With the release of Windows 10 Anniversary Edition (1607) and the upcoming Creators’ Edition, we’ve updated our End User Device guidance to take advantage of the most useful new security-related features of the platform.
These new features include:
- Windows Hello PIN and Biometrics to improve the authentication experience by replacing traditional passwords with a more modern approach
- Enabling virtualisation features to better protect credentials and the underlying platform
- Safe use of modern high-speed interfaces such as USB-C and Thunderbolt
- Explicitly using security-enhancing cloud services such as Windows Defender, SmartScreen, Microsoft Update and the Windows Store for Business
Note too that some of the other security features you may have seen advertised are not yet being recommended. These include Device Guard, Windows Information Protection and MDM management features. We’ve chosen to focus on other technologies that currently give a good balance of usability, security and ease of configuration for a fully-managed device. We will of course continue to review this advice.
Windows as a Service
Windows 10 is regularly updated to add new features, but Microsoft only supports the more recent versions (as described on their website). You should therefore check that your devices have been updating, as the original release (1507) will not get security patches after March 26th 2017.
As part of these updates, the security features that were initially part of EMET (the Enhanced Mitigation Experience Toolkit) are making their way into Windows 10 by default. With this in mind, Microsoft recently announced end-of-life for EMET and will be stopping support by the end of July 2018 (see Microsoft’s blog).
As with all unsupported software, after this date EMET should be removed. Until then, it is recommended that you continue deploying EMET. We believe EMET will continue to add value until around the end of 2017, after which you should begin migrating away from it. Once end-of-life has been reached, our guidance will be updated to reflect the changing recommendation.
Windows 7 and 8.1
We’ve also taken the opportunity to retire our guidance for Windows 7 and Windows 8.1 as we strongly recommend that new deployments use the latest version of the platform. This is particularly timely as Windows 7 will only be supported until January 2020 – less than 3 years away.
While there’s no need to move to Windows 10 right away, you should put a plan in place to move away from Windows 7 before that time is up. After all, we don’t want to hear the Windows XP stories all over again!
Source: National Cyber Security Centre