Best new Windows 10 security features: Improvements to Intune, Windows Defender Application Guard

Here's what you need to know about each security update to Windows 10 as they roll out from Microsoft. Now updated for the 21H1 feature release.


With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.

Windows 10 21H1

The May 2021 release of Windows 10 may be the most stable Windows 10 release ever. Between the pandemic and the larger changes expected in the next version of Windows, this release is almost anticlimactic. If you are already on 2004 or 20H2, the install will be fast and should not cause any major issues.

If you have never used Windows Server Update Services (WSUS) or Intune to approve and manage feature releases to Windows 10, this is a good release to test the process with. Look for “Feature Update to Windows 10 Version 21H1 x64-based systems 2021-05 via Enablement Package” and approve it in your WSUS console to upgrade to 21H1. In a sign that this release is not major, the Windows ADK for 2004 and 20H2 still works for 21H1.
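If you would rather script the WSUS approval than click through the console, the following is an added example (not from the article) that locates the 21H1 enablement package among unapproved updates and approves it for a pilot computer group only. It assumes the UpdateServices module that ships with the WSUS console, that it runs on the WSUS server itself over the default port 8530, and that a target group named “Pilot” already exists; the group name is an assumption.

```powershell
# Added example: find the 21H1 enablement package in WSUS and approve it for a
# pilot ring. Requires the UpdateServices module (installed with the WSUS console).
Import-Module UpdateServices

function Approve-FeatureUpdateForPilot {
    param(
        [string]$WsusServer   = 'localhost',   # assumption: run on the WSUS server itself
        [int]   $Port         = 8530,          # default non-SSL WSUS port
        [string]$TitlePattern = 'Feature Update to Windows 10 Version 21H1*Enablement Package*',
        [string]$TargetGroup  = 'Pilot',       # assumption: an existing WSUS computer group
        [switch]$Commit                        # without -Commit the function only reports
    )
    $wsus = Get-WsusServer -Name $WsusServer -PortNumber $Port

    # Only updates nobody has approved yet, filtered on the enablement-package title.
    $candidates = Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Any |
        Where-Object { $_.Update.Title -like $TitlePattern }

    if (-not $candidates) {
        Write-Warning "No unapproved update matched '$TitlePattern'. Has WSUS synchronized since Patch Tuesday?"
        return
    }

    foreach ($u in $candidates) {
        '{0}  created {1}  KB {2}' -f $u.Update.Title,
                                      $u.Update.CreationDate,
                                      ($u.Update.KnowledgebaseArticles -join ',')
        if ($Commit) {
            # Approve for installation on the pilot group only; broaden the group later.
            $u | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup
        }
    }
}

Approve-FeatureUpdateForPilot            # dry run: list what would be approved
# Approve-FeatureUpdateForPilot -Commit  # approve for the Pilot group
```

Run it without -Commit first; if more than one title matches (for example both x64 and ARM64 packages), tighten the pattern before approving.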

Servicing stack changes

As with 20H2, Windows 10 21H1 bundles the monthly servicing stack update (SSU) with the latest cumulative update, so you no longer need to approve and install the servicing stack first when you manually approve updates. The two install together, and the experience matches what clients serviced directly by Windows Update already see.

Windows Intune changes

For organizations moving to cloud-only management, Intune is maturing as a potential replacement for WSUS, with Windows Update for Business handling patching instead of WSUS. If you have Windows 10 Professional, you can use Group Policy to deploy the Windows Update for Business settings. If you have Microsoft 365 E3 or higher, you can manage the same settings through Intune. Microsoft’s documentation covers Intune’s patch-management capabilities and the additional features it offers.

Windows Hello

Multi-camera support has been added to 21H1, which allows users to choose an external camera priority when external and internal Windows Hello-capable cameras are present.

Windows Defender Application Guard

Windows Defender Application Guard (WDAG) performance has been improved to reduce document opening times, in particular when opening a file over a universal naming convention (UNC) path or a server message block (SMB) share. Separately, robocopy performance is improved when copying large files.

What’s been removed

The biggest change between 21H1 and its predecessors is the removal of the original, EdgeHTML-based Edge browser. The Chromium-based Edge is now the recommended browser for the Windows 10 ecosystem. Microsoft will also retire the Internet Explorer 11 desktop application on most Windows 10 releases in June 2022. This does not affect LTSC (Long-Term Servicing Channel, formerly LTSB) versions of Windows, which will still support IE. While the browser itself will no longer launch, the underlying MSHTML engine remains in the operating system so that legacy desktop applications that embed it keep working, and sites that still need IE can be opened in Edge’s IE mode.

For those who love the WMI command line (WMIC), 21H1 marks the beginning of the end. The WMIC tool is deprecated in Windows 10 version 21H1 and in the 21H1 semi-annual channel release of Windows Server. It is superseded by Windows PowerShell’s CIM cmdlets (Get-CimInstance and friends). WMI itself is not affected.
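The PowerShell replacements for a few everyday wmic invocations, as an added example that is not part of the article. The remote query uses a CIM session over WinRM (wmic used DCOM), and the remote host name is an assumption.

```powershell
# Added example: Get-CimInstance equivalents of common wmic queries, plus a check
# for whether wmic.exe is still present on the box.

function Get-InstalledHotfixes {
    # wmic qfe list brief
    Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Select-Object HotFixID, InstalledOn, Description |
        Sort-Object InstalledOn -Descending
}

function Get-ProcessCommandLines {
    param([string]$Name = '%')          # WQL LIKE pattern; '%' matches everything
    # wmic process where "name like 'powershell%'" get processid,name,commandline
    Get-CimInstance -Query "SELECT ProcessId, Name, CommandLine FROM Win32_Process WHERE Name LIKE '$Name'" |
        Select-Object ProcessId, Name, CommandLine
}

function Get-RemoteOsBuild {
    param([string]$ComputerName = 'ws-01.corp.example')   # assumption: a reachable host with WinRM enabled
    # wmic /node:"ws-01" os get caption,version,buildnumber
    $session = New-CimSession -ComputerName $ComputerName
    try {
        Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem |
            Select-Object PSComputerName, Caption, Version, BuildNumber, LastBootUpTime
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

function Test-WmicPresent {
    # Deprecated does not mean removed: on 21H1 this still returns $true.
    # It returns $false once wmic.exe has been removed from the image.
    [bool](Get-Command -Name wmic.exe -ErrorAction SilentlyContinue)
}

Get-InstalledHotfixes | Select-Object -First 5
Get-ProcessCommandLines -Name 'powershell%'
Test-WmicPresent
```

The CIM cmdlets return typed objects rather than text columns, so the usual wmic habit of parsing whitespace-separated output goes away, and WQL filtering happens on the target rather than after the fact.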

Windows 10 20H2

Microsoft’s Windows 10 feature release for the second half of 2020, called 20H2, is a small incremental release on top of version 2004 (the May 2020 Update). The naming changed to align with the Windows Insider channel releases. You can move from any older version of Windows 10 to the 20H2 release. If you move from 2004, the installation is quick because 20H2 is an enablement package that switches on code already installed. Installing from any older release takes longer because it goes through the normal in-place upgrade and staging process.

Microsoft has also released a draft of the security baseline documents for 20H2. (Security baselines for Edge are released separately as you can install it separately from the operating system.)

Version 20H2 is supported through May 10, 2022, for Home, Pro, Pro Education, Pro for Workstations and IoT Core, and through May 9, 2023, for Enterprise, Education and IoT Enterprise.

Chromium-based Edge browser

The major change in 20H2 is the inclusion of Microsoft’s new Edge browser based on the Chromium engine. To download the Group Policy files to control the new Edge in your environment, go to the Edge for business web page. Click the drop-down menu item “Select Channel/Build”, then choose the version of Edge you plan to use. Next, select the platform from the drop-down menu and select your operating system. Click on “Get policy files” to download the Cabinet (CAB) Group Policy files you need to manage Edge.

Service stack update changes

Deployment of servicing stack updates has changed with 20H2. You no longer have to look for and approve servicing stack updates separately from the latest cumulative update. Servicing stack updates keep the Windows 10 update machinery itself healthy. Before 20H2, if you used Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM) or another patching platform, you had to find and approve the latest cumulative update and then separately find and approve the servicing stack update released that month (if there was one). If both were not approved, you risked patching failures on the operating system. Now both are delivered in one update, matching the streamlined process consumers already had.

DisableAntiSpyware setting

In 20H2 Microsoft has deprecated the DisableAntiSpyware setting. When Microsoft Defender Antivirus detects another antivirus product registered with the operating system, it now turns itself off (or drops to passive mode) automatically, so the registry setting is no longer needed. Note that if you deploy Windows Server or Long Term Servicing Branch (LTSB) versions, you might still need this setting or have to disable antivirus tools manually, as those versions do not detect every antivirus vendor.
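Because DisableAntiSpyware was also the setting malware reached for to switch Defender off, it is worth checking whether it is still lying around and what mode Defender is actually in. The following is an added example, not the article’s, using the Defender module that ships with Windows 10 and the Security Center WMI namespace that Defender consults before going passive.

```powershell
# Added example: report the deprecated DisableAntiSpyware policy value alongside
# Defender's real running mode and the antivirus products registered with Windows.

function Get-DefenderModeReport {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $legacy = (Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware

    # Get-MpComputerStatus comes from the Defender module present wherever Defender is installed.
    $status = Get-MpComputerStatus

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        LegacyDisableAntiSpyware = if ($null -eq $legacy) { 'not set' } else { $legacy }  # 1 = someone still sets it
        AMRunningMode            = $status.AMRunningMode   # Normal / Passive Mode / SxS Passive Mode / EDR Block Mode / Not running
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        TamperProtected          = $status.IsTamperProtected
        SignatureAgeDays         = $status.AntivirusSignatureAge
    }
}

function Get-RegisteredAntivirus {
    # Products registered with Windows Security Center. This namespace exists on
    # client SKUs only; on Windows Server it returns nothing, which is exactly why
    # the automatic hand-off described above does not work there.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, pathToSignedProductExe, timestamp
}

Get-DefenderModeReport
Get-RegisteredAntivirus
```

A host that reports LegacyDisableAntiSpyware = 1 together with AMRunningMode = Normal shows the deprecation in action: the old key is present but ignored. A host with the key set and no third-party product registered is the one to look at more closely.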

Microsoft Defender Application Guard for Office

The 20H2 release also includes support for Microsoft Defender Application Guard for Office. With this enabled, untrusted Office documents sent from outside of your organization automatically open in an isolated sandbox. This prevents malicious content from compromising your system. You will need a Microsoft 365 E5 license to fully implement this solution.

Expanded Windows Sandbox policies

Windows Sandbox can now be controlled through Group Policy and Intune (MDM) policies. The additional policies include:

  • WindowsSandbox/AllowAudioInput allows you to enable or disable audio input to the Sandbox.
  • WindowsSandbox/AllowClipboardRedirection allows you to enable or disable sharing of the host clipboard with the sandbox.
  • WindowsSandbox/AllowPrinterRedirection allows you to enable or disable printer sharing from the host into the Sandbox.
  • WindowsSandbox/AllowVGPU allows you to enable or disable virtualized GPU for Windows Sandbox.
  • WindowsSandbox/AllowVideoInput allows you to enable or disable video input to the Sandbox.
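The policies above set the ceiling for what a sandbox may share with the host; the per-launch .wsb configuration file can only restrict further, never re-enable something a policy disallows. The following is an added example (not from the article) that writes a locked-down .wsb file disabling every redirection the policies govern, plus networking, and maps in a single read-only folder holding the file to be examined. The folder and output paths are assumptions.

```powershell
# Added example: generate a Windows Sandbox configuration that disables audio,
# video, clipboard, printer and GPU sharing as well as networking, maps one
# host folder in read-only, and launches it.
# Windows Sandbox itself is enabled with:
#   Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM

function New-LockedDownSandboxConfig {
    param(
        [string]$HostFolder = 'C:\Quarantine',         # assumption: folder containing the untrusted file
        [string]$OutFile    = "$env:TEMP\locked.wsb"   # assumption: where to write the config
    )
    if (-not (Test-Path $HostFolder)) { throw "Host folder '$HostFolder' does not exist." }

    # Element names are those of the .wsb schema; 'Disable' is the restrictive value for each.
    $config = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostFolder</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@
    Set-Content -Path $OutFile -Value $config -Encoding UTF8
    return $OutFile
}

function Start-LockedDownSandbox {
    param([string]$HostFolder = 'C:\Quarantine')
    $wsb = New-LockedDownSandboxConfig -HostFolder $HostFolder
    # .wsb files are associated with WindowsSandbox.exe, so Start-Process opens the sandbox.
    Start-Process -FilePath $wsb
}

New-LockedDownSandboxConfig     # writes the file and prints its path
# Start-LockedDownSandbox       # launch the sandbox with the folder mapped read-only
```

Networking is the one item here with no matching policy in the list above; disabling it in the .wsb file keeps a detonated sample from calling home while you look at it. Leave clipboard redirection off too, since the clipboard is the easiest path for content to leave the sandbox.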

Biometric authentication via Windows Hello

Windows Hello can now run fingerprint and face sensor processing inside a virtualization-based isolated environment, which further protects the user’s biometric data and the integrity of the authentication decision.

Four new security settings

Four new Group Policy settings in 20H2 are an interesting mix, and one addresses a vulnerability that has been in the headlines.

The first new setting is “Domain controller: Allow vulnerable Netlogon secure channel connections”. It exists because of the Zerologon vulnerability (CVE-2020-1472), which has been patched. Once the patches are applied to your domain controllers and enforcement is on, devices that cannot use a secure Netlogon channel are refused; this setting lets you define exceptions for non-compliant devices that otherwise could no longer connect to the domain. It is located at “Machine”, then “Security Options”.
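Before you populate that exception list, you need to know which machine accounts and trusts are still making vulnerable Netlogon connections. Patched domain controllers log this in the System event log under the NETLOGON source. The following is an added example (not from the article) to run on a domain controller; the event IDs are the ones Microsoft documented for CVE-2020-1472, while the regular expression used to pull the account name out of the message text is an assumption about the message layout.

```powershell
# Added example: summarize Netlogon secure-channel events on a domain controller
# so you know which devices would break under enforcement and which ones are
# being allowed only because of the exception policy.

function Get-VulnerableNetlogonClients {
    param([int]$Days = 30)

    $meaning = @{
        5827 = 'Denied: machine account used a vulnerable secure channel'
        5828 = 'Denied: trust account used a vulnerable secure channel'
        5829 = 'Allowed (initial deployment phase): vulnerable machine account'
        5830 = 'Allowed by exception policy: machine account'
        5831 = 'Allowed by exception policy: trust account'
    }

    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = [int[]]$meaning.Keys
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: message text contains "Machine SamAccountName: <name>" or "Trust Name: <name>".
            $account = if ($_.Message -match '(?:SamAccountName|Trust Name):\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Meaning = $meaning[$_.Id]
                Account = $account
            }
        } |
        Group-Object -Property EventId, Account |
        ForEach-Object {
            [pscustomobject]@{
                EventId  = $_.Group[0].EventId
                Account  = $_.Group[0].Account
                Count    = $_.Count
                LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
                Meaning  = $_.Group[0].Meaning
            }
        } |
        Sort-Object EventId, Account
}

function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection = 1 turns enforcement on ahead of Microsoft's schedule;
    # absent or 0 means the DC is in the initial deployment phase and only logs 5829.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $params -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    if ($null -eq $value) { 'not set (deployment phase)' } else { $value }
}

Get-NetlogonEnforcementState
Get-VulnerableNetlogonClients -Days 30 | Format-Table -AutoSize
```

Event 5829 entries are your to-do list: each account listed there either needs a patched or replacement device, or a deliberate entry in the exception policy. Once enforcement is on, anything left over shows up as 5827/5828 and stops working, and the 5830/5831 counts tell you how large your exception list really is.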

The next new setting is “Turn off cloud optimized content”. This is located at “Machine” then “Windows Components\Cloud Content”.

Another new setting relating to Windows Update is “Disable Safeguards for Feature Updates”. Microsoft blocks feature updates to systems that are not able to properly deploy the feature releases. This setting allows you to override that block. It is located at “Machine” and then at “Windows Components\Windows Update\Windows Update for Business”.

The final new setting is “Configure the inclusion of Edge tabs into Alt-Tab”. It is located at “User” and then at “Windows Components\Multitasking”.

Windows 10 2004

Microsoft released Windows 10 2004 to developers and volume-licensing customers in mid-May 2020 and then to the general public at the end of May. Many organizations are on 1903 and have not moved to 1909. Version 2004 has new security features that might make an upgrade worthwhile.

Windows 10 2004 is a spring feature release, so it has an 18-month servicing window from its release date. Version 1909 will be supported until May 11, 2021 for Home, Pro, Pro Education and Pro for Workstations editions, and until May 10, 2022 for Education and Enterprise editions; the dates were extended in response to the impact of the pandemic. Unlike 1909, which was an enablement package switching on code already present in 1903, version 2004 is a new build that does not share its code base with 1903/1909, so it installs as a full in-place upgrade and is a more impactful feature release than 1909, even though it was built to minimize update processing time.

Windows Hello

Windows 10 version 2004 emphasizes passwordless technology and lets you use Windows Hello biometric sign-in instead of a password. To turn this on, launch “Settings”, click “Accounts” and then “Sign-in options”. Under “Require Windows Hello sign-in for Microsoft accounts”, select “On”. Once enabled, the password option disappears from the sign-in screen on that device for Microsoft accounts and Hello is used instead.

Windows Hello lets users sign in with their face, iris, fingerprint or a PIN. Which methods are available depends on the hardware in the device: a Hello-capable camera, iris sensor or fingerprint reader. The biometric template is stored only on the device, and the keys Hello unlocks are protected by the TPM where one is present, so no biometric data is sent to Microsoft or your directory. Confirm that your hardware supports Windows Hello before deploying it.

Windows Defender Application Guard upgrades

Windows Defender Application Guard is a security tool originally developed for Microsoft’s EdgeHTML-based Edge browser. It protects users by isolating content from untrusted or potentially dangerous sites in a hardware-backed container. In Windows 10 2004 Pro or Enterprise, Application Guard also works with the new Chromium-based Edge and allows Edge extensions to run inside the container. Prior versions let you create Application Guard policies only on Enterprise edition; version 2004 allows Application Guard policies on Windows 10 Pro as well, specifically for the new Edge.

Windows Update Delivery Optimization

Microsoft has enhanced Delivery Optimization to give you more control over the bandwidth used during Windows 10 updates. In addition to the existing percentage-of-bandwidth limits, you can now set an absolute cap (in Mbps) at which Delivery Optimization throttles itself, so update downloads use network resources more predictably.

[Screenshot: Delivery Optimization settings]
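The same caps can be pushed as policy rather than set per device in the Settings app. The following is an added example, not from the article, that writes the Delivery Optimization policy values (download mode and absolute bandwidth caps) to the policy registry key the Group Policy ADMX uses, then reads back what the client is actually doing with the built-in DeliveryOptimization module. The chosen cap values are assumptions.

```powershell
# Added example: set Delivery Optimization to LAN-only peering with absolute
# bandwidth caps, then report per-file download sources.
# DODownloadMode: 0 = HTTP only, 1 = LAN peers, 2 = group peers, 3 = internet peers, 100 = bypass.

function Set-DeliveryOptimizationCaps {
    param(
        [int]$DownloadMode      = 1,      # LAN-only: never fetch update content from internet peers
        [int]$MaxBackgroundKBps = 2048,   # assumption: roughly 16 Mbps for background downloads
        [int]$MaxForegroundKBps = 8192    # assumption: roughly 64 Mbps for user-initiated downloads
    )
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Value names match the DeliveryOptimization policy CSP / ADMX; bandwidth values are in KB/s.
    Set-ItemProperty -Path $key -Name DODownloadMode                   -Value $DownloadMode      -Type DWord
    Set-ItemProperty -Path $key -Name DOMaxBackgroundDownloadBandwidth -Value $MaxBackgroundKBps -Type DWord
    Set-ItemProperty -Path $key -Name DOMaxForegroundDownloadBandwidth -Value $MaxForegroundKBps -Type DWord

    Get-ItemProperty -Path $key |
        Select-Object DODownloadMode, DOMaxBackgroundDownloadBandwidth, DOMaxForegroundDownloadBandwidth
}

function Get-DeliveryOptimizationReport {
    # Per-file view from the client's own cache: how much came over HTTP versus from peers.
    Get-DeliveryOptimizationStatus |
        Select-Object FileId, DownloadMode, Status, BytesFromHttp, BytesFromPeers, PercentPeerCaching
}

Set-DeliveryOptimizationCaps              # requires an elevated prompt
Get-DeliveryOptimizationReport | Format-Table -AutoSize
```

If Get-DeliveryOptimizationReport shows DownloadMode still set to a value you did not configure, the policy has not been applied yet; Delivery Optimization reads policy when the service starts, so a restart of the DoSvc service or a reboot picks it up.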

Controlling rebooting

Microsoft has long struggled to make updates more dependable and faster to install. The company claims that user downtime during feature updates for version 2004 has been reduced to about 20 minutes and requires just one reboot. Update processing is optimized when the computer has adequate resources. Even with these changes, it is still recommended to give your Windows 10 devices SSD storage and enough RAM for the function they perform. Unless the device is purpose built, I recommend at least 8GB of RAM.

Resetting the PC

Microsoft has made resetting a Windows 10 PC much faster. Previously, Reset this PC rebuilt the installation from the local image, or you had to mount an ISO. Windows 10 2004 adds the option to download fresh media from Microsoft as part of the reset. However, the cloud reset will not work if any of the following optional features are installed:

  • EMS and SAC Toolset for Windows 10
  • IrDA infrared
  • Print Management Console
  • RAS Connection Manager Administration Kit (CMAK)
  • RIP Listener
  • All RSAT tools
  • Simple Network Management Protocol (SNMP)
  • Windows Fax and Scan
  • Windows Storage Management
  • Wireless Display
  • WMI SNMP Provider
[Screenshot: Reset this PC now offers a cloud download option]

The cloud download option can use more than 4GB of data, so plan accordingly.

Windows Subsystem for Linux 2

A new version of Windows Subsystem for Linux (WSL) ships in 2004. Unlike WSL 1, which translated Linux system calls onto the Windows kernel, WSL 2 runs a real Linux kernel supplied by Microsoft inside a lightweight utility virtual machine. This improves compatibility and file-system performance. The new version runs ELF64 Linux binaries on Windows. Individual Linux distros can run as either WSL 1 or WSL 2 distros, can be converted in either direction at any time, and WSL 1 and WSL 2 distros can run side by side.
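Listing your distros with their WSL version and converting the stragglers is a two-command job, but wsl.exe has one quirk worth knowing: it writes UTF-16LE to the console, so piping its output into PowerShell string handling produces mangled text unless the console encoding is switched first. The following is an added example (not from the article) that handles that and converts any WSL 1 distro to WSL 2; the conversion only runs with -Commit.

```powershell
# Added example: enumerate WSL distros and move WSL 1 distros to WSL 2.

function Get-WslDistros {
    $previous = [Console]::OutputEncoding
    try {
        # wsl.exe emits UTF-16LE; without this the parsed names contain NUL characters.
        [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
        wsl.exe --list --verbose |
            Select-Object -Skip 1 |                 # drop the "NAME  STATE  VERSION" header
            Where-Object { $_.Trim() } |
            ForEach-Object {
                # Lines look like "* Ubuntu-20.04    Running    2"; the asterisk marks the default distro.
                $isDefault = $_.StartsWith('*')
                $parts = ($_ -replace '^\*', ' ').Trim() -split '\s+'
                [pscustomobject]@{
                    Name    = $parts[0]
                    State   = $parts[1]
                    Version = [int]$parts[2]
                    Default = $isDefault
                }
            }
    }
    finally {
        [Console]::OutputEncoding = $previous
    }
}

function Convert-WslDistrosToV2 {
    param([switch]$Commit)
    $legacy = Get-WslDistros | Where-Object Version -eq 1
    if (-not $legacy) { 'All distros are already WSL 2.'; return }

    foreach ($d in $legacy) {
        "{0} is WSL {1}" -f $d.Name, $d.Version
        if ($Commit) {
            # In-place conversion of the distro's root filesystem; can take minutes for large distros.
            wsl.exe --set-version $d.Name 2
        }
    }
}

Get-WslDistros | Format-Table -AutoSize
Convert-WslDistrosToV2            # report only
# Convert-WslDistrosToV2 -Commit  # actually convert
# wsl.exe --set-default-version 2 # make new installs WSL 2 by default
```

Conversion requires the Virtual Machine Platform optional feature and a rebooted machine, which is also what makes the WSL 2 distro show up as a separate VM to your endpoint tooling rather than as ordinary Windows processes.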

The new Microsoft Edge browser

While not part of Windows 10 2004, the new Edge browser based on Chromium should be included in your deployment plans. The major advantage of the new Edge is that it shares the Chromium foundation with Google’s Chrome, so any Chrome extensions you rely on can be installed in the new Edge as well.
