Next week is one of the most important weeks of the year for us in security at Microsoft, as we join the leading thinkers in cybersecurity at the RSA conference in San Francisco.
At Microsoft, we are tirelessly focused on creating innovation that helps our customers protect, detect and respond to the constantly evolving and ever-changing cyber threat landscape. Our goal is to create a holistic, agile security platform, powered by the cloud, that better secures our customers – and Microsoft’s – infrastructure around the world.
With RSA so clearly on my mind, I am pleased to share six new security announcements that we will discuss in detail next week.
- NSA adds Windows 10 and Surface to list for classified use
- Enhanced security capabilities with Surface Enterprise Management Mode
- Extending device management in Windows 10
- New enhancements to Windows Defender Advanced Threat Protection
- The quest for No More Passwords with Windows Hello
- Turbo-charging your deployments with Windows Analytics
This is a big list and the culmination of a lot of work, so let’s look in detail at each of these in turn.
NSA adds Windows 10 and Surface to list for classified use
Our customers are the most security-conscious in the world and demonstrating our commitment to meeting their needs is incredibly important to us. Today, I’m excited to share that both Windows 10 and Surface devices including Surface Pro 3, Surface Pro 4 and Surface Book have been added to the NSA’s Commercial Solutions for Classified Programs (CSfC) list. The CSfC program listing demonstrates Windows 10, as well as Surface devices (the only Windows 10 devices currently on the list), when used in a layered solution, can meet the highest security requirements for use in classified environments.
Enhanced security capabilities with Surface Enterprise Management Mode
Many of our Surface customers in heavily-regulated industries have told us they value the many layers of security built into Windows 10, but also need to deploy additional protections at the hardware layer, such as being able to disable the camera or turn off the microphone to use a device within classified areas or on the manufacturing floor. Today, I’m excited to announce we’ve added a layer of hardware security functionality called Surface Enterprise Management Mode (SEMM) and it can be deployed on any Surface Pro 4, Surface Book and Surface Studio.
SEMM allows an organization to take ownership, modify, lock down, and otherwise control hardware configuration, security, and OS behaviors within the device firmware. Hardware configuration rules can be applied to Wi-Fi, Bluetooth, Cameras, USB, Microphones, Micro SD Card, TypeCover, and additional advanced features, which are protected by a SEMM certificate created during initial deployment.*
SEMM is easy to use and allows IT managers to deploy their Surface devices in custom configurations to help protect against evolving attacks. SEMM also requires both physical possession of the device and unique certificate signatures to make any changes, helping to prevent modifications in the event of device loss or theft and providing additional security authentication beyond simply trusting local administrator or BIOS passwords. Customers in the intelligence, financial services and healthcare industries are already using SEMM.
Extending device management in Windows 10
We’re bringing many of the security settings and configurations found in the Security Baseline Policies, previously only available through Group Policy, to MDM solutions with the Creators Update. Also, to help analyze and report on the Group Policy settings configured within your organization and list those supported by MDM, we’ve shipped the MDM Migration Analysis Tool** (MMAT), allowing simple symmetric policy configuration for your Windows 10 MDM managed devices.
New enhancements to Windows Defender Advanced Threat Protection (WDATP)
Since its release with the Windows 10 Anniversary Update, Windows Defender Advanced Threat Protection (WDATP) continues to prove its value in detecting high-profile security cases such as zero-day attacks, ransomware and other advanced attacks as published by our research team. With the Creators Update, we are enabling customers to add customized detection rules and providing the ability to perform ‘time travel’ detections, running every new detection added across six months of historical data. This helps customers uncover past unnoticed attacks. These insights and more, available through WDATP, have contributed to the incredible growth in active WDATP customers and pilots – now protecting nearly 1.5 million devices in just over six months.
We’ve heard feedback that in addition to integration of Office ATP and WDATP insights, customers want to view malware reports and other security events in a single place. Therefore, we are now integrating security events and alerts from across the Windows security stack, starting with Windows Defender Antivirus. As we look forward into the roadmap, we’re planning to introduce WDATP support for additional platforms starting with Windows Server.
We are also pleased to share that, through continued investments in our Windows Defender Antivirus offering, our test results continue to rank among the top of the security industry. AV-TEST, a recognized independent malware protection testing firm, noted in their Nov-Dec/2016 Product Review and Certification Report that our antivirus for enterprises, System Center Endpoint Protection, received high marks with 100% on zero day, web and email based threat testing and 98.6% on malware and prevalent malware testing.
The quest for No More Passwords with Windows Hello
Windows Hello is designed to eliminate the use of passwords, which remain one of the biggest security risks our customers face today. By using Azure Active Directory and hybrid environments with Azure Active Directory Connect, many of our customers have been able to use Windows Hello in their environments through the cloud. Now with the Creators Update, all organizations, particularly those in the public sector, with on-premises Active Directory-only environments will be able to use Windows Hello.
We are also adding Dynamic Lock to Windows Hello to automatically lock a device when the customer is no longer within proximity. Using Bluetooth signals, proximity will be based on distance between a customer’s mobile phone and the Windows 10 device and can be defined in Settings or through policy. Dynamic Lock can provide an additional layer of protection to help prevent unauthorized access to an unlocked, unattended device.
Through our co-engineering work with Intel as part of Project EVO, Windows Hello will be integrated within Intel’s Authenticate technology. This integration enables Windows Hello to take full advantage of Authenticate’s hardware-based authentication factors to help protect them from even the most advanced attacks. Together with Intel, we expect to deliver Windows devices with this integration capability by the end of 2017.
Turbo-charging your deployments with Windows Analytics
To help customers gain deep insights into the operational efficiency, health, and security of their Windows 10 devices, we have expanded our suite of cloud-powered Windows Analytics solutions. In addition to upgrade and compatibility readiness, Windows Analytics will now include Update Compliance – free insights available in public preview starting today that provide a holistic view of Windows 10 update compliance for both monthly quality updates and new feature updates. This free resource will help organizations monitor deployment progress, identify issues and provide insights about their fully-patched, secure Windows 10 device environment.
Windows 10 is the most secure version of Windows ever and these new additions, along with our focus on simplifying modern IT and enabling amazing experiences and devices powered by Windows 10, continue to drive deployments with customers like the US Department of Defense, Australian Department of Human Services, Kimberly-Clark, Hendrick Motorsports, Crystal Group and Aiken County Public School District, and many others.
For those attending RSA, please come and visit us at the Microsoft booth to get hands on with WDATP, sign up for a free trial and learn more about these security announcements.
*2/11/17: Updated to clarify what is currently available via SEMM versus what can be done through partner implementation. SEMM, when coupled with offerings from partners, can enable dynamic hardware configuration rules, pushed from the cloud, however this is not available immediately out of the box.
**2/11/17: Updated to clarify the name of the tool.