Software

Windows 10 security overhaul: Microsoft lays out the most important new features

The firm has detailed 10 security features available to Windows 10 following the Fall Creators Update.

Microsoft has outlined how it is hardening Windows 10 against the growing menace of ransomware and other threats.

The firm has detailed 10 security features available in Windows 10 following the Fall Creators Update (FCU), currently being rolled out to PCs worldwide. The roll out is staggered, and while home users will be the first to get the update, business users typically configure machines to start receiving updates around four months later.

Many of these features are aimed at businesses, and as such, aren't available to Windows 10 Home users.

1. Windows AutoPilot

Windows AutoPilot is a cloud service for allowing employees to automatically provision pre-configured Windows 10 desktops on a self-service basis, without IT having to be involved.

AutoPilot allows organizations to automatically join devices to Azure Active Directory (Azure AD), to auto-enroll devices into MDM services—such as Microsoft Intune (if your organization has an Azure AD Premium subscription), and to create and auto-assign devices to configuration groups based on a device's profile.

While Microsoft added some of these capabilities with Windows 10's Creators Update in April this year, Microsoft says it is working to broaden the range of devices that support the service, with Lenovo, HP, Panasonic, Toshiba and Fujitsu due to introduce support from January 2018.

SEE: Toolkit: 21 useful Active Directory scripts for Windows (Tech Pro Research)

2. Windows Defender Application Guard

Windows Defender Application Guard isolates Windows 10's Edge browser from the rest of the OS to make it difficult for malware encountered while browsing the web to access the rest of the system.

Windows achieves this isolation by running Edge inside a temporary virtualized container, which has very limited access to the rest of the system and that is disposed off once the user logs off.

The bad news for home and small business owners is this feature is only available to users of Windows 10 Enterprise Edition.

3. Windows Defender Advanced Threat Protection (ATP)

Windows Defender Advanced Threat Protection (ATP) is a cloud-based, malware-detection system that spot threats by examining a wide-range of system behavior, looking for everything from suspicious memory manipulation to keylogging.

Following the Fall Creators Update, Windows Defender ATP offers security admins a 'single pane of glass' view of potential security threats detected across their firm's Windows estate.

A new analytics dashboard will recommend ways to improve security and fresh APIs allow firms to extract data and set up automated responses to alerts.

The service doesn't work with Windows 10 Home and requires organizations be signed up to a Microsoft Volume Licensing deal.

4. Windows Defender Application Control

Windows Defender Application Control is a new feature that allows organizations to determine which apps can run on a device.

This level of control was previously available via Windows Defender Device Guard but only to systems with the necessary hardware. Application Control widens the feature to any "Windows 10 capable device", although yet again it is only available on systems running Windows 10 Enterprise.

Whitelisting applications can be automated, if desired, drawing on data about security threats that Microsoft gathers from scanning emails and systems worldwide and brings together in its Intelligent Security Graph.

5. Windows Defender Exploit Guard

Windows Defender Exploit Guard bundles together various tools that provide ways to customise Windows to block malware from exploiting unpatched vulnerabilities.

Firms will be able to control factors such as whether certain types of macros are enabled in Office documents, whether to allow certain types of network traffic, or access to particular websites.

6. Controlled Folder Access

Designed to help tackle the growing threat of ransomware, Controlled Folder Access is part of Windows Defender Exploit Guard, but available to all Windows 10 users.

Controlled Folder Access allows users to designate certain folders and documents as protected, meaning they will only be accessible to trusted applications. User folders such as Documents, Pictures and Downloads are protected by default.

SEE: How to protect your Windows 10 PC from ransomware with the Fall Creators Update

7. Windows Defender Antivirus

Microsoft's free AV program, Windows Defender Antivirus should also be able to better identify and neutralize threats, as a result of being plugged into the Microsoft Intelligent Security Graph, which analyses billions of data points about emerging security risks.

8. Windows Assigned Access

Windows Assigned Access allows organizations to remotely manage Windows 10 PCs that are set up to run as single-function devices, for instance displaying a restaurant menu.

Cloud-based tools allow admins to lock down, customize and maintain these devices, with support for devices functioning as single or multi-app machines.

9. Windows Hello

Windows Hello allows users to sign into their Windows 10 PC, as well as various online services, using their fingerprint, via a reader, or face, simply by looking at a supported webcam.

The FCU makes it easier for firms to support Windows Hello, with organizations that have existing public key infrastructure (PKI) and certificate deployments able to deploy Windows Hello for Business while using their current certificate enrollment mechanisms. System Center Config Manager for certificate provisioning is also no longer required for Windows Hello provisioning, and is instead provided through Active Directory Federation Server Certificate Registration Authority.

10. Windows 10 Subscription Activation

The new Windows 10 Subscription Activation feature makes it simpler for Windows 10 Pro devices to be automatically converted to Windows 10 Enterprise.

The feature should allow employees to start using an off-the-shelf OEM device, without the need to reimage it as a Windows 10 Enterprise machine. This is possible due to admins being able to assign Windows 10 Enterprise E3 or E5 licenses directly to Azure Active Directory users via the Subscription Activation feature.

More on Windows 10 Fall Creators Update

About Nick Heath

Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.

Editor's Picks

Free Newsletters, In your Inbox