Our newly published EUD guidance for Windows 10 Fall Creators Update (1709) takes advantage of the most useful new security-related features of the platform.
It also comes with a refresh of our handy group policies, which provide an easy way for administrators to apply the settings we recommend.
New in this update:
- Removal of the Enhanced Mitigation Experience Toolkit (EMET) and introduction to its replacement, Windows Defender Exploit Guard (WDEG), also known as Windows Defender EMET Gone*. We have included configuration details for WDEG which build on top of Microsoft's enterprise baselines.
- Information on the new Device Tunnel concept which has been added to the native built-in VPN client. The Device Tunnel allows the computer to establish a tunnel prior to users logging in so that pre-logon connectivity scenarios and device management capabilities can be fulfilled. Similar functionality may have been previously achieved using DirectAccess, which has now been removed from our guidance.
Although we recommend that organisations disable or remove Internet Explorer 11 from the enterprise image they provision, we understand that in some cases you simply cannot move from IE. This is probably due to "legacy" reasons. So we made the decision to keep IE configuration baselines in the policy pack we provide. If you're not using IE, simply unlink the group policies.
Other than a basic configuration, we haven't included too much detail on the new Windows Defender Application Guard (WDAG). WDAG utilises Microsoft's Hyper-V virtualisation technology to run untrusted websites in an isolated instance of the Edge web browser. We believe there are some great security benefits to be gained from this new technology, so if you think your organisation may benefit from using WDAG and would like some guidance on configuration, let us know.
As always, feel free to add comments below or get in touch if you have any suggestions on how we could improve our guidance. We would be especially keen to hear from you if you've completed any recent deployments using the settings we recommend – being able to learn from your experiences improves the guidance we develop.
EUD Security Research
* It's not actually called Windows Defender EMET Gone.