Best new Windows 10 security features: Windows Sandbox, more update options

Here's what you need to know about each security update to Windows 10 as they roll out from Microsoft. Now updated for the 1903 feature release.

1 2 3 4 Page 4
Page 4 of 4

Application guard can be controlled via group policy, Intune, or System Center. Application Guard can be deployed via features or PowerShell using Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard. Once enabled, you can limit websites to block outside content in Internet Explorer and Edge, limit printing, the use of clipboard, and isolate the browser to only use local network resources.

Windows Defender Device Guard

Device Guard is a new name for software restriction policies. Unless an application is trusted, it cannot be run on the system. Rather than the current model of software that we use now, where we trust software by default, Device Guard assumes all software is suspect and only allows software you trust to run on your system. Like Application guard, the requirements include virtualization technology.

Windows Information Protection (WIP)

WIP now works with Office and Azure Information Protection. WIP used to be called Enterprise Data Protection. Setting a WIP policy ensures that files downloaded from an Azure location will be encrypted. You can set a listing of apps that are allowed to access this protected data.


The minimum PIN length for BitLocker was changed in version 1709 from six to four, with six as the default.

Windows Hello

Microsoft’s facial authentication system has been improved in version 1709 to use proximity settings to allow multifactor authentication in more sensitive deployments.

Windows Update for Business

The group policy settings that allow you to better control updating in Windows 10 now include the ability to control the use of Insider Edition on systems in your network. This allows you to enroll business systems in Microsoft’s beta testing process. Organizations may wish to opt into this program to better test and prepare for feature releases.

Security features prior to version 1709

Security changes and enhancements introduced in previous editions include the following:

Windows Defender Advanced Threat Protection

Windows 10 1703 introduced the ability to use the threat intelligence API to build custom alerts. Improvements were made in operating system memory and kernel sensors to better detect attacks deep into the operating system. It also allowed for six months of historical detection to better review for patterns. Antivirus detection and Device Guard events were placed in the Threat Protection portal. Windows 10 1607 originally introduced the online cloud forensic tool to the Windows 10 platform for the first time.

Windows Defender Antivirus

This was renamed from Windows Defender in Version 1703 and was integrated into the Windows Defender Security Center Application. In addition, updated behavior monitoring and real-time protection was enhanced. In Windows 10 1607, PowerShell cmdlets were introduced to configure options and run scans.

Windows Defender Credential Guard

Usernames and passwords are stolen on a regular basis to gain access into systems. An attacker gains access into one compromised system and then using attacks such as “Pass the hash” or “Pass the ticket” can harvest credentials saved in systems to perform lateral movement attacks across a network. Credential guard protects NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials from attackers. However, be aware that single sign-on applications may not work if credential guard is enabled.

Windows 10 1703 increased the hardware requirement to deploy Device Guard and Credential Guard to better protect from vulnerabilities in UEFI runtime scenarios:

  • Support for virtualization-based security (required)
  • Secure boot (required)
  • TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
  • UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)

If you want to enable credential guard on virtual machines where the risk of lateral movement may be higher, additional hardware requirements include:

  • 64-bit CPU
  • CPU virtualization extensions plus extended page tables
  • Windows Hypervisor

Windows 10 1511 introduced the ability to enable Credential Guard by using the registry to allow you to disable Credential Guard remotely.

Group Policy Security

Windows 10 1703 introduced a new security policy specifically to make the username more private during sign in. Interactive logon: Don't display username at sign-in allows for more granular control over the sign in process.

Windows Hello for Business

Windows 10 1703 introduced the ability to reset a forgotten PIN without losing profile data. Windows 10 1607 combined the technologies of Microsoft Passport and Windows Hello.

Windows Update for Business

Feature update installation can be deferred by 365 days, increased from the prior 180 days allowed.

Virtual Private Network (VPN)

Windows 10 1607 allowed the VPN client to integrate with the Conditional Access Framework and can integrate with the Windows Information Protection policy for more security.


Windows 10 1507 introduced a new parameter that allows you to choose if executable and DLL rules will apply to non-interactive processes.


BitLocker received new features in Windows 10 1511 including enhancements in the XTS-AES encryption algorithm to better protect from attacks on encryption that utilize manipulating cipher texts. Windows 10 1507 introduced the ability to encrypt and recover a device with Azure Active Directory.

Windows 10 auditing

Windows 10 Version 1507 added more auditing events and increased fields to better track processes and events.

This story, "Best new Windows 10 security features: Windows Sandbox, more update options" was originally published by CSO.

1 2 3 4 Page 4
Page 4 of 4
Shop Tech Products at Amazon