Windows serves as the backbone of enterprises around the world, powering more than a billion devices and supporting millions of apps. However Microsoft acknowledges that apps are increasingly going rogue, overriding settings, installing additional components, or altering critical Windows capabilities without user awareness or approval.

In response, the tech giant plans to roll out what it calls a “consent‑first” model. This new default baseline will grant access only to explicitly approved apps, although users will retain full control to permit, deny, or reverse permission decisions. They will also be given full visibility into app and agent behavior.

“This is a direct response to real-world abuse of misconfigured endpoints, credential theft via user-level execution, and post-exploitation living-off-the-land techniques,” said Ensar Seker, CISO at SOCRadar.

More control, without losing transparency

With Windows Baseline Security Mode, runtime safeguards will be enabled by default and will only allow “properly signed” apps, services, and drivers to run. However, users and admins will be able to override these safeguards for specific apps when needed, and they will have visibility into what protections are active and whether any exceptions have been granted. The goal, Microsoft notes, is to help protect the system from “tampering or unauthorized changes.”

In addition, through new transparency and consent measures, users will receive prompts when apps attempt to access their sensitive data and resources, such as files, cameras, or microphones, or when they attempt to install other “unintended software.” Users can grant or deny app requests to access their protected data and hardware, and can also choose to revoke previously-granted permissions.

Microsoft calls this a “more consistent and intuitive approach” to how Windows communicates security decisions. The company says these new measures are a direct response to customers calling for “stronger, more consistent security foundations” in the company’s operating system (OS).

“Windows must both remain an open platform and be secure by default — protecting the integrity of your experience regardless of the apps installed,” Logan Iyer, Windows Platform developer, wrote in a blog post.

Microsoft emphasized that it has a “long-standing tradition as an open platform,” and will “continue to preserve what has made it successful: Freedom to install any app and openness to every developer.”

Microsoft is in early stages with partners, devs

Microsoft says it will roll out these new measures in a “phased approach guided by clear principles,” although the company doesn’t provide more specific details on what that will look like for enterprises, or when they might expect the changes to take effect. The tech giant declined to provide further details to Computerworld.

Microsoft did say that it will provide tools and APIs to streamline adoption, and give users and IT admins visibility into how apps and agents behave in their systems. Existing “well-behaved” apps will work as usual, giving devs “the time and runway” to adhere to stronger security and privacy measures. The company is working with developers and partners, including CrowdStrike, OpenAI, Adobe, 1Password, and Raycast, on these initiatives.

“Microsoft is moving security posture left and down the stack by making baseline protections the default rather than an opt-in,” noted SOCRadar’s Seker. What stands out, he noted, is the “[explicit pairing of a] hardened default configuration with user-visible transparency and consent,” rather than silent control enforcement.

“This signals a shift from ‘security by policy’ to ‘security by design and expectation,’ especially at the OS level where many organizations historically under-invest,” said Seker.

Baseline security is no longer invisible

David Shipley of Beauceron Security called Microsoft’s new security and visibility measures a great idea.

“This is going to help curtail a whole world of hurt that threat actors are able to access way too easily, which is a huge win,” he said. Default secure behavior is critical, particularly given the agentic AI gold rush, which would be 10 times worse if the standard was non-secure by default.

“I think it’s that agentic AI push that’s finally caused someone to go, ‘Hey we need to put this fire out before we start another one,’” said Shipley.

By locking down common attack paths early, Microsoft is aiming to reduce the blast radius of phishing, initial access malware, and unmanaged privilege escalation, noted SocRadar’s Seker. This is particularly important in hybrid work and BYOD-adjacent environments, where endpoint consistency is weak.

“The biggest advantage is eliminating the ‘secure but never deployed’ problem,” said Seker. On by default baselines can dramatically reduce time-to-protection and decision fatigue for IT teams, he noted.

However, he pointed out, enterprises must be wary of challenges with friction: legacy apps, power users, and niche workflows may break or require exceptions. And, if those exceptions aren’t tightly governed, the same security gaps may be recreated and become even more complex.

Leaders should treat this shift as a “forcing function” to clean up endpoint sprawl, undocumented dependencies, and informal admin privileges, Seker advised. Preparation means testing baselines in realistic pilot groups, mapping exception workflows in advance, and aligning helpdesk teams so security controls don’t roll back due to user pressure.

“Strategically, this is less about a Windows feature and more about accepting that baseline security is no longer optional or invisible,” said Seker.