Best new Windows 10 security features: Passwordless authentication, Chromium-based Edge support

Here's what you need to know about each security update to Windows 10 as they roll out from Microsoft. Now updated for the 2004 feature release.

Page 3 of 5

This edition was slated to be released in March 2018. Due to quality and release issues including reported blue screens of death in some of the final testing releases, the feature release date was postponed to April 30. It is encouraging to see that Microsoft is putting an emphasis on quality and not just depending on shipping the feature update as a key milestone.

For best results, install your video driver and motherboard updates before installing any feature update. It’s also wise to reach out to your vendors, specifically for any third-party security software you depend on. Many have security software releases ready to go as Windows 1803 is released. Others might need time to revise their software to work with the new edition.

Windows 1803 is deemed to be in semi-annual targeted release. Enterprises should test and confirm that the update is acceptable to the business. In a few months when Microsoft declares the software is “semi-annual channel,” it’s deemed to be ready for businesses to fully deploy and for broader release. When Microsoft announces that release date, it will be re-released to the Windows Software Update Services channel and other enterprise patching platforms to allow for broader release.

The next feature release is expected in the September time frame. Windows is also aligning its feature release timetable with Office 365 releases. Even though there are only six months between feature releases, Microsoft supports each individual release for a reasonable amount of time. Normally, Microsoft supports a Windows 10 edition with quality (security) updates for 18 months. Due to changes in Office, it added six months of support to the 1607, 1703, and 1709 versions. Thus, you can choose to skip one version and jump to the next in your deployment methodology.

Here are just a few reasons that you might want to deploy 1803 sooner versus later:

Privacy features

The European Union (EU) is putting into place new rules to ensure privacy for EU citizens in the form of the General Data Protection Regulation (GDPR). While not a requirement of GDPR, 1803 exposes what Microsoft is collecting from your system as telemetry.

Microsoft uses telemetry to track what features you use, the success or failure of updates, and various other settings. Enterprises in sensitive industries often need assurance that no information is shared for any reason. Before the release of 1803, if you wanted to block all telemetry and still receive Windows updates, you had to upgrade to the Windows Enterprise edition.

To use the new Diagnostic Data Viewer you first have to enable it in Settings: go to Privacy, then Diagnostics & Feedback, and click “Diagnostic Data Viewer” to download the tool from the Windows Store.

[Figure (Susan Bradley): Diagnostic Data Viewer is downloadable from the Windows Store]

You can now launch the viewer and review what is being sent to Microsoft. The data is geared toward developers, so you might find that the details are a bit elusive. You can’t make sense of many of the items being tracked unless you understand the internals of the operating system. However, it is a sign of good faith that these items are now exposed and can be examined by third-party reviewers to help us all understand what is being tracked and sent to Microsoft.

[Figure (Susan Bradley): With Diagnostic Data Viewer, you can select what data goes to Microsoft.]

Of related interest is the online privacy center where you can log in and review what Microsoft is collecting online regarding your browsing history and Cortana use. Review this site to determine what is currently being captured from your systems. Once there you can also remove data that was sent to Microsoft.

Windows update notifications

Microsoft is making small changes to Windows update notifications so that it is much more obvious that an update is going to be installed and reboot your system. It has also added settings to assist with installation: when your computer is on, Windows Update will keep an inactive computer from going to sleep for two hours while installing an update.

Windows update changes

Administrators get more group policy and registry adjustments to better throttle Windows update bandwidth in a network setting. New features are located under Administrative Templates > Windows Components > Delivery Optimization. These new controls allow you to adjust bandwidth used by foreground downloads.

The amount of bandwidth can now be limited for both Windows Update and Microsoft Store updates. Previously, you could only limit the download bandwidth. Now you can specify Maximum Foreground Download Bandwidth (percentage) or Maximum Background Download Bandwidth (percentage). The process of installing feature updates has been designed to be faster to allow your machine to get back to functional access after the feature update has been triggered.

Administrators have been given the ability to customize the roll-back window. Previously the system kept your old version for a fixed 10 days; now the administrator has DISM commands to customize the number of days the system keeps the prior version.

The following commands can be used to customize the roll-back window (run from an elevated command prompt):

DISM /Online /Initiate-OSUninstall
Initiates an OS uninstall to take the computer back to the previous installation of Windows.

DISM /Online /Remove-OSUninstall
Removes the OS uninstall capability from the computer (the retained previous version is deleted).

DISM /Online /Get-OSUninstallWindow
Displays the number of days after upgrade during which the uninstall can be performed.

DISM /Online /Set-OSUninstallWindow /Value:<days>
Sets the number of days after upgrade during which the uninstall can be performed.
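As an added example (not from the article), here is a PowerShell script that applies both of the Windows Update changes described in this section: the Delivery Optimization bandwidth percentages and the DISM roll-back window. It assumes the documented policy value names DOPercentageMaxForegroundBandwidth and DOPercentageMaxBackgroundBandwidth under the Policies hive, that DISM accepts a window of 2 to 60 days, and that /Get-OSUninstallWindow prints the day count after an "Uninstall Window :" label; run it from an elevated prompt on 1803 or later.

```powershell
#Requires -RunAsAdministrator
# Assumption: these are the policy-backed Delivery Optimization settings that
# mirror "Maximum Foreground/Background Download Bandwidth (percentage)".
$DOPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Set-DOBandwidthPolicy {
    # A policy value of 0 means "no limit", so only 1-100 is accepted here.
    param(
        [ValidateRange(1, 100)][int]$ForegroundPercent,
        [ValidateRange(1, 100)][int]$BackgroundPercent
    )
    if (-not (Test-Path $DOPolicyKey)) { New-Item -Path $DOPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $DOPolicyKey -Name DOPercentageMaxForegroundBandwidth -Value $ForegroundPercent -Type DWord
    Set-ItemProperty -Path $DOPolicyKey -Name DOPercentageMaxBackgroundBandwidth -Value $BackgroundPercent -Type DWord
    # Read back so the caller sees what the policy now says.
    Get-ItemProperty -Path $DOPolicyKey |
        Select-Object DOPercentageMaxForegroundBandwidth, DOPercentageMaxBackgroundBandwidth
}

function Get-OSUninstallWindowDays {
    # Assumption: DISM's human-readable output contains "Uninstall Window : <n>".
    $out = & dism.exe /Online /Get-OSUninstallWindow 2>&1
    $m = [regex]::Match(($out -join ' '), 'Uninstall Window\s*:\s*(\d+)')
    if (-not $m.Success) { return $null }   # no retained previous version
    return [int]$m.Groups[1].Value
}

function Set-OSUninstallWindowDays {
    # Assumption: DISM accepts 2..60 days; the default after an upgrade is 10.
    param([ValidateRange(2, 60)][int]$Days)
    $before = Get-OSUninstallWindowDays
    if ($null -eq $before) { throw 'No previous Windows version is retained on this system.' }
    & dism.exe /Online /Set-OSUninstallWindow /Value:$Days | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }
    [pscustomobject]@{ DaysBefore = $before; DaysAfter = Get-OSUninstallWindowDays }
}

# Throttle foreground downloads to 40% and background to 20%, keep the
# previous version for 30 days so a bad feature update can be backed out.
Set-DOBandwidthPolicy -ForegroundPercent 40 -BackgroundPercent 20
Set-OSUninstallWindowDays -Days 30
```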

Windows Hello

Windows Hello is making significant investments in changes to password and password management. First, it supports FIDO 2.0 authentication for Azure AD-joined Windows 10 devices and has increased options and features for support for shared devices. Windows 10 S mode (more on this later) is taking passwords to the next level by placing the authentication process into your mobile device.

The Microsoft Authenticator app is available for Android and iPhone and can be the authentication software used to log in. It replaces the traditional password authentication process. The process to prompt you through setting up Windows Hello’s alternative password techniques is easier as well. You can now start the process from the main log-in screen and can choose Windows Hello Face, Fingerprint or PIN options.

Deployment and password options

Microsoft is encouraging original equipment manufacturers to use AutoPilot to deploy and provision computers in a secure fashion for enterprises. Surface, Lenovo, and Dell currently support AutoPilot, and in the coming months Microsoft expects support from more vendors including HP, Toshiba, Panasonic, and Fujitsu. Combined with Intune, AutoPilot ensures the machine is locked during the setup process and delivered to the end-user in a secure deployment fashion.

For standalone computers, Windows 10 1803 now allows setting up security questions to make it easier to reset a local account that has a forgotten password.

Windows Defender renamed to Windows Security

Microsoft has renamed and slightly redesigned Windows Defender and is now calling it Windows Security. Virus and threat protection; account protection; firewall and network protection; app and browser control; device security; device performance and health; and family options are now subsections of the Security section. Controlled folder access, added in 1709, has moved to the Ransomware protection section.

Windows Security now shares status with Microsoft 365 services and interoperates with Windows Defender Advanced Threat Protection, Microsoft’s cloud-based forensic analysis tool. Windows Defender Exploit Guard includes virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). Windows Defender Application Guard has added support for Edge and can now be enabled on Windows Pro, not just the previously supported Enterprise edition. In Enterprise, Application Guard has to be enabled using Intune, Group Policy or PowerShell, but on standalone computers it can be turned on directly.

Edge browser updates

The Edge browser now allows extensions when the browser is used in Private mode. In addition, with the release of 1803 Windows Defender Application Guard is available for Edge and Internet Explorer on Pro editions. You identify which sites are trusted, and if a user surfs to an untrusted website through Microsoft Edge or Internet Explorer, Edge opens the site in an isolated Hyper-V container separate from the host operating system.

If the untrusted site is malicious, the host PC is protected. The isolated container also carries no enterprise identity, so an attacker can’t get to your employee’s enterprise credentials. Enabling Application Guard requires hardware that supports virtualization. Then go into Control Panel, Programs and Features, choose “Turn Windows features on or off” and tick the Windows Defender Application Guard feature to install it. In 1803 this major protection is included in the Pro SKU and is no longer limited to the Enterprise edition.
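The same checks and the feature install, done from PowerShell instead of Control Panel, as an added example that is not part of the article: it reads the VBS/HVCI state that Exploit Guard relies on, confirms virtualization is enabled in firmware, and then enables the Application Guard optional feature. It assumes the Win32_DeviceGuard CIM class and the Windows-Defender-ApplicationGuard feature name as shipped in 1803, and an elevated session.

```powershell
#Requires -RunAsAdministrator

function Get-VbsStatus {
    # Win32_DeviceGuard reports VBS state (0 = off, 1 = configured but not
    # running, 2 = running) and which services run (1 = Credential Guard, 2 = HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    [pscustomobject]@{
        FirmwareVirtualizationEnabled = [bool]$cpu.VirtualizationFirmwareEnabled
        VbsStatus              = @('Disabled', 'Enabled, not running', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        HvciRunning            = $dg.SecurityServicesRunning -contains 2
        CredentialGuardRunning = $dg.SecurityServicesRunning -contains 1
    }
}

function Enable-ApplicationGuard {
    $status = Get-VbsStatus
    if (-not $status.FirmwareVirtualizationEnabled) {
        # Without VT-x/AMD-V the container cannot start, so fail early and loudly.
        throw 'Virtualization is disabled in firmware; enable it before installing Application Guard.'
    }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    if ($feature.State -eq 'Enabled') { return 'Application Guard is already enabled.' }
    # Same as ticking the box under "Turn Windows features on or off"; a reboot follows.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
}

Get-VbsStatus
Enable-ApplicationGuard
```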

Ransomware protection

First introduced in 1709, Controlled Folder Access, which protects local folders most often attacked by ransomware, has been moved to its own location in the Windows Security section. If you subscribe to Office 365, additional ransomware protections and detections have been included. If you are a personal subscriber or Home subscriber, Ransomware Detection now notifies you when the OneDrive files have been encrypted.

Kiosk mode

Often in Enterprises, you want to deploy what is termed “kiosk mode.” The deployment will be a locked down browser with a minimum amount of application support. With the release of 1803, Intune is now the preferred methodology to deploy a Windows 10 system in kiosk mode. As noted by Microsoft, the Kiosk Browser can be deployed from the Microsoft Store. Once deployed, you can configure a start URL, allowed URLs, and enable/disable navigation buttons through the deployment.

Windows S mode

The biggest change, and largest potential security gain, is the introduction of Windows S mode. It has the potential for a lock-down deployment methodology similar to how mobile phones can only install apps from the mobile phone vendor’s store. Applications are Microsoft-verified for security and performance and can only be deployed from the Microsoft Store.

Security baseline draft released

Finally, Microsoft has released a draft of the recommended Security baseline. The differences between the draft for 1803 and the released baseline for 1709 include:

  1. Two scripts to apply settings to local policy: one for domain-joined systems and one that removes the prohibitions on remote access for local accounts, which is particularly helpful for non-domain-joined systems, and for remote administration using Local Administrator Password Solution (LAPS)-managed accounts.
  2. Increased alignment with the Advanced Auditing recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document.
  3. Updated Windows Defender Exploit Guard Exploit Protection settings (a separate EP.xml file).
  4. New Windows Defender Exploit Guard Attack Surface Reduction (ASR) mitigations.
  5. Removal of numerous settings that no longer provide mitigations against contemporary security threats. The GPO differences are listed in a spreadsheet in the package’s Documentation folder.

Again, your organization should upgrade to the 1803 release once it has tested and verified compatibility and checked with your vendors. It’s expected to be declared semi-annual channel, and thus ready for business, in three to four months.

Windows 10 1709

The Windows 10 Fall Creators Edition release is, in my opinion, the first release where Microsoft is vastly increasing and acknowledging the impact of ransomware. Key security features included in the 1709 release give IT professionals additional means to prevent and defend against ransomware. Here are the edition’s key features:

Windows Defender Exploit Guard

Windows Defender Exploit Guard is the name of four different feature sets that help to block and defend against attacks. The four features of Exploit Guard are Exploit Protection, Attack Surface Reduction rules, Network Protection, and Controlled Folder Access. Exploit Protection is the only feature that works if you use a third-party antivirus tool. The other three features require Windows Defender and will not work if you use third-party antivirus software. This prerequisite is unlikely to change, because the features rely on Windows Defender for the APIs and infrastructure that support them.
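Because three of the four features silently do nothing when Defender is not the active antivirus, a deployment script should check that first. The following is an added example, not code from the article: it verifies Defender is running real-time protection, then turns on Controlled Folder Access and Network Protection in audit mode so events are logged without blocking while you tune the configuration. It assumes the Defender module cmdlets available from 1709 onward and an elevated session; the extra protected folder is a constructed path.

```powershell
#Requires -RunAsAdministrator

function Test-DefenderIsPrimaryAV {
    # ASR, Controlled Folder Access and Network Protection need the Defender
    # engine active; with a third-party AV installed Defender goes passive and
    # Set-MpPreference would accept the change but enforce nothing.
    $s = Get-MpComputerStatus
    return [bool]($s.AntivirusEnabled -and $s.RealTimeProtectionEnabled)
}

function Enable-ExploitGuardAudit {
    param([string[]]$ExtraProtectedFolders = @())
    if (-not (Test-DefenderIsPrimaryAV)) {
        throw 'Windows Defender is not the active real-time AV; only Exploit Protection is usable here.'
    }
    # AuditMode writes "would have blocked" events to the Defender operational
    # log; switch the value to Enabled once the audit shows no false positives.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Set-MpPreference -EnableNetworkProtection AuditMode
    foreach ($folder in $ExtraProtectedFolders) {
        # Add business data locations beyond the default user profile folders.
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
    Get-MpPreference |
        Select-Object EnableControlledFolderAccess, EnableNetworkProtection, ControlledFolderAccessProtectedFolders
}

# Constructed example path for a share that ransomware would target.
Enable-ExploitGuardAudit -ExtraProtectedFolders 'D:\Finance'
```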

Exploit Protection

This is the only one of the four Exploit Guard technologies that does not require Windows Defender to be your primary antivirus. Exploit Protection can be controlled via Group Policy or PowerShell. An additional cloud-based logging service, Windows Defender Advanced Threat Protection, provides forensic evidence of threats and attacks and can be used to better track and investigate Exploit Guard events. Enabling it is not mandatory.

To enable Exploit Protection, begin by deploying the technology on test machines before deploying widely. Open Settings, go to Update and Security, open the Windows Defender app, and then open the Windows Defender Security Center. Then go into App and Browser Control and scroll down to Exploit Protection. Open Exploit Protection Settings.
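The PowerShell route to the same Exploit Protection settings, as an added example that is not from the article: it snapshots the current configuration on the test machine, applies a few mitigations system-wide and for one application, and can import an exported XML (the 1803 baseline’s EP.xml is applied the same way). It assumes the Get-ProcessMitigation and Set-ProcessMitigation cmdlets from 1709 onward, an elevated session, and that the application name used is illustrative only.

```powershell
#Requires -RunAsAdministrator

function Export-ExploitProtectionConfig {
    param([string]$Path = "$env:TEMP\ep-before.xml")
    # Snapshot system and per-app mitigations so the test machine can be
    # diffed against the defaults and rolled back if an app breaks.
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    return $Path
}

function Set-TestMitigations {
    # System-wide defaults worth pinning: DEP and SEHOP apply to every process.
    Set-ProcessMitigation -System -Enable DEP, SEHOP
    # Per-app: force ASLR (ForceRelocateImages needs BottomUp to be effective)
    # and block legacy extension-point DLL injection. 'viewer.exe' is a
    # placeholder for whatever untrusted-document handler you test with.
    Set-ProcessMitigation -Name 'viewer.exe' -Enable ForceRelocateImages, BottomUp, DisableExtensionPoints
    Get-ProcessMitigation -Name 'viewer.exe'
}

function Import-ExploitProtectionConfig {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { throw "Mitigation policy file $Path not found" }
    # Applies an exported snapshot or a baseline EP.xml in one step.
    Set-ProcessMitigation -PolicyFilePath $Path
}

$snapshot = Export-ExploitProtectionConfig
Set-TestMitigations
# After testing, revert with: Import-ExploitProtectionConfig -Path $snapshot
```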

By default, Windows 10 has the following settings:
