With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.
Windows 10 20H2
Microsoft’s semi-annual Windows 10 feature release for Windows 10, called 20H2, for the second half of 2020 is the smaller May incremental release to version 2004. The naming changed to align with the Windows Insider channel releases. You can move from any older version of Windows 10 to the 20H2 release. If you move from 2004, the installation time will be quick as 20H2 is an enablement package for software already installed. Installing from any older release will take longer as it will go through the normal installation and staging process.
Microsoft has also released a draft of the security baseline documents for 20H2. (Security baselines for Edge are released separately as you can install it separately from the operating system.)
Version 20H2 is supported through May 10, 2022, for Home, Pro, Pro Education, Pro for Workstations and IoT Core, and through May 9, 2023, for Enterprise, Education and IoT Enterprise.
Chromium-based Edge browser
The major change in 20H2 is the inclusion of Microsoft’s new Edge browser based on the Chromium engine. To download the Group Policy files to control the new Edge in your environment, go to the Edge for business web page. Click the drop-down menu item “Select Channel/Build”, then choose the version of Edge you plan to use. Next, select the platform from the drop-down menu and select your operating system. Click on “Get policy files” to download the Cabinet (CAB) Group Policy files you need to manage Edge.
Service stack update changes
Deployment of servicing stack updates has changed with 20H2. You no longer must look for and approve servicing stack updates separately from the latest cumulative updates. Servicing stack updates help keep Windows 10 updating healthy. Before 20H2 when a servicing stack update was released and you used Windows Server Update Service (WSUS), System Center Configuration Manager (SCCM) or another patching platform to look for and approve latest cumulative update and then find and approve the servicing stack released for the month (if there was one). If both were not approved, you risked having patching issues with the operating system. Now both are included in one update, like the streamlined process for consumer patching.
DisableAntiSpyware setting
In 20H2 Microsoft has deprecated the DisableAntiSpyware setting. Now when Microsoft Defender sees another antivirus tool installed, it will automatically turn itself off. Note that if you deploy Windows Server or Long Term Servicing Branch (LTSB) versions, you might still need this setting or to manually disable antivirus tools as those versions don’t sense all antivirus vendors.
Microsoft Defender Application Guard for Office
The 20H2 release also includes support for Microsoft Defender Application Guard for Office. With this enabled, untrusted Office documents sent from outside of your organization automatically open in an isolated sandbox. This prevents malicious content from compromising your system. You will need a Microsoft 365 E5 license to fully implement this solution.
Expanded Windows Sandbox policies
Windows Sandbox policies have been expanded to support Windows Intune policies. The additional policies include:
- WindowsSandbox/AllowAudioInput allows you to enable or disable audio input to the Sandbox.
- WindowsSandbox/AllowClipboardRedirection allows you to enable or disable sharing of the host clipboard with the sandbox.
- WindowsSandbox/AllowPrinterRedirection allows you to enable or disable printer sharing from the host into the Sandbox.
- WindowsSandbox/AllowVGPU allows you to enable or disable virtualized GPU for Windows Sandbox.
- WindowsSandbox/AllowVideoInput allows you to enable or disable video input to the Sandbox.
Biometric authentication via Windows Hello
Windows Hello offers support for fingerprint and face sensors in virtualization so it further isolates and ensures that a user’s biometric authentication.
Four new security settings
Four new settings included in 20H2 are an interesting mix, and one addresses a recent security vulnerability that has been in the headlines.
The first new setting is “Domain controller: Allow vulnerable Netlogon secure channel connections”. This is needed due to the Zerologon vulnerability that has been recently patched. It allows exclusions for non-complying devices that cannot connect to a domain after these patches (CVE-2020–1472) have been applied to your domain controllers. It is located at “Machine”, then “Security Options”.
The next new setting is “Turn off cloud optimized content”. This is located at “Machine” then “Windows ComponentsCloud Content”.
Another new setting relating to Windows Update is “Disable Safeguards for Feature Updates”. Microsoft blocks feature updates to systems that are not able to properly deploy the feature releases. This setting allows you to override that block. It is located at “Machine” and then at “Windows ComponentsWindows UpdateWindows Update for Business”.
The final new setting is “Configure the inclusion of Edge tabs into Alt-Tab”. It is located at “User” and then at “Windows ComponentsMultitasking”.
Windows 10 2004
Microsoft released Windows 10 2004 to developers in mid-May 2020 and then to the general public at the end of May. Many organizations are on 1903 and have not moved to 1909. Version 2004 has new security features that might make an upgrade worthwhile.
Windows 10 2004 is a spring feature release, so has an 18-month servicing time from release date. Version 1909 will be supported until May 11, 2021 for Home, Pro, Pro Education, and Pro for Workstations editions, and until May 10, 2022 for Education and Enterprise versions. This extended due date in response to the impact of the public health situation. Version 2004 was built to minimize update processing time and does not share the code of Windows 10 1903/1909, and thus is a more impactful feature release than version 1909.
Windows 10 Hello
Windows 10 Version 2004 emphasizes passwordless technology and lets you use Windows 10 Hello biometric security system to sign on. To turn this feature on, launch “Settings”. Then click on “Accounts” and “Sign-in options” Under “Require Windows Hello sign-in for Microsoft accounts,” select “On”. Once Hello is enabled you can then login for Microsoft services on company devices.
Windows Hello allows for log in with your face, iris, fingerprint, or a PIN. Support depends on you’re your devices support for authentication. Windows Hello can take data from a camera, iris sensor, or fingerprint reader. The data is then encrypted before it’s stored on the device. Research if your hardware supports Windows Hello before deploying it.
Windows Defender Application Guard upgrades
Windows Defender Application Guard is a security tool originally developed for Microsoft’s HTML-based Edge browser. It protects users by isolating files received from untrusted or potentially dangerous sites. In Windows 10 2004 Pro or Enterprise. Application Guard also works in the new Chromium-based Edge and allows Edge extensions to run in containers. This is a change from prior versions, which allowed Device Guard/ Application Guard policies to be created only on Enterprise but enforced on any SKU. Version 2004 allows Application Guard policies for Windows 10 Pro specifically for the new Edge version.
Windows Update Delivery Optimization
Microsoft has enhanced Delivery Optimization to allow for more control over the bandwidth used during Windows 10 updates. You can set a limit cap at which the computer will stop Delivery Optimization features to more efficiently use network resources while downloading installation packages.
Delivery Optimization settings
Controlling rebooting
Microsoft has long struggled to make updates more dependable and take less time. The company claims that user downtime during feature updates for version 2004 has been reduced to 20 minutes and requires just one reboot. Updates are optimized when the computer has adequate resources. Even with these changes, it’s still recommended to optimize your Windows 10 deployments by providing devices with SSD hard drives and adequate RAM for the function you need them to perform. Unless the device is purpose built, I recommend at least 8GB of RAM.
Resetting the PC
Microsoft has made the process of deploying Windows 10 extremely fast. This process has normally required an ISO file mounted locally. Windows 10 2004 allows you to reset the PC with the option of downloading the media from online. If any of the following optional features are installed, However, the reset from cloud will not work if any of these optional features are installed:
- EMS and SAC Toolset for Windows 10
- IrDA infrared
- Print Management Console
- RAS Connection Manager Administration Kit (CMAK)
- RIP Listener
- All RSAT tools
- Simple Network Management Protocol (SNMP)
- Windows Fax and Scan
- Windows Storage Management
- Wireless Display
- WMI SNMP Provider
Susan BradleyReset PC now allows for cloud downloads
The cloud download option can use more than 4GB of data, so plan accordingly.
Windows Subsystem for Linux 2
A new version of Windows Subsystem for Linux (WSL) is released in 2004. Unlike the prior version that used an emulator, WSL 2 uses its own kernel. This should increase compatibility and performance. The new version allows you to run ELF64 Linux binaries on Windows. Individual Linux distros can be run either as a WSL 1 or WSL 2 distro. They can also be upgraded or downgraded at any time, and you can run WSL 1 and WSL 2 distros side by side.
The new Microsoft Edge browser
While not part of Windows 10 2004, the new Edge browser based on Chrome should be included in your deployment plans. The major advantage of the new Edge is that it’s based on Chromium, the same foundation as Google’s Chrome, so any Chome extensions you use can be easily ported over to the new Edge.
Microsoft will roll out the new Edge to consumers over the next several months. The company does not plan to push it out to enterprises, as Windows 10 Enterprise, Education and Pro for Workstations Edition devices will not be automatically updated. If you use Windows 10 Pro, you can block the automatic deployment of Edge using the Blocker toolkit. You can download a deployment package to install on your systems. If you’ve been previewing the Edge beta, the final version will install side by side and will not replace the beta.
You can use Group Policy settings for the new Edge as well. Go to the Microsoft Edge for Business page and download the policy setting. Choose the “Channel/Version, “Build” and “Platform” to enable the “Get Policy Files” download. You can use the policy settings for:
- Cast
- Default search provider
- HTTP authentication
- Password manager and protection
- Proxy server
- Content
- Allowed extensions
- Native messaging
- Printing
- Smart screen
- Startup, home page and new tab page
- Update policy and update period override
Windows 10 1909
Microsoft’s 1909 version of Windows 10 will have the fewest changes from prior versions. Several feature releases haven’t been as uneventful as they could have been, so 1909 is making a drastic change in how it rolls out.
1909 offered to unmanaged PCs, not pushed
The biggest change in how 1909 is released is in the unmanaged personal computer experience. If your computer is not behind Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) and thus is managed by Windows Update, the 1909 update will be offered when you check for updates but won’t install.
Susan Bradley1909 offered for unmanaged PCs
This new “seeker” experience, noted in the Windows Experience blog, gives more control over the updating process. The install will be quick if you are on the 1903 release already and feels less like a service pack and more like a normal monthly patch process. If you have already deployed 1903, moving over to 1909 will be a trivial testing process.
1909 shares the same security update code base as 1903
As you test and patch 1909, you will notice that the security updates that apply to 1903 are labelled with the same knowledgebase numbers as those applied to 1909. These updates share exactly the same code base. For example, KB4524570, the November 12 security update for Windows 10 1903, also patches Windows 10 1909. The title, OS Builds 18362.476 and 18363.476, and the notation “Applies to: Windows 10, version 1903, Windows Server version 1903, Windows 10, version 1909, Windows Server version 1909,” clearly shows how the update installs on both platforms.
Enablement package
Enterprises or businesses that use corporate patching systems such as WSUS should look for an “Enablement package,” KB4517245. It turns on new features in Windows 10, version 1909, that were already included in the latest monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are inactive. If you’ve already installed the October updates, you have 1909, just not all the features.
