BitLocker, which encrypts entire volumes rather than individual files, has been around since Windows Vista and is better than ever in Windows 10. With the Anniversary Update, the encryption tool is available in the Pro, Enterprise, and Education editions. Much like Windows Hello, BitLocker works best when a TPM protects the encryption keys, but it can fall back to software-based key protection (a password or a USB startup key) if no TPM exists or it is not configured. A password alone is the most basic defense; adding a pre-boot PIN to the TPM protector, or using a smart card for data drives, is stronger. The Encrypting File System (EFS), which uses a per-user certificate to encrypt individual files and folders, is a separate feature that complements BitLocker rather than replacing it.
When BitLocker is enabled on the system drive and the brute-force lockout policy is turned on, Windows 10 can restart the PC and lock the drive after a specified number of incorrect logon attempts. The user then has to type the 48-digit BitLocker recovery password to start the device and access the disk, so that recovery password must be escrowed (to Active Directory or the management platform) before the policy is enabled, or a lockout turns into data loss. The feature requires UEFI firmware version 2.3.1 or later.
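As an added example (this is not code from the article), the PowerShell below checks the TPM and Secure Boot state, enables BitLocker on the OS drive with a TPM-plus-PIN protector, escrows the recovery password to Active Directory, and sets the lockout threshold described above. It assumes an elevated session on a domain-joined Windows 10 Pro or Enterprise machine; the registry value name behind the "Interactive logon: Machine account lockout threshold" policy is taken from Microsoft's policy-to-registry mapping and should be confirmed in the Local Security Policy editor after it is set.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Assumes: elevated PowerShell, domain-joined
# Windows 10 Pro/Enterprise, BitLocker and TrustedPlatformModule modules present.

$os = "C:"

# 1. Preconditions: a present-and-ready TPM and UEFI Secure Boot.
#    Confirm-SecureBootUEFI throws on legacy BIOS, which is itself the answer we need.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present/ready; BitLocker would have to fall back to a USB startup key or password protector."
}
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
Write-Host "TPM ready: $($tpm.TpmReady); Secure Boot: $secureBoot"

# 2. Current state of the OS volume and which protector types it already has.
$vol = Get-BitLockerVolume -MountPoint $os
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
    @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } } | Format-List

# 3. Enable with TPM + PIN rather than TPM alone: the PIN is demanded pre-boot, so a
#    stolen machine cannot simply be booted into Windows with the volume already unlocked.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    $pin = Read-Host -AsSecureString "Enter a pre-boot PIN (6 or more digits)"
    Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -SkipHardwareTest
}

# 4. Always keep a recovery-password protector and escrow it to Active Directory;
#    without it a triggered lockout or a TPM change makes the data unrecoverable.
$vol = Get-BitLockerVolume -MountPoint $os
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}
Backup-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp.KeyProtectorId

# 5. Brute-force lockout. The security option "Interactive logon: Machine account lockout
#    threshold" is backed by this policy value (name assumed from Microsoft's policy-to-
#    registry mapping; verify in secpol.msc). 10 failed logons -> reboot into BitLocker recovery.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $polKey -Name MaxDevicePasswordFailedAttempts `
    -PropertyType DWord -Value 10 -Force | Out-Null
```

Step 4 runs before step 5 deliberately: once the lockout threshold is in place, the recovery password is the only way back into a locked machine, so it has to be in AD (or your MDM) first. Test the lockout on a machine you can afford to recover manually before rolling the policy out.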
Windows Information Protection (WIP), formerly Enterprise Data Protection (EDP), is available only in the Windows 10 Pro, Enterprise, and Education editions. It provides persistent file-level encryption and basic rights management, and it integrates with Azure Active Directory and Azure Rights Management. WIP requires either a mobile device management platform (Microsoft Intune or a third-party product such as VMware's AirWatch) or System Center Configuration Manager (SCCM) to deliver its settings. An admin defines which Windows Store and desktop applications may access work data and which are blocked from it, so work data stays encrypted and cannot be pasted or saved into unmanaged apps; that is how WIP controls who can access the data and prevents accidental leakage. On-premises Active Directory eases management but is not required, according to Microsoft.
Virtualizing security defenses
Credential Guard, available only in Windows 10 Enterprise and Education, uses virtualization-based security (VBS) to isolate secrets such as NTLM password hashes and Kerberos ticket-granting tickets in a separate LSA process that even privileged system software cannot read. That helps block pass-the-hash and pass-the-ticket attacks, although security researchers have found ways around the protections: Credential Guard protects credentials once they are inside the isolated LSA, not at the moment a user types them. Even so, having Credential Guard is still better than not having it. It runs only on x64 systems and requires UEFI 2.3.1 or later with Secure Boot. The CPU's virtualization extensions (Intel VT-x or AMD-V) and second-level address translation (SLAT) must be enabled; an IOMMU (Intel VT-d or AMD-Vi) and a firmware lock on those settings are strongly recommended, because without them a DMA-capable device can read the hypervisor's memory. A TPM (1.2 or 2.0) is recommended so that the VBS keys are hardware-protected, and TPM 2.0 is what enables Device Health Attestation for a Credential Guard machine; if no TPM is available, software-based protection is used instead.
Virtual Secure Mode (VSM) is Microsoft's earlier name for the same Hyper-V-isolated environment, now called VBS, in which Credential Guard's isolated LSA runs. It is the mechanism that protects the domain credentials saved on Windows rather than a separate feature, and it likewise ships only in Windows 10 Enterprise and Education.
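As an added example (not code from the article), the PowerShell below reads the VBS and Credential Guard state from the `Win32_DeviceGuard` WMI class, decodes its integer codes into the prerequisite names used above, checks the 64-bit, Secure Boot and TPM preconditions, and then configures Credential Guard with the UEFI lock through the documented DeviceGuard and Lsa registry values. It assumes an elevated session on 64-bit Windows 10 Enterprise or Education and that a reboot follows; the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Assumes: elevated PowerShell on x64 Windows 10
# Enterprise/Education; registry values are the documented Credential Guard settings.

# Decoder tables for the integer codes Win32_DeviceGuard reports.
$secProps = @{ 1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection (IOMMU)';
               4 = 'Secure MOR'; 5 = 'HVCI-compatible'; 6 = 'Mode-based execution control' }
$services = @{ 1 = 'Credential Guard'; 2 = 'HVCI (code integrity)' }
$vbsState = @{ 0 = 'Not configured'; 1 = 'Configured, not running'; 2 = 'Running' }

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }   # throws on legacy BIOS
    [pscustomobject]@{
        Is64Bit            = [Environment]::Is64BitOperatingSystem
        SecureBoot         = $secureBoot
        TpmReady           = (Get-Tpm).TpmReady
        VbsStatus          = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableHwProps   = ($dg.AvailableSecurityProperties | ForEach-Object { $secProps[[int]$_] }) -join ', '
        RequiredProps      = ($dg.RequiredSecurityProperties  | ForEach-Object { $secProps[[int]$_] }) -join ', '
        ServicesConfigured = ($dg.SecurityServicesConfigured  | ForEach-Object { $services[[int]$_] }) -join ', '
        ServicesRunning    = ($dg.SecurityServicesRunning     | ForEach-Object { $services[[int]$_] }) -join ', '
    }
}

function Enable-CredentialGuardWithUefiLock {
    param([switch]$RequireDmaProtection)
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # RequirePlatformSecurityFeatures: 1 = Secure Boot only, 3 = Secure Boot + DMA protection.
    # Requiring DMA protection is the safer setting but the boot fails VBS on hardware without an IOMMU.
    $platform = if ($RequireDmaProtection) { 3 } else { 1 }
    New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -PropertyType DWord -Value $platform -Force | Out-Null
    # LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock (cannot be turned off remotely
    # or by a registry edit alone), 2 = enabled without the lock.
    New-ItemProperty -Path $lsaKey -Name LsaCfgFlags -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Credential Guard configured; reboot to start the isolated LSA."
}

$state = Get-CredentialGuardState
$state | Format-List
if ($state.Is64Bit -and $state.SecureBoot -and $state.ServicesRunning -notmatch 'Credential Guard') {
    Enable-CredentialGuardWithUefiLock
}
```

After the reboot, rerun `Get-CredentialGuardState` and confirm that `VbsStatus` is `Running` and `ServicesRunning` lists `Credential Guard`; `ServicesConfigured` without `ServicesRunning` means a prerequisite (usually Secure Boot or the required DMA protection) was not met. On earlier Windows 10 builds the Hyper-V hypervisor optional feature also had to be enabled first, so check Microsoft's deployment guide for the build in use.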
Other security goodies
Windows 10 supports mobile device management in all editions, but it needs a separate MDM platform, such as Microsoft Intune or a third-party product such as VMware's AirWatch. If MDM is part of the plan, avoid Windows 10 Home, because not all MDM capabilities are available in that edition. MDM and SCCM platforms can also use the Windows Device Health Attestation Service, available in all editions, for conditional access: the device reports TPM-signed boot measurements (Secure Boot, BitLocker, code integrity and VBS state, among others), and the management platform can deny access to corporate resources when those measurements do not match policy.