It is tempting to think that the process of securing a Windows 10 device can be reduced to a simple checklist. Install some security software, adjust a few settings, hold a training session or two, and you can move on to the next item on your to-do list.
Alas, the real world is far more complicated than that.
There is no software magic bullet, and your initial setup simply establishes a security baseline. After that initial configuration is complete, security requires continued vigilance and ongoing effort. Much of the work of securing a Windows 10 device happens away from the device itself. A well-planned security policy pays attention to network traffic, email accounts, authentication mechanisms, management servers, and other external connections.
This guide covers a broad spectrum of business use cases, with each heading discussing an issue that decision makers must consider when deploying Windows 10 PCs. And although it covers many options that are available, this is not a hands-on guide.
In a large business, your IT staff should include security specialists who can manage these steps. In a small business without dedicated IT staff, outsourcing these responsibilities to a consultant with the necessary expertise might be the best approach.
Before you touch a single Windows setting, though, take some time for a threat assessment. In particular, be aware of your legal and regulatory responsibilities in the event of a data breach or other security-related event. For businesses that are subject to compliance requirements, you'll want to hire a specialist who knows your industry and can ensure that your systems meet all applicable requirements.
The following categories apply to businesses of all sizes.
The single most important security setting for any Windows 10 PC is ensuring that updates are being installed on a regular, predictable schedule. That's true of every modern computing device, of course, but the "Windows as a service" model that Microsoft introduced with Windows 10 changes the way you manage updates.
Before you begin, though, it's important to understand about the different types of Windows 10 updates and how they work.
- Quality updates are delivered monthly through Windows Update. They address security and reliability issues and do not include new features. (These updates also include patches for microcode flaws in Intel processors.)
- All quality updates are cumulative, so you no longer have to download dozens or even hundreds of updates after performing a clean install of Windows 10. Instead, you can install the latest cumulative update and you will be completely up to date.
- Feature updates are the equivalent of what used to be called version upgrades. They include new features and require a multi-gigabyte download and a full setup. Windows 10 feature updates are released twice a year, in April and October, and are also delivered through Windows Update.
See also: FAQ: How to manage Windows 10 updates
By default, Windows 10 devices download and install updates as soon as they're available on Microsoft's update servers. On devices running Windows 10 Home, there's no supported way to control when updates are installed. Administrators can exercise some control, however, over when updates are installed on PCs running business editions of Windows 10.
As with all security decisions, choosing when to install updates involves a trade-off. Installing updates immediately after they're released offers the best protection; deferring updates makes it possible to minimize unscheduled downtime associated with those updates.
Using the Windows Update for Business features built into Windows 10 Pro, Enterprise, and Education editions, you can defer installation of quality updates by up to 30 days. You can also delay feature updates by as much as two years, depending on the edition.
Deferring quality updates by seven to 15 days is a low-risk way of avoiding the risk of a flawed update that can cause stability or compatibility problems. You can adjust Windows Update for Business settings on individual PCs using the controls in Settings > Update & Security > Advanced Options.
In larger organizations, administrators can apply Windows Update for Business settings using Group Policy or mobile device management (MDM) software. You can also administer updates centrally by using a management tool such as System Center Configuration Manager or Windows Server Update Services.
Finally, your software update strategy shouldn't stop at Windows itself. Make sure that updates for Windows applications, including Microsoft Office and Adobe applications, are installed automatically.
Identity and user account management
Every Windows 10 PC requires at least one user account, which is in turn protected by a password and optional authentication mechanisms. How you set up that account (and any secondary accounts) goes a long way toward ensuring the security of the device.
Devices that are running a business edition of Windows 10 (Pro, Enterprise, or Education) can be joined to a Windows domain. In that configuration, domain administrators have access to the Active Directory features and can authorize users, groups, and computers to access local and network resources. If you're a domain administrator, you can manage Windows 10 PCs using the full set of server based Active Directory tools.
For Windows 10 PCs that are not joined to a domain, as is the case in most small businesses, you have a choice of three account types:
- Local accounts use credentials that are stored only on the device.
- Microsoft accounts are free for consumer use and allow syncing of data and settings across PCs and devices; they also support two-factor authentication and password recovery options.
- Azure Active Directory (Azure AD) accounts are associated with a custom domain and can be centrally managed. Basic Azure AD features are free and are included with Office 365 Business and Enterprise subscriptions; additional Azure AD features are available as paid upgrades.
The first account on a Windows 10 PC is a member of the Administrators group and has the right to install software and modify the system configuration. Secondary accounts can and should be set up as Standard users to prevent untrained users from inadvertently damaging the system or installing unwanted software.
Requiring a strong password is an essential step regardless of account type. On managed networks, administrators can use Group Policy or MDM software to enforce an organization password policy.
To increase the security of the sign-in process on a specific device, you can use a Windows 10 feature called Windows Hello. Windows Hello requires a two-step verification process to enroll the device with a Microsoft account, an Active Directory account, an Azure AD account, or a third-party identity provider that supports FIDO version 2.0.
When that enrollment is complete, the user can sign in using a PIN or, with supported hardware, biometric authentication such as a fingerprint or facial recognition. The biometric data is stored on the device only and prevents a variety of common password-stealing attacks. On devices connected to business accounts, administrators can use Windows Hello for Business to specify PIN complexity requirements.
Finally, when using Microsoft or Azure AD accounts on business PCs, you should set up multi-factor authentication (MFA) to protect the account from external attacks. On Microsoft accounts, the Two-step Verification setting is available at https://account.live.com/proofs. For Office 365 Business and Enterprise accounts, an administrator must first enable the feature from the Office portal, after which users can manage MFA settings by going to https://account.activedirectory.windowsazure.com/r#/profile.
Physical security is every bit as important as issues related to software or networks. A stolen laptop, or one left behind in a taxi or a restaurant, can lead to significant risk of data loss. For a business or a government agency, the impact can be disastrous, and the consequences are even worse in regulated industries or where data breach laws require public disclosure.
On a Windows 10 device, the single most important configuration change you can make is to enable BitLocker device encryption. (BitLocker is the brand name that Microsoft uses for the encryption tools available in business editions of Windows.)
With BitLocker enabled, every bit of data on the device is encrypted using the XTS-AES standard. Using Group Policy settings or device management tools, you can increase the encryption strength from its default 128-bit setting to 256-bit.
Enabling BitLocker requires a device that includes a Trusted Platform Module (TPM) chip; every business PC manufactured in the past six years should qualify in this regard. In addition, BitLocker requires a business edition of Windows 10 (Pro, Enterprise, or Education); the Home edition supports strong device encryption, but only with a Microsoft account, and it doesn't allow management of a BitLocker device.
For full management capabilities, you'll also need to set up BitLocker using an Active Directory account on a Windows domain or an Azure Active Directory account. In either configuration, the recovery key is saved in a location that is available to the domain or AAD administrator.
On an unmanaged device running a business edition of Windows 10, you can use a local account, but you'll need to use the BitLocker Management tools to enable encryption on available drives.
And don't forget to encrypt portable storage devices. USB flash drives. MicroSD cards used as expansion storage, and portable hard drives are easily lost, but the data can be protected from prying eyes with the use of BitLocker To Go, which uses a password to decrypt the drive's contents.
Also: Windows 10 tip: Protect removable storage devices with BitLocker encryption
In large organizations that use Azure Active Directory, it's also possible to protect the contents of stored files and email messages using Azure Information Protection and the Azure Rights Management service. That combination allows administrators to classify and restrict access to documents created in Office and other applications, independent of their local encryption status.
Blocking malicious code
As the world has become more connected and online attackers have become more sophisticated, the role of traditional antivirus software has changed. Instead of being the primary tool for blocking the installation of malicious code, security software is now just another layer in a defensive strategy.
Every installation of Windows 10 includes built-in antivirus, anti-malware software called Windows Defender, which updates itself using the same mechanism as Windows Update. Windows Defender is designed to be a set-it-and-forget-it feature and doesn't require any manual configuration. If you install a third-party security package, Windows Defender steps aside and allows that software to detect and remove potential threats.
Large organizations that use Windows Enterprise edition can deploy Windows Defender Advanced Threat Protection, a security platform that monitors endpoints such as Windows 10 PCs using behavioral sensors. Using cloud-based analytics, Windows Defender ATP can identify suspicious behavior and alert administrators to potential threats.
For smaller businesses, the most important challenge is to prevent malicious code from reaching the PC in the first place. Microsoft's SmartScreen technology is another built-in feature that scans downloads and blocks execution of those that are known to be malicious. The SmartScreen technology also blocks unrecognized programs but allows the user to override those settings if necessary.
It's worth noting that SmartScreen in Windows 10 works independently of browser-based technology such as Google's Safe Browsing service and the SmartScreen Filter service in Microsoft Edge.
On unmanaged PCs, SmartScreen is another feature that requires no manual configuration. You can adjust its configuration using the App & Browser Control settings in the Windows Security app in Windows 10.
Another crucial vector for managing potentially malicious code is email, where seemingly innocuous file attachments and links to malicious websites can result in infection. Although email client software can offer some protection in this regard, blocking these threats at the server level is the most effective way to prevent attacks on PCs.
An effective approach for preventing users from running unwanted programs (including malicious code) is to configure a Windows 10 PC from running any apps except those you specifically authorize. To adjust these settings on a single PC, go to Settings > Apps > Apps & Features; under the Installing Apps heading, choose Allow Apps From The Store Only. This setting allows previously installed apps to run, but prevents installation of any downloaded programs from outside the Microsoft Store.
Administrators can configure this setting over a network using Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure App install Control.
The most extreme approach for locking down a Windows 10 PC is to use the Assigned Access feature to configure the device so that it can run only a single app. If you choose Microsoft Edge as the app, you can configure the device to run in full-screen mode locked to a single site or as a public browser with a limited set of features.
To configure this feature, go to Settings > Family & Other Users and click Assigned Access. (On a PC connected to a business account, this option is under Settings > Other Users.)
Every version of Windows in the past 15 years has included a stateful inspection firewall. In Windows 10, this firewall is enabled by default and doesn't need any tweaking to be effective. As with its predecessors, the Windows 10 firewall supports three different network configurations: Domain, Private, and Public. Apps that need access to network resources can generally configure themselves as part of initial setup.
To adjust basic Windows firewall settings, use the Firewall & Network Protection tab in the Windows Security app. For a far more comprehensive, expert-only set of configuration tools, click Advanced Settings to open the legacy Windows Defender Firewall with Advanced Security console. On managed networks, these settings can be controlled through a combination of Group Policy and server-side settings.
From a security standpoint, the biggest network-based threats to a Windows 10 PC arise when connecting to wireless networks. Large organizations can significantly improve the security of wireless connections by adding support for the 802.1x standard, which uses access controls instead of shared passwords as in WPA2 wireless networks. Windows 10 will prompt for a username and password when attempting to connect to this type of network and will reject unauthorized connections.
On Windows domain-based networks, you can use the native DirectAccess feature to allow secure remote access.
For times when you must connect to an untrusted wireless network, the best alternative is to set up a virtual private network (VPN). Windows 10 supports most popular VPN packages used on corporate networks; to configure this type of connection, go to Settings > Network & Internet > VPN. Small businesses and individuals can choose from a variety of Windows-compatible third-party VPN services.
Previous and related coverage:
Here's everything you need to know before you repair, reinstall, or upgrade Windows 10, including details about activation and product keys.
ou've just upgraded to the most recent version of Windows 10. Before you get back to work, use this checklist to ensure that your privacy and security settings are correct and that you've cut annoyances to a bare minimum.
You've got a new PC running Windows 10 Home. You want to upgrade to Windows 10 Pro. Here's how to get that upgrade for free. All you need is a Pro/Ultimate product key from an older version of Windows.