Lockdown! Harden Windows 10 for maximum security

Fahmida Y. Rashid | Sept. 23, 2016
To make the most of Windows 10's security improvements, you must target the right edition and hardware for your needs

Available for all Windows 10 editions, Windows Hello Companion Devices is a framework for allowing users to use an external device -- such as a phone, access card, or wearable -- as one or more authenticating factors for Hello. Users interested in working with Windows Hello Companion Device to roam with their Windows Hello credentials between multiple Windows 10 systems must have Pro or Enterprise installed on each one.

Windows 10 formerly had Microsoft Passport, which enabled users to log in to trusted applications via Hello credentials. With Anniversary Update, Passport no longer exists as a separate feature but is incorporated into Hello. Third-party applications that use the Fast Identity Online (FIDO) specification will be able to support single sign-on by way of Hello. For example, the Dropbox app can be authenticated directly via Hello, and Microsoft’s Edge browser enables integration with Hello to extend to the web. It’s possible to turn on the feature in a third-party mobile device management platform, as well. The password-less future is coming, but not quite yet.

Keeping malware out

Windows 10 also introduces Device Guard, technology that flips traditional antivirus on its head. Device Guard locks down Windows 10 devices, relying on whitelists to let only trusted applications be installed. Programs aren’t allowed to run unless they are determined safe by checking the file’s cryptographic signature, which ensures all unsigned applications and malware cannot execute. Device Guard relies on Microsoft’s own Hyper-V virtualization technology to store its whitelists in a shielded virtual machine that system administrators can’t access or tamper with. To take advantage of Device Guard, machines must run Windows 10 Enterprise or Education and support TPM, hardware CPU virtualization, and I/O virtualization. Device Guard relies on Windows hardening such as Secure Boot.

AppLocker, available only for Enterprise and Education, can be used with Device Guard to set up code integrity policies. For example, administrators can decide to limit which universal applications from the Windows Store can be installed on a device. 

Configurable code integrity is another Windows component, which verifies that the code running is trusted and safe. Kernel mode code integrity (KMCI) prevents the kernel from executing unsigned drivers. Administrators can manage the policies at the certificate authority or publisher level as well as the individual hash values for each binary executable. Since much commodity malware tends to be unsigned, deploying code integrity policies lets organizations immediately protect against unsigned malware.

Windows Defender, first released as standalone software for Windows XP, became Microsoft’s default malware protection suite, with antispyware and antivirus, in Windows 8. Defender is automatically disabled when a third-party antimalware suite is installed. If there is no competing antivirus or security product installed, make sure that Windows Defender, available across all editions and with no specific hardware requirements, is turned on. For Windows 10 Enterprise users, there is the Windows Defender Advanced Threat Protection, which offers real-time behavioral threat analysis to detect online attacks.
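The prerequisites named above for Device Guard (edition, TPM, Secure Boot, CPU and I/O virtualization) and the advice to confirm Defender is on can be audited in one pass. The script below is an added example, not from the article or from Microsoft; the function name `Get-HardeningReadiness` is hypothetical, and it assumes an elevated PowerShell session on Windows 10 with the built-in `Win32_DeviceGuard` WMI class available.

```powershell
# Added example: report the Device Guard prerequisites and Defender state on this machine.
# Run elevated; Get-Tpm and Confirm-SecureBootUEFI both require administrator rights.
function Get-HardeningReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Win32_DeviceGuard may be absent on some editions; $dg is then $null.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
              -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "off".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # Documented value meanings for the Win32_DeviceGuard status properties.
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection.
    $props = @($dg.AvailableSecurityProperties)

    if ($dg) {
        $vbs = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        $ci  = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    } else {
        $vbs = 'Unknown (Win32_DeviceGuard not available)'
        $ci  = 'Unknown (Win32_DeviceGuard not available)'
    }

    [pscustomobject]@{
        Edition                    = $os.Caption
        EditionSupportsDeviceGuard = $os.Caption -match 'Enterprise|Education'
        TpmPresentAndReady         = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        SecureBootOn               = $secureBoot
        CpuVirtualizationAvailable = $props -contains 1
        DmaProtectionAvailable     = $props -contains 3   # depends on the IOMMU (I/O virtualization)
        VirtualizationBasedSecurity = $vbs
        CodeIntegrityPolicy        = $ci
        # SecurityServicesRunning: 2 = hypervisor-enforced code integrity is active.
        HvciRunning                = @($dg.SecurityServicesRunning) -contains 2
        DefenderRealTimeOn         = [bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
    }
}

Get-HardeningReadiness | Format-List
```

A `CodeIntegrityPolicy` value of `Audit` means a policy is loaded but only logging; blocking of unsigned code applies only when it reads `Enforced`.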
