New security features in Windows 10
Fresh Start
Microsoft has responded to the changes in IT threat management with a number of new Windows 10 security functions [1]. Read on for a summary of some important new security features in Windows 10.
Updates
The vast majority of security advisories come with one common warning: Update your system! System updates are a necessity on today's networks, and a number of extensions to the update process [2] are waiting for you in Windows 10. These extensions include distribution rings, which you can use to determine the order in which devices and servers are patched. It is possible, for example, to patch only unimportant computers or test computers in an initial wave of updates to first test the effects of the update on your production environment.
Distribution rings make it possible to patch systems based on both importance and membership. For example, you can update a domain controller first and then the Exchange Server that requires the domain controller's Active Directory services to operate correctly. Windows Update for Business makes it possible to define maintenance windows in which computers are supplied with updates. Using these tools, you can meet any requirements your company might have and just install updates at a convenient time when the disruptions associated with installing updates will have little or no effect.
A tool called BranchCache lets you copy Windows updates to computers in branch offices and remote sites with low bandwidth for local distribution. This technique removes the need to run a Windows Update distribution solution such as Windows Server Update Services (WSUS) at all locations. Storing updates once only at branch offices also saves network bandwidth.
Only Signed Apps
Device Guard [3] is a new technology in Windows 10 that aims to prevent malicious software from running on the system. The Device Guard function only allows trusted or digitally signed apps on the machine, thus protecting against new, unknown malware and advanced persistent threats (APTs). Device Guard even protects portable applications that run from a USB stick.
The system administrator can use central policies to determine the sources from which apps are classified as trusted. It is possible to block or allow both universal apps and Win32 apps. Device Guard defends itself against manipulation by using hardware and virtualization technologies to isolate its own code and processes from other components. Compared with similar Microsoft technologies such as AppLocker, Device Guard's strength is that it prevents the intruder from manipulating the checking process itself. In the future, Device Guard could form the platform for other anti-virus and anti-malware technologies.
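The central policy described above is a code integrity policy built with the ConfigCI PowerShell module. The following is an added example, not taken from the article or from Microsoft's documentation: it creates a policy from a reference machine, deploys it in audit mode so that violations are only logged, and shows where to check the log before switching to enforcement. The file paths and the chosen rule level are assumptions.

```powershell
# Added example: build and deploy a Device Guard code integrity policy in audit mode.
# Run as administrator on a Windows 10 Enterprise reference machine.
Import-Module ConfigCI

$PolicyXml = "C:\CIPolicy\InitialPolicy.xml"                     # assumed working path
$PolicyBin = "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"   # where the kernel reads the policy

# Scan the reference system and trust what is found there by signing publisher.
# -UserPEs also covers user-mode binaries (Win32 apps), not only drivers;
# -Fallback Hash pins unsigned files by hash instead of failing on them.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath "C:\"

# Rule option 3 = "Enabled:Audit Mode": blocked loads are logged but still allowed.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Compile the XML into the binary form Windows consumes and put it in place; reboot to apply.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# After a test period, review what would have been blocked (event ID 3076 = audit-mode violation).
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" -MaxEvents 50 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message

# Once the policy is clean, remove audit mode and rebuild to enforce it:
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Keep the policy in audit mode until the 3076 events stop showing legitimate software; every file reported there would be blocked outright once enforcement is switched on.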
Compartmentalized Apps
Microsoft is trying to implement new functions for separating business and personal information in Windows 10 Mobile apps. This capability would let you create separate environments for using a smartphone privately and professionally. Microsoft is thus closing the gap with BlackBerry and Android devices (e.g., Samsung KNOX), which have similar technologies. This feature could combine with Device Guard to make it possible for administrators to define a list of trusted apps that can run on the device.
Integrated identity protection in Windows 10 makes it easy to sign in to a device, app, or website. A two-factor check modeled on smartcard authentication is already integrated into the system. Companies will be able to customize the app store according to their needs in the future. This way it will be possible to use volume licenses for apps; app distribution will be more flexible, and administrators will be able to recover and reuse licenses.
Show Your Face
Many experts believe passwords don't provide adequate security, and, even if they did, all too many users fail to implement secure password rules and procedures. Windows 10 provides built-in support for hardware technologies that offer alternative authentication options. The Windows Hello [4] feature uses facial recognition to log in a user with a familiar face. Eyes or fingers can also serve as identification. You do, of course, need a compatible hardware device that supports Windows Hello, such as a built-in iris scanner. The hardware manufacturers still have some work to do in building reliable systems, but Microsoft assumes many manufacturers will provide biometric hardware solutions in the next 12 months. The situation already looks better for fingerprint sensors: all available solutions are supported by Windows 10. Windows Hello also supports all Intel F200 and future Intel RealSense facial recognition solutions, and you can use Hello with all other IR solutions that meet the Microsoft sensor specifications.
Microsoft Passport [5] is essential for using Windows Hello. Passport is not the single sign-on service from earlier days (previously called Microsoft Wallet, .NET Passport, Microsoft Passport Network, and, most recently, Windows Live ID). Instead, the Microsoft Passport in Windows 10 is more of a password management tool.
If a user wants to log on to a system or application, Microsoft Passport does not send the password to the authentication component; instead, it forwards the authentication request to Windows Hello. Windows Hello can then use different authentication methods, such as facial recognition or finger and eye detection. Alternatively, authentication can occur using a PIN if the necessary hardware requirements for using Windows Hello are not met.
The Computer as a Second Logon Factor
Multifactor authentication (MFA) is another important security feature in Windows 10. The MFA options are based on the open standards of the FIDO Alliance and should reduce the need for additional devices, such as smartcards and tokens. In Windows 10, the logon credentials for a device can be either a key pair provided by Windows or a certificate provided by the company's own PKI infrastructure. As soon as a user has successfully logged on, the logon credentials are stored in a secure, Hyper-V-based container.
Data Loss Prevention in the Cloud
Extra protection against loss of corporate data is another security feature in Windows 10. Since Windows Vista, BitLocker has provided the option to encrypt whole hard drives, and individual files can be encrypted using the Encrypting File System (EFS). However, this protection only applies to data stored on the local network. Encrypting data as soon as it leaves end devices will become more important in the future because of the increasing use of mobile devices in corporate environments.
Azure, Active Directory, and Information Rights Management in Microsoft Office and Exchange Server already provide some protection for when corporate data leaves the corporate network. However, these technologies must be configured by administrators first and then enabled and employed by users.
Protection Courtesy of Containers
The new Windows Server 2016 will allow companies to define specific applications for access to corporate data and also prevent the copying of corporate data to untrusted devices, depending on the security profile. Windows Server will enable this functionality through the use of containers. Microsoft uses Docker technology [6] to create a Windows Server Container. Although Docker technology alone does not yet allow containers to be fully isolated, because they share a common operating system, libraries, and binaries, Microsoft relies on containers in conjunction with Hyper-V virtualization to isolate the containers from each other.
The applications in the containers can be executed on an end device without a local installation. The data in containers is also encrypted automatically. With this unified access, Microsoft wants to prevent users from having to activate certain tools or applications first to access business data. Microsoft is so enthusiastic about Docker that it wants to integrate support in both Windows Server and Microsoft Azure, and as far as is currently known, Docker in Windows 10 Mobile, the former Windows Phone, is also possible.
In addition to Docker, Microsoft implements the Hyper-V container technology, which is used to isolate containers from each other using the Hyper-V hypervisor. The containers can then run on platforms such as Windows Server Core or the new Nano Server generation.
Windows Defender Against Viruses
Windows Defender is an integral part of Windows 8 and aims to protect computers from malware. The Windows 10 Windows Defender interface is similar to previous versions of Windows Defender. The Defender options are now configured in the Windows 10 configuration menus and no longer in the Windows Defender application itself. Windows Defender will be an integral part of the next version of Windows Server. You can also use System Center Endpoint Protection, which allows central management and distribution functions, instead of Windows Defender.
Meanwhile, malware authors are constantly developing new techniques for hiding their malicious code from anti-spyware software. The procedure called obfuscation encodes and nests commands to divert the scanner's attention from the real attack.
In Windows 10, Microsoft provides the new Antimalware Scan Interface (AMSI) for scripting environments. Using AMSI, app developers can build hooks into their programs through which antivirus software can inspect content. The aim is for the script environment (instead of the virus scanner) to decode the potentially malicious code first and only then hand the resulting plain text to the virus scanner, so that obfuscation no longer hides the real commands.
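The following added example (not from the article) shows the scanning point AMSI introduces: the script text is submitted to the registered antimalware engine only once the host has resolved it, so content that is decoded at run time is still matched. It uses Microsoft's published AMSI test string, which AMSI-aware scanners such as Windows Defender flag like the EICAR file; it assumes Windows 10 with Defender running.

```powershell
# Added example: verify that AMSI inspects script content after the host has decoded it.
# The published AMSI test string is split into two parts, so the complete
# string never appears as a literal in this file or in the transcript on disk.
$Parts   = 'AMSI Test Sample: ', '7e72c3ce-861b-4339-8740-0ac1484c1386'
$Encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(-join $Parts))

# Step 1: decoding the content is just string handling; nothing is executed and
#         nothing is scanned at this point.
$Decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))

# Step 2: handing the decoded text to the script engine is the AMSI scanning point.
#         PowerShell submits the plain text to the antimalware provider before it runs,
#         which is why the scanner can match it even though the file only held Base64.
try {
    Invoke-Expression $Decoded
    Write-Host "Not detected: no AMSI-capable engine is registered on this host."
} catch {
    # Defender raises a parse error stating the script was blocked by antivirus software.
    Write-Host "Blocked at the AMSI scanning point: $($_.Exception.Message)"
}

# The detection is also logged by Defender (event ID 1116 = malware detected),
# which is the record a SOC would alert on.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 10 |
    Where-Object Id -eq 1116 |
    Select-Object TimeCreated, Message
```

If the first branch prints "Not detected", the installed antivirus engine is not registered as an AMSI provider and scripts are only scanned as files on disk, not as the text the engine actually executes.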
Conclusions
Microsoft has increased security in Windows 10 and has thus attempted to make life as difficult as possible for attackers. Features such as Device Guard, Windows Defender, and AMSI help protect the system from attack. Microsoft has also beefed up its support for alternative authentication techniques and has included support for two-factor authentication with Windows 10.