Windows 10 Win/10 Security & Updates Guide


Win/10 Security+Update Guide (from ZDNET.COM by Ed Bott)


The single most important security setting for any Windows 10 PC is ensuring that updates are being installed on a regular, predictable schedule. That's true of every modern computing device, of course, but the "Windows as a service" model that Microsoft introduced with Windows 10 changes the way you manage updates.

Before you begin, though, it's important to understand about the different types of Windows 10 updates and how they work.

  • Quality updates are delivered monthly through Windows Update. They address security and reliability issues and do not include new features. (These updates also include patches for microcode flaws in Intel processors.)
  • All quality updates are cumulative, so you no longer have to download dozens or even hundreds of updates after performing a clean install of Windows 10. Instead, you can install the latest cumulative update and you will be completely up to date.
  • Feature updates are the equivalent of what used to be called version upgrades. They include new features and require a multi-gigabyte download and a full setup. Windows 10 feature updates are released twice a year, in April and October, and are also delivered through Windows Update.

On devices running Windows 10 Home, *there's no supported way to control when updates are installed.* Administrators can exercise some control, however, over when updates are installed on PCs running business editions of Windows 10.

Using the Windows Update for Business features built into Windows 10 Pro, Enterprise, and Education editions, you can defer installation of *quality updates*

Devices that are running a business edition of Windows 10 (Pro, Enterprise, or Education) can be joined to a Windows domain.

  • Local accounts use credentials that are stored only on the device.
  • Microsoft accounts are free for consumer use and allow syncing of data and settings across PCs and devices; they also support two-factor authentication and password recovery options.
  • Azure Active Directory (Azure AD) accounts are associated with a custom domain and can be centrally managed. Basic Azure AD features are free and are included with Office 365 Business and Enterprise subscriptions;

*The first account on a Windows 10 PC is a member of the Administrators group and has the right to install software and modify the system configuration.*

To increase the security of the sign-in process on a specific device, you can use a Windows 10 feature called Windows Hello. Windows Hello requires a two-step verification process to enroll the device with a Microsoft account, an Active Directory account, an Azure AD account, or a third-party identity provider that supports FIDO version 2.0.

On a Windows 10 device, the single most important configuration change you can make is to enable BitLocker device encryption.

Enabling BitLocker requires a device that includes a Trusted Platform Module (TPM) chip; every business PC manufactured in the past six years should qualify in this regard.

In addition, BitLocker requires a business edition of Windows 10 (Pro, Enterprise, or Education); the *Home edition* supports strong device encryption, *but only with a Microsoft account*, and it doesn't allow management of a BitLocker device.
[edit] BitLocker primarily comes into play when the data is at rest, aka not online OR when RDP is active. IMO, if you disable RDP and have the firewall active, BitLocker is unnecessary and just adds complications.[/edit]

Organizations that use Windows Enterprise edition can deploy Windows Defender Advanced Threat Protection, a security platform that monitors endpoints such as Windows 10 PCs using behavioral sensors. Using cloud-based analytics, Windows Defender ATP can identify suspicious behavior and alert administrators to potential threats.

For *smaller businesses*, the most important challenge is to prevent malicious code from reaching the PC in the first place. Microsoft's SmartScreen technology is another built-in feature that scans downloads and blocks execution of those that are known to be malicious. The SmartScreen technology also blocks unrecognized programs but allows the user to override those settings if necessary.

It's worth noting that SmartScreen in Windows 10 works independently of browser-based technology such as Google's Safe Browsing service and the SmartScreen Filter service in Microsoft Edge.

Another crucial vector for managing potentially malicious code is email.

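As an added, read-only audit script (not from the ZDNet article or the forum post above), the following PowerShell reports the state of the settings the post walks through: the Windows edition, any Windows Update for Business deferral policy, TPM presence, BitLocker status per volume, the SmartScreen setting, and the Remote Desktop and firewall state the [edit] note weighs against BitLocker. It assumes the documented registry locations and the built-in Get-Tpm, Get-BitLockerVolume and Get-NetFirewallProfile cmdlets; on Home edition the BitLocker module is absent, which the script reports rather than failing on.

```powershell
# Added example: read-only audit of the Windows 10 settings discussed above.
# Run from an elevated PowerShell prompt; nothing here changes configuration.
# Assumption: the registry paths and cmdlets used are the documented
# Windows Update for Business, BitLocker, TPM and SmartScreen interfaces.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (policy not set).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WindowsEdition {
    # EditionID is "Core" for Home; "Professional", "Enterprise" or "Education"
    # are the business editions the article says support WUfB and BitLocker.
    Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'EditionID'
}

function Get-UpdateDeferralPolicy {
    # Windows Update for Business deferrals set by Group Policy or MDM land
    # under this key; a $null value means no deferral is configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    [pscustomobject]@{
        QualityDeferDays = Get-RegValue $key 'DeferQualityUpdatesPeriodInDays'
        FeatureDeferDays = Get-RegValue $key 'DeferFeatureUpdatesPeriodInDays'
    }
}

function Get-TpmSummary {
    # Get-Tpm ships with the TrustedPlatformModule module on Windows 10.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Get-BitLockerSummary {
    # One row per volume: encryption state, whether protection is on, and
    # which key protectors (for example Tpm, RecoveryPassword) are attached.
    try {
        Get-BitLockerVolume -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Volume     = $_.MountPoint
                Status     = $_.VolumeStatus
                Protection = $_.ProtectionStatus
                Protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            }
        }
    } catch {
        # Home edition has no BitLocker module, so the cmdlet is not found.
        [pscustomobject]@{ Volume = 'n/a'; Status = 'BitLocker module unavailable'; Protection = ''; Protectors = '' }
    }
}

function Get-SmartScreenSummary {
    # A policy value overrides the per-machine Explorer setting when present.
    $sysPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    [pscustomobject]@{
        PolicyEnabled = Get-RegValue $sysPolicy 'EnableSmartScreen'
        PolicyLevel   = Get-RegValue $sysPolicy 'ShellSmartScreenLevel'
        LocalSetting  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'
    }
}

function Get-RemoteAccessSummary {
    # fDenyTSConnections = 1 means Remote Desktop is disabled; the firewall
    # profiles show whether the host firewall is on for each network type.
    $deny = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $profiles = try { Get-NetFirewallProfile -ErrorAction Stop } catch { @() }
    [pscustomobject]@{
        RdpDisabled = ($deny -eq 1)
        Firewall    = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' '
    }
}

# Out-Host forces each section to render in order next to its heading.
Write-Host "Edition: $(Get-WindowsEdition)"
Write-Host 'Update deferral policy:'; Get-UpdateDeferralPolicy | Format-List | Out-Host
Write-Host 'TPM:';                    Get-TpmSummary | Format-List | Out-Host
Write-Host 'BitLocker volumes:';      Get-BitLockerSummary | Format-Table -AutoSize | Out-Host
Write-Host 'SmartScreen:';            Get-SmartScreenSummary | Format-List | Out-Host
Write-Host 'RDP / firewall:';         Get-RemoteAccessSummary | Format-List | Out-Host
```

Each function returns an object, so the same checks can be collected from many machines and compared against an expected baseline (for example, every volume FullyEncrypted with a Tpm protector and a non-zero quality-update deferral on business editions) rather than read by eye.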