Microsoft Touts Windows 10's Security Milestones
- By Kurt Mackie
- February 13, 2017
To coincide with this week's RSA security conference, Microsoft has put Windows 10's security improvements in the spotlight.
In an announcement Friday, Microsoft boasted that even the U.S. National Security Agency can now use Windows 10; the Surface Pro 3 and the Surface Pro 4 have made the NSA's Commercial Solutions for Classified Programs list. However, those Surface devices are the only Windows 10 machines that have made the NSA's list at present, Microsoft indicated.
SEMM Device Security
Microsoft has provided a means to control security for the hardware components in its "Surface Pro 4, Surface Book and Surface Studio" devices via a new Surface Enterprise Management Mode (SEMM). This hardware management software lets organizations have better control over devices such as cameras and microphones in those machines, for instance. SEMM is currently in use by organizations, Microsoft's announcement noted.
SEMM will only work on UEFI-based firmware, according to Microsoft's TechNet documentation. It's currently available as a standalone tool, known as the "Microsoft Surface UEFI Configurator," but SEMM is also available as a management addition to the "current branch" release of System Center Configuration Manager, as described in this TechNet article.
Using SEMM requires having "physical possession of the device." It uses certificate-based signatures to ensure security, which also serves to prevent modifications should a machine get lost or stolen. In a video, Microsoft explained that a "dynamic SEMM" will be capable of setting up automated configurations, such as turning off particular hardware access during work hours, but not after-work hours.
Microsoft's "Windows Analytics" tool (formerly known as "Windows Upgrade Analytics"), which is part of the Microsoft Operations Management Suite, now has a new preview of an "Update Compliance" service. It's described as a "free resource" that provides "a holistic view of Windows 10 update compliance for both monthly quality updates and new feature updates." It only works for Windows 10 devices right now.
The Update Compliance service will help organizations get "insights about their fully-patched, secure Windows 10 device environment," Microsoft's announcement suggested. While it's described as a free service, the Microsoft Operations Management Suite isn't free. Apparently, though, it's possible to use the Update Compliance service by signing up for "OMS Update Compliance" using an Azure subscription, according to this "getting started" document.
Windows 10 Creators Update Security
Microsoft also offered a short update to some security improvements coming to the Windows 10 "creators update," which is expected to arrive in March or April. The company is planning to make its security baseline policies available to mobile device management solutions with the release of the Windows 10 creators update. Previously, those policies had a dependency on Group Policy use, but they'll be available more broadly through MDM software, Microsoft promised.
Microsoft also recently published its MDM Migration Analysis Tool on GitHub. According to the instructions published at GitHub, the MDM Migration Analysis Tool helps organizations translate their Group Policy settings when they use an MDM tool. It runs a PowerShell script and generates reports on whether the MDM tool has the same Group Policy support or not, although it's just a "best-effort analysis."
Windows Hello, Microsoft's biometric log-in alternative to typing passwords, will be getting future support for operations on the customer's premises, rather than being tied to Microsoft's datacenters and the use of the Azure Active Directory service. With the Windows 10 creators update, it will be possible to use Windows Hello based on an organization's on-premises Active Directory, Microsoft promised. Microsoft also plans to add a "Dynamic Lock" feature to Windows Hello. It's a Bluetooth-based feature that will lock a computer if the user's smartphone travels outside a certain range.
Windows Defender Advanced Threat Protection, a post-breach analysis service based on signals data processed by Microsoft's machine learning algorithms, will have a customization option with the Windows 10 creators update release. Organizations will be able to add their own "customized detection rules," and they'll be able to use those rules to look across "six months of historical data," Microsoft's announcement promised.
Microsoft also previously described a bunch of Windows 10 security improvements coming in the creators update back in December.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.