With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.
Below is a summary of all the new security features and options in Windows 10 version 1809, which features Windows Defender Advanced Threat Protection (ATP) enhancements, more options for enterprises to update and patch Windows, and other security improvements. Bookmark this article, because we will be adding new security features as Microsoft releases future Windows updates.
Windows 10 1809 security enhancements
The October 2018 release of Windows 10, version 1809, will be what many enterprises will consider their Windows 10 version of choice for several years. The reason? It marks a big change in the patching cadence of Windows 10 as well as updating it.
Changes in .NET patching
Starting with the 1809 version, the .NET patching component has been pulled out of the cumulative Windows 10 update and will now be offered as a separate release, similar to how Windows 7 releases .NET patches. If you have a business application that is sensitive to .NET updates, you can now apply the main cumulative update, ensuring that you are patched for all the other security issues, and hold back the .NET update until you have worked with your vendors to confirm compatibility.
Patching cadence changes
Also starting with the 1809 version, Microsoft is changing the patching cadence for Enterprise and Education customers. As noted in its Microsoft 365 blog, the company is making a major change in how feature releases will be supported for these two editions of Windows 10: an organization can choose the fall release of a feature update, skip two years of feature releases and still be fully supported. As stated in the blog:
All currently supported feature updates of Windows 10 Enterprise and Education editions (versions 1607, 1703, 1709, and 1803) will be supported for 30 months from their original release date. This will give customers on those versions more time for change management as they move to a faster update cycle.
All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of September (starting with 1809) will be supported for 30 months from their release date. This will give customers longer deployment cycles the time they need to plan, test and deploy.
All future feature updates of Windows 10 Enterprise and Education editions with a targeted release month of March (starting with 1903) will continue to be supported for 18 months from their release date. This maintains the semi-annual update cadence as our north star and retains the option for customers that want to update twice a year.
All feature releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (this applies to feature updates targeting both March and September).
If you are licensed for Enterprise or Education versions, choosing the fall release will give a firm a 30-month support window from when it is released. Thus, you can deploy the 1809 version and not deploy another feature release until October 2020 and be fully supported and receive security/quality updates that entire time. Spring feature releases will only receive an 18-month support window, so I predict that most Enterprises and Educational institutions will drop into this 30-month cadence and installation routine.
Windows 10 Professional and Home versions will have an 18-month support window for each spring and fall release. Because the Professional version allows feature releases to be deferred easily, enterprises can wait longer than a year between releases.
Windows Defender ATP improvements
If your firm has a Windows Enterprise E5 or Microsoft 365 E5 subscription, you now have access to a Threat Analytics dashboard that lists recent attacks and risks.
This console provides updated information about recent threats and security incidents that target the Windows operating system. The threat dashboard provides guidance in mitigating and defending against the attacks.
Microsoft has also increased reporting in its cloud-based Microsoft Secure Score Dashboard. This is included in Windows 10 Enterprise E5 and Microsoft 365 E5 subscriptions and allows you to track the status of the antivirus application, operating system security updates, firewall, and other controls. On Windows 10, it drills into the security settings you haven’t enabled that would better protect your system from attacks and threats. In the sample below, the scanned computer system is missing Application Guard, Credential Guard and BitLocker, three protection mechanisms that could be enabled and would immediately increase the threat protection on the platform.
The console gives an overview of each Windows Enterprise E5 license and its risk level. This is not available to users of Windows Enterprise E3 or Microsoft 365 E3.
Windows Security Center
The Windows Defender Security Center has been renamed to simply Windows Security Center to better identify it as the main location for security information. Ransomware protection, first introduced in 1709, has been simplified to make it easier to add blocked applications through the interface. Under “Controlled folder access,” click “Allow an app through Controlled folder access.” After the prompt, click the + button and choose “Recently blocked apps” to find the application that the protection has blocked. You can then add it to the allowed list.
Because accurate time is essential both to authentication and to obtaining updates, Windows Security now monitors the Windows Time service. If it detects that the time synchronization service is disabled, you will be prompted to turn the service back on.
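The same “recently blocked apps” review can be done from an elevated PowerShell prompt, which is useful when you want to audit what Controlled folder access blocked before allowing anything. This is an added example, not code from the article; it assumes Windows Defender Antivirus is the active engine, that blocks are logged as event 1123 (and audit-mode detections as 1124) in the Defender operational log, and that the event message carries a “Process Name:” line (the path to allow is a placeholder).

```powershell
# Added example: list applications blocked by Controlled folder access in the last
# 7 days, show the current allow list, then allow one reviewed application.
# Assumes an elevated prompt and Windows Defender Antivirus as the active engine.

# Event 1123 = Controlled folder access blocked a process; 1124 = audit-mode detection.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue   # no events in range is not an error

# Assumption: the event message contains a "Process Name: <path>" line.
$blocked = foreach ($e in $events) {
    if ($e.Message -match 'Process Name:\s*(?<path>[^\r\n]+)') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Process = $Matches.path.Trim()
            Audit   = ($e.Id -eq 1124)
        }
    }
}
$blocked | Sort-Object Time -Descending | Format-Table -AutoSize

# Applications already on the allow list
Write-Host 'Currently allowed applications:'
(Get-MpPreference).ControlledFolderAccessAllowedApplications

# Allow exactly one application after reviewing the list above.
# Placeholder path: replace with the full path reported in the event.
$appToAllow = 'C:\Program Files\ExampleVendor\ExampleApp.exe'
if (Test-Path -LiteralPath $appToAllow) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $appToAllow
    Write-Host "Allowed: $appToAllow"
} else {
    Write-Warning "Not found, nothing allowed: $appToAllow"
}
```

Allow entries are full paths, so an allowed binary that is later replaced at the same path inherits the exemption; review the list periodically with `Get-MpPreference`.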
A new security providers section exposes all the antivirus, firewall and web protection software that is running on your system. In 1809, Windows 10 requires antivirus to run as a protected process to register. Any antivirus program that has not yet implemented the protected process methodology will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products.
Windows Defender Firewall
The firewall in Windows 10 now supports Windows Subsystem for Linux processes. If you are hosting Linux in virtual machines, you can add exceptions in the firewall for Linux processes such as SSH or a web server like Nginx.
Microsoft Edge, the default browser for Windows 10, now has more group policy settings. The new policies let you enable or disable full-screen mode, printing, the favorites bar, and saving history. You can also prevent certificate error overrides; configure the New Tab page, Home button, and startup options; and manage extensions.
BitLocker can now be enabled on devices that don’t pass the Hardware Security Test Interface (HSTI). You can also deliver BitLocker policy to AutoPilot devices during the Out-of-box experience (OOBE) process.
Windows Defender Application Guard improvements
If the device supports the settings, Windows Defender Application Guard settings can now be set in the Windows Security interface rather than only through registry keys. The requirements to enable Application Guard include hardware support for Second Level Address Translation (SLAT) and either VT-x (Intel) or AMD-V virtualization extensions, which virtualization-based security (VBS) depends on.
The new user interface allows end users to review the settings their system administrator has made so they understand the behavior they are seeing. The four settings that can be configured for Application Guard in the Windows Security app are Save data, Copy and paste, Print files and Advanced graphics. These settings have the following effects:
When you browse in Application Guard for Microsoft Edge, certain actions can be disabled. If Save data is disabled, users are blocked from saving data while browsing using Application Guard for Microsoft Edge. Turning off Copy and paste blocks the ability to copy and paste to and from the isolated browser. Disabling Print files blocks the ability to print from Edge. Finally, disabling Advanced graphics improves video and graphics performance with Hyper-V virtualization technology.
To enable these settings, open Windows Security and click on the App & browser control icon. Then click on the “Change Application Guard settings” link under the Isolated browsing section and make the adjustments. Then reboot the computer.
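Before turning Application Guard on, it helps to confirm the prerequisites above from the command line. The following is an added example, not code from the article; it assumes an elevated PowerShell 5.1 prompt on Windows 10 1809, uses the Hyper-V requirement properties of `Get-ComputerInfo`, the `Win32_DeviceGuard` WMI class for VBS state, and the `Windows-Defender-ApplicationGuard` optional feature name.

```powershell
# Added example: check SLAT, VT-x/AMD-V and VBS status, report the Application Guard
# feature state, and enable the feature only when the hardware checks pass.
# Assumes an elevated PowerShell 5.1 prompt on Windows 10 1809.

# Hyper-V requirement checks. These properties are $null once a hypervisor is already
# running (Windows no longer reports the raw firmware capability), which is fine here.
$ci     = Get-ComputerInfo -Property 'HyperVRequirement*'
$slat   = $ci.HyperVRequirementSecondLevelAddressTranslation
$vmx    = $ci.HyperVRequirementVMMonitorModeExtensions        # VT-x / AMD-V
$fwVirt = $ci.HyperVRequirementVirtualizationFirmwareEnabled  # enabled in UEFI/BIOS

function Describe($value) {
    if ($null -eq $value) { 'n/a (hypervisor already running)' } else { $value }
}

# VBS state: 0 = not enabled, 1 = enabled but not running, 2 = running
$dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbs = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }[[int]$dg.VirtualizationBasedSecurityStatus]

# Install state of the optional feature that provides Application Guard
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'

[pscustomobject]@{
    SLAT                   = Describe $slat
    'VT-x/AMD-V'           = Describe $vmx
    FirmwareVirtualization = Describe $fwVirt
    VBS                    = $vbs
    ApplicationGuard       = $feature.State
} | Format-List

# A $null check result means the hypervisor is already up, so treat it as satisfied.
$hardwareOk = ($null -eq $slat -or $slat) -and
              ($null -eq $vmx -or $vmx) -and
              ($null -eq $fwVirt -or $fwVirt)

if ($hardwareOk -and $feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart
    Write-Host 'Application Guard enabled; reboot, then review its settings in Windows Security.'
} elseif (-not $hardwareOk) {
    Write-Warning 'Hardware prerequisites not met; enable virtualization in firmware first.'
}
```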
All these features strengthen the security of the Windows operating system. For even more security, configure dedicated workstations or virtual machines as Privileged Access Workstations, combined with Azure AD Privileged Identity Management, to access sensitive on-premises and cloud assets.
While 1809 doesn’t bring major changes in security, it is once again an incremental feature release that gives the enterprise the means to make it that much harder for attackers to infiltrate systems.
Windows 10 1803: The privacy edition
This edition was slated to be released in March 2018. Due to quality and release issues including reported blue screens of death in some of the final testing releases, the feature release date was postponed to April 30. It is encouraging to see that Microsoft is putting an emphasis on quality and not just depending on shipping the feature update as a key milestone.
For best results, install your video driver and motherboard updates before installing any feature update. It’s also wise to reach out to your vendors, specifically for any third-party security software you depend on. Many have security software releases ready to go as Windows 1803 is released. Others might need time to revise their software to work with the new edition.
Windows 1803 is currently in the semi-annual channel (targeted) release. Enterprises should test and confirm that the update is acceptable to the business. In a few months, when Microsoft declares the software to be in the “semi-annual channel,” it’s deemed ready for businesses to fully deploy and for broader release. When Microsoft announces that release date, it will be re-released to the Windows Server Update Services channel and other enterprise patching platforms to allow for broader release.
The next feature release is expected in the September time frame. Windows is also aligning its feature release timetable with Office 365 releases. Even though there are only six months between feature releases, Microsoft supports each individual release for a reasonable amount of time. Normally, Microsoft supports a Windows 10 edition with quality (security) updates for 18 months. Due to changes in Office, it added six months of support to the 1607, 1703, and 1709 versions. Thus, you can choose to skip one version and jump to the next in your deployment methodology.
Here are just a few reasons that you might want to deploy 1803 sooner versus later:
The European Union (EU) is putting into place new rules to ensure privacy for EU citizens in the form of the General Data Protection Regulation (GDPR). While not a requirement of GDPR, 1803 exposes what Microsoft is collecting from your system as telemetry.
Microsoft uses telemetry to track what features you use, the success or failure of updates, and various other settings. Enterprises in sensitive industries often require that no information be shared for any reason. Before the release of 1803, if you wanted to block all telemetry and still receive Windows updates, you needed to upgrade to the Windows Enterprise version.
To use the new Diagnostic Data Viewer you first have to enable it in Settings: go to Privacy, then Diagnostics & Feedback, and click “Diagnostic Data Viewer” to download the tool from the Windows Store.
You can then launch it and review what is being sent to Microsoft. The data is geared toward developers, so you might find the details a bit elusive; you can’t make sense of many of the items being tracked unless you understand the internals of the operating system. However, it’s a sign of good faith going forward that these items are now exposed and can be examined by third-party reviewers to help us all understand what is being tracked and sent to Microsoft.
Of related interest is the online privacy center where you can log in and review what Microsoft is collecting online regarding your browsing history and Cortana use. Review this site to determine what is currently being captured from your systems. Once there you can also remove data that was sent to Microsoft.