Best new Windows 10 security features: Biometric authentication, Edge browser

Here's what you need to know about each security update to Windows 10 as they roll out from Microsoft. Now updated for the 20H2 feature release.

1 2 3 4 5 Page 2
Page 2 of 5

Similar to earlier versions of Windows 10, ensuring that you are up to date on BIOS, driver and other hardware related updates is key to successful deployment of feature releases. Also review the Windows health release dashboard for known issues and blocking items. For example, Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. KB4529832 notes that unsupported Realtek Bluetooth radios will block a device from receiving 1909. You will need to update to driver version 1.5.1012 or later to remove this safeguard hold.

30-month support window for Enterprise

If you are running the Enterprise version of Windows 10, the 1909 version is supported for 30 months. If you want to skip the next two years of feature releases, you can.

Kiosk mode

Windows 10 1909 allows users to customize their experience in Kiosk mode. You now have the option to allow a user to switch to various languages while keeping a block on accessing networking settings.

Microsoft BitLocker key rolling

The Key-rolling or Key-rotation feature enables secure rolling of recovery passwords on devices connected to Azure Active Directory (AAD) and Microsoft Mobile Device Management (MDM) on demand from Microsoft Intune/MDM tools or when recovery password is used to unlock the BitLocker-protected drive. This feature helps prevent accidental recovery password disclosure during manual BitLocker drive unlock by users.

Windows 10 Pro and Enterprise in S mode

The Windows 10 in S mode platform has the potential to provide much more security. Similar to the mobile phone platform where the vendor vets and approves applications before they can be installed, S mode allows applications to be deployed only from the Microsoft Store. With 1909 you can deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, then deploy them with MDM software such as Microsoft Intune.

Windows Defender Credential Guard supports ARM

Windows Defender Credential Guard is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices. More new devices use CPUs based on the RISC (reduced instruction set computer) architecture developed by Advanced RISC Machines (ARM) rather than AMD or Intel. The old Surface RT device, for example, was based on the ARM architecture. Microsoft’s more recent Surface Pro X device is also based on the ARM processor.

Windows Sandbox supports multiple OS versions

Windows Sandbox, originally was released in Windows 10, Version 1903, is an isolated desktop environment where you can install software and any malicious activity can’t impact the device. In 1909, Microsoft has included support for mixed-version container scenarios, allowing Sandbox to be run in a different version of Windows 10 than the host operating system. You can now test on different versions of Windows.

Windows 10 1909 brings the fewest changes to Windows 10. That, quite honestly, is a good thing. Past releases haven’t been without issues. Having a quiet release may be just the thing that all IT administrators need to standardize on Windows 10 1909 sooner rather than later.

Windows 10 1903

Below is a summary of all the new security features and options in Windows 10 version 1903, which features Windows Defender Advanced Threat Protection (ATP) enhancements, more options for enterprises to defer updates, and Windows Sandbox, which provides a safe area to run untrusted software. Bookmark this article, because we will be adding new security features as Microsoft releases future Windows updates.

Now that Microsoft has officially released Windows 10 1903, there are key security enhancements to look for and that I think are exciting. Here are my top picks for the 1903 release.

Changes to Windows update

The changes to Windows update and Windows update for business include key abilities to control updates. You can pause updates for all versions of Windows, including Home. Home version users may pause any updates for seven days. Pro version users continue to have the option to defer feature releases up to 365 days. Windows provides more visual clues that an update is pending on reboot.

A small dot next to the power icon is a new visual clue that indicates an update will install when your computer reboots. Active hours will be more responsive to your actual working hours and not reboot the computer while you are using it.

There are changes in Windows update for Business. The terms of “Semi Annual Channel” and “Semi Annual Targeted” have been removed. No longer will there be a designation that Windows 10 1903 is ready for business. Instead, you determine your deferral period from when the release came out.

You will need to revisit your Windows update for business policies as a result and set a deferral to a point in time that you deem that you will be ready for Windows 10 1903. My recommendation is to set a deferral period to an extreme point in the future: Select 365 days for your deferral. Then when you are ready to deploy 1903, you can reset this value to 0 to trigger the installs. You will want to review your Windows Update for Business settings for the new changes in 1903.

Also new in 1903 is the fact that you no longer are mandated to use a diagnostic data level of Basic or higher to enforce configured policies in Windows update for Business. If your organization is privacy sensitive, you no longer have to ensure that you participate in diagnostics.

Threat protection

Microsoft is adding more protection to this version of Windows 10—specifically, the much anticipated Windows Sandbox feature. It allows you to run untrusted executables in an isolated environment on a desktop PC. When you close Windows sandbox, everything in it is erased so it’s clean the next time you use it.

Both Pro and Enterprise SKUs can benefit from this new feature. To use it, you must have the following:

  • Windows 10 Pro or Enterprise Insider build 18305 or later (1903)
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least two CPU cores (four cores with hyperthreading recommended)

You need to enable Windows Sandbox in Windows Features. If your machine does not have virtualization support, the feature will be greyed out. Once you’ve enabled Windows Sandbox, you will need to reboot your computer.

Now you have a built in virtual machine that will allow you to test malicious links without impacting your computer or, better yet, your network.

bradley 1903 2 Susan Bradley

Windows Sandbox

It is similar to the virtual Windows XP that many of us used to migrate from XP to Windows 7 with one major difference: It does not persist after you shut the virtual machine down.

Microsoft Defender ATP changes

Microsoft Defender ATP licensees will find many changes in this edition. You’ll need a Windows Enterprise license and an E5 Windows or E5 Microsoft 365 license. New offerings include:

  • Attack surface area reduction: You can now specify allow and deny lists for specific URLs and IP addresses.
  • Tamper protection. When this setting is enabled, you – and attackers – won’t be able to disable defender antivirus.
  • Emergency outbreak protection. If a zero-day event occurs, machine learning and advanced diagnostics will automatically update devices with new intelligence when a new outbreak has been detected.

Identity management

Microsoft is making a big push to get rid of passwords and enable multi-factor authentication, biometric authentication and other techniques to keep users accounts safe from attack. These changes include:

  • Remote Desktop with biometrics. If you have Azure Active Directory and Active Directory users that use Windows Hello for Business, 1903 now allows biometric options to authenticate a user to a remote desktop session. This will also be helpful to protect Remote Desktop servers from credential cracking attacks.
  • Windows Hello now has a FIDO2-certified authenticator. This enables passwordless logins for websites that support FIDO2, such as a Microsoft account and Azure Active Directory.

Security baselines

Microsoft has posted  the security baseline documents for 1903 and has included changes and recommendations specific to the 1903 release. In particular, they recommend “Enabling the new ‘Enable svchost.exe mitigation options’ policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically generated code is disallowed.”

As noted in the post, carefully review this setting as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins. Microsoft has also released a preliminary Intune-based security baseline.


Deployment of Windows 10 1903 can be done in many ways. You can obtain it from Windows update once your machine is deemed worthy of the update. Microsoft monitors for issues and throttles the updates back on machines that can’t handle the update without vendor fixes. You can monitor for these blocking issues on the Windows release health dashboard site.

You can also deploy the update via WSUS, SCCM, and for new deployments using AutoPilot. You may want to review your deployment strategies and jump over any Windows 10 feature releases that you haven’t deployed and start testing the 1903 release now. The security enhancements and Windows update changes make this a very attractive release for those evaluating versions of Windows 10 to deploy.

Windows 10 1809

The October 2018 release of Windows 10, version 1809, will be what many enterprises will consider their Windows 10 version of choice for several years. The reason? It marks a big change in the patching cadence of Windows 10 as well as updating it.

Changes in .NET patching

Starting with the 1809 version, the .NET patching component has been pulled out of the cumulative Windows 10 update and will now be offered as a separate release similar to how Windows 7 releases .NET patches. If you have a business application that interacts unfavorably with patching, you can now apply the main cumulative update ensuring that you are patched for all the other security issues and hold back on the .NET updating should you need to work with your vendors to ensure compatibility.

Patching cadence changes

Also starting with the 1809 version, Microsoft is changing the cadence for patching for Enterprise and Education customers. As noted in its Microsoft 365 blog, the company is making a major change in how feature releases will be supported for these two versions of Windows 10. As stated on the blog, the cadence change allows an organization to choose the fall release of a feature update and skip two years of feature releases and still be fully supported. As stated in the blog:

All currently supported feature updates of Windows 10 Enterprise and Education editions (versions 1607, 1703, 1709, and 1803) will be supported for 30 months from their original release date. This will give customers on those versions more time for change management as they move to a faster update cycle.

All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of September (starting with 1809) will be supported for 30 months from their release date. This will give customers longer deployment cycles the time they need to plan, test and deploy.

All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of March (starting with 1903) will continue to be supported for 18 months from their release date. This maintains the semi-annual update cadence as our north star and retains the option for customers that want to update twice a year.

All feature releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (this applies to feature updates targeting both March and September).

If you are licensed for Enterprise or Education versions, choosing the fall release will give a firm a 30-month support window from when it is released. Thus, you can deploy the 1809 version and not deploy another feature release until October 2020 and be fully supported and receive security/quality updates that entire time. Spring feature releases will only receive an 18-month support window, so I predict that most Enterprises and Educational institutions will drop into this 30-month cadence and installation routine.

Windows 10 Professional and Home versions will have an 18-month support window for each spring and fall release. With the Professional version that allows for the easy deferral of the feature release, enterprises can then wait longer than a year between each release.

Windows Defender ATP improvements

If your firm has Windows Enterprise E5 or Microsoft 365 E5 subscription, you now have access to a Threat Analytics dashboard that lists recent attacks and risks.

windows 1809 threat analytics dashboard Microsoft

Defender Security Center Threat Analytics dashboard

This console provides updated information about recent threats and security incidents that target the Windows operating system. The threat dashboard provides guidance in mitigating and defending against the attacks.

Microsoft has also increased reporting in its cloud-based Microsoft Secure Score Dashboard. This is included in Windows 10 Enterprise E5 and Microsoft 365 E5 subscription and allows you to track the status of the antivirus application, operating system security updates, firewall, and other controls. On Windows 10, it drills into the security settings you haven’t enabled that would better protect your system from attacks and threats. In the sample below, the computer system scanned is missing Application Guard, Credential Guard and BitLocker as three protection mechanisms that could be enabled that would immediately increase the threat protection on the platform.

1 2 3 4 5 Page 2
Page 2 of 5
Subscribe today! Get the best in cybersecurity, delivered to your inbox.