Blog post

What's new in Windows Fall Creators Update (1709)?

Created:  24 Apr 2018
Updated:  24 Apr 2018
Author:  Stuart G
windows fall 1709

Our newly published EUD guidance for Windows 10 Fall Creators Update (1709) takes advantage of the most useful new security-related features of the platform.

It also comes with a refresh of our handy group policies, which provide an easy way for administrators to apply the settings we recommend.

New in this update: 

  • Removal of the Enhanced Mitigation Experience Toolkit (EMET) and introduction to its replacement, Windows Defender Exploit Guard (WDEG), also known as Windows Defender EMET Gone*. We have included configuration details for WDEG which build on top of Microsoft's enterprise baselines. 
  • Information on the new Device Tunnel concept which has been added to the native built-in VPN client. The Device Tunnel allows the computer to establish a tunnel prior to users logging in so that pre-logon connectivity scenarios and device management capabilities can be fulfilled. Similar functionality may have been previously achieved using DirectAccess, which has now been removed from our guidance. 

Although we recommend that organisations should disable or remove Internet Explorer 11 from the enterprise image they provision, we understand that in some cases, you simply cannot move from IE. This is probably due to "legacy" reasons.So we made the decision to keep IE configuration baselines in the policy pack we provide. If you're not using IE simply unlink the group polices.

Other than a basic configuration, we haven't included too much detail on the new Windows Defender Application Guard (WDAG). WDAG utilises Microsoft's Hyper-V virtualisation technology to run untrusted websites in an isolated instance of the Edge web browser. We believe there are some great security benefits to be gained from this new technology, so if you think your organisation may benefit from using WDAG and would like some guidance on configuration, let us know

As always, feel free to add comments below or get in touch if you have any suggestions on how we could improve our guidance. We would be especially keen to hear from you if you've completed any recent deployments using the settings we recommend – being able to learn from your experiences improves the guidance we develop.

Stuart G
EUD Security Research

* It's not actually called Windows Defender EMET Gone.

3 comments

Vicky V - 25 Apr 2018
Thanks for releasing the updated EUD Security Guidance for 1709 and for the summary above, much appreciated.
Ben Chamberlain - 03 May 2018
Good work NCSC :) Just to note that the GPO comments read "EUD guidance based on 1507 build of Windows 10. developed to align with Windows 8.1 guidance"
windows7 Support number - 04 Aug 2018
You are doing well but windows 10 updation is always bad experience give

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No