Windows 10 security features – Deploy and upgrade operating systems

Windows 10 security features

Many of the advancements relating to security derive from new technology becoming widely available on desktop devices, laptops, and smartphones. Windows 10 supports a variety of modern technologies that can be used by administrators to protect users’ identities and resources, including:

  • Trusted Platform Module (TPM)
  • Unified Extensible Firmware Interface (UEFI)
  • Virtualization-based security
  • Windows Biometric Framework
  • Virtual smart cards
  • MFA

Some of the security features built into Windows 10 that you should have an awareness of include:

  • BitLocker A TPM Version 1.2 or higher works with BitLocker to store encryption keys. BitLocker helps protect against data theft and offline tampering by providing whole-drive encryption. Requirements for BitLocker include:
    • A device installed with either Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education.
    • Optionally, a TPM. Using a TPM with BitLocker enables Windows to verify startup component integrity.

Note TPM Requirement

You don’t require a TPM in your computer to use BitLocker, but using one increases the security of the encryption keys. The TPM is also used to support other important security features in Windows 10.

  • Device Health Attestation (DHA) As users increasingly use personally owned devices to access corporate resources, such as email, it is important to ensure that Windows 10 devices connecting to your organization meet its security and compliance requirements. Device Health Attestation uses Measured Boot data to help perform this verification. To implement DHA, your Windows 10 devices must have TPM Version 2.0 or higher.
  • Secure Boot When Secure Boot is enabled, the operating system can only be started by an operating system loader that is signed with a digital certificate stored in the UEFI Secure Boot signature database. This helps prevent malicious code from loading during the Windows 10 start process.

Note Secure Boot

Secure Boot is enabled by default in Windows 10.

  • MFA This is a process that provides for user authentication based on using at least two factors, such as:
    • Something the user knows, such as a password
    • Something the user is, such as a biometric attribute (facial recognition, iris detection, or a fingerprint)
    • Something the user has, such as a device, like a cellphone, running the Microsoft Authenticator app
  • Windows Biometric Framework Provides support for biometric devices, such as a fingerprint reader, a smartphone, or an illuminated infrared camera used with Windows Hello. Organizations can implement secure, passwordless sign-in for Azure AD and Microsoft accounts using a security key or Windows Hello when using standards-based FIDO2-compatible devices.
  • Virtual Secure Mode This feature moves some sensitive elements of the operating system into trustlets that run in a Hyper-V container that the rest of the Windows 10 operating system cannot access. This helps make the operating system more secure. Currently, this is only available in Windows 10 Enterprise edition.
  • Virtual Smart Card This feature offers comparable security benefits in two-factor authentication to the protection provided by physical smart cards. Virtual smart cards require a compatible TPM (Version 1.2 or later).
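The prerequisites listed above (edition, TPM version, Secure Boot, BitLocker key protectors, virtualization-based security) can be checked from an elevated PowerShell prompt on the device itself. The following script is an added example and is not from the book; it assumes the TrustedPlatformModule, SecureBoot and BitLocker modules that ship with Windows 10, and the function name Get-Win10SecurityReport is my own.

```powershell
# Added example: report whether this Windows 10 device meets the prerequisites described above.
# Run from an elevated PowerShell prompt (Get-Tpm and Confirm-SecureBootUEFI require administrator rights).

function Get-Win10SecurityReport {
    $report = [ordered]@{}

    # Edition: BitLocker needs Pro, Enterprise or Education; Virtual Secure Mode needs Enterprise.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $report.Edition            = $os.Caption
    $report.BitLockerEditionOk = ($os.Caption -match 'Pro|Enterprise|Education')
    $report.VsmEditionOk       = ($os.Caption -match 'Enterprise')

    # TPM: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec version.
    # BitLocker and virtual smart cards need 1.2 or later; Device Health Attestation needs 2.0 or later.
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $spec = [version](($tpm.SpecVersion -split ',')[0].Trim())
        $state = Get-Tpm
        $report.TpmPresent        = $state.TpmPresent
        $report.TpmReady          = $state.TpmReady        # enabled, activated and owned by Windows
        $report.TpmSpecVersion    = $spec.ToString()
        $report.TpmOkForBitLocker = ($spec -ge [version]'1.2')
        $report.TpmOkForDha       = ($spec -ge [version]'2.0')
    } else {
        $report.TpmPresent = $false
        $report.TpmOkForBitLocker = $false
        $report.TpmOkForDha = $false
    }

    # Secure Boot: the cmdlet throws on legacy BIOS firmware, which we treat as "not enabled".
    try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $report.SecureBootEnabled = $false }

    # BitLocker on the system drive: protection state and whether a TPM-based key protector is in use.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $report.BitLockerProtection = $vol.ProtectionStatus   # On / Off
    $report.BitLockerUsesTpm    = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -match '^Tpm' })

    # Virtualization-based security (Virtual Secure Mode): 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $report.VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $report.CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)

    return [pscustomobject]$report
}

Get-Win10SecurityReport | Format-List
```

A device that reports TpmOkForDha = False or SecureBootEnabled = False is worth flagging before it is enrolled for Device Health Attestation, because the attestation will fail on that device anyway.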