Best new Windows 10 security features: Improvements to Intune, Windows Defender Application Guard

Here's what you need to know about each security update to Windows 10 as they roll out from Microsoft. Now updated for the 21H1 feature release.


Also starting with the 1809 version, Microsoft is changing the patching cadence for Enterprise and Education customers. As noted in its Microsoft 365 blog, the company is making a major change in how feature releases will be supported for these two editions of Windows 10: the new cadence lets an organization choose the fall feature update, skip the feature releases of the following two years, and remain fully supported. From the blog:

All currently supported feature updates of Windows 10 Enterprise and Education editions (versions 1607, 1703, 1709, and 1803) will be supported for 30 months from their original release date. This will give customers on those versions more time for change management as they move to a faster update cycle.

All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of September (starting with 1809) will be supported for 30 months from their release date. This will give customers longer deployment cycles the time they need to plan, test and deploy.

All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of March (starting with 1903) will continue to be supported for 18 months from their release date. This maintains the semi-annual update cadence as our north star and retains the option for customers that want to update twice a year.

All feature releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (this applies to feature updates targeting both March and September).

If you are licensed for the Enterprise or Education editions, choosing the fall release gives a firm a 30-month support window from the release date. Thus, you can deploy the 1809 version, not deploy another feature release until October 2020, and remain fully supported, receiving security and quality updates the entire time. Spring feature releases will only receive an 18-month support window, so I predict that most enterprises and educational institutions will settle into this 30-month cadence and installation routine.

Windows 10 Professional and Home editions will have an 18-month support window for each spring and fall release. Because the Professional edition allows easy deferral of feature releases, enterprises running it can still wait longer than a year between releases.

Windows Defender ATP improvements

If your firm has a Windows Enterprise E5 or Microsoft 365 E5 subscription, you now have access to a Threat Analytics dashboard that lists recent attacks and risks.

Defender Security Center Threat Analytics dashboard (image: Microsoft)

This console provides updated information about recent threats and security incidents that target the Windows operating system. The threat dashboard provides guidance in mitigating and defending against the attacks.

Microsoft has also increased reporting in its cloud-based Microsoft Secure Score Dashboard. This is included in Windows 10 Enterprise E5 and Microsoft 365 E5 subscriptions and allows you to track the status of the antivirus application, operating system security updates, the firewall, and other controls. On Windows 10, it drills into the security settings you haven’t enabled that would better protect your system from attacks and threats. In the sample below, the scanned system is missing Application Guard, Credential Guard and BitLocker, three protection mechanisms that could be enabled to immediately increase the threat protection on the platform.

Microsoft Secure Score Dashboard (image: Microsoft)

The console gives an overview of each Windows Enterprise E5 license and its risk level. This is not available to users of Windows Enterprise E3 or Microsoft 365 E3.

Windows Security Center

The Windows Defender Security Center has been renamed simply Windows Security Center to better identify it as the main location for security information. The ransomware protection first introduced in 1709 has been simplified to make it easier to add blocked applications to the allowed list. Under “Controlled folder access,” click “Allow an app through Controlled folder access.” After the prompt, click the + button and choose “Recently blocked apps” to find the application the protection has blocked; you can then add it to the allowed list as an exclusion.

Because accurate time is key to authentication and is a requirement for obtaining updates, the Windows Time service is now monitored to confirm the system is in sync with the proper time. Should the system detect that the time sync service is disabled, you will get a prompt to turn the service back on.

A new security providers section lists all the antivirus, firewall and web protection software running on your system. In 1809, Windows 10 requires an antivirus product to run as a protected process in order to register with Windows Security Center. Any antivirus program that has not yet implemented the protected-process model will not appear in the Windows Security Center interface, and Windows Defender Antivirus will remain enabled side by side with such products.

Windows Defender Firewall

The firewall in Windows 10 now supports Windows Subsystem for Linux processes. If you are hosting Linux in virtual machines, you can add exceptions in the firewall for Linux processes such as SSH or a web server like Nginx.

Microsoft Edge

Microsoft Edge, the default browser for Windows 10, now includes more group policy settings. The new policies let you enable or disable full-screen mode, printing, the favorites bar, or saving history. You can also prevent certificate error overrides; configure the New Tab page, Home button, and startup options; and manage extensions.

BitLocker enhancements

Changes have been made to allow BitLocker to be enabled on devices that don’t pass the Hardware Security Test Interface (HSTI). You can also deliver BitLocker policy to Autopilot devices during the out-of-box experience (OOBE).

Windows Defender Application Guard improvements

If the device supports the settings, Windows Defender Application Guard settings can now be set in the Windows Security interface rather than only through registry keys. The requirements to enable Application Guard include hardware support for Second Level Address Translation (SLAT) and either Intel VT-x or AMD-V virtualization extensions, which virtualization-based security (VBS) relies on.

The new user interface allows end users to review the settings their system administrator has made so they understand the behavior they are seeing. The four settings that can be configured for Application Guard in the Windows Security app are Save data, Copy and paste, Print files and Advanced graphics. Their effects are as follows:

When you browse in Application Guard for Microsoft Edge, certain actions can be disabled. If Save data is disabled, users are blocked from saving data while browsing in Application Guard for Microsoft Edge. Turning off Copy and paste blocks copying and pasting to and from the isolated browser. Disabling Print files blocks printing from Edge. Finally, the Advanced graphics setting controls whether the isolated browser uses hardware acceleration under Hyper-V to improve video and graphics performance.

To enable these settings, open Windows Security and click on the App & browser control icon. Then click on the “Change Application Guard settings” link under the Isolated browsing section and make the adjustments. Then reboot the computer.
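As an added example (not code from the article), the following PowerShell audits a machine against the Application Guard prerequisites listed above (SLAT, VT-x/AMD-V, VBS) and reads back the four policy settings the Windows Security app exposes. The registry value names under the AppHVSI policy key and the status codes from the DeviceGuard WMI class are assumptions based on Microsoft's published policy documentation; verify them against your own GPO export before relying on the output.

```powershell
# Added example: Application Guard readiness and policy audit (not from the article).
# Run elevated; the AppHVSI value names below are assumed to match the documented policies.
#Requires -RunAsAdministrator

function Get-AppGuardReadiness {
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard `
                                          -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SlatSupported    = [bool]$cpu.SecondLevelAddressTranslationExtensions
        VtxOrAmdVEnabled = [bool]$cpu.VirtualizationFirmwareEnabled   # firmware has VT-x / AMD-V on
        # Assumed status codes: 0 = VBS not enabled, 1 = enabled but not running, 2 = running
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        FeatureInstalled = ($feature.State -eq 'Enabled')
    }
}

function Get-AppGuardPolicy {
    # Assumed mapping of the four Windows Security settings to AppHVSI policy values.
    # 0 blocks the action; for clipboard and printing a non-zero value is a bitmask that
    # permits a subset of directions or printer types.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    $map = [ordered]@{
        'Save data'         = 'AllowPersistence'
        'Copy and paste'    = 'AppHVSIClipboardSettings'
        'Print files'       = 'AppHVSIPrintingSettings'
        'Advanced graphics' = 'AllowVirtualGPU'
    }
    foreach ($name in $map.Keys) {
        $valueName = $map[$name]
        $value = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        [pscustomobject]@{
            Setting     = $name
            PolicyValue = $valueName
            State       = if ($null -eq $value) { 'Not configured (default applies)' }
                          elseif ($value -eq 0) { 'Blocked by policy' }
                          else                  { "Allowed by policy (value $value)" }
        }
    }
}

Get-AppGuardReadiness | Format-List
Get-AppGuardPolicy    | Format-Table -AutoSize
```

A device that reports SLAT and VT-x/AMD-V as false will not show the Application Guard settings in Windows Security at all, which is the first thing to check when the “Change Application Guard settings” link is missing.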

All these features strengthen the security of the Windows operating system. For even more security, configure dedicated workstations or virtual machines as Privileged Access Workstations, combined with Azure AD Privileged Identity Management, to access sensitive on-premises and cloud assets.

While 1809 doesn’t bring major changes in security, it is once again an incremental feature release that gives the enterprise tools to make it that much harder for attackers to infiltrate systems.

Windows 10 1803

This edition was slated for release in March 2018. Due to quality and release issues, including reported blue screens of death in some of the final test builds, the feature release date was postponed to April 30. It is encouraging to see that Microsoft is putting an emphasis on quality and not just depending on shipping the feature update as a key milestone.

For best results, install your video driver and motherboard updates before installing any feature update. It’s also wise to reach out to your vendors, specifically for any third-party security software you depend on. Many will have security software releases ready to go as Windows 1803 ships; others might need time to revise their software to work with the new edition.

Windows 1803 is deemed to be in semi-annual targeted release. Enterprises should test and confirm that the update is acceptable to the business. In a few months, when Microsoft declares the software to be in the “semi-annual channel,” it’s deemed ready for businesses to fully deploy and for broader release. When Microsoft announces that release date, it will be re-released to the Windows Server Update Services (WSUS) channel and other enterprise patching platforms to allow for broader release.

The next feature release is expected in the September time frame. Windows is also aligning its feature release timetable with Office 365 releases. Even though there are only six months between feature releases, Microsoft supports each individual release for a reasonable amount of time. Normally, Microsoft supports a Windows 10 edition with quality (security) updates for 18 months. Due to changes in Office, it added six months of support to versions 1607, 1703, and 1709. Thus, you can choose to skip one version and jump to the next in your deployment methodology.

Here are just a few reasons that you might want to deploy 1803 sooner versus later:

Privacy features

The European Union (EU) is putting into place new rules to ensure privacy for EU citizens in the form of the General Data Protection Regulation (GDPR). While not a requirement of GDPR, 1803 exposes what Microsoft is collecting from your system as telemetry.

Microsoft uses telemetry to track which features you use, the success or failure of updates, and various other settings. Enterprises in sensitive industries often need assurance that no information is shared for any reason. Before the release of 1803, if you wanted to block all telemetry and still receive Windows updates, you needed to upgrade to the Windows Enterprise edition.

To use the new Diagnostic Data Viewer, you first have to enable it in Settings: go to Privacy, then Diagnostics & feedback, and click “Diagnostic Data Viewer” to download the tool from the Windows Store.

Diagnostic Data Viewer is downloadable from the Windows Store (image: Susan Bradley)

You can now launch the viewer and review what is being sent to Microsoft. The data is geared toward developers, so you might find the details a bit elusive; you can’t make sense of many of the items being tracked unless you understand the internals of the operating system. However, it’s a sign of good faith going forward that these items are now exposed and can be examined by third-party reviewers to help us all understand what is being tracked and sent to Microsoft.

With Diagnostic Data Viewer, you can select what data goes to Microsoft. (image: Susan Bradley)

Of related interest is the online privacy center where you can log in and review what Microsoft is collecting online regarding your browsing history and Cortana use. Review this site to determine what is currently being captured from your systems. Once there you can also remove data that was sent to Microsoft.

Windows update notifications

Microsoft is making small changes to Windows Update notifications so that it is much more obvious that an update is about to install and reboot your system. It has also added settings to assist with installation: when your computer is on, Windows Update will keep an inactive computer from going to sleep for two hours while installing an update.

Windows update changes

Administrators get more group policy and registry settings to better throttle Windows Update bandwidth on a network. The new settings are located under Administrative Templates > Windows Components > Delivery Optimization and let you adjust the bandwidth used by foreground downloads.

Bandwidth can now be limited for both Windows Update and Microsoft Store updates. Previously, you could limit only the download bandwidth; now you can specify Maximum Foreground Download Bandwidth (percentage) or Maximum Background Download Bandwidth (percentage). Feature update installation has also been redesigned to be faster, so your machine returns to a usable state sooner after the update is triggered.
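As an added example (not from the article), this PowerShell applies the two percentage limits just described through their registry-backed policy values and reads the result back, so the setting can be pushed by script where group policy is not available. The value names under the DeliveryOptimization policy key are assumed to match the group policy settings named above.

```powershell
# Added example: script the Delivery Optimization bandwidth policies (not from the article).
# Assumed: DOPercentageMaxForegroundBandwidth / DOPercentageMaxBackgroundBandwidth back the
# "Maximum Foreground/Background Download Bandwidth (percentage)" policies; 0 means no limit.
#Requires -RunAsAdministrator

$DOKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Set-DOBandwidthPolicy {
    param(
        [ValidateRange(0, 100)][int]$ForegroundPercent,
        [ValidateRange(0, 100)][int]$BackgroundPercent
    )
    if (-not (Test-Path $DOKey)) { New-Item -Path $DOKey -Force | Out-Null }
    Set-ItemProperty -Path $DOKey -Name DOPercentageMaxForegroundBandwidth -Type DWord -Value $ForegroundPercent
    Set-ItemProperty -Path $DOKey -Name DOPercentageMaxBackgroundBandwidth -Type DWord -Value $BackgroundPercent
}

function Get-DOBandwidthPolicy {
    $p = Get-ItemProperty -Path $DOKey -ErrorAction SilentlyContinue
    # A missing or zero value means the download is not throttled by policy.
    $fg = $p.DOPercentageMaxForegroundBandwidth
    $bg = $p.DOPercentageMaxBackgroundBandwidth
    [pscustomobject]@{
        ForegroundPercent = if ($fg) { $fg } else { 'unlimited' }
        BackgroundPercent = if ($bg) { $bg } else { 'unlimited' }
    }
}

# Sample policy: let interactive (foreground) Store/Update downloads use up to half the link,
# and keep background downloads to a fifth so they do not starve line-of-business traffic.
Set-DOBandwidthPolicy -ForegroundPercent 50 -BackgroundPercent 20
Get-DOBandwidthPolicy
```

Changes take effect for new downloads; restarting the Delivery Optimization service (DoSvc) forces the policy to be re-read immediately.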

Administrators have been given the ability to customize the roll-back window. Previously it was fixed at 10 days, during which the system kept your old version; now the administrator has DISM commands to customize the number of days the system keeps the prior version.

The following commands can be used to customize the roll-back window (run from an elevated command prompt):

DISM /Online /Initiate-OSUninstall

Initiates an OS uninstall to take the computer back to the previous installation of Windows.

DISM /Online /Remove-OSUninstall

Removes the OS uninstall capability from the computer.

DISM /Online /Get-OSUninstallWindow

Displays the number of days after upgrade during which uninstall can be performed.

DISM /Online /Set-OSUninstallWindow /Value:<days>

Sets the number of days after upgrade during which uninstall can be performed.
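As an added example (not from the article), the PowerShell below wraps the Get and Set commands above so a deployment script can lengthen the roll-back window on a fleet only where it is shorter than a chosen value. The “Uninstall Window : <n>” output line it parses and the 2 to 60 day range it enforces are assumptions about DISM's behaviour; confirm them against your build before deploying.

```powershell
# Added example: enforce a minimum OS uninstall window via DISM (not from the article).
# Assumed: DISM prints a line like "Uninstall Window : 10" and accepts /Value between 2 and 60.
#Requires -RunAsAdministrator

function Get-OSUninstallWindowDays {
    $output = & dism.exe /Online /Get-OSUninstallWindow 2>&1
    $line = $output | Where-Object { $_ -match 'Uninstall Window' } | Select-Object -First 1
    # No window reported: the previous installation (Windows.old) is gone or the uninstall
    # capability was already removed with /Remove-OSUninstall.
    if ($null -eq $line) { return $null }
    if ($line -match '(\d+)') { return [int]$Matches[1] }
    return $null
}

function Set-OSUninstallWindowDays {
    param([Parameter(Mandatory)][ValidateRange(2, 60)][int]$Days)
    & dism.exe /Online /Set-OSUninstallWindow /Value:$Days | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DISM /Set-OSUninstallWindow failed with exit code $LASTEXITCODE" }
}

$desired = 30   # days to keep the previous build available for roll-back
$current = Get-OSUninstallWindowDays
if ($null -eq $current) {
    Write-Warning 'No OS uninstall window reported; the previous installation may already be gone.'
} elseif ($current -lt $desired) {
    Write-Host "Raising uninstall window from $current to $desired days"
    Set-OSUninstallWindowDays -Days $desired
    Write-Host "Now: $(Get-OSUninstallWindowDays) days"
} else {
    Write-Host "Uninstall window is already $current days; nothing to do"
}
```

Remember that a longer window means Windows.old stays on disk longer, so check free space on small-SSD devices before raising it fleet-wide.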

Windows Hello
