• United States



Contributing Writer

Best new Windows 10 security features: Improvements to Intune, Windows Defender Application Guard

Jun 15, 202151 mins
Network SecurityOperating SystemsSecurity

Here's what you need to know about each security update to Windows 10 as they roll out from Microsoft. Now updated for the 21H1 feature release.

With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.

Windows 10 21H1

The May 2021 release of Windows 10 may be the most stable Windows 10 release ever. Because of the pandemic, and due to potential more changes in the next version of Windows 10, this release is nearly anti-climatic in it’s release. If you are already on 2004 or 20H2, the install will be fast and should not cause any major issues.

If you have never used Windows Server Update Services (WSUS) or Intune to approve and manage feature releases to Windows 10, this might be the release you’ll want to test the process with. Look for the “Feature Update to Windows 10 Version 21H1 x64-based systems 2021-05 via Enablement Package” and approve that in your WSUS console to upgrade to 21H1. In a sign that this release is not major, the ADK for 2004 and 20H2 still works for 21H1.

Servicing stack changes

As with 20H2, Windows 10 21H1 combines the update with the related servicing stack update so you no longer need to install the servicing stack first if you manually approve updates. Rather, the two are combined for easy installation and the experience is similar using Windows Update for servicing.

Windows Intune changes

For those moving to cloud-only connections, Windows Intune is maturing as a potential replacement for WSUS. Windows Update for Business can be used to manage patching versus using WSUS. If you have Windows 10 Professional, you can use Group Policy to manage and deploy the Windows update for business settings. If you have Microsoft 365 E3 or higher, you can use Intune to manage the settings. More information about Windows Intune and its ability to manage patches can be obtained online. Additional features can be reviewed online

Windows Hello

Multi-camera support has been added to 21H1, which allows users to choose an external camera priority when external and internal Windows Hello-capable cameras are present.

Windows Defender Application Guard

Windows Defender Application Guard (WDAG) has been improved to increase the document opening times, in particular when opening a file over a universal naming convention (UNC) path or server message block (SMB) shares. Finally, the performance of robocopy is improved when copying large files.

What’s been removed

The biggest change between 21H1 and its predecessors is the removal of the original Edge browser. The Chrome-based Edge browser is now the new recommended browser of the Windows 10 ecosystem. Microsoft will also be making a big change with its Internet Explorer browser in June 2022 by finally retiring it in versions of Windows 10. Note that this does not impact LTSB (long term servicing branch) versions of Windows as those will still support IE. While the launching of the browser will be removed, components of the application will remain under the operating system for developers to still call on for legacy desktop applications.

For those that love the WMI command line (WMIC), 21H1 announces the beginning of the end. The WMIC tool is deprecated in Windows 10 version 21H1 and the 21H1 semi-annual channel release of Windows Server. This tool is superseded by Windows PowerShell for WMI. WMI itself is not affected.

Windows 10 20H2

Microsoft’s semi-annual Windows 10 feature release for Windows 10, called 20H2, for the second half of 2020 is the smaller May incremental release to version 2004. The naming changed to align with the Windows Insider channel releases. You can move from any older version of Windows 10 to the 20H2 release. If you move from 2004, the installation time will be quick as 20H2 is an enablement package for software already installed. Installing from any older release will take longer as it will go through the normal installation and staging process.

Microsoft has also released a draft of the security baseline documents for 20H2. (Security baselines for Edge are released separately as you can install it separately from the operating system.)

Version 20H2 is supported through May 10, 2022, for Home, Pro, Pro Education, Pro for Workstations and IoT Core, and through May 9, 2023, for Enterprise, Education and IoT Enterprise.

Chromium-based Edge browser

The major change in 20H2 is the inclusion of Microsoft’s new Edge browser based on the Chromium engine. To download the Group Policy files to control the new Edge in your environment, go to the Edge for business web page. Click the drop-down menu item “Select Channel/Build”, then choose the version of Edge you plan to use. Next, select the platform from the drop-down menu and select your operating system. Click on “Get policy files” to download the Cabinet (CAB) Group Policy files you need to manage Edge.

Service stack update changes

Deployment of servicing stack updates has changed with 20H2. You no longer must look for and approve servicing stack updates separately from the latest cumulative updates. Servicing stack updates help keep Windows 10 updating healthy. Before 20H2 when a servicing stack update was released and you used Windows Server Update Service (WSUS), System Center Configuration Manager (SCCM) or another patching platform to look for and approve latest cumulative update and then find and approve the servicing stack released for the month (if there was one). If both were not approved, you risked having patching issues with the operating system. Now both are included in one update, like the streamlined process for consumer patching.

DisableAntiSpyware setting

In 20H2 Microsoft has deprecated the DisableAntiSpyware setting. Now when Microsoft Defender sees another antivirus tool installed, it will automatically turn itself off. Note that if you deploy Windows Server or Long Term Servicing Branch (LTSB) versions, you might still need this setting or to manually disable antivirus tools as those versions don’t sense all antivirus vendors.

Microsoft Defender Application Guard for Office

The 20H2 release also includes support for Microsoft Defender Application Guard for Office. With this enabled, untrusted Office documents sent from outside of your organization automatically open in an isolated sandbox. This prevents malicious content from compromising your system. You will need a Microsoft 365 E5 license to fully implement this solution.

Expanded Windows Sandbox policies

Windows Sandbox policies have been expanded to support Windows Intune policies. The additional policies include:

  • WindowsSandbox/AllowAudioInput allows you to enable or disable audio input to the Sandbox.
  • WindowsSandbox/AllowClipboardRedirection allows you to enable or disable sharing of the host clipboard with the sandbox.
  • WindowsSandbox/AllowPrinterRedirection allows you to enable or disable printer sharing from the host into the Sandbox.
  • WindowsSandbox/AllowVGPU allows you to enable or disable virtualized GPU for Windows Sandbox.
  • WindowsSandbox/AllowVideoInput allows you to enable or disable video input to the Sandbox.

Biometric authentication via Windows Hello

Windows Hello offers support for fingerprint and face sensors in virtualization so it further isolates and ensures that a user’s biometric authentication.

Four new security settings

Four new settings included in 20H2 are an interesting mix, and one addresses a recent security vulnerability that has been in the headlines.

The first new setting is “Domain controller: Allow vulnerable Netlogon secure channel connections”. This is needed due to the Zerologon vulnerability that has been recently patched. It allows exclusions for non-complying devices that cannot connect to a domain after these patches (CVE-2020–1472) have been applied to your domain controllers. It is located at “Machine”, then “Security Options”.

The next new setting is “Turn off cloud optimized content”. This is located at “Machine” then “Windows ComponentsCloud Content”.

Another new setting relating to Windows Update is “Disable Safeguards for Feature Updates”. Microsoft blocks feature updates to systems that are not able to properly deploy the feature releases. This setting allows you to override that block. It is located at “Machine” and then at “Windows ComponentsWindows UpdateWindows Update for Business”.

The final new setting is “Configure the inclusion of Edge tabs into Alt-Tab”. It is located at “User” and then at “Windows ComponentsMultitasking”.

Windows 10 2004

Microsoft released Windows 10 2004 to developers in mid-May 2020 and then to the general public at the end of May. Many organizations are on 1903 and have not moved to 1909. Version 2004 has new security features that might make an upgrade worthwhile.

Windows 10 2004 is a spring feature release, so has an 18-month servicing time from release date. Version 1909 will be supported until May 11, 2021 for Home, Pro, Pro Education, and Pro for Workstations editions, and until May 10, 2022 for Education and Enterprise versions. This extended due date in response to the impact of the public health situation. Version 2004 was built to minimize update processing time and does not share the code of Windows 10 1903/1909, and thus is a more impactful feature release than version 1909.

Windows 10 Hello

Windows 10 Version 2004 emphasizes passwordless technology and lets you use Windows 10 Hello biometric security system to sign on. To turn this feature on, launch “Settings”. Then click on “Accounts” and “Sign-in options” Under “Require Windows Hello sign-in for Microsoft accounts,” select “On”. Once Hello is enabled you can then login for Microsoft services on company devices.

Windows Hello allows for log in with your face, iris, fingerprint, or a PIN. Support depends on you’re your devices support for authentication. Windows Hello can take data from a camera, iris sensor, or fingerprint reader. The data is then encrypted before it’s stored on the device. Research if your hardware supports Windows Hello before deploying it.

Windows Defender Application Guard upgrades

Windows Defender Application Guard is a security tool originally developed for Microsoft’s HTML-based Edge browser. It protects users by isolating files received from untrusted or potentially dangerous sites. In Windows 10 2004 Pro or Enterprise. Application Guard also works in the new Chromium-based Edge and allows Edge extensions to run in containers. This is a change from prior versions, which allowed Device Guard/ Application Guard policies to be created only on Enterprise but enforced on any SKU. Version 2004 allows Application Guard policies for Windows 10 Pro specifically for the new Edge version.

Windows Update Delivery Optimization

Microsoft has enhanced Delivery Optimization to allow for more control over the bandwidth used during Windows 10 updates.  You can set a limit cap at which the computer will stop Delivery Optimization features to more efficiently use network resources while downloading installation packages.

bradley 2004 1 Susan Bradley

Delivery Optimization settings

Controlling rebooting

Microsoft has long struggled to make updates more dependable and take less time. The company claims that user downtime during feature updates for version 2004 has been reduced to 20 minutes and requires just one reboot. Updates are optimized when the computer has adequate resources. Even with these changes, it’s still recommended to optimize your Windows 10 deployments by providing devices with SSD hard drives and adequate RAM for the function you need them to perform. Unless the device is purpose built, I recommend at least 8GB of RAM.

Resetting the PC

Microsoft has made the process of deploying Windows 10 extremely fast. This process has normally required an ISO file mounted locally. Windows 10 2004 allows you to reset the PC with the option of downloading the media from online. If any of the following optional features are installed, However, the reset from cloud will not work if any of these optional features are installed:

  • EMS and SAC Toolset for Windows 10
  • IrDA infrared
  • Print Management Console
  • RAS Connection Manager Administration Kit (CMAK)
  • RIP Listener
  • All RSAT tools
  • Simple Network Management Protocol (SNMP)
  • Windows Fax and Scan
  • Windows Storage Management
  • Wireless Display
  • WMI SNMP Provider
bradley 2004 2 Susan Bradley

Reset PC now allows for cloud downloads

The cloud download option can use more than 4GB of data, so plan accordingly.

Windows Subsystem for Linux 2

A new version of Windows Subsystem for Linux (WSL) is released in 2004. Unlike the prior version that used an emulator, WSL 2 uses its own kernel. This should increase compatibility and performance. The new version allows you to run ELF64 Linux binaries on Windows. Individual Linux distros can be run either as a WSL 1 or WSL 2 distro. They can also be upgraded or downgraded at any time, and you can run WSL 1 and WSL 2 distros side by side.

The new Microsoft Edge browser

While not part of Windows 10 2004, the new Edge browser based on Chrome should be included in your deployment plans. The major advantage of the new Edge is that it’s based on Chromium, the same foundation as Google’s Chrome, so any Chome extensions you use can be easily ported over to the new Edge.

Microsoft will roll out the new Edge to consumers over the next several months. The company does not plan to push it out to enterprises, as Windows 10 Enterprise, Education and Pro for Workstations Edition devices will not be automatically updated. If you use Windows 10 Pro, you can block the automatic deployment of Edge using the Blocker toolkit. You can download a deployment package to install on your systems. If you’ve been previewing the Edge beta, the final version will install side by side and will not replace the beta.

You can use Group Policy settings for the new Edge as well. Go to the Microsoft Edge for Business page and download the policy setting. Choose the “Channel/Version, “Build” and “Platform” to enable the “Get Policy Files” download. You can use the policy settings for:

  • Cast
  • Default search provider
  • HTTP authentication
  • Password manager and protection
  • Proxy server
  • Content
  • Allowed extensions
  • Native messaging
  • Printing
  • Smart screen
  • Startup, home page and new tab page
  • Update policy and update period override 

Windows 10 1909

Microsoft’s 1909 version of Windows 10 will have the fewest changes from prior versions. Several feature releases haven’t been as uneventful as they could have been, so 1909 is making a drastic change in how it rolls out.

1909 offered to unmanaged PCs, not pushed

The biggest change in how 1909 is released is in the unmanaged personal computer experience. If your computer is not behind Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) and thus is managed by Windows Update, the 1909 update will be offered when you check for updates but won’t install.

bradley 1909 Susan Bradley

1909 offered for unmanaged PCs

This new “seeker” experience, noted in the Windows Experience blog, gives more control over the updating process. The install will be quick if you are on the 1903 release already and feels less like a service pack and more like a normal monthly patch process. If you have already deployed 1903, moving over to 1909 will be a trivial testing process.

1909 shares the same security update code base as 1903

As you test and patch 1909, you will notice that the security updates that apply to 1903 are labelled with the same knowledgebase numbers as those applied to 1909. These updates share exactly the same code base. For example, KB4524570, the November 12 security update for Windows 10 1903, also patches Windows 10 1909. The title, OS Builds 18362.476 and 18363.476, and the notation “Applies to: Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909,” clearly shows how the update installs on both platforms.

Enablement package

Enterprises or businesses that use corporate patching systems such as WSUS should look for an “Enablement package,” KB4517245. It turns on new features in Windows 10, version 1909, that were already included in the latest monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are inactive. If you’ve already installed the October updates, you have 1909, just not all the features.

Similar to earlier versions of Windows 10, ensuring that you are up to date on BIOS, driver and other hardware related updates is key to successful deployment of feature releases. Also review the Windows health release dashboard for known issues and blocking items. For example, Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. KB4529832 notes that unsupported Realtek Bluetooth radios will block a device from receiving 1909. You will need to update to driver version 1.5.1012 or later to remove this safeguard hold.

30-month support window for Enterprise

If you are running the Enterprise version of Windows 10, the 1909 version is supported for 30 months. If you want to skip the next two years of feature releases, you can.

Kiosk mode

Windows 10 1909 allows users to customize their experience in Kiosk mode. You now have the option to allow a user to switch to various languages while keeping a block on accessing networking settings.

Microsoft BitLocker key rolling

The Key-rolling or Key-rotation feature enables secure rolling of recovery passwords on devices connected to Azure Active Directory (AAD) and Microsoft Mobile Device Management (MDM) on demand from Microsoft Intune/MDM tools or when recovery password is used to unlock the BitLocker-protected drive. This feature helps prevent accidental recovery password disclosure during manual BitLocker drive unlock by users.

Windows 10 Pro and Enterprise in S mode

The Windows 10 in S mode platform has the potential to provide much more security. Similar to the mobile phone platform where the vendor vets and approves applications before they can be installed, S mode allows applications to be deployed only from the Microsoft Store. With 1909 you can deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, then deploy them with MDM software such as Microsoft Intune.

Windows Defender Credential Guard supports ARM

Windows Defender Credential Guard is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices. More new devices use CPUs based on the RISC (reduced instruction set computer) architecture developed by Advanced RISC Machines (ARM) rather than AMD or Intel. The old Surface RT device, for example, was based on the ARM architecture. Microsoft’s more recent Surface Pro X device is also based on the ARM processor.

Windows Sandbox supports multiple OS versions

Windows Sandbox, originally was released in Windows 10, Version 1903, is an isolated desktop environment where you can install software and any malicious activity can’t impact the device. In 1909, Microsoft has included support for mixed-version container scenarios, allowing Sandbox to be run in a different version of Windows 10 than the host operating system. You can now test on different versions of Windows.

Windows 10 1909 brings the fewest changes to Windows 10. That, quite honestly, is a good thing. Past releases haven’t been without issues. Having a quiet release may be just the thing that all IT administrators need to standardize on Windows 10 1909 sooner rather than later.

Windows 10 1903

Below is a summary of all the new security features and options in Windows 10 version 1903, which features Windows Defender Advanced Threat Protection (ATP) enhancements, more options for enterprises to defer updates, and Windows Sandbox, which provides a safe area to run untrusted software. Bookmark this article, because we will be adding new security features as Microsoft releases future Windows updates.

Now that Microsoft has officially released Windows 10 1903, there are key security enhancements to look for and that I think are exciting. Here are my top picks for the 1903 release.

Changes to Windows update

The changes to Windows update and Windows update for business include key abilities to control updates. You can pause updates for all versions of Windows, including Home. Home version users may pause any updates for seven days. Pro version users continue to have the option to defer feature releases up to 365 days. Windows provides more visual clues that an update is pending on reboot.

A small dot next to the power icon is a new visual clue that indicates an update will install when your computer reboots. Active hours will be more responsive to your actual working hours and not reboot the computer while you are using it.

There are changes in Windows update for Business. The terms of “Semi Annual Channel” and “Semi Annual Targeted” have been removed. No longer will there be a designation that Windows 10 1903 is ready for business. Instead, you determine your deferral period from when the release came out.

You will need to revisit your Windows update for business policies as a result and set a deferral to a point in time that you deem that you will be ready for Windows 10 1903. My recommendation is to set a deferral period to an extreme point in the future: Select 365 days for your deferral. Then when you are ready to deploy 1903, you can reset this value to 0 to trigger the installs. You will want to review your Windows Update for Business settings for the new changes in 1903.

Also new in 1903 is the fact that you no longer are mandated to use a diagnostic data level of Basic or higher to enforce configured policies in Windows update for Business. If your organization is privacy sensitive, you no longer have to ensure that you participate in diagnostics.

Threat protection

Microsoft is adding more protection to this version of Windows 10—specifically, the much anticipated Windows Sandbox feature. It allows you to run untrusted executables in an isolated environment on a desktop PC. When you close Windows sandbox, everything in it is erased so it’s clean the next time you use it.

Both Pro and Enterprise SKUs can benefit from this new feature. To use it, you must have the following:

  • Windows 10 Pro or Enterprise Insider build 18305 or later (1903)
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least two CPU cores (four cores with hyperthreading recommended)

You need to enable Windows Sandbox in Windows Features. If your machine does not have virtualization support, the feature will be greyed out. Once you’ve enabled Windows Sandbox, you will need to reboot your computer.

Now you have a built in virtual machine that will allow you to test malicious links without impacting your computer or, better yet, your network.

bradley 1903 2 Susan Bradley

Windows Sandbox

It is similar to the virtual Windows XP that many of us used to migrate from XP to Windows 7 with one major difference: It does not persist after you shut the virtual machine down.

Microsoft Defender ATP changes

Microsoft Defender ATP licensees will find many changes in this edition. You’ll need a Windows Enterprise license and an E5 Windows or E5 Microsoft 365 license. New offerings include:

  • Attack surface area reduction: You can now specify allow and deny lists for specific URLs and IP addresses.
  • Tamper protection. When this setting is enabled, you – and attackers – won’t be able to disable defender antivirus.
  • Emergency outbreak protection. If a zero-day event occurs, machine learning and advanced diagnostics will automatically update devices with new intelligence when a new outbreak has been detected.

Identity management

Microsoft is making a big push to get rid of passwords and enable multi-factor authentication, biometric authentication and other techniques to keep users accounts safe from attack. These changes include:

  • Remote Desktop with biometrics. If you have Azure Active Directory and Active Directory users that use Windows Hello for Business, 1903 now allows biometric options to authenticate a user to a remote desktop session. This will also be helpful to protect Remote Desktop servers from credential cracking attacks.
  • Windows Hello now has a FIDO2-certified authenticator. This enables passwordless logins for websites that support FIDO2, such as a Microsoft account and Azure Active Directory.

Security baselines

Microsoft has posted  the security baseline documents for 1903 and has included changes and recommendations specific to the 1903 release. In particular, they recommend “Enabling the new ‘Enable svchost.exe mitigation options’ policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically generated code is disallowed.”

As noted in the post, carefully review this setting as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins. Microsoft has also released a preliminary Intune-based security baseline.


Deployment of Windows 10 1903 can be done in many ways. You can obtain it from Windows update once your machine is deemed worthy of the update. Microsoft monitors for issues and throttles the updates back on machines that can’t handle the update without vendor fixes. You can monitor for these blocking issues on the Windows release health dashboard site.

You can also deploy the update via WSUS, SCCM, and for new deployments using AutoPilot. You may want to review your deployment strategies and jump over any Windows 10 feature releases that you haven’t deployed and start testing the 1903 release now. The security enhancements and Windows update changes make this a very attractive release for those evaluating versions of Windows 10 to deploy.

Windows 10 1809

The October 2018 release of Windows 10, version 1809, will be what many enterprises will consider their Windows 10 version of choice for several years. The reason? It marks a big change in the patching cadence of Windows 10 as well as updating it.

Changes in .NET patching

Starting with the 1809 version, the .NET patching component has been pulled out of the cumulative Windows 10 update and will now be offered as a separate release similar to how Windows 7 releases .NET patches. If you have a business application that interacts unfavorably with patching, you can now apply the main cumulative update ensuring that you are patched for all the other security issues and hold back on the .NET updating should you need to work with your vendors to ensure compatibility.

Patching cadence changes

Also starting with the 1809 version, Microsoft is changing the cadence for patching for Enterprise and Education customers. As noted in its Microsoft 365 blog, the company is making a major change in how feature releases will be supported for these two versions of Windows 10. As stated on the blog, the cadence change allows an organization to choose the fall release of a feature update and skip two years of feature releases and still be fully supported. As stated in the blog:

All currently supported feature updates of Windows 10 Enterprise and Education editions (versions 1607, 1703, 1709, and 1803) will be supported for 30 months from their original release date. This will give customers on those versions more time for change management as they move to a faster update cycle.

All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of September (starting with 1809) will be supported for 30 months from their release date. This will give customers longer deployment cycles the time they need to plan, test and deploy.

All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of March (starting with 1903) will continue to be supported for 18 months from their release date. This maintains the semi-annual update cadence as our north star and retains the option for customers that want to update twice a year.

All feature releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (this applies to feature updates targeting both March and September).

If you are licensed for Enterprise or Education versions, choosing the fall release will give a firm a 30-month support window from when it is released. Thus, you can deploy the 1809 version and not deploy another feature release until October 2020 and be fully supported and receive security/quality updates that entire time. Spring feature releases will only receive an 18-month support window, so I predict that most Enterprises and Educational institutions will drop into this 30-month cadence and installation routine.

Windows 10 Professional and Home versions will have an 18-month support window for each spring and fall release. With the Professional version that allows for the easy deferral of the feature release, enterprises can then wait longer than a year between each release.

Windows Defender ATP improvements

If your firm has Windows Enterprise E5 or Microsoft 365 E5 subscription, you now have access to a Threat Analytics dashboard that lists recent attacks and risks.

windows 1809 threat analytics dashboard Microsoft

Defender Security Center Threat Analytics dashboard

This console provides updated information about recent threats and security incidents that target the Windows operating system. The threat dashboard provides guidance in mitigating and defending against the attacks.

Microsoft has also increased reporting in its cloud-based Microsoft Secure Score Dashboard. This is included in Windows 10 Enterprise E5 and Microsoft 365 E5 subscription and allows you to track the status of the antivirus application, operating system security updates, firewall, and other controls. On Windows 10, it drills into the security settings you haven’t enabled that would better protect your system from attacks and threats. In the sample below, the computer system scanned is missing Application Guard, Credential Guard and BitLocker as three protection mechanisms that could be enabled that would immediately increase the threat protection on the platform.

windows defender security center Microsoft

Microsoft Secure Score Dashboard

The console gives an overview of each Windows Enterprise 5 license and its risk level. This is not available to users of Windows Enterprise E3 or Microsoft 365 E3.

Windows Security Center

The Windows Defender Security Center has been renamed to merely Windows Security Center to better identify that it’s the main location for security information. Ransomware protection first introduced in 1709 has been simplified to make it easier to add blocked applications to the interface. Click “Allow an app” through “Controlled folder access.” After the prompt, click the + button and choose “Recently blocked apps” to find the application that has been blocked by the protection. You can then build in an exclusion and add them to the allowed list.

Because time syncing is so key to both authentication as well as being a requirement for obtaining updates, the Windows Time service is now monitored for being in sync with the proper time. Should the system sense that the time sync service is disabled, you will get a prompt to turn the service back on.

A new security providers section exposes all the antivirus, firewall and web protection software that is running on your system. In 1809, Windows 10 requires antivirus to run as a protected process to register. Any antivirus program that has not yet implemented the protected process methodology will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.

Windows Defender Firewall

The firewall in Windows 10 now supports Windows Subsystem for Linux processes. If you are hosting Linux in virtual machines, you can add exceptions in the firewall for Linux processes such as SSH or a web server like Nginx.

Windows Edge

The default browser for Windows 10 now includes more group policy settings. As noted, the new policies let you enable/disable full-screen mode, printing, favorites bar, or saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions.

BitLocker enhancements

Changes have been made to allow BitLocker to be enabled on devices that don’t pass the Hardware Security Test Interface (HSTI). You can also deliver BitLocker policy to AutoPilot devices during Out of box experience process.

Windows Defender Application Guard improvements

If the device supports the settings, Windows Defender Application Guard settings can now be set in the Windows Security interface rather than merely through registry keys. The requirements to enable Application Guard to include having the hardware support Second Level Address Translation (SLAT) and either VT-x (Intel) or AMD-V virtualization extensions for virtualization-based security (VBS).

The new user interface allows end users to review settings their system administrator has made so they understand the behavior that they are seeing. The four settings that can be configured for Application Guard in the Windows Security app are Save data, Copy and paste, Print files and Advanced graphics. These settings impact as follows:

When you browse in Application Guard for Microsoft Edge, certain actions can be disabled. If save data is disabled, users are blocked from saving data while browsing using Application Guard for Microsoft Edge. Turning off copy-and-paste blocks the ability to copy and paste to and from the isolated browser. Disabling print files blocks the ability to print from Edge. Finally, disabling Advanced Graphics improves video and graphics performance with Hyper-V virtualization technology.

To enable these settings, open Windows Security and click on the App & browser control icon. Then click on the “Change Application Guard settings” link under the Isolated browsing section and make the adjustments. Then reboot the computer.

All these features strengthen the security of the Windows operating system. For even more security, configure dedicated workstations or virtual machines with Privileged Access Workstations combined with Azure AD Privileged Identity Management to access sensitive premises and cloud assets.

While 1809 doesn’t bring major changes in security, it is once again an incremental feature release that provides the enterprise to make it that much harder for attackers to infiltrate systems.

Windows 10 1803

This edition was slated to be released in March 2018. Due to quality and release issues including reported blue screens of death in some of the final testing releases, the feature release date was postponed to April 30. It is encouraging to see that Microsoft is putting an emphasis on quality and not just depending on shipping the feature update as a key milestone.

For best results, install your video driver and motherboard updates before installing any feature update. It’s also wise to reach out to your vendors, specifically for any third-party security software you depend on. Many have security software releases ready to go as Windows 1803 is released. Others might need time to revise their software to work with the new edition.

Windows 1803 is deemed to be in semi-annual targeted release. Enterprises should test and confirm that the update is acceptable to the business. In a few months when Microsoft declares the software is “semi-annual channel,” it’s deemed to be ready for businesses to fully deploy and for broader release. When Microsoft announces that release date, it will be re-released to the Windows Software Update Services channel and other enterprise patching platforms to allow for broader release.

The next feature release is expected in the September time frame. Windows is also aligning its feature release timetable with Office 365 releases. Even though there are only six months between feature releases, Microsoft supports each individual release for a reasonable about of time. Normally, Microsoft supports a Windows 10 edition with quality (security) updates for 18 months. Due to changes in Office, it added six months of support to 1607, 1703, and 1709 versions. Thus, you can choose to skip one version and jump over to the next in your deployment methodology.

Here are just a few reasons that you might want to deploy 1803 sooner versus later:

Privacy features

The European Union EU) is putting into place new rules to ensure privacy for EU citizens in the form of General Data Protection Regulations (GDPR). While not a requirement of GDPR, 1803 exposes what Microsoft is collecting from your system regarding telemetry.

Microsoft uses telemetry to track what features you use, the success or failure of updates, and various other settings. Enterprises in sensitive industries are often concerned that no information can be shared for any reason. Before the release of 1803, if you wanted to block all telemetry and still receive Windows updates, you needed to upgrade to the Windows Enterprise version to block telemetry and still receive updates.

To use and view the new Diagnostic Data Viewer you have to enable it in Settings. Then go to Privacy then go to Diagnostics & Feedback. Then click “Diagnostic Data Viewer” to download the tool from the Windows store.

WIndows 10 1803 Susan Bradley

Diagnostic Data Viewer is downloadable from the Windows Store

You can now launch and review what is being sent to Microsoft. The data is geared toward developers, so you might find that the details are a bit elusive. You can’t make sense of many of the items being tracked unless you understand the details of the operating system. However, it’s a good sign of good faith going forward that these items are now being exposed and can the examined by third-party reviewers to help us all understand what is being tracked and sent to Microsoft.

win 10 privacy fig 2 Susan Bradley

With Diagnostic Data Viewer, you can select what data goes to Microsoft.

Of related interest is the online privacy center where you can log in and review what Microsoft is collecting online regarding your browsing history and Cortana use. Review this site to determine what is currently being captured from your systems. Once there you can also remove data that was sent to Microsoft.

Windows update notifications

Microsoft is making small changes to Windows update notifications so that it is much more obvious that an update is going to take place and reboot your system. It has also added settings to assist with installing. When your computer is on, Windows Update will keep an inactive computer from going to sleep for two hours when installing an update.

Windows update changes

Administrators get more group policy and registry adjustments to better throttle Windows update bandwidth in a network setting. New features are located under Administrative Templates > Windows Components > Delivery Optimization. These new controls allow you to adjust bandwidth used by foreground downloads.

The amount of bandwidth can now be limited for both Windows Update and Microsoft Store updates. Previously, you could only limit the download bandwidth. Now you can specify Maximum Foreground Download Bandwidth (percentage) or Maximum Background Download Bandwidth (percentage). The process of installing feature updates has been designed to be faster to allow your machine to get back to functional access after the feature update has been triggered.

Administrators have been given the ability to customize the roll-back window. Before it was a set at 10 days that the system kept your old version, now the administrator has dism commands to customize the number of days the system will keep the prior version.

The following commands can be used to customize the roll-back window:

DISM /Online /Initiate-OSUninstall

Initiates an OS uninstall to take the computer back to the previous installation of windows.

DISM /Online /Remove-OSUninstall

Removes the OS uninstall capability from the computer.

DISM /Online /Get-OSUninstallWindow

Displays the number of days after upgrade during which uninstall can be performed.

DISM /Online /Set-OSUninstallWindow

Sets the number of days after upgrade during which uninstall can be performed.

Windows Hello

Windows Hello is making significant investments in changes to password and password management. First, it supports FIDO 2.0 authentication for Azure AD-joined Windows 10 devices and has increased options and features for support for shared devices. Windows 10 S mode (more on this later) is taking passwords to the next level by placing the authentication process into your mobile device.

The Microsoft Authenticator app is available for Android and iPhone and can be the authentication software used to log in. It replaces the traditional password authentication process. The process to prompt you through setting up Windows Hello’s alternative password techniques is easier as well. You can now start the process from the main log-in screen and can choose Windows Hello Face, Fingerprint or PIN options.

Deployment and password options

Microsoft is encouraging original equipment manufacturers to use AutoPilot to deploy and provision computers in a secure fashion for enterprises. Surface, Lenovo, and Dell currently support AutoPilot, and in the coming months Microsoft expects support from more vendors including HP, Toshiba, Panasonic, and Fujitsu. Combined with Intune, AutoPilot ensures the machine is locked during the setup process and delivered to the end-user in a secure deployment fashion.

For standalone computers, Windows 10 1803 now allows setting up security questions to make it easier to reset a local account that has a forgotten password.

Windows Defender renamed to Windows Security

Microsoft has renamed and slightly redesigned Windows Defender and is now calling it Windows Security. Virus and threat, account protections, and firewall and network protections; app and browser control; device security; device performance; and health and family options are now subsets of the Security section. Controlled folder access, added in 1709, has moved to the Ransomware protection section.

Windows Security now shares status between Microsoft 365 services and interoperates with Windows Defender Advanced Threat Protection, Microsoft’s cloud-based forensic analysis tool. Windows Defender Exploit Guard includes virtualization (VBS) and Hypervisor-protected code integrity (HVCI). Windows Defender Application Guard has added support for Edge and now can be enabled on Windows Pro, and not just the previously supported Enterprise version. Application Guard has to be enabled using Intune, Group policy or Powershell in Enterprise, but it can be enabled for standalone computers.

Edge browser updates

The Edge browser now allows extensions when the browser is used in Private mode. In addition, Windows Defender Application Guard is now available for Edge and Internet Explorer for Pro versions with the new release of 1803. You can identify which sites are trusted and if a user surfs to an untrusted website through Microsoft Edge or Internet Explorer.

Microsoft Edge will open the site in an isolated Hyper-V-enabled container. This is separate from the host operating system. If the untrusted site is malicious, then the host PC is protected. The isolated container is then anonymous, so an attacker can’t get to your employee’s enterprise credentials. Enabling Application Guard requires hardware that supports virtualization. Then go into the Control Panel, Programs and Features and turn Features on. Click to install Windows Defender Application Guard feature. In 1803 this major protection is now included in the pro SKU and is no longer limited to the Enterprise version.

Ransomware protection

First introduced in 1709, Controlled Folder Access, which protects local folders most often attacked by ransomware, has been moved to its own location in the Windows Security section. If you subscribe to Office 365, additional ransomware protections and detections have been included. If you are a personal subscriber or Home subscriber, Ransomware Detection now notifies you when the OneDrive files have been encrypted.

Kiosk mode

Often in Enterprises, you want to deploy what is termed “kiosk mode.” The deployment will be a locked down browser with a minimum amount of application support. With the release of 1803, Intune is now the preferred methodology to deploy a Windows 10 system in kiosk mode. As noted by Microsoft, the Kiosk Browser can be deployed from the Microsoft Store. Once deployed, you can configure a start URL, allowed URLs, and enable/disable navigation buttons through the deployment.

Windows S mode

The biggest change, and largest potential security gain, is the introduction of Windows S mode. It has the potential for a lock-down deployment methodology similar to how mobile phones can only install appls from the mobile phone vendor’s store. Applications are Microsoft-verified for security and performance and can only be deployed from the Microsoft store.

Security baseline draft released

Finally, Microsoft has released a draft of the recommended Security baseline. The differences between the draft for 1803 and the released baseline for 1709 include:

  1. Two scripts to apply settings to local policy: one for domain-joined systems and one that removes the prohibitions on remote access for local accounts, which is particularly helpful for non-domain-joined systems, and for remote administration using Local Administrator Password Solution (LAPS)-managed accounts.
  2. Increased alignment with the Advanced Auditing recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document.
  3. Updated Windows Defender Exploit Guard Exploit Protection settings (a separate EP.xml file).
  4. New Windows Defender Exploit Guard Attack Surface Reduction (ASR) mitigations.
  5. Removal of numerous settings that no longer provide mitigations against contemporary security threats. The GPO differences are listed in a spreadsheet in the package’s Documentation folder.

Again, your organizations should upgrade to the 1803 release once it has tested and verified compatibility and checked with your vendors for compatibility. It’s expected to be declared semi-annual channel and thus ready for business in three to four months.

Windows 10 1709

The Windows 10 Fall Creators Edition release is, in my opinion, is the first release where Microsoft is vastly increasing and acknowledging the impact of ransomware. Key security features included in the 1709 release give IT professionals the ability to provide additional means to prevent and defend against ransomware. Here are the edition’s key features:

Window Defender Exploit Guard

Window Defender Exploit Guard is the name of four different feature sets that help to block and defend from attacks. The four features of Exploit Guard include Exploit Protection, Attack Surface Reduction tools, Network Protection, and Controlled Folder Access. Exploit Protection is the only feature that works if you use a third-party antivirus tool. The other three features require Windows Defender and will not work if you use third-party antivirus software. This prerequisite is unlikely to change due to the reliance on Windows Defender to provide the needed API and infrastructure to support the features.

Exploit Protection

This is the only one of the four Exploit Guard technologies that does not require Windows Defender to be your primary antivirus. Exploit Protection can be controlled via group policy or PowerShell. An additional cloud-based logging service called Windows Defender Advanced Threat Protection provides forensic tracking evidence of threats and attacks can be used to better track and investigate Exploit Guard events. It is not mandatory to enable this technology.

To enable Exploit Protection, begin by deploying the technology on test machines before deploying widely. Open Settings, go to Update and Security, open the Windows Defender app, and then open the Windows Defender Security Center. Then go into App and Browser Control and scroll down to Exploit Protection. Open Exploit Protection Settings.

By default, Windows 10 has the following settings:

  • Control Flow Guard (CFG) (on by default) is a mitigation that prevents redirecting control flow to an unexpected
  • Data Execution Prevention (DEP) (on by default) is a security feature that was introduced in Vista and later platforms. The feature helps to prevent damage to your computer from viruses and other security threats. DEP protects your computer by monitoring programs to make sure they use system memory safely. When DEP senses malware, it might trigger a blue screen of death to protect the operating system.
  • Force Randomization for Images (Mandatory ASLR) (off by default) is a technique to evade attackers by randomizing where the position of processes will be in memory. Address space layout randomization (ASLR) places address space targets in unpredictable locations. If an attacker attempts to launch an exploit, the target application will crash (blue screen), therefore stopping the attack.
  • Randomize Memory Allocations (Bottom-up ASLR) (on by default) enables bottom-up allocations (VirtualAlloc() VirtualAllocEx()) to be randomized. Attacks that use bypassed ASLR and DEP on Adobe Reader are prevented with this setting.
  • Validate Exception Chains (SEHOP) (on by default) prevents an attacker from using the Structured Exception Handler (SEH) overwrite exploitation technique. Since first being published in September 2003, this attack has often been in many hackers’ arsenal.
  • Validate Heap Integrity (on by default) protects against memory corruption attacks.

You can set both system settings and program settings and then export them in an XML file to then deploy them to other computers via PowerShell.

Attack Surface Reduction

Attack Surface Reduction is a new set of tools that block primarily Office, Java, and other zero-day-type attacks. With the addition of a Windows E5 license and Windows Advanced Threat Protection, you will receive a cloud-based alerting system when these rules are triggered. However, it’s not mandatory to have the E5 license to manage and defend systems. This is one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.    

To enable these protections, you can use group policy, registry keys, or mobile device management. To enable via group policy, go to Computer Configuration in the Group Policy Management Editor, then Policies, then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction. Double-click the Configure Attack surface reduction rules setting and set the option to Enabled. To enable Attack Surface Reduction using PowerShell, enter Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled.

Now you need to determine what you plan on blocking. It is recommended to begin in audit mode to evaluate the impact on your network and devices. The values you can set to enable Attack Surface Reduction are:

  • Block mode = 1
  • Disabled = 0
  • Audit mode = 2

Once you have determined that the protection will not impact productivity, you can set the value to Block Mode to fully enable the protections. Enter each rule on a new line as a name-value pair with a GUID code and then the value of 1 to enforce blocking, 0 to disable the rule, or 2 to set the rule to audit. When beginning to evaluate rules, set the value to 2 and monitor the results in the event log.

  • Name column: Enter a valid ASR rule ID or GUID
  • Value column: Enter the status ID that relates to state you want to specify for the associated rule

The following rules can be enabled to better protect your computer and your network.

Rule: Block executable content from email client and webmail. ASR Rule ID or GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550

  • Blocks executable files (such as .exe, .dll, or .scr)
  • Blocks script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
  • Block script archive files

Rule: Block Office applications from creating child processes. ASR Rule ID or GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

This rule blocks Microsoft Office applications from creating child content. This is typical malware behavior, especially with macro-based attacks.

Rule: Block Office applications from creating executable content. ASR Rule ID or GUID: 3B576869-A4EC-4529-8536-B80A7769E899.

This rule blocks Office applications from creating executable content. This is typical malware behavior. Attacks often use Windows Scripting Host (.wsh files) to run scripts.

Rule: Block Office applications from injecting code into other processes. ASR Rule ID or GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84.

Office applications such as Word, Excel, and PowerPoint will not be able to inject code into other processes. Malware typically uses this to avoid antivirus detection.

Rule: Block JavaScript or VBScript from launching downloaded executable content. ASR Rule ID or GUID: D3E037E1-3EB8-44C8-A917-57927947596D

This rule blocks the use of JavaScript and VBScript to launch applications, thus preventing malicious use of scripts to launch malware.

Rule: Block execution of potentially obfuscated scripts. ASR Rule ID or GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC

This rule prevents scripts that appear to be obfuscated from running. It uses the AntiMalware Scan Interface (AMSI) to determine if a script is malicious.

Rule: Block Win32 API calls from Office macro. ASR Rule ID or GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

Malware often uses macro code Office files to import and load Win32 DLLs, which then use API calls to further infect the system.  

Network Protection

Network Protection is designed to protect your computer and your network from domains that may host phishing scams, exploits, and other malicious content on the internet. It can be enabled either via PowerShell or Group Policy. In the Group Policy Management Editor go to Computer Configuration, then Policies, then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection. Double-click the Prevent Users and Apps from Accessing Dangerous Websites setting and set the option to Enabled.

To enable using PowerShell, enter Set-MpPreference -EnableNetworkProtection Enabled. To enable audit mode type in Set-MpPreference -EnableNetworkProtection AuditMode. To fully enable protection, you need to reboot the computer.

Once enabled you can test the feature by going to this website. The site should be blocked and you should see a notification indicating the site’s threat status in the system tray. The system now relies on Microsoft SmartScreen technology to block web sites. If a false positive is found, you must submit a request to whitelist a website using Microsoft’s submission page.

This is one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.        

Controlled Folder Access

Controlled Folder Access protection is designed to prevent and defend from typical ransomware attacks. It can be enabled using Windows Defender Security Center app via Group Policy, PowerShell or configuration service providers for mobile device management. All applications that access any executable file (including .exe, .scr, and .dll files) use the Windows Defender Antivirus interface to determine if the application is safe. If the application is malicious, it is blocked from making changes to files in protected folders.

Certain folders are protected by default and then the administrator can add folders they deem need additional protection. To enable controlled folder access via PowerShell type in the following command: Set-MpPreference -EnableControlledFolderAccess Enabled. To enable controlled folder access via group policy, Group Policy Management Editor, go to Computer Configuration, click Policies, then Administrative Templates, and then expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access. Double-click the Configure Controlled Folder Access setting and set the option to Enabled.

By default, the following folders are enabled for protection:

  • C:UsersDocuments
  • C:UsersPublicDocuments
  • C:UsersPictures
  • C:UsersPublicPictures
  • C:UsersVideos
  • C:UsersPublicVideos
  • C:UsersMusic
  • C:UsersPublicMusic
  • C:UsersDesktop
  • C:UsersPublicDesktop
  • C:UsersFavorites

You can then manually add folders as you see fit. If you have an application that is blocked by Controlled Folder Access, you can allow an application. To allow an override, go into Group Policy Management Editor and then go to Computer Configuration. Click on Policies and then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access. Double-click the Configure Allowed Applications setting and set the option to Enabled. Click Show and enter each app. To allow an application via PowerShell, enter Add-MpPreference -ControlledFolderAccessAllowedApplications ““. You will want to test the settings before widespread deployment to note what adjustments you need to make for full application compatibility.

This is the final one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.        

Windows Security Baselines

Windows Security Baseline configurations have been updated to support Windows 10 1709. Security baselines are a set of recommended configurations to best secure systems in enterprises. Organizations can use the Security Compliance Toolkit to review recommended group policy settings. Microsoft certifies that they test updates against these configurations.

Windows Defender Advanced Threat Protection (ATP)

Windows Defender ATP is a cloud-based console that allows for forensic tracking of threats and attacks. It is enabled once you purchase a Windows E5 or Microsoft Office 365 E5 subscription. Once you purchase the subscription, you can enroll workstations via group policy or registry keys, which then upload telemetry to a cloud service. The service monitors for lateral attacks, ransomware, and other typical attacks. Release 1709 increases the analytics and security stack integration for better reports and integration.

On February 12, Microsoft announced that it is offering Windows Defender ATP down-level support for Windows 7 SP1 and Windows 8.1. In a blog post, the company said it is offering the service in recognition that many companies have a mix of Windows versions in place as they transition to Windows 10. 

Windows Defender Application Guard

Application Guard ensures that enterprises can control Microsoft’s new Edge browser to best block and defend workstations from attacks. Application Guard must be deployed on 64-bit machines, and the machines must have Extended Page Tables, also called Second Level Address Translation (SLAT), as well as either Intel VT-x extensions or AMD-V. Windows 10 Enterprise version is also mandated.

Application guard can be controlled via group policy, Intune, or System Center. Application Guard can be deployed via features or PowerShell using Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard. Once enabled, you can limit websites to block outside content in Internet Explorer and Edge, limit printing, the use of clipboard, and isolate the browser to only use local network resources.

Windows Defender Device Guard

Device Guard is a new name for software restriction policies. Unless an application is trusted, it cannot be run on the system. Rather than the current model of software that we use now, where we trust software by default, Device Guard assumes all software is suspect and only allows software you trust to run on your system. Like Application guard, the requirements include virtualization technology.

Windows Information Protection (WIP)

WIP now works with Office and Azure Information Protection. WIP used to be called Enterprise Data Protection. Setting a WIP policy ensures that files downloaded from an Azure location will be encrypted. You can set a listing of apps that are allowed to access this protected data.


The minimum PIN length for BitLocker was changed in version 1709 from six to four, with six as the default.

Windows Hello

Microsoft’s facial authentication system has been improved in version 1709 to use proximity settings to allow multifactor authentication in more sensitive deployments.

Windows Update for Business

The group policy settings that allow you to better control updating in Windows 10 now include the ability to control the use of Insider Edition on systems in your network. This allows you to enroll business systems in Microsoft’s beta testing process. Organizations may wish to opt into this program to better test and prepare for feature releases.

Security features prior to version 1709

Security changes and enhancements introduced in previous editions include the following:

Windows Defender Advanced Threat Protection

Windows 10 1703 introduced the ability to use the threat intelligence API to build custom alerts. Improvements were made in operating system memory and kernel sensors to better detect attacks deep into the operating system. It also allowed for six months of historical detection to better review for patterns. Antivirus detection and Device Guard events were placed in the Threat Protection portal. Windows 10 1607 originally introduced the online cloud forensic tool to the Windows 10 platform for the first time.

Windows Defender Antivirus

This was renamed from Windows Defender in Version 1703 and was integrated into the Windows Defender Security Center Application. In addition, updated behavior monitoring and real-time protection was enhanced. In Windows 10 1607, PowerShell cmdlets were introduced to configure options and run scans.

Windows Defender Credential Guard

Usernames and passwords are stolen on a regular basis to gain access into systems. An attacker gains access into one compromised system and then using attacks such as “Pass the hash” or “Pass the ticket” can harvest credentials saved in systems to perform lateral movement attacks across a network. Credential guard protects NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials from attackers. However, be aware that single sign-on applications may not work if credential guard is enabled.

Windows 10 1703 increased the hardware requirement to deploy Device Guard and Credential Guard to better protect from vulnerabilities in UEFI runtime scenarios:

  • Support for virtualization-based security (required)
  • Secure boot (required)
  • TPM 2.0 either discrete or firmware (preferred – provides binding to hardware)
  • UEFI lock (preferred – prevents attacker from disabling with a simple registry key change)

If you want to enable credential guard on virtual machines where the risk of lateral movement may be higher, additional hardware requirements include:

  • 64-bit CPU
  • CPU virtualization extensions plus extended page tables
  • Windows Hypervisor

Windows 10 1511 introduced the ability to enable Credential Guard by using the registry to allow you to disable Credential Guard remotely.

Group Policy Security

Windows 10 1703 introduced a new security policy specifically to make the username more private during sign in. Interactive logon: Don’t display username at sign-in allows for more granular control over the sign in process.

Windows Hello for Business

Windows 10 1703 introduced the ability to reset a forgotten PIN without losing profile data. Windows 10 1607 combined the technologies of Microsoft Passport and Windows Hello.

Windows Update for Business

Feature update installation can be deferred by 365 days, increased from the prior 180 days allowed.

Virtual Private Network (VPN)

Windows 10 1607 allowed the VPN client to integrate with the Conditional Access Framework and can integrate with the Windows Information Protection policy for more security.


Windows 10 1507 introduced a new parameter that allows you to choose if executable and DLL rules will apply to non-interactive processes.


BitLocker received new features in Windows 10 1511 including enhancements in the XTS-AES encryption algorithm to better protect from attacks on encryption that utilize manipulating cipher texts. Windows 10 1507 introduced the ability to encrypt and recover a device with Azure Active Directory.

Windows 10 auditing

Windows 10 Version 1507 added more auditing events and increased fields to better track processes and events.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author