What’s new for business in Windows 10 Insider Preview Builds

Windows Defender Application Guard as browser extensions in Google Chrome and Mozilla Firefox

To extend our container technology to other browsers and provide customers with a comprehensive solution to isolate potential browser-based attacks, we have designed and developed Windows Defender Application Guard extensions for Google Chrome and Mozilla Firefox.

Application Guard extension

How it works

The extensions for Google Chrome and Mozilla Firefox automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge. The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings.

When users navigate to a site, the extension checks the URL against a list of trusted sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as trusted by their organization without any risk to the rest of the system. With our upcoming dynamic switching capability, if the user tries to go to a trusted site while in an isolated Microsoft Edge session, the user is taken back to the default browser.

To configure the Application Guard extension under managed mode, enterprise administrators can follow these recommended steps:

  1. Ensure devices meet requirements.
  2. Turn on Windows Defender Application Guard.
  3. Define the network isolation settings to ensure a set of trusted sites is in place.
  4. Install the new Windows Defender Application Guard companion application from the Microsoft Store.
  5. Install the extension for Google Chrome or Mozilla Firefox browsers provided by Microsoft.
  6. Restart the devices.
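The routing decision described above, as an added PowerShell model that is not Microsoft's extension code: each navigation is compared against the administrator-defined trusted-site list, and anything not on it is sent to the isolated Microsoft Edge session. The matching rule (an entry starting with "." also covers subdomains) and the restriction to http/https are assumptions made for this example, not details taken from the page.

```powershell
# Added example (not the extension's real code): a simplified model of how an
# untrusted navigation is routed to Application Guard for Microsoft Edge.
# Assumptions for this example: the trusted list is a set of host names,
# an entry beginning with "." also covers all subdomains, and only http/https
# navigations are eligible for redirection.

function Test-TrustedNavigation {
    param(
        [Parameter(Mandatory)] [string]   $Url,
        [Parameter(Mandatory)] [string[]] $TrustedSites
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false      # unparsable input is never treated as trusted
    }
    if ($uri.Scheme -notin @('http', 'https')) { return $false }

    # Compare on the parsed host only, so "contoso.com.evil.example" does not
    # match a trusted ".contoso.com" entry by string prefix.
    $hostName = $uri.Host.ToLowerInvariant()
    foreach ($entry in $TrustedSites) {
        $e = $entry.ToLowerInvariant()
        if ($e.StartsWith('.')) {
            if ($hostName -eq $e.TrimStart('.') -or $hostName.EndsWith($e)) { return $true }
        } elseif ($hostName -eq $e) {
            return $true
        }
    }
    return $false
}

function Get-NavigationTarget {
    param([string] $Url, [string[]] $TrustedSites)
    if (Test-TrustedNavigation -Url $Url -TrustedSites $TrustedSites) {
        'default-browser'     # stays in Google Chrome / Mozilla Firefox
    } else {
        'application-guard'   # redirected to the isolated Microsoft Edge session
    }
}

# Constructed sample policy and navigations (placeholder names, not real sites)
$trusted = @('.contoso.com', 'intranet.local')
foreach ($u in 'https://portal.contoso.com/', 'https://contoso.com.evil.example/',
              'http://intranet.local/', 'ftp://files.contoso.com/') {
    '{0,-40} -> {1}' -f $u, (Get-NavigationTarget -Url $u -TrustedSites $trusted)
}
```

In this model only the first and third navigations stay in the default browser; the lookalike host and the non-http scheme both fall through to the isolated session, which is the safe default when a classification is uncertain.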

Intuitive user experience

We designed the user interface to be transparent to users about Windows Defender Application Guard being installed on their devices and what it does. We want to ensure that users are fully aware that their untrusted navigations will be isolated and why.

  1. When users initially open Google Chrome or Mozilla Firefox after the extension is deployed and configured properly, they will see a Windows Defender Application Guard landing page.
  2. If there are any problems with the configuration, users will get instructions for resolving any configuration errors.
  3. Users can initiate an Application Guard session without entering a URL or clicking on a link by clicking the extension icon on the menu bar of the browser.

Where to get it

The Windows Defender Application Guard extension for Google Chrome and Mozilla Firefox is rolling out to Windows Insiders today and will be generally available very soon. This is available for users on Win 10 Enterprise and Pro SKUs on 1803 or later.

Submit feedback here. Contact our team if you have any questions.

Reserving disk space to keep Windows 10 up to date (Build 18312)

In 19H1, we’re making a few changes to how Windows 10 manages disk space. Through reserved storage, some disk space will be set aside to be used by updates, apps, temporary files, and system caches. Our goal is to improve the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. With reserved storage, updates, apps, temporary files, and caches are less likely to take away from valuable free space and should continue to operate as expected. Reserved storage will be introduced automatically on PCs that come with 19H1 pre-installed or on PCs where 19H1 was clean installed. For Windows Insiders who want to try this feature out right now – just run through this quest. After completing the quest, reserved storage will kick off with the next flight. (If you do the quest before installing Build 18312 – reserved storage should kick off for this flight.) For more details on reserved storage coming in 19H1, read this blog post here.

Reset this PC UI Improvements (Build 18312)

We added new UI for Reset this PC as part of Settings > Update & Security > Recovery. The new UI provides a more consistent experience across devices with different configurations and requires fewer clicks to complete.

Reset this PC UI

Windows Subsystem for Linux Command Line Tool Improvements (Build 18312)

We added new command line options to the WSL command line tool (wsl.exe) for easier WSL management and added functionality based on your feedback. Below is a summary of changes. You can read about more details in our release notes and on our command line blog.

  • Consolidated command line options – The wsl command line tool now includes options to manage your WSL distros that are included in the wslconfig command line tool. We intend to only update the wsl tool with the latest management options moving forward.
  • Import a distro for easy sideloading, including to non-system drives – Use the “--import” option to import a tar file as a new distribution. You can specify the distribution registry location of your choice, including non-system drives.
  • Export your WSL distribution for simpler environment management – Use the “--export” option to export a distribution to a tar file. Your distro will export to your default downloads location.
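The export/import cycle described above, as an added PowerShell example rather than something from the page or the WSL team: back up an existing distro to a tar file, then sideload that tar as a new distro whose files live on a non-system drive. The distro name "Ubuntu", the backup path and the D: folder are placeholders; the "--list" option is assumed from the consolidated wslconfig options and is not shown on the page.

```powershell
# Added example (not from the page): back up a distro with "wsl --export" and
# sideload it onto a non-system drive with "wsl --import".
# Placeholder values for this example:
$SourceDistro  = 'Ubuntu'
$BackupTar     = 'C:\Backups\ubuntu-backup.tar'   # placeholder path
$NewDistroName = 'Ubuntu-Clone'
$InstallFolder = 'D:\WSL\Ubuntu-Clone'            # non-system drive

# 1. Export the existing distro to a tar file. The tar holds the whole Linux
#    filesystem, including any keys or tokens stored inside the distro, so
#    keep it in a location with the same access controls as the source.
New-Item -ItemType Directory -Path (Split-Path $BackupTar) -Force | Out-Null
wsl.exe --export $SourceDistro $BackupTar
if ($LASTEXITCODE -ne 0) { throw "Export of $SourceDistro failed" }

# 2. Import the tar as a new distro registered under the folder on D:.
New-Item -ItemType Directory -Path $InstallFolder -Force | Out-Null
wsl.exe --import $NewDistroName $InstallFolder $BackupTar
if ($LASTEXITCODE -ne 0) { throw "Import of $NewDistroName failed" }

# 3. Confirm the new distro is registered (assumed option, see lead-in).
wsl.exe --list
```

Checking $LASTEXITCODE after each wsl.exe call matters because a failed export still leaves a partial tar on disk, and importing that partial file would register a broken distro.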

Streamlined Windows Hello PIN reset experience (Build 18309)

We know remembering a PIN can be tricky, so we wanted to provide our Microsoft account users with a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. Check it out in today’s build by clicking the ‘I forgot my PIN’ link when signing in to Windows with a PIN. Insiders can try it out on all Windows 10 editions.


Signing in to Windows with password-less Microsoft accounts (Build 18309)

We’re pushing forward on eliminating passwords and keeping your accounts safe with another cool feature. With Build 18305, we announced support for setting up and signing in to Windows 10 with a phone number account, without having to create, or deal with the hassle of a password for Insiders using the Windows 10 Home edition. Today, that support is extending to all Windows 10 editions! If you have a Microsoft account with your phone number, you can use an SMS code to sign in, and set up your account on Windows 10. Once you’ve set up your account, you can use Windows Hello Face, Fingerprint, or a PIN (depending on your device capabilities) to sign in to Windows 10. No password needed anywhere!

Passwordless Microsoft accounts

Creating a password-less phone number account

If you don’t already have a password-less phone number account, you can create one in a mobile app like Word on your iOS or Android device to try it out. Simply go to Word and sign up with your phone number by entering your phone number under “Sign in or sign up for free”.

Add your password-less phone number account to Windows

Now that you’ve created a password-less phone number account, you can use it to sign in to Windows with the following steps:

  1. Add your account to Windows from Settings > Accounts > Family & other Users > “Add someone else to this PC”.
  2. Lock your device and select your phone number account from the Windows sign-in screen.
  3. Since your account doesn’t have a password, select ‘Sign in options’, click the alternative ‘PIN’ tile, and click ‘Sign in’.
  4. Go through web sign in and Windows Hello set up (this is what you’ll use to sign in to your account on subsequent sign ins).

You can now enjoy the benefits of signing in to Windows with your password-less phone number account.

Introducing Windows Sandbox! (Build 18305)

Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation. How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?

At Microsoft, we regularly encounter these situations, so we developed Windows Sandbox: an isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all of its files and state are permanently deleted.

Windows Sandbox has the following properties:

  • Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
  • Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows.
  • Disposable – nothing persists on the device; everything is discarded after you close the application.
  • Secure – uses hardware-based virtualization for kernel isolation, which relies on the Microsoft Hypervisor to run a separate kernel which isolates Windows Sandbox from the host.
  • Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU.

To install Windows Sandbox, go to Settings > Apps > Apps & Features > Programs and Features > Turn Windows Features on or off, and then select Enable Windows Sandbox. To start Windows Sandbox, open the Start menu, enter Windows Sandbox and then select it.
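The installation step above, as an added PowerShell example (not the page's own instructions): it first checks the hardware-virtualization prerequisites the Secure property relies on, then enables the optional feature from an elevated session instead of the "Turn Windows features on or off" dialog. The feature name "Containers-DisposableClientVM" and the Get-ComputerInfo property names come from Microsoft's documentation, not from this page.

```powershell
# Added example (not the page's code): check virtualization prerequisites,
# then enable the Windows Sandbox optional feature. Run elevated.

function Test-SandboxPrerequisites {
    $ci = Get-ComputerInfo
    # When a hypervisor is already running, the HyperVRequirement* fields are
    # blank, so HyperVisorPresent is accepted as proof for those checks.
    $checks = [ordered]@{
        'Windows 10 Pro or Enterprise' = ($ci.WindowsProductName -match 'Pro|Enterprise')
        '64-bit OS'                    = ($ci.OsArchitecture -eq '64-bit')
        'Virtualization in firmware'   = ($ci.HyperVRequirementVirtualizationFirmwareEnabled -eq $true -or $ci.HyperVisorPresent -eq $true)
        'SLAT supported'               = ($ci.HyperVRequirementSecondLevelAddressTranslation -eq $true -or $ci.HyperVisorPresent -eq $true)
    }
    $ok = $true
    foreach ($name in $checks.Keys) {
        Write-Host ('{0,-32} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'MISSING' }))
        if (-not $checks[$name]) { $ok = $false }
    }
    return $ok
}

function Enable-WindowsSandboxFeature {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
    if ($feature.State -eq 'Enabled') { return 'Windows Sandbox is already enabled' }
    # Equivalent of ticking "Windows Sandbox" in "Turn Windows features on or off"
    Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart | Out-Null
    return 'Windows Sandbox enabled; restart the device to finish installation'
}

if (Test-SandboxPrerequisites) {
    Enable-WindowsSandboxFeature
} else {
    Write-Warning 'Prerequisites not met; Windows Sandbox will not run on this device'
}
```

Checking the prerequisites first avoids the common failure where the feature installs cleanly but the sandbox refuses to start because virtualization is disabled in firmware.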

Windows Sandbox respects the host diagnostic data settings. All other privacy settings are set to their default values. For more information, please visit Windows Sandbox at Windows Kernel Internals.

We are excited to learn how you use Windows Sandbox! As we continue to add new functionality, your feedback is crucial in shaping the direction of this feature, so share your thoughts with us at Feedback Hub.

Windows Sandboxing

Known issues

  • When Windows Sandbox is first installed, and on every servicing event, a setup process will run and trigger significant CPU and disk activity for a minute or so.
  • Opening the Start menu in Windows Sandbox takes some time, and some Start Menu apps will not run.
  • The time zone is not synchronized between Windows Sandbox and the host.
  • Windows Sandbox does not support installers which require a reboot.
  • The Microsoft Store is not supported in Windows Sandbox.
  • Windows Sandbox does not support high-DPI displays very well.
  • Windows Sandbox does not fully support multi-monitor configurations.

Windows Security app improvements (Build 18305)

New Protection History experience: We have had great feedback on our history experience from users, and we’ve listened! Based on the suggestions and feedback we’ve received, the Protection history experience in Windows Security has been completely revamped. The new Protection History experience still shows you detections by Windows Defender Antivirus, but it’s now updated to also give more detailed and easier to understand information about threats and available actions. We have also added Controlled folder access blocks to history, along with any blocks which are made through organizational configuration of Attack Surface Reduction Rules. If you use the Windows Defender Offline scanning tool, any detections it makes will now also show in your history. Additionally, you will see any pending recommendations (red or yellow states from throughout the app) in the history list. We hope you like the changes we’ve made!

New Protection History

Introducing Tamper Protection! Tamper Protection is a new setting from Windows Defender Antivirus, available in the Windows Security app, which when on, provides additional protections against changes to key security features, including limiting changes which are not made directly through the Windows Security app. You can find this setting under Windows Security > Virus & Threat Protection > Virus & Threat Protection Settings.

Tamper Protection

Automatic Restart and Sign On (ARSO) for Enterprises (Build 18305)

Are you tired of seeing these flashing screens after every update?


ARSO is a feature that automatically signs in a user after an update to finish setting up and then locks the PC. This feature is part of our Seamless Update Story for Windows, and its goal is to reduce customer pain points around updates, including things such as post-logon setup time and not being able to pick up where you left off. This feature will be enabled on Cloud Domain Joined devices that meet certain security requirements:

  • BitLocker is enabled and is not suspended during the upgrade
  • TPM 2.0
  • SecureBoot
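A read-only check of the three security requirements just listed, added here as a PowerShell example that is not part of the original post. It uses standard Windows cmdlets (Confirm-SecureBootUEFI, Get-BitLockerVolume) and the Win32_Tpm WMI class; the Cloud Domain Joined requirement is not checked, and the script must run elevated.

```powershell
# Added example (not from the page): report whether this device meets the
# BitLocker, TPM 2.0 and Secure Boot requirements listed for Enterprise ARSO.

function Get-ArsoReadiness {
    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines,
    # which for this purpose simply means "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # TPM 2.0: Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38"
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm2 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

    # BitLocker on the OS drive must be on and not suspended: a suspended
    # volume reports ProtectionStatus "Off" even though it is encrypted.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bitlockerOn = ($null -ne $os) -and ($os.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        SecureBoot         = $secureBoot
        Tpm20              = $tpm2
        BitLockerProtected = $bitlockerOn
        ArsoEligible       = ($secureBoot -and $tpm2 -and $bitlockerOn)
    }
}

Get-ArsoReadiness | Format-List
```

The ProtectionStatus test is the one that most often explains a grayed-out toggle: BitLocker suspended for a firmware update still shows the drive as encrypted, but protection is off and ARSO's requirement is not met.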

To check if your device will get ARSO go to Settings > Accounts > Sign-in options > Privacy:


If the toggle is switched “On” and is not grayed out, then the device meets the security requirements for ARSO, and ARSO is enabled by default. If the toggle is grayed out and enabled, this means that your IT Admin has explicitly enabled ARSO for you, irrespective of your device’s security requirements. If the toggle is grayed out and disabled, this means that you do not meet the minimum security requirements for Enterprise ARSO, or your IT Admin has explicitly disabled ARSO for you, irrespective of your device’s security requirements.

Windows Security gets an additional Windows Defender Application Guard setting (Build 18277)

Insiders will notice that Isolated browsing has an additional toggle that lets users manage access to their camera and microphone while browsing using Application Guard for Microsoft Edge. If this is managed by enterprise admins, users can check how this setting is configured. For this to be turned on in Application Guard for Microsoft Edge, the camera and microphone setting must already be turned on for the device in Settings > Privacy > Microphone & Settings > Privacy > Camera.

Application Guard settings

Improved Kiosk Setup Experience (Build 17723)

We have introduced a simplified assigned access configuration page in Settings that allows device administrators to easily set up their PC as a kiosk or digital sign. This new page provides a wizard experience that walks you through the kiosk setup flow including creating a kiosk account that will automatically sign in on device start.

Please go to Settings, search for assigned access, and open the “Set up a kiosk” page to give it a try. We would love to hear your feedback! Let us know via the Feedback Hub.

set up a kiosk

We are very excited to announce that Microsoft Edge now works with assigned access which allows IT administrators to create a tailored browsing experience designed for kiosk devices. Microsoft Edge kiosk mode supports the following four types.

For Microsoft Edge kiosk mode running in single-app assigned access the two kiosk types are:

  1. Digital / Interactive signage that displays a specific website full-screen InPrivate.
  2. Public browsing supports multi-tab browsing and runs InPrivate with minimal features available. Users cannot minimize, close, or open a new Microsoft Edge window or customize it using Microsoft Edge Settings. Users can clear browsing data and downloads and restart Microsoft Edge by clicking “End session.” Administrators can configure Microsoft Edge to restart after a period of inactivity.

single app assigned access

For Microsoft Edge kiosk mode running in multi-app assigned access the two kiosk types are (note that the following Microsoft Edge kiosk mode types cannot be set up using the new simplified assigned access configuration page in Windows 10 Settings):

  1. Public browsing supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate windows.
  2. Normal mode runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books.

New Microsoft Edge Group Policies (Build 17723)

The Microsoft Edge team introduced new Group Policies and MDM settings for IT administrators to manage Microsoft Edge. The new policies include enabling/disabling full-screen mode, printing, favorites bar, and saving history; prevent certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL and managing extensions. Learn more about the new Microsoft Edge policies.

Microsoft Edge kiosk mode (Build 17713)

Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices. When you configure Microsoft Edge kiosk mode in assigned access, you can set it up to show only a single URL in full-screen, in the case of digital/interactive signage on a single-app kiosk device. You can restrict Microsoft Edge for public browsing (on a single and multi-app kiosk device) which runs a multi-tab version of InPrivate with limited functionality. Also, you can configure a multi-app kiosk device to run a full or normal version of Microsoft Edge. Learn more about Microsoft Edge kiosk mode.

Web sign-in to Windows 10 (Build 17713)

Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web sign-in enables Windows logon support for non-ADFS federated providers (e.g., SAML).

web sign-in

To try out web sign-in:

  1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
  2. Set the Policy CSP/Authentication/EnableWebSignIn policy to enable web sign-in.
  3. On the lock screen, select web sign-in under sign-in options.
  4. Click the “Sign in” button to continue.

Faster sign-in to a Windows 10 shared pc (Build 17713)

Do you have shared PCs deployed in your workplace? Introducing “fast sign-in,” which enables users to sign in to a shared Windows 10 PC in a flash!

To enable fast sign-in,

  1. Set up a shared or guest PC with Windows 10
  2. Set Policy/Authentication/EnableFastFirstSignIn to enable fast sign-in
  3. With the policy enabled, sign-in to a shared PC with your account and notice the difference!

Windows Defender Application Guard Improvements (Build 17713)

Windows Defender Application Guard introduced a new user interface inside Windows Security in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change Registry key settings.

Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI aims to improve the overall experience for users to manage and check their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For detailed information, click here.

To check this out:

  1. Go to Windows Security and select App & browser control.
  2. Select Install Windows Defender Application Guard under Isolated browsing, then install and restart the device (only for standalone users).
  3. Select Change Application Guard settings.
  4. Configure or check Application Guard settings.

Remote Desktop with Biometrics (Build 17713)

We’re happy to share that with this build of Windows 10, Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session!

Enter your credentials

To get started, bring up Remote Desktop Connection (mstsc.exe), type the name of the computer to which you want to connect and tap or click Connect.

Because you signed in using Windows Hello for Business, Windows remembers how you signed in and automatically selects Windows Hello for Business to authenticate you to your RDP session, but you can click More choices to choose alternate credentials.

Enter your credentials

In this example, Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.

Microsoft Hyper-V Server 2016

Windows 10 Pro S Mode requires a network connection (Build 17712)

Starting with Windows 10 Pro S Mode build 17712, a network connection is now required to set up a new device. As a result, we removed the “skip for now” option in the network setup page in OOBE.

Registry editor improvements (Build 17711)

Have you ever been typing into the regedit address bar, and the next part of the path is just on the tip of your tongue, but you can’t remember? Starting with build 17711, you’ll see a dropdown as you type to help complete the next part of the path. You can also press Ctrl + Backspace to delete the last "word," which makes backing up work that much faster (Ctrl + Delete will delete the next word).

Registry editor dropdown

Security updates (Build 17704)

We’ve continued to work on the Current threats area in Virus & threat protection, which now displays all threats that need action. You can quickly take action on threats straight from this screen:

Virus & threat protection settings

You can enable a new protection setting, Block suspicious behaviors, which brings Windows Defender Exploit Guard attack surface reduction technology to all users. To enable this setting, go to the Virus & threat protection section and click Manage settings, as shown in the following screenshot:

Block suspicious behaviors

With Controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like Documents and Pictures. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.

When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking Manage settings under the Ransomware protection heading, and then Allow an app through Controlled folder access. After the prompt, click the plus button and choose Recently blocked apps. Select any of the apps to add them to the allowed list. You can also browse for an app from this page as well.

We've added a new assessment for the Windows time service to the Device performance & health section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on.

We’re continuing to work on how other security apps you’ve installed show up in the Windows Security app. There’s a new page called Security providers that you can find in the Settings section of the app. Click Manage providers to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps, or get more information on how to resolve any issue that they have reported to you through the Windows Security app.

This also means you’ll see more links to other security apps within the Windows Security app. For example, if you open the Firewall & network protection section, you’ll see the firewall apps that are running on your device under each firewall type (domain, private, and public networks).

The Windows Security Center (WSC) service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security UI, and Windows Defender Antivirus will remain enabled side-by-side with these products. For testing purposes, you can disable this new behavior in Windows Insider builds by creating the following registry key and rebooting the device. This key will be removed as we get closer to release.

HKLM\SOFTWARE\Microsoft\Security Center\Feature 
DisableAvCheck (DWORD) = 1 

Windows Defender Security Center is now called Windows Security (Build 17661)

You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security or interact with the taskbar icon. Windows Security lets you manage all your security needs, including Windows Defender Antivirus and Windows Defender Firewall.

Windows Security Center gets a Fluent Design refresh (Build 17650)

We’ve heard your feedback and we’ve updated Windows Security Center (WSC) to include the Fluent Design elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app and will now dynamically size the categories on the main page if more room is needed for extra info. Last but not least, we’ve also updated the title bar of the app so that it will now use your accent color if you’ve enabled that option in Color Settings – with Sets enabled, you will see this color in the WDSC tab.


Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes (Build 17627)

You can add specific rules for a WSL process in Windows Defender Firewall, just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), the Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in Build 17627.

Windows Autopilot self-deploying mode (Build 17672)

Windows Autopilot has a self-deploying mode in RS5 that enables a zero-touch device provisioning experience. Simply power on the device, plug it into Ethernet, and the device is fully configured automatically by Windows Autopilot.

This self-deploying capability removes the current need to have an end user interact by pressing a “Next” button during the deployment processes. In addition, the activities opt-in page in OOBE has also been removed from all Insider Preview builds.

Utilize Windows Autopilot’s self-deploying mode to completely register the device to an AAD tenant, enroll in your organization’s MDM provider, and ensure all policies, applications, etc. are correctly provisioned on the device with no user authentication or user interaction required, before the end user even logs in.

To learn more about the Autopilot Self-Deploying feature and see the step by step instructions to perform such a deployment, click here.

Windows Defender Credential Guard is supported by default on 10S devices that are AAD Joined

Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory domain (AD) credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.

Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns this functionality on by default when the machine has been AAD joined. This provides an added level of security when connecting to domain resources not normally present on 10-S devices. Please note that Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions.

To evaluate: Windows Defender Credential Guard is preconfigured and enabled for both S-Mode and Enterprise Edition in the Windows Insider Lab for Enterprise. To configure manually in your own lab environment:

  1. Set up Intune and enroll a device. Request an Intune trial.
  2. Navigate to the Azure portal and sign in with an Intune admin account.
  3. On the left navigation bar, click All services and search for Intune.
  4. In Intune, click on Device configuration > Profiles and click + Create profile.
  5. Under "Platform", select Windows 10 and later.
  6. Under "Profile Type", select Endpoint Protection.
  7. In Settings, click Windows Defender Credential Guard and select Enable with UEFI Lock.
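Once the Endpoint Protection profile above has been delivered, a defender wants to confirm on the device that Credential Guard is actually running with the UEFI lock. The following PowerShell check is an added example, not part of the page or of Intune. It reads the Win32_DeviceGuard class and the LsaCfgFlags registry value, both documented by Microsoft (in the SecurityServices arrays, 1 = Credential Guard and 2 = HVCI; LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock).

```powershell
# Added example (not from the page): verify Credential Guard state on a
# device after the Intune profile has applied.

function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # LsaCfgFlags reflects the policy that was delivered; it is absent when
    # Credential Guard was never configured on this device.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $lockState = switch ($lsa.LsaCfgFlags) {
        1       { 'Enabled with UEFI lock' }
        2       { 'Enabled without UEFI lock' }
        default { 'Not configured by policy' }
    }

    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        PolicyLock                = $lockState
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List
if (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; a reboot is usually still pending'
}
```

"Configured" and "Running" are reported separately on purpose: the policy lands immediately, but the isolated LSA process only starts after the next reboot, and a device that never reboots stays unprotected while reporting as compliant in the console.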

BitLocker silent enforcement on fixed drives

Through an MDM policy, BitLocker can silently be enabled for standard AAD Joined users. In RS4 (Windows 10 build 1803) automatic BitLocker encryption was enabled for standard AADJ users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI.

This is an update to the BitLocker CSP, which was introduced in Windows 10 build 1703, and leveraged by Intune and others. This feature will soon be enabled on Olympia Corp as an optional feature.

Delivering BitLocker policy to AutoPilot devices during OOBE

As an IT admin you can choose which encryption algorithm to apply to a device on your automatic BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This new functionality allows the encryption algorithm, and other BitLocker policies that must be applied prior to encryption starting, to get delivered before automatic BitLocker encryption begins.

For example, as an IT admin for your organization you can choose the XTS-AES 256 encryption algorithm, and have it applied even for devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
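To verify that the algorithm policy actually arrived before encryption started, the following PowerShell audit is added here as an example (not from the page or the BitLocker CSP): it lists every BitLocker volume with its encryption method and flags any drive that ended up on the default XTS-AES 128 instead of the chosen XTS-AES 256. It relies on the standard Get-BitLockerVolume cmdlet; the expected method is a parameter so the same check works for a different policy choice.

```powershell
# Added example (not from the page): audit the encryption method used on
# each BitLocker volume against the algorithm the policy was meant to apply.

function Get-BitLockerAlgorithmReport {
    param([string] $Expected = 'XtsAes256')   # policy choice from the text above
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem / Data
            EncryptionMethod = $_.EncryptionMethod    # e.g. XtsAes128, XtsAes256, None
            ProtectionStatus = $_.ProtectionStatus
            MeetsPolicy      = ($_.EncryptionMethod -eq $Expected)
        }
    }
}

$report = Get-BitLockerAlgorithmReport -Expected 'XtsAes256'
$report | Format-Table -AutoSize

$wrong = $report | Where-Object { $_.EncryptionMethod -ne 'None' -and -not $_.MeetsPolicy }
if ($wrong) {
    Write-Warning ('{0} volume(s) were encrypted before the policy arrived and use a different algorithm' -f @($wrong).Count)
}
```

A volume that is already encrypted with XTS-AES 128 cannot be switched to XTS-AES 256 in place; it has to be decrypted and re-encrypted, which is exactly why the policy must be delivered during OOBE before automatic encryption begins.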

To evaluate: This feature is preconfigured in the Windows Insider Lab for Enterprise. For the steps needed to automatically deploy a device with BitLocker policy, connect a client device to Olympia Corp and follow the AutoPilot quest.