With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.
Below is a summary of all the new security features and options in Windows 10 version 1903, which features Windows Defender Advanced Threat Protection (ATP) enhancements, more options for enterprises to defer updates, and Windows Sandbox, which provides a safe area to run untrusted software. Bookmark this article, because we will be adding new security features as Microsoft releases future Windows updates.
Windows 10 1903
Now that Microsoft has officially released Windows 10 1903, there are key security enhancements to look for and that I think are exciting. Here are my top picks for the 1903 release.
Changes to Windows update
The changes to Windows update and Windows update for business include key abilities to control updates. You can pause updates for all versions of Windows, including Home. Home version users may pause any updates for seven days. Pro version users continue to have the option to defer feature releases up to 365 days. Windows provides more visual clues that an update is pending on reboot.
A small dot next to the power icon is a new visual clue that indicates an update will install when your computer reboots. Active hours will be more responsive to your actual working hours and not reboot the computer while you are using it.
There are changes in Windows update for Business. The terms of “Semi Annual Channel” and “Semi Annual Targeted” have been removed. No longer will there be a designation that Windows 10 1903 is ready for business. Instead, you determine your deferral period from when the release came out.
You will need to revisit your Windows update for business policies as a result and set a deferral to a point in time that you deem that you will be ready for Windows 10 1903. My recommendation is to set a deferral period to an extreme point in the future: Select 365 days for your deferral. Then when you are ready to deploy 1903, you can reset this value to 0 to trigger the installs. You will want to review your Windows Update for Business settings for the new changes in 1903.
Also new in 1903 is the fact that you no longer are mandated to use a diagnostic data level of Basic or higher to enforce configured policies in Windows update for Business. If your organization is privacy sensitive, you no longer have to ensure that you participate in diagnostics.
Microsoft is adding more protection to this version of Windows 10—specifically, the much anticipated Windows Sandbox feature. It allows you to run untrusted executables in an isolated environment on a desktop PC. When you close Windows sandbox, everything in it is erased so it’s clean the next time you use it.
Both Pro and Enterprise SKUs can benefit from this new feature. To use it, you must have the following:
- Windows 10 Pro or Enterprise Insider build 18305 or later (1903)
- AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4GB of RAM (8GB recommended)
- At least 1 GB of free disk space (SSD recommended)
- At least two CPU cores (four cores with hyperthreading recommended)
You need to enable Windows Sandbox in Windows Features. If your machine does not have virtualization support, the feature will be greyed out. Once you’ve enabled Windows Sandbox, you will need to reboot your computer.
Now you have a built in virtual machine that will allow you to test malicious links without impacting your computer or, better yet, your network.
It is similar to the virtual Windows XP that many of us used to migrate from XP to Windows 7 with one major difference: It does not persist after you shut the virtual machine down.
Microsoft Defender ATP changes
Microsoft Defender ATP licensees will find many changes in this edition. You’ll need a Windows Enterprise license and an E5 Windows or E5 Microsoft 365 license. New offerings include:
- Attack surface area reduction: You can now specify allow and deny lists for specific URLs and IP addresses.
- Tamper protection. When this setting is enabled, you – and attackers – won’t be able to disable defender antivirus.
- Emergency outbreak protection. If a zero-day event occurs, machine learning and advanced diagnostics will automatically update devices with new intelligence when a new outbreak has been detected.
Microsoft is making a big push to get rid of passwords and enable multi-factor authentication, biometric authentication and other techniques to keep users accounts safe from attack. These changes include:
- Remote Desktop with biometrics. If you have Azure Active Directory and Active Directory users that use Windows Hello for Business, 1903 now allows biometric options to authenticate a user to a remote desktop session. This will also be helpful to protect Remote Desktop servers from credential cracking attacks.
- Windows Hello now has a FIDO2-certified authenticator. This enables passwordless logins for websites that support FIDO2, such as a Microsoft account and Azure Active Directory.
Microsoft has posted the security baseline documents for 1903 and has included changes and recommendations specific to the 1903 release. In particular, they recommend “Enabling the new ‘Enable svchost.exe mitigation options’ policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically generated code is disallowed.”
As noted in the post, carefully review this setting as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins. Microsoft has also released a preliminary Intune-based security baseline.
Deployment of Windows 10 1903 can be done in many ways. You can obtain it from Windows update once your machine is deemed worthy of the update. Microsoft monitors for issues and throttles the updates back on machines that can’t handle the update without vendor fixes. You can monitor for these blocking issues on the Windows release health dashboard site.
You can also deploy the update via WSUS, SCCM, and for new deployments using AutoPilot. You may want to review your deployment strategies and jump over any Windows 10 feature releases that you haven’t deployed and start testing the 1903 release now. The security enhancements and Windows update changes make this a very attractive release for those evaluating versions of Windows 10 to deploy.
Windows 10 1809
The October 2018 release of Windows 10, version 1809, will be what many enterprises will consider their Windows 10 version of choice for several years. The reason? It marks a big change in the patching cadence of Windows 10 as well as updating it.
Changes in .NET patching
Starting with the 1809 version, the .NET patching component has been pulled out of the cumulative Windows 10 update and will now be offered as a separate release similar to how Windows 7 releases .NET patches. If you have a business application that interacts unfavorably with patching, you can now apply the main cumulative update ensuring that you are patched for all the other security issues and hold back on the .NET updating should you need to work with your vendors to ensure compatibility.
Patching cadence changes
Also starting with the 1809 version, Microsoft is changing the cadence for patching for Enterprise and Education customers. As noted in its Microsoft 365 blog, the company is making a major change in how feature releases will be supported for these two versions of Windows 10. As stated on the blog, the cadence change allows an organization to choose the fall release of a feature update and skip two years of feature releases and still be fully supported. As stated in the blog:
All currently supported feature updates of Windows 10 Enterprise and Education editions (versions 1607, 1703, 1709, and 1803) will be supported for 30 months from their original release date. This will give customers on those versions more time for change management as they move to a faster update cycle.
All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of September (starting with 1809) will be supported for 30 months from their release date. This will give customers longer deployment cycles the time they need to plan, test and deploy.
All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of March (starting with 1903) will continue to be supported for 18 months from their release date. This maintains the semi-annual update cadence as our north star and retains the option for customers that want to update twice a year.
All feature releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (this applies to feature updates targeting both March and September).
If you are licensed for Enterprise or Education versions, choosing the fall release will give a firm a 30-month support window from when it is released. Thus, you can deploy the 1809 version and not deploy another feature release until October 2020 and be fully supported and receive security/quality updates that entire time. Spring feature releases will only receive an 18-month support window, so I predict that most Enterprises and Educational institutions will drop into this 30-month cadence and installation routine.
Windows 10 Professional and Home versions will have an 18-month support window for each spring and fall release. With the Professional version that allows for the easy deferral of the feature release, enterprises can then wait longer than a year between each release.
Windows Defender ATP improvements
If your firm has Windows Enterprise E5 or Microsoft 365 E5 subscription, you now have access to a Threat Analytics dashboard that lists recent attacks and risks.
This console provides updated information about recent threats and security incidents that target the Windows operating system. The threat dashboard provides guidance in mitigating and defending against the attacks.
Microsoft has also increased reporting in its cloud-based Microsoft Secure Score Dashboard. This is included in Windows 10 Enterprise E5 and Microsoft 365 E5 subscription and allows you to track the status of the antivirus application, operating system security updates, firewall, and other controls. On Windows 10, it drills into the security settings you haven’t enabled that would better protect your system from attacks and threats. In the sample below, the computer system scanned is missing Application Guard, Credential Guard and BitLocker as three protection mechanisms that could be enabled that would immediately increase the threat protection on the platform.
The console gives an overview of each Windows Enterprise 5 license and its risk level. This is not available to users of Windows Enterprise E3 or Microsoft 365 E3.
Windows Security Center
The Windows Defender Security Center has been renamed to merely Windows Security Center to better identify that it’s the main location for security information. Ransomware protection first introduced in 1709 has been simplified to make it easier to add blocked applications to the interface. Click “Allow an app” through “Controlled folder access.” After the prompt, click the + button and choose “Recently blocked apps” to find the application that has been blocked by the protection. You can then build in an exclusion and add them to the allowed list.
Because time syncing is so key to both authentication as well as being a requirement for obtaining updates, the Windows Time service is now monitored for being in sync with the proper time. Should the system sense that the time sync service is disabled, you will get a prompt to turn the service back on.
A new security providers section exposes all the antivirus, firewall and web protection software that is running on your system. In 1809, Windows 10 requires antivirus to run as a protected process to register. Any antivirus program that has not yet implemented the protected process methodology will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.
Windows Defender Firewall
The firewall in Windows 10 now supports Windows Subsystem for Linux processes. If you are hosting Linux in virtual machines, you can add exceptions in the firewall for Linux processes such as SSH or a web server like Nginx.
The default browser for Windows 10 now includes more group policy settings. As noted, the new policies let you enable/disable full-screen mode, printing, favorites bar, or saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions.