How to Upgrade Windows 10 & Deploy Enterprise Security Features

Microsoft 365 is a new offering from Microsoft that combines Windows 10 with Office 365, and Enterprise Mobility and Security (EMS).

To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.

Windows Autopilot
In-place upgrade
Deploying Windows 10 upgrade with Intune
Deploying Windows 10 upgrade with Microsoft Endpoint Configuration Manager
Deploying a computer refresh with Microsoft Endpoint Configuration Manager

Learning Objectives

Part 1 of this post is at this link, where we looked at the following:

  • Plan for Windows as a Service (WaaS)
  • Choosing Windows 10 deployment methods
  • Windows 10 AutoPilot Deployments
  • Creating AutoPilot deployment profiles
  • Enroll Windows 10 Devices

This is Part 2, which covers:

  • Analyze Upgrade Readiness for Windows 10
  • Windows 10 Enterprise Security features
  • Threat Protection
  • Deploy Enterprise Security Features

Analyze Upgrade Readiness For Windows 10


Windows Analytics is a suite of cloud services comprised of three solutions: Upgrade Readiness, Update Compliance, and Device Health. In July 2019, Desktop Analytics was introduced as a public preview and as the next evolution of the Windows Analytics platform. On January 31st, 2020, Windows Analytics will retire in favor of Desktop Analytics. New customers will no longer be able to onboard to the Upgrade Readiness and Device Health solutions once Desktop Analytics becomes generally available; however, Update Compliance will remain available via the Azure Portal. Desktop Analytics is the successor of Windows Analytics: the three Windows Analytics capabilities (Upgrade Readiness, Update Compliance, and Device Health) are all combined in the Desktop Analytics service, which is also more tightly integrated with Configuration Manager. The supported upgrade paths are Windows 7, Windows 8.1, and Windows 10. To perform an in-place upgrade from Windows 7 or Windows 8.1, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows diagnostic data, Upgrade Readiness performs a full inventory of the computers so that you can see which version of Windows is installed on each one. Keeping Windows 10 up to date involves deploying feature updates, and the Upgrade Readiness tools help you prepare and plan for these updates. The latest cumulative update must be installed on Windows 10 computers to make sure that the required compatibility updates are present. So, how does Upgrade Readiness work?


Microsoft analyzes system, application, and driver diagnostic data to help you determine when computers are upgrade-ready. Each user computer sends this diagnostic data to a secure Microsoft data center through the Microsoft data management service. After you’ve configured Upgrade Readiness, the diagnostic data is analyzed by the Upgrade Readiness service. The results are then pushed to your OMS workspace, and you can use the Upgrade Readiness solution to plan and manage your Windows 10 upgrades. Upgrade Readiness is offered as a solution within the Azure Portal, built on the Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based services for managing on-premises and cloud computing. If you’re already using the Azure Portal or Azure Log Analytics, you’ll find Upgrade Readiness in the solution gallery.


Click the Upgrade Readiness tile in the gallery, and then click Add on the solution details page. It then becomes visible in your workspace. If you are not using the Azure Portal or Log Analytics, you can go to the Log Analytics site and select “Start Free” to begin the set-up process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. Upgrade Readiness can also be integrated with your installation of Configuration Manager.

There are three core steps to this: first add, second enroll, and third upgrade. Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using it. Once you have added Upgrade Readiness to a workspace in your Azure subscription, you can start enrolling devices in your organization. You can then use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues up front.

Devices enrolled in Desktop Analytics may only be used by licensed users of Windows 10 Enterprise E3 or E5, Windows 10 Education A3 or A5, or Windows Virtual Desktop E3 or E5. Beyond the cost of the license subscriptions, there’s no additional cost for using Desktop Analytics. Within Azure Log Analytics, Desktop Analytics is zero rated, which means it’s excluded from data limits and costs regardless of the Azure Log Analytics pricing tier you choose. If you use the free tier, which has a cap on the amount of data collected per day, the Desktop Analytics data doesn’t count towards the cap.
Desktop Analytics collects and analyzes device, application, and driver data in your organization. Based on this analysis and your input, you can use the service to create deployment plans for Windows 10. Deployment plans have the following features:

  • Automatically recommend which devices to include in pilots,
  • Identify compatibility issues and suggest mitigations,
  • Assess the health of the deployment before, during, and after updates,
  • Track the progress of the deployment.

As part of the deployment plan, you need to complete the following actions:

  • Define what versions of Windows 10 you wish to deploy,
  • Choose what groups of devices to which you want to deploy,
  • Create readiness rules for the deployment,
  • Define the importance of your apps,
  • Choose pilot devices based on automatic recommendations,
  • Decide how to fix issues with apps based on the recommendations from within Desktop Analytics.

By default, Desktop Analytics refreshes deployment plan data daily. Any change you make within a deployment plan, such as assigning an importance to an app or choosing a device to include in a pilot, takes up to 24 hours to process. To speed this up, you can request an on-demand data refresh.
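The enroll step above needs each device to carry your workspace's Commercial ID and to send diagnostic data at the required level. The following is an added example, not code from the original post or from Microsoft: a PowerShell check of those prerequisites on a device. The registry paths and value names are assumed from Microsoft's published Upgrade Readiness deployment script (verify them against the current documentation), and the Commercial ID is a placeholder you replace with your own.

```powershell
# Added example: check whether a device is ready to enroll in Upgrade Readiness /
# Desktop Analytics. Needs PowerShell 3.0 or later. Registry locations are assumed
# from Microsoft's Upgrade Readiness deployment script; the CommercialId default is
# a placeholder, not a real value.
function Test-UpgradeReadinessPrereq {
    param(
        [string]$CommercialId = '00000000-0000-0000-0000-000000000000',  # placeholder
        [int]$MinimumTelemetryLevel = 1   # 0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Supported upgrade paths per the post: Windows 7 SP1, Windows 8.1, Windows 10.
    $supportedOs = switch -Regex ($os.Version) {
        '^6\.1\.' { $os.ServicePackMajorVersion -ge 1 }   # Windows 7 must be SP1
        '^6\.3\.' { $true }                               # Windows 8.1
        '^10\.'   { $true }                               # Windows 10
        default   { $false }
    }

    # The Commercial ID ties the device's diagnostic data to your Log Analytics workspace.
    $idKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    $currentId = (Get-ItemProperty -Path $idKey -Name CommercialId -ErrorAction SilentlyContinue).CommercialId

    # Diagnostic data level: a Group Policy value wins over the locally configured one.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $level = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    if ($null -eq $level) {
        $level = (Get-ItemProperty -Path $idKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    }

    # The Connected User Experiences and Telemetry service (DiagTrack) uploads the data.
    $svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OsVersion            = $os.Version
        SupportedUpgradePath = [bool]$supportedOs
        CommercialIdSet      = ($currentId -eq $CommercialId)
        TelemetryLevel       = $level
        TelemetryOk          = ($null -ne $level -and $level -ge $MinimumTelemetryLevel)
        DiagTrackRunning     = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

# Usage: replace the placeholder with the Commercial ID shown in your workspace.
$result = Test-UpgradeReadinessPrereq -CommercialId 'YOUR-COMMERCIAL-ID-HERE'
$result | Format-List
if (-not ($result.SupportedUpgradePath -and $result.CommercialIdSet -and
          $result.TelemetryOk -and $result.DiagTrackRunning)) {
    Write-Warning 'Device is not ready to enroll; fix every item reported as False.'
}
```

Run it against a handful of pilot devices before enrolling at scale; a device that reports False for TelemetryOk will never appear in the Upgrade Readiness inventory.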

Windows 10 Enterprise Security Features

Windows 10 contains various enterprise security features. But the three common areas are:

  • Identity and Access Management, and here we can deploy secure, enterprise-grade authentication and access control that will protect the accounts and data.
  • Threat Protection, which can stop cyber threats and quickly identify and respond to breaches.
  • Information Protection, allowing us to identify and secure our critical data to prevent data loss.

When we look at Identity and Access Management in Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. We can also protect derived domain credentials with Credential Guard. Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks such as Pass-the-Hash or Pass-the-Ticket; Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos tickets. We can also protect remote desktop credentials with Remote Credential Guard, which protects your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that’s requesting the connection. Tamper-resistant portable storage devices that enhance the security of tasks such as authenticating clients, signing code, securing email, and signing in with Windows domain accounts can also be used; you’ll recognize these as smart cards. We can also use certificate pinning. Enterprise Certificate Pinning is a Windows feature for remembering, or pinning, a root-issuing certificate authority or end-entity certificate to a given domain name. It helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. Of course, Windows 10 supports S/MIME, which lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification, also known as a certificate, can read them.
Users can digitally sign a message, which gives recipients a way to verify the identity of the sender and that the message hasn’t been tampered with. And our last option here is to use a VPN, which allows us to tunnel all of the traffic securely back to the organization.

Windows 10 also provides threat protection. It provides threat and vulnerability management, a built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. Attack surface reduction is a set of capabilities that provide the first line of defense in the stack: by ensuring that configuration settings are properly set and exploit mitigation techniques are applied, these capabilities resist attacks and exploitation. To further reinforce the security perimeter of your network, Microsoft Defender ATP (Advanced Threat Protection) uses next-generation protection designed to catch all types of emerging threats. Endpoint detection and response capabilities are in place to detect, investigate, and respond to intrusion attempts and active breaches. With advanced hunting, you have a query-based threat hunting tool that lets you proactively find breaches and create custom detections. Alongside the ability to respond quickly to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes, at scale. Microsoft Defender ATP also includes a Secure Score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.

Microsoft Defender ATP’s new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers to identify and respond to threats quickly and accurately. Microsoft Defender ATP is part of the Microsoft Threat Protection solution, which helps implement end-to-end security across the possible attack surfaces in the modern workplace.

Threat Protection

Microsoft also provides information protection. The first piece of this is BitLocker. BitLocker provides data encryption and protection features integrated with the operating system, and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. Kernel DMA Protection protects PCs against drive-by direct memory access (DMA) attacks using PCI hot-plug devices connected via Thunderbolt 3 ports. Windows Information Protection lets you create a policy that helps protect against potential corporate data leakage and is applied to content stored on the device. Windows 10 also helps prevent rootkits and bootkits from loading during the startup process by using Secure Boot. And lastly, Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure cryptoprocessor that helps with actions such as generating, storing, and limiting the use of cryptographic keys.

Microsoft Defender Advanced Threat Protection requires one of the following licenses: Windows 10 Enterprise E5, Windows 10 Education E5, Microsoft 365 E5 (which also includes Windows 10 Enterprise E5), or E3 with the Identity and Threat Protection package. There are three core steps for implementing attack surface reduction: first, install Application Guard; second, define Group Policy settings; third, customize Application Guard. You can configure attack surface reduction with a number of tools, including Microsoft Intune, System Center Configuration Manager, Group Policy, and PowerShell commands. And our final step is to test the configuration that we apply, to make sure that those enterprise security features work in the best way possible.
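Before pushing these features through Intune, it helps to know which of them a device already has on. The following is an added example, not code from the original post or from Microsoft: a PowerShell report of the Credential Guard, virtualization-based security, Secure Boot, TPM, and BitLocker state on the local device, using the built-in DeviceGuard WMI class and the SecureBoot, TrustedPlatformModule, and BitLocker cmdlets. It assumes an elevated session, since the last three cmdlets require administrator rights.

```powershell
# Added example: report the state of the Windows 10 protections described above on
# the local device. Run from an elevated PowerShell session.
function Get-EnterpriseSecurityState {
    # Virtualization-based security: Win32_DeviceGuard reports which services run.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI
    # (memory integrity); VirtualizationBasedSecurityStatus 2 means VBS is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning)

    # Secure Boot keeps unsigned bootkits and rootkits out of the boot path.
    # The cmdlet throws on legacy BIOS machines, so treat that as "not enabled".
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = $false }

    # TPM: hardware key storage used by BitLocker, Windows Hello and Credential Guard.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # BitLocker on the OS drive: ProtectionStatus 'On' means the key protectors are active,
    # which is the state an Intune "require encryption of the device" setting enforces.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsRunning              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard         = ($running -contains 1)
        HypervisorCodeIntegrity = ($running -contains 2)
        SecureBoot              = [bool]$secureBoot
        TpmPresent              = [bool]$tpm.TpmPresent
        TpmReady                = [bool]$tpm.TpmReady
        BitLockerOsDrive        = ($bl.ProtectionStatus -eq 'On')
        BitLockerMethod         = $bl.EncryptionMethod
    }
}

# Print the report, then list every protection that is off so it can be remediated
# through the endpoint protection configuration profile.
$state = Get-EnterpriseSecurityState
$state | Format-List
$state.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    ForEach-Object { Write-Warning "$($_.Name) is not enabled on $env:COMPUTERNAME" }
```

A device where VbsRunning is True but CredentialGuard is False usually has VBS enabled by hardware defaults without the Credential Guard policy applied, which the Intune endpoint protection profile can fix.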

Deploy Enterprise Security Features


Now that our Windows 10 device is connected to the Intune tenant from before, we can click Devices, then By platform and the Windows option, and you can see our device listed. If I click into it, I get a breakdown of the device itself and any other information it needs to show. We can also click Device configuration at this point, and you’ll notice that no configuration has been applied to this device yet. So, let’s go back to Devices and go down to Configuration profiles. We only have an iOS device restriction, so let’s create a Windows 10 one. We’ll click Create profile, and I’ll call it “Windows 10 Security”. We’ll change the platform to Windows 10 and later, and then I’ll choose the type of configuration I wish to add. For example, we could do device restrictions, delivery optimization, kiosk, VPN, Wi-Fi, etc. I can also choose pre-canned ones. For example, Endpoint protection will give me all of the Microsoft Defender capabilities, as well as the security settings for the local security policy and anything to do with user rights assignment.


If I scroll to Microsoft Defender Firewall, from here I can define firewall rules as part of this deployment. So, I can go to File Transfer Protocol and choose Block. For pre-shared key encoding, I can enable it or not. I can choose exceptions; so I can say, for example, that I want ICMP, which is ping, to be available. I can then go back and say for certificate revocation list checking, I want to disable that, so any certificates that need to make a call out are just allowed and I don’t need to worry about it. Scrolling a bit further, I can enable authentication blocks. Then I can go to the network settings, where I can click into the domain (workplace) network, and from here I have the ability to configure the Microsoft Defender Firewall for that profile. If I click Enable, I can go to stealth mode and choose Allow. I can then decide whether to use IPsec secured packet exemption; I’m going to leave that as it is. I wish to allow shielded, and then I can define inbound notifications as well as default actions. So, for example, for inbound notifications I want those to show. If you ever need to know what each of these settings does, you can hover over it; this one says, “Block notifications from displaying to users when an application is blocked from listening”. For the default action, I can either block outbound connections or allow them; I’m going to say allow. I then have the option of rule merging, so I can say that authorized application Microsoft Defender rules from the local store can be merged, and I’m going to choose OK. Global port rules can be merged, as can Microsoft Defender rules from the local store and the IPsec ones, and I’m going to click OK. So, I get to go through and define those settings for each of the network profiles, whether it’s domain (workplace), private (discoverable), or public. What I can also do is add firewall rules. So I can click Add, and this will take me to a rule.

I can say RDP, so we’ll call this one the Remote Desktop rule. I then set the direction to inbound and the action to allow. For the network type, I can choose all three of those networks or just one. I can then go to the application itself and say All, so I don’t need to restrict it to a specific application. I can scroll down to the IP address ranges and say whether I want to block or allow local or remote addresses. From the protocol option, I choose TCP, go to the specified ports, and of course Remote Desktop is actually 3389, so I’m going to set the specified ports for the remote to 3389. This gives me a rule for Remote Desktop. I can then specify the interface types it should be available on, whether remote access, wireless, or local network; I’m going to choose all three and click OK. Then I’ll click OK again, click OK once more, and we’ll create that new rule.


Now that the rule has been created, the next step is to assign it. So, I’m going to click Assignments, leave it on Select groups, choose the groups to include, and then scroll all the way down to my Windows 10 auto group and click Save. I’ve now successfully created a configuration profile and assigned it.


If I now click back to Devices, click Windows, and go back to the device, you’ll see that if I click Device configuration, nothing has been applied yet. That’s because we haven’t actually performed a synchronization followed by a restart. If I click Sync, this will attempt to synchronize the device directly with my Microsoft Intune, forcing the policy down to the device. I’m going to click Yes, and the sync is now initiated. If I refresh this page and go back again, we can see that the synchronization has taken effect, and then I can click Restart and Yes. This initiates those two components: a sync of the Windows 10 device from Microsoft Intune, and then a forced restart of the device.

Now that the device has been rebooted and started back up, we can log back into the device and use it as normal. To validate that the deployment was actually successful, we can click Windows, click into the device itself, and then click Device configuration; you’ll see that the Windows 10 Security profile that we applied has succeeded. If I click into it, this gives me the breakdown of what was successful. You can see that all of the profile properties we created, such as the firewall outbound and inbound connection settings as well as the firewall rules, were applied successfully. This means that our Windows 10 device, registered with Microsoft Intune, now has a new security policy pushed to it. At any point, we can come back to Devices, go back to Configuration profiles, click on the Windows 10 Security policy we had, click Properties, and then make changes to the settings and configurations as needed. So, for example, I could click Windows Encryption and at this point say “require encryption of the device”, and then define any of the BitLocker settings that need to be enabled.

We can of course do that for all of the different categories that are available, from Windows Defender Application Guard, to Credential Guard, to SmartScreen if needed. The key here is that these settings are not applied immediately. There will need to be a synchronization, which normally takes place automatically from the Windows 10 device to Intune. However, once that profile has been saved (if I click OK to cancel here), we can go back to the Windows device, click on the device, and force that again by clicking Sync. That will force the Intune connection to synchronize to Windows 10, and then, if needed, we can perform a remote restart of that device.
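The Intune portal reports “succeeded” for the profile, but the setting that matters is what the device actually enforces. The following is an added example, not code from the original post or from Microsoft: PowerShell that creates the same Remote Desktop rule locally (for a lab device without Intune) and then verifies, on the endpoint, that the firewall profile settings chosen above and an inbound TCP 3389 allow rule are in place. The expected values mirror the choices in the post (firewall enabled, inbound blocked by default, outbound allowed, notifications shown, local rule merging allowed); adjust them to your own profile. Note that an inbound RDP rule matches on the local port, which is where the listener sits.

```powershell
# Added example: create the post's RDP rule locally and audit the pushed firewall
# settings with the built-in NetSecurity cmdlets. Run from an elevated session.

function New-RdpInboundRule {
    # Same rule as in the post: inbound TCP 3389, allow, any application and interface,
    # on the domain, private and public profiles. The inbound listener is matched on
    # LocalPort. Add -RemoteAddress with your management subnets to narrow exposure.
    New-NetFirewallRule -DisplayName 'Remote Desktop' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -Profile Domain,Private,Public -InterfaceType Any
}

function Test-FirewallProfileCompliance {
    param([string[]]$Profiles = @('Domain', 'Private', 'Public'))

    # One row per network profile; every column should read True for a compliant device.
    foreach ($name in $Profiles) {
        $p = Get-NetFirewallProfile -Name $name
        [pscustomobject]@{
            Profile                = $name
            Enabled                = ($p.Enabled -eq 'True')
            InboundDefaultBlock    = ($p.DefaultInboundAction -eq 'Block')
            OutboundDefaultAllow   = ($p.DefaultOutboundAction -eq 'Allow')
            NotifyOnListen         = ($p.NotifyOnListen -eq 'True')
            LocalRuleMergeAllowed  = ($p.AllowLocalFirewallRules -eq 'True')
            LocalIPsecMergeAllowed = ($p.AllowLocalIPsecRules -eq 'True')
        }
    }
}

function Test-RdpRulePresent {
    # Find an enabled inbound allow rule for TCP 3389 regardless of its display name,
    # so the check works whether the rule came from Intune or was created locally.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and @($pf.LocalPort) -contains '3389') {
            return [pscustomobject]@{ Present = $true; RuleName = $r.DisplayName; Profile = $r.Profile }
        }
    }
    [pscustomobject]@{ Present = $false; RuleName = $null; Profile = $null }
}

# Usage: on a managed device run only the two checks; on a lab device without
# Intune, call New-RdpInboundRule first to reproduce the profile by hand.
Test-FirewallProfileCompliance | Format-Table -AutoSize
Test-RdpRulePresent
```

A profile row showing False right after a successful sync usually means the device has not restarted yet, which is exactly why the post follows the sync with a restart.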
