Security continues to be a critical element of Windows 10. Over the last four years, that work has proven its effectiveness with Windows 10 being near the bottom in the list of systems impacted by global malware attacks.
In Windows 10 Version 1903, admins can create allow and deny lists to pre-approve sites that can be visited and prevent end users from visiting specific sites that are known threats.
In addition, protections against the misuse of credentials in attacks and features that prevent tampering with the operating system have been added, along with machine learning to detect and block new attack methods.
For those still on Windows 7 and 8.1, Endpoint Detection and Response (EDR) and Endpoint Protection Platform (EPP) are now supported on those operating systems.
Windows Sandbox provides end users with a safe environment to test programs and confirm they are not a threat to your organization.
The most likely power users for Windows Sandbox will be your security personnel and security researchers because it is a temporary instance of Windows 10 that is fenced off from the rest of the end-user operating system.
Although there are some configuration options, once the sandbox is closed all content that was used, executed, stored, or left behind in Windows Sandbox is removed. That is what protects the host system from infection by malware or any other threat that was being tested on that device.
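As an added example that is not from the article or from Microsoft, the following PowerShell enables Windows Sandbox and writes a .wsb configuration that locks the sandbox down for examining a suspicious file: networking off, vGPU off, and the host folder holding the sample mapped read-only so nothing inside the sandbox can alter it. The folder and file paths are assumptions.

```powershell
# Added example, not the article's own code. Paths are assumptions.

# 1. Enable the Windows Sandbox optional feature (elevated prompt, Pro or
#    Enterprise SKU with virtualization enabled; a restart may be required).
Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM" -All -NoRestart

# 2. Build the .wsb configuration. Networking is disabled so a sample cannot
#    phone home; vGPU sharing is disabled to reduce the surface shared with the
#    host; the samples folder is mapped read-only so the host copy stays intact.
$sampleDir = "C:\Samples"                                # assumed host folder with the files under test
$wsbPath   = "$env:USERPROFILE\Desktop\Analysis.wsb"     # assumed location for the config file

$config = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$sampleDir</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@
Set-Content -Path $wsbPath -Value $config -Encoding UTF8

# 3. Launch the sandbox from the configuration. The mapped folder appears on the
#    sandbox desktop (WDAGUtilityAccount) under the host folder's name. Closing
#    the sandbox window discards everything created or changed inside it.
Start-Process -FilePath "WindowsSandbox.exe" -ArgumentList "`"$wsbPath`""
```

Keep the read-only mapping: a writable mapped folder is the one path by which content from inside the sandbox persists on the host after the window is closed.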
Another attack vector some malware uses is the system's audio capability, secretly recording spoken sensitive information.
To combat that, Microsoft has added a new system tray icon that alerts the end user whenever their microphone is being used by any process on their device. If they expect that, they can simply proceed with their work.
However, if they were not using their microphone, they can take immediate action to shut the offending software down.
Enhanced microphone privacy settings have also been added at Settings>Privacy>Microphone so that admins or end users can give apps explicit permission to either use or not use their microphone.
For stand-alone end users, it is no longer necessary to edit Registry keys to implement some Windows Defender Application Guard (WDAG) features, and Enterprise users can now view the settings configured by their system admins for better clarity on how their device is working.
If your organization is using Chrome or Firefox as the default browser on deployed endpoints, you can now benefit from WDAG. Previously, WDAG was only available if you were using the Edge browser, which is part of Windows 10 by default.
Now extensions for Chrome and Firefox will give you access to this protection capability.
- Application Guard Extension (Chrome)
- Application Guard Extension (Firefox)
You will also need the Windows Defender Application Guard Companion App from the Microsoft Store.
Once these are deployed and configured, any sites that are considered a threat in Chrome or Firefox will be opened in Microsoft Edge using WDAG for protection and further evaluation.
Note: Administrators can deploy these extensions and the companion app using their system management tools/services.
Compromised identities, including user credentials, are leading contributors to security breaches in organizations.
Microsoft continues to add capabilities to their Azure Active Directory (AAD) service to help prevent the loss of user credentials through improper access to user systems.
Improvements in this feature update include Windows Hello receiving FIDO2 certification, which enables organizations to implement password-less website login on sites that support FIDO2.
Updates to Windows Hello include a new PIN reset process that can be initiated from the Lock Screen, passwordless login using your Microsoft Account and phone number, and using biometrics for remote desktop login.
In addition to your own hardware firewalls on your networks, local firewall rules can be deployed to end user systems for further protection on the local device.
New firewall rules have also been added for Windows Subsystem for Linux (WSL) processes on those endpoints.
The Windows Security app is the endpoint hub for understanding the security status and configuration of your organization's devices.
New configurable options include:
- Controlled Folder Access
- Windows Defender Offline Scanning
- Pending Recommendations
- Tamper Protection
A broad range of changes have been made around the deployment and management of system updates to improve the overall experience and reduce the impact on your network and endpoints.
- Delivery Optimization using Peer Efficiency for complex networks.
- Reserved Storage to make sure space is available on devices for updates and system functionality. You must perform a clean install to get this feature; it does not activate when upgrading from a previous version of Windows 10.
- Devices joined via AAD can now automatically restart and sign back on to complete updates. The device will be locked at this login but the update will finalize in the background, so the device is ready for the user at their next system logon.
- Windows Update for Business now has one start date for your deployments. Notifications and device restart scheduling have been improved, with options to schedule the restart or restart immediately for the update.
- Improved update rollbacks in the case of failed updates, to get the system back to a functioning state.
- Using machine learning, Intelligent Active Hours will adjust based on device usage so that updates are scheduled during times when the device is not being used.
- Updates for Microsoft Store apps and the system are now done when the user is away from their device to prevent conflicts when the device is being used.
- A more verbose update notice system including changes to system icons when a system update is pending on the device.
- System admins can use new command-line tools in SetupDiag to find out why updates fail on specific systems.
One of the benefits of Windows as a Service (WaaS) and a modern desktop is the ability to manage those devices for setup, deployment, upgrades, and updates.
Updates to the Windows Autopilot Enrollment Status Page allow you to track regular desktop software that is installed using Intune and to select which apps will not be enrolled as a new device is enrolled through Intune.
The out of box experience for setting up a device deployed using Windows Autopilot has been revised and turns off Cortana’s voice guide by default.
New Mobile Device Management (MDM) policies now provide management for Microsoft Edge, enabling BitLocker for AAD joined users, and improved Microsoft 365 management for end users.
Microsoft's updated baseline security policies can be used as-is or adjusted based on your company's security approach. Included in these new baseline recommendations is the removal of expiration dates for user passwords.
- What’s new for IT Pros in Windows 10, version 1903
- What’s new in Windows Update for Business in Windows 10, Version 1903
- The latest news on Windows Autopilot