With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.
Windows 10 1909
Microsoft’s 1909 version of Windows 10 will have the fewest changes from prior versions. Several feature releases haven’t been as uneventful as they could have been, so 1909 is making a drastic change in how it rolls out.
1909 offered to unmanaged PCs, not pushed
The biggest change in how 1909 is released is in the unmanaged personal computer experience. If your computer is not behind Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) and thus is managed by Windows Update, the 1909 update will be offered when you check for updates but won’t install.
This new “seeker” experience, noted in the Windows Experience blog, gives more control over the updating process. The install will be quick if you are on the 1903 release already and feels less like a service pack and more like a normal monthly patch process. If you have already deployed 1903, moving over to 1909 will be a trivial testing process.
1909 shares the same security update code base as 1903
As you test and patch 1909, you will notice that the security updates that apply to 1903 are labelled with the same knowledgebase numbers as those applied to 1909. These updates share exactly the same code base. For example, KB4524570, the November 12 security update for Windows 10 1903, also patches Windows 10 1909. The title, OS Builds 18362.476 and 18363.476, and the notation “Applies to: Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909,” clearly shows how the update installs on both platforms.
Enterprises or businesses that use corporate patching systems such as WSUS should look for an “Enablement package,” KB4517245. It turns on new features in Windows 10, version 1909, that were already included in the latest monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are inactive. If you’ve already installed the October updates, you have 1909, just not all the features.
Similar to earlier versions of Windows 10, ensuring that you are up to date on BIOS, driver and other hardware related updates is key to successful deployment of feature releases. Also review the Windows health release dashboard for known issues and blocking items. For example, Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. KB4529832 notes that unsupported Realtek Bluetooth radios will block a device from receiving 1909. You will need to update to driver version 1.5.1012 or later to remove this safeguard hold.
30-month support window for Enterprise
If you are running the Enterprise version of Windows 10, the 1909 version is supported for 30 months. If you want to skip the next two years of feature releases, you can.
Windows 10 1909 allows users to customize their experience in Kiosk mode. You now have the option to allow a user to switch to various languages while keeping a block on accessing networking settings.
Microsoft BitLocker key rolling
The Key-rolling or Key-rotation feature enables secure rolling of recovery passwords on devices connected to Azure Active Directory (AAD) and Microsoft Mobile Device Management (MDM) on demand from Microsoft Intune/MDM tools or when recovery password is used to unlock the BitLocker-protected drive. This feature helps prevent accidental recovery password disclosure during manual BitLocker drive unlock by users.
Windows 10 Pro and Enterprise in S mode
The Windows 10 in S mode platform has the potential to provide much more security. Similar to the mobile phone platform where the vendor vets and approves applications before they can be installed, S mode allows applications to be deployed only from the Microsoft Store. With 1909 you can deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, then deploy them with MDM software such as Microsoft Intune.
Windows Defender Credential Guard supports ARM
Windows Defender Credential Guard is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices. More new devices use CPUs based on the RISC (reduced instruction set computer) architecture developed by Advanced RISC Machines (ARM) rather than AMD or Intel. The old Surface RT device, for example, was based on the ARM architecture. Microsoft’s more recent Surface Pro X device is also based on the ARM processor.
Windows Sandbox supports multiple OS versions
Windows Sandbox, originally was released in Windows 10, Version 1903, is an isolated desktop environment where you can install software and any malicious activity can’t impact the device. In 1909, Microsoft has included support for mixed-version container scenarios, allowing Sandbox to be run in a different version of Windows 10 than the host operating system. You can now test on different versions of Windows.
Windows 10 1909 brings the fewest changes to Windows 10. That, quite honestly, is a good thing. Past releases haven’t been without issues. Having a quiet release may be just the thing that all IT administrators need to standardize on Windows 10 1909 sooner rather than later.
Windows 10 1903
Below is a summary of all the new security features and options in Windows 10 version 1903, which features Windows Defender Advanced Threat Protection (ATP) enhancements, more options for enterprises to defer updates, and Windows Sandbox, which provides a safe area to run untrusted software. Bookmark this article, because we will be adding new security features as Microsoft releases future Windows updates.
Now that Microsoft has officially released Windows 10 1903, there are key security enhancements to look for and that I think are exciting. Here are my top picks for the 1903 release.
Changes to Windows update
The changes to Windows update and Windows update for business include key abilities to control updates. You can pause updates for all versions of Windows, including Home. Home version users may pause any updates for seven days. Pro version users continue to have the option to defer feature releases up to 365 days. Windows provides more visual clues that an update is pending on reboot.
A small dot next to the power icon is a new visual clue that indicates an update will install when your computer reboots. Active hours will be more responsive to your actual working hours and not reboot the computer while you are using it.
There are changes in Windows update for Business. The terms of “Semi Annual Channel” and “Semi Annual Targeted” have been removed. No longer will there be a designation that Windows 10 1903 is ready for business. Instead, you determine your deferral period from when the release came out.
You will need to revisit your Windows update for business policies as a result and set a deferral to a point in time that you deem that you will be ready for Windows 10 1903. My recommendation is to set a deferral period to an extreme point in the future: Select 365 days for your deferral. Then when you are ready to deploy 1903, you can reset this value to 0 to trigger the installs. You will want to review your Windows Update for Business settings for the new changes in 1903.
Also new in 1903 is the fact that you no longer are mandated to use a diagnostic data level of Basic or higher to enforce configured policies in Windows update for Business. If your organization is privacy sensitive, you no longer have to ensure that you participate in diagnostics.
Microsoft is adding more protection to this version of Windows 10—specifically, the much anticipated Windows Sandbox feature. It allows you to run untrusted executables in an isolated environment on a desktop PC. When you close Windows sandbox, everything in it is erased so it’s clean the next time you use it.
Both Pro and Enterprise SKUs can benefit from this new feature. To use it, you must have the following:
- Windows 10 Pro or Enterprise Insider build 18305 or later (1903)
- AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4GB of RAM (8GB recommended)
- At least 1 GB of free disk space (SSD recommended)
- At least two CPU cores (four cores with hyperthreading recommended)
You need to enable Windows Sandbox in Windows Features. If your machine does not have virtualization support, the feature will be greyed out. Once you’ve enabled Windows Sandbox, you will need to reboot your computer.
Now you have a built in virtual machine that will allow you to test malicious links without impacting your computer or, better yet, your network.
It is similar to the virtual Windows XP that many of us used to migrate from XP to Windows 7 with one major difference: It does not persist after you shut the virtual machine down.
Microsoft Defender ATP changes
Microsoft Defender ATP licensees will find many changes in this edition. You’ll need a Windows Enterprise license and an E5 Windows or E5 Microsoft 365 license. New offerings include:
- Attack surface area reduction: You can now specify allow and deny lists for specific URLs and IP addresses.
- Tamper protection. When this setting is enabled, you – and attackers – won’t be able to disable defender antivirus.
- Emergency outbreak protection. If a zero-day event occurs, machine learning and advanced diagnostics will automatically update devices with new intelligence when a new outbreak has been detected.
Microsoft is making a big push to get rid of passwords and enable multi-factor authentication, biometric authentication and other techniques to keep users accounts safe from attack. These changes include:
- Remote Desktop with biometrics. If you have Azure Active Directory and Active Directory users that use Windows Hello for Business, 1903 now allows biometric options to authenticate a user to a remote desktop session. This will also be helpful to protect Remote Desktop servers from credential cracking attacks.
- Windows Hello now has a FIDO2-certified authenticator. This enables passwordless logins for websites that support FIDO2, such as a Microsoft account and Azure Active Directory.
Microsoft has posted the security baseline documents for 1903 and has included changes and recommendations specific to the 1903 release. In particular, they recommend “Enabling the new ‘Enable svchost.exe mitigation options’ policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically generated code is disallowed.”
As noted in the post, carefully review this setting as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins. Microsoft has also released a preliminary Intune-based security baseline.
Deployment of Windows 10 1903 can be done in many ways. You can obtain it from Windows update once your machine is deemed worthy of the update. Microsoft monitors for issues and throttles the updates back on machines that can’t handle the update without vendor fixes. You can monitor for these blocking issues on the Windows release health dashboard site.
You can also deploy the update via WSUS, SCCM, and for new deployments using AutoPilot. You may want to review your deployment strategies and jump over any Windows 10 feature releases that you haven’t deployed and start testing the 1903 release now. The security enhancements and Windows update changes make this a very attractive release for those evaluating versions of Windows 10 to deploy.
Windows 10 1809
The October 2018 release of Windows 10, version 1809, will be what many enterprises will consider their Windows 10 version of choice for several years. The reason? It marks a big change in the patching cadence of Windows 10 as well as updating it.
Changes in .NET patching
Starting with the 1809 version, the .NET patching component has been pulled out of the cumulative Windows 10 update and will now be offered as a separate release similar to how Windows 7 releases .NET patches. If you have a business application that interacts unfavorably with patching, you can now apply the main cumulative update ensuring that you are patched for all the other security issues and hold back on the .NET updating should you need to work with your vendors to ensure compatibility.
Patching cadence changes