Learn How to Secure Windows 10 Devices in a Modern Sophisticated Way

A few years ago, the only protection on a Windows machine was antivirus software with malware/spyware protection. The world has changed, and cyber attacks are getting more sophisticated. I don’t believe that antivirus and malware/spyware solutions alone can help us protect corporate devices. As you know, Windows 10 is redefining the way we think about security. With TPM and UEFI, hardware can be used to plug some of the holes attackers use to compromise systems. Of course, these capabilities are just part of a sophisticated solution that involves countless security enhancements to Windows 10 itself, such as improved identity and access control, cloud security integration, and containerization. Windows 10 delivers an unprecedented suite of capabilities to the enterprise. Now it’s up to you as IT systems administrators to use these new features correctly and help keep your company safe.

To that end, Microsoft TechNet has a nice overview here, and Adaptiva has provided some background and how-to information in their recent Top 5 Security Best Practices for Windows 10 in the Enterprise report. Most of the topics covered below are easily implemented the modern management way, using OMA-URI via Intune/SCCM. Some of the topics the report covers include:


Windows Information Protection

Want to keep your company’s confidential product roadmap from being sent from an employee’s private email, or placed in their personal Dropbox account? That is the sort of challenge Microsoft is solving through containerization with WIP. How to create WIP/EDP policies via Intune and SCCM is explained in one of my blog posts here.


Imagine a future where part of your encryption key is stored in the hardware of a system, and another part is stored in software. If you run a TPM chip with BitLocker, that future is reality today. It makes life easier for users, because they get this extra level of security while only entering their Windows login—not a separate encryption key. But it makes life hard for attackers, who would need both the hardware and software keys (or an extremely long recovery key) to break in.

UEFI with Secure Boot

UEFI changes everything because it enables secure boot. Now when your OS loads, it has to be trusted by the PC manufacturer or it won’t run. The same goes for drivers and more—if they are not trusted they don’t run. This makes life a lot harder for people looking to compromise your OS.

Credential Guard

We’ve all heard of “pass the hash” attacks where security credentials are snagged and used for unfriendly purposes. Credential Guard helps to prevent them, and some other attacks as well.

Device Guard

Of course, securing the boot process, credentials, and hard disk is not enough. If one application is replaced with an imposter, or contains malware to begin with, or IS malware, a hacker has the keys to the front door of your enterprise. Device Guard prevents unauthorized applications from running.
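As an added example (not from the original post or the Adaptiva report), the following PowerShell reports whether the protections covered above are actually active on a device rather than merely licensed or configured. `Get-Win10SecurityPosture` is a hypothetical function name; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: local check of TPM, Secure Boot, BitLocker, Credential Guard and Device Guard.
function Get-Win10SecurityPosture {   # hypothetical helper name
    $r = [ordered]@{}

    # TPM: must be present and ready before BitLocker can seal keys to it.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r.TpmPresent = $tpm.TpmPresent
        $r.TpmReady   = $tpm.TpmReady
    } catch { $r.TpmPresent = "unknown: $($_.Exception.Message)" }

    # Secure Boot: the cmdlet throws on legacy BIOS (non-UEFI) firmware.
    try { $r.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch [System.PlatformNotSupportedException] { $r.SecureBoot = 'not supported (legacy BIOS)' }
    catch { $r.SecureBoot = "unknown: $($_.Exception.Message)" }

    # BitLocker on the OS volume: protection must be On, and the protector
    # list shows whether the TPM (not only a recovery password) is in use.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $r.BitLockerProtection = [string]$vol.ProtectionStatus
        $r.BitLockerProtectors = ($vol.KeyProtector.KeyProtectorType -join ', ')
    } catch { $r.BitLockerProtection = "unknown: $($_.Exception.Message)" }

    # Credential Guard and Device Guard state is exposed through Win32_DeviceGuard.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        # 2 = virtualization-based security enabled and running
        $r.VbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        $r.CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        $r.HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        $r.CodeIntegrityPolicy = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
            0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'unknown' }
        }
    } else {
        $r.VbsRunning = 'unknown: Win32_DeviceGuard class not available'
    }

    [pscustomobject]$r
}

Get-Win10SecurityPosture | Format-List
```

A device where a policy has been pushed but `VbsRunning` or `CredentialGuardRunning` is still false usually needs a reboot or is missing a hardware prerequisite, so check the running state, not just the configured one.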

Vulnerability is not an Option

If you are up to speed on all these technologies, and implementing them correctly, great! If not, you should invest some time to download the guides and reports out there and get up to speed on your security options with Windows 10 today.  
