With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.
Windows 10 2004
Microsoft will release Windows 10 2004 to developers in mid-May 2020 and then to the general public at the end of May. Many organizations are on 1903 and have not moved to 1909. Version 2004 has new security features that might make an upgrade worthwhile.
Windows 10 2004 is a spring feature release, so it will have an 18-month servicing time from release date. Version 1909 will be supported until May 11, 2021 for Home, Pro, Pro Education, and Pro for Workstations editions, and until May 10, 2022 for Education and Enterprise versions. This extended due date in response to the impact of the public health situation. Version 2004 was built to minimize update processing time and does not share the code of Windows 10 1903/1909, and thus is a more impactful feature release than version 1909.
Windows 10 Hello
Windows 10 Version 2004 emphasizes passwordless technology and lets you use Windows 10 Hello biometric security system to sign on. To turn this feature on, launch “Settings”. Then click on “Accounts” and “Sign-in options” Under “Require Windows Hello sign-in for Microsoft accounts,” select “On”. Once Hello is enabled you can then login for Microsoft services on company devices.
Windows Hello allows for log in with your face, iris, fingerprint, or a PIN. Support depends on you’re your devices support for authentication. Windows Hello can take data from a camera, iris sensor, or fingerprint reader. The data is then encrypted before it’s stored on the device. Research if your hardware supports Windows Hello before deploying it.
Windows Defender Application Guard upgrades
Windows Defender Application Guard is a security tool originally developed for Microsoft’s HTML-based Edge browser. It protects users by isolating files received from untrusted or potentially dangerous sites. In Windows 10 2004 Pro or Enterprise. Application Guard also works in the new Chromium-based Edge and allows Edge extensions to run in containers. This is a change from prior versions, which allowed Device Guard/ Application Guard policies to be created only on Enterprise but enforced on any SKU. Version 2004 allows Application Guard policies for Windows 10 Pro specifically for the new Edge version.
Windows Update Delivery Optimization
Microsoft has enhanced Delivery Optimization to allow for more control over the bandwidth used during Windows 10 updates. You can set a limit cap at which the computer will stop Delivery Optimization features to more efficiently use network resources while downloading installation packages.
Microsoft has long struggled to make updates more dependable and take less time. The company claims that user downtime during feature updates for version 2004 has been reduced to 20 minutes and requires just one reboot. Updates are optimized when the computer has adequate resources. Even with these changes, it’s still recommended to optimize your Windows 10 deployments by providing devices with SSD hard drives and adequate RAM for the function you need them to perform. Unless the device is purpose built, I recommend at least 8GB of RAM.
Resetting the PC
Microsoft has made the process of deploying Windows 10 extremely fast. This process has normally required an ISO file mounted locally. Windows 10 2004 allows you to reset the PC with the option of downloading the media from online. If any of the following optional features are installed, However, the reset from cloud will not work if any of these optional features are installed:
- EMS and SAC Toolset for Windows 10
- IrDA infrared
- Print Management Console
- RAS Connection Manager Administration Kit (CMAK)
- RIP Listener
- All RSAT tools
- Simple Network Management Protocol (SNMP)
- Windows Fax and Scan
- Windows Storage Management
- Wireless Display
- WMI SNMP Provider
The cloud download option can use more than 4GB of data, so plan accordingly.
Windows Subsystem for Linux 2
A new version of Windows Subsystem for Linux (WSL) is released in 2004. Unlike the prior version that used an emulator, WSL 2 uses its own kernel. This should increase compatibility and performance. The new version allows you to run ELF64 Linux binaries on Windows. Individual Linux distros can be run either as a WSL 1 or WSL 2 distro. They can also be upgraded or downgraded at any time, and you can run WSL 1 and WSL 2 distros side by side.
The new Microsoft Edge browser
While not part of Windows 10 2004, the new Edge browser based on Chrome should be included in your deployment plans. The major advantage of the new Edge is that it’s based on Chromium, the same foundation as Google’s Chrome, so any Chome extensions you use can be easily ported over to the new Edge.
Microsoft will roll out the new Edge to consumers over the next several months. The company does not plan to push it out to enterprises, as Windows 10 Enterprise, Education and Pro for Workstations Edition devices will not be automatically updated. If you use Windows 10 Pro, you can block the automatic deployment of Edge using the Blocker toolkit. You can download a deployment package to install on your systems. If you’ve been previewing the Edge beta, the final version will install side by side and will not replace the beta.
You can use Group Policy settings for the new Edge as well. Go to the Microsoft Edge for Business page and download the policy setting. Choose the “Channel/Version, “Build” and “Platform” to enable the “Get Policy Files” download. You can use the policy settings for:
- Default search provider
- HTTP authentication
- Password manager and protection
- Proxy server
- Allowed extensions
- Native messaging
- Smart screen
- Startup, home page and new tab page
- Update policy and update period override
Windows 10 1909
Microsoft’s 1909 version of Windows 10 will have the fewest changes from prior versions. Several feature releases haven’t been as uneventful as they could have been, so 1909 is making a drastic change in how it rolls out.
1909 offered to unmanaged PCs, not pushed
The biggest change in how 1909 is released is in the unmanaged personal computer experience. If your computer is not behind Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) and thus is managed by Windows Update, the 1909 update will be offered when you check for updates but won’t install.
This new “seeker” experience, noted in the Windows Experience blog, gives more control over the updating process. The install will be quick if you are on the 1903 release already and feels less like a service pack and more like a normal monthly patch process. If you have already deployed 1903, moving over to 1909 will be a trivial testing process.
1909 shares the same security update code base as 1903
As you test and patch 1909, you will notice that the security updates that apply to 1903 are labelled with the same knowledgebase numbers as those applied to 1909. These updates share exactly the same code base. For example, KB4524570, the November 12 security update for Windows 10 1903, also patches Windows 10 1909. The title, OS Builds 18362.476 and 18363.476, and the notation “Applies to: Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909,” clearly shows how the update installs on both platforms.
Enterprises or businesses that use corporate patching systems such as WSUS should look for an “Enablement package,” KB4517245. It turns on new features in Windows 10, version 1909, that were already included in the latest monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are inactive. If you’ve already installed the October updates, you have 1909, just not all the features.
Similar to earlier versions of Windows 10, ensuring that you are up to date on BIOS, driver and other hardware related updates is key to successful deployment of feature releases. Also review the Windows health release dashboard for known issues and blocking items. For example, Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. KB4529832 notes that unsupported Realtek Bluetooth radios will block a device from receiving 1909. You will need to update to driver version 1.5.1012 or later to remove this safeguard hold.
30-month support window for Enterprise
If you are running the Enterprise version of Windows 10, the 1909 version is supported for 30 months. If you want to skip the next two years of feature releases, you can.
Windows 10 1909 allows users to customize their experience in Kiosk mode. You now have the option to allow a user to switch to various languages while keeping a block on accessing networking settings.
Microsoft BitLocker key rolling
The Key-rolling or Key-rotation feature enables secure rolling of recovery passwords on devices connected to Azure Active Directory (AAD) and Microsoft Mobile Device Management (MDM) on demand from Microsoft Intune/MDM tools or when recovery password is used to unlock the BitLocker-protected drive. This feature helps prevent accidental recovery password disclosure during manual BitLocker drive unlock by users.
Windows 10 Pro and Enterprise in S mode
The Windows 10 in S mode platform has the potential to provide much more security. Similar to the mobile phone platform where the vendor vets and approves applications before they can be installed, S mode allows applications to be deployed only from the Microsoft Store. With 1909 you can deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, then deploy them with MDM software such as Microsoft Intune.
Windows Defender Credential Guard supports ARM
Windows Defender Credential Guard is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices. More new devices use CPUs based on the RISC (reduced instruction set computer) architecture developed by Advanced RISC Machines (ARM) rather than AMD or Intel. The old Surface RT device, for example, was based on the ARM architecture. Microsoft’s more recent Surface Pro X device is also based on the ARM processor.
Windows Sandbox supports multiple OS versions
Windows Sandbox, originally was released in Windows 10, Version 1903, is an isolated desktop environment where you can install software and any malicious activity can’t impact the device. In 1909, Microsoft has included support for mixed-version container scenarios, allowing Sandbox to be run in a different version of Windows 10 than the host operating system. You can now test on different versions of Windows.
Windows 10 1909 brings the fewest changes to Windows 10. That, quite honestly, is a good thing. Past releases haven’t been without issues. Having a quiet release may be just the thing that all IT administrators need to standardize on Windows 10 1909 sooner rather than later.
Windows 10 1903
Below is a summary of all the new security features and options in Windows 10 version 1903, which features Windows Defender Advanced Threat Protection (ATP) enhancements, more options for enterprises to defer updates, and Windows Sandbox, which provides a safe area to run untrusted software. Bookmark this article, because we will be adding new security features as Microsoft releases future Windows updates.
Now that Microsoft has officially released Windows 10 1903, there are key security enhancements to look for and that I think are exciting. Here are my top picks for the 1903 release.
Changes to Windows update
The changes to Windows update and Windows update for business include key abilities to control updates. You can pause updates for all versions of Windows, including Home. Home version users may pause any updates for seven days. Pro version users continue to have the option to defer feature releases up to 365 days. Windows provides more visual clues that an update is pending on reboot.
A small dot next to the power icon is a new visual clue that indicates an update will install when your computer reboots. Active hours will be more responsive to your actual working hours and not reboot the computer while you are using it.
There are changes in Windows update for Business. The terms of “Semi Annual Channel” and “Semi Annual Targeted” have been removed. No longer will there be a designation that Windows 10 1903 is ready for business. Instead, you determine your deferral period from when the release came out.