing multifactor authentication adoption, further cohorts requiring multifactor authentication enablement have been rolled out in the past year. This effort continues to drive multifactor authentication utilization with almost 50% of contributing GitHub users having multifactor authentication enabled. Of those, more than 38% of users have two or more methods of two-factor authentication enabled and more than 3.6 million users have a passkey enabled on their account. Additionally, GitHub has pushed for best practices in multifactor authentication methods, and in November 2024 shipped enhancements to the management of multifactor authentication settings for organizations and enterprises that allow the restriction of insecure methods of multifactor authentication such as text messaging.
Reducing entire classes of vulnerabilities
Most exploited vulnerabilities today belong to classes that can often be mitigated at scale, such as SQL injection, cross-site scripting, and memory safety vulnerabilities. Governments aim to reduce these by encouraging companies to adopt practices like eliminating authorization validation logic mistakes, enabling the use of memory-safe languages, creating secure firmware architectures, and implementing secure administrative protections. The goal is to minimize exploitation risk by addressing systemic vulnerabilities at their root.
Our introduction of mandatory use of the Microsoft Authentication Library (MSAL) across all Microsoft applications helps ensure that advanced identity defenses, such as token binding, continuous access evaluation, and advanced application attack detections, are consistently implemented. This standardizes secure authentication processes, making it significantly harder for attackers to exploit identity-related vulnerabilities. MSAL enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs.
Microsoft is also committed to adopting memory-safe languages, such as Rust, for developing new products and transitioning existing ones. This approach addresses common vulnerabilities related to memory safety. Microsoft is investing heavily in memory-safe languages to enhance the safety of our code, and we are applying this approach to our security platform and other key areas like Microsoft Surface and Pluton security firmware.
In Windows 11, we’ve applied a secure by design strategy from the very first line of code. We have established a Hardware Security Baseline, which helps to ensure every Windows 11 PC has consistent hardware security forming a secure foundation. Windows 11 has secure by default settings and stronger controls for what apps and drivers are allowed to run. This is important as unverified apps and drivers lead to malware and script attacks. And most malware and ransomware apps are unsigned, which means they can be authored and distributed without being provably safe. For consumers and smaller organizations, Smart App Control is a new feature that uses cloud AI to enable millions of known safe apps to run, regardless of where you got them. For larger organizations, IT admins can layer on App Control for Business policies and deploy them using Intune.
With Windows powering business-critical solutions across a wide variety of customers, we are committed to helping ensure that Windows remains the most secure and reliable platform. At Microsoft Ignite in 2024, we announced the Windows Resilience Initiative, focused on enhancing the security and resilience of the Windows operating system. This involves implementing advanced security features, improving threat detection and response capabilities, and helping ensure that Windows can withstand and recover from cyberattacks. As part of the Windows Resilience Initiative, we are working to protect against common cyberattacks in addition to strengthening identity protection, as mentioned above.
As part of this we are addressing the long-standing challenge of overprivileged users and applications, which create significant risk. Yet many people do not want to give up admin control of their PC. To help strike the balance of admin privileges and security we are introducing Administrator protection (currently in Windows Insiders). Admin protection gives you the protection of standard user permissions by default, and when needed you can securely authorize a just-in-time system change using Windows Hello. Once the process has completed, the temporary admin token is destroyed. This means admin privileges do not persist. Admin protection will be disruptive to cyberattackers, as they no longer have elevated privileges by default, which will help organizations ensure they remain in control of Windows.
We are also collaborating with endpoint security partners to adopt safe deployment practices. This means all security product updates will be gradual, minimizing deployment risks and monitoring to help ensure any negative impact is kept to a minimum. Additionally, we are developing new Windows capabilities that allow security product developers to build their products outside of kernel mode, reducing the impact to Windows in the event of a security product crash.
Another key development is our secure by design user experience (UX) toolkit. Human error causes the majority of security breaches. The UX toolkit helps build more secure software and improve user security experiences. This toolkit represents a new way of thinking—where design and security aren’t siloed but are working together from the very beginning. Adopted internally and shared externally, the toolkit helps other software organizations in enhancing their security practices.
Other activities Microsoft has worked on to eliminate classes of vulnerabilities include:
- Continued support to enable developers to use the memory safe language Rust on Windows.
- Taking steps to mitigate Windows NT LAN Manager (NTLM) relay attacks by default against Exchange Server, Active Directory Certificate Services, and Lightweight Directory Access Protocol (LDAP).
- Zero Trust Domain Name System (DNS) preview expanded to include Windows 11 enterprise customers. This feature helps lock down devices so that they can only access approved network destinations.
- Use of a common firmware architecture across Surface embedded firmware products.
- Launch of the Windows 365 Link, which is the first Cloud PC device for Windows 365. Windows 365 Link eliminates local data and apps and has no local admin users and provides employees a way to more securely stream their Windows 365 Cloud PC.
- GitHub released CodeQL support for GitHub Actions workflow files. This new static analysis capability identifies common continuous integration and continuous delivery (CI/CD) flaws both in existing code bases and before they are introduced to help eliminate this class of vulnerabilities. Using this new feature, the GitHub Security Lab was able to help secure more than 75 GitHub Actions workflows in open source projects, disclosing more than 90 different vulnerabilities.
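As an added illustration (not code from this post or from GitHub’s own CodeQL queries) of one flaw class that workflow-file static analysis looks for, expression injection of attacker-influenced event data into `run:` scripts, here is a simplified scanner run over two constructed workflows, a vulnerable one and its hardened form that passes the value through an environment variable. The list of untrusted contexts and the line-based parsing are assumptions of this example, not CodeQL’s logic.

```python
import re

# Event contexts that someone outside the repository can influence (issue and
# PR titles/bodies, branch names, comments). Simplified list assumed for this
# example; a real analyzer tracks many more.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.head_ref",
    "github.event.comment.body", "github.event.commits",
)

EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")


def find_expression_injections(workflow_text):
    """Return (line_no, expression) for each ${{ }} expression that expands
    untrusted event data inside a `run:` script. Uses a light line scanner
    instead of a YAML parser so it runs without extra dependencies."""
    findings, in_run, run_indent = [], False, -1
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        key = stripped[2:] if stripped.startswith("- ") else stripped
        if key.startswith("run:"):
            in_run, run_indent, body = True, indent, key[len("run:"):]
        elif in_run and stripped and indent > run_indent:
            body = stripped                      # continuation of a `run: |` block
        elif in_run and stripped:
            in_run = False                       # back at key level: block ended
            continue
        else:
            continue
        for m in EXPR_RE.finditer(body):
            expr = m.group(1)
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((no, expr))
    return findings


# Constructed sample: the issue title is interpolated directly into the shell.
VULNERABLE = """\
name: greet
on: [issues]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "Actor: ${{ github.actor }}"
"""

# Hardened form: the value enters via env, so the shell never re-parses it.
HARDENED = VULNERABLE.replace(
    '        run: |\n          echo "New issue: ${{ github.event.issue.title }}"',
    '        env:\n          TITLE: ${{ github.event.issue.title }}\n'
    '        run: |\n          echo "New issue: $TITLE"')

if __name__ == "__main__":
    print("vulnerable:", find_expression_injections(VULNERABLE))
    print("hardened:  ", find_expression_injections(HARDENED))
```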
Boosting patch application rates
Timely and effective patch management is necessary for cybersecurity, as this is how we can reduce the window of opportunity for malicious actors to exploit software flaws.
Microsoft has made measurable increases in the installation of security patches, which we achieved by enabling automatic installation of software patches when possible and enabling this functionality by default, as well as by offering widespread support for these patches.
Microsoft continues to roll out major security updates on the second Tuesday of each month, known as Patch Tuesday. This regular schedule ensures that all systems receive timely updates to address critical vulnerabilities, thereby reducing the risk of exploitation by cyberattackers.
Building on this foundation, Microsoft has made significant strides in improving the update process with Windows 11. By reducing the number of required system restarts from 12 to four per year through the use of Hotpatch updates, we have further streamlined operations and encouraged organizations to remain compliant with patching requirements.
Other examples of our efforts to boost patch and security update rates include:
- Windows Hotpatch: Announced at Microsoft Ignite 2024, this provides a 60% reduction in time to adopt security updates, achieved by applying updates seamlessly without system restarts.
- Microsoft has emphasized the importance of clearly communicating the expected lifespan of products at the time of sale and investing in provisioning capabilities to ease customer transitions to supported versions when products reach the end of their lifecycle. This strategy ensures that customers are well-informed and can smoothly adapt to new technologies.
Adopting a Vulnerability Disclosure Policy (VDP) and Common Vulnerabilities and Exposures (CVE)
Coordinated vulnerability disclosure, a practice Microsoft adopted more than a decade ago, benefits both security researchers and software manufacturers by enabling collaboration to enhance product security. A VDP that authorizes public testing of products, commits to refraining from legal action against those who follow the VDP in good faith, provides a clear channel for reporting vulnerabilities, and permits public disclosure of vulnerabilities according to coordinated vulnerability disclosure best practices and international standards makes a real difference for cybersecurity. Additionally, manufacturers can demonstrate transparency by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every CVE record for the manufacturer’s products.
Our adoption of the CWE and CPE standards in every CVE record for our products is an important achievement. This transparency provides accurate and detailed information about vulnerabilities, facilitating timely and effective remediation. By issuing CVEs promptly for all critical or high-impact vulnerabilities, Microsoft demonstrates its commitment to maintaining a secure environment and protecting its customers from potential cyberthreats.
Another notable highlight is the publication of machine-readable Common Security Advisory Framework (CSAF) files, which provide a clear channel for reporting vulnerabilities and authorize public testing of Microsoft products. This fosters collaboration between security researchers and software manufacturers, enabling the identification and mitigation of vulnerabilities in a coordinated manner.
Other activities Microsoft has worked on to adopt VDP and CVE include:
Empowering customers to detect and document intrusions
Organizations should do more to detect cybersecurity incidents and understand their impact. To ensure they can do that, manufacturers should provide artifacts and evidence-gathering tools, like audit logs.
An example of Microsoft’s commitment in this area is our implementation of robust sensors and logs, enhancing detection of cyberthreats. This initiative provides customers with actionable insights into potential intrusions, enabling swift responses and risk mitigation.
Other activities Microsoft has worked on to empower customers to detect and document intrusions include:
- Microsoft Purview has expanded its audit logging and retention periods, among other security enhancements, to increase security visibility and incident response capabilities for cloud-based services.
- Microsoft Security Copilot offers prebuilt promptbooks to automate security-related tasks, such as incident investigations, user analysis, and threat intelligence assessments, enhancing efficiency and accuracy in cybersecurity operations.
- Microsoft has provided detailed guidance on implementing the United States Department of Defense (DoD) Zero Trust Strategy, with activities categorized into target and advanced phases to achieve full Zero Trust adoption by 2032.
- Microsoft’s Expanded Cloud Logs Implementation Playbook provides detailed guidance on operationalizing new logging capabilities in Microsoft Purview Audit (Standard).
- Microsoft has published a whitepaper on lessons learned from red teaming more than 100 generative AI products at Microsoft. The whitepaper highlights the importance of understanding AI systems, breaking them without computing gradients, and the necessity of human involvement in AI red teaming, among other topics.
- GitHub shipped enhanced capabilities to the GitHub audit log to provide customers with increased visibility of API events and features to enable enterprise management, automation, and integration.
[1] Microsoft Digital Defense Report 2024.
[2] Microsoft Digital Defense Report 2022.
[3] IDC North America Tools and Vendors Consolidation Survey, 2023.