If you’re involved in the enterprise management of IT systems, you’ll probably know that Windows 10 receives two types of updates:
- Quality updates, which are released monthly (normally on “Patch Tuesday”). These include bug fixes, security improvements and driver updates.
- Feature updates, which are released every 6 months (in the Semi-Annual Channel). Feature updates are much larger than quality updates and – as the name suggests – include new OS features and bigger improvements.
Version 1703 of Windows 10 (nicknamed “Creators Update”) was one of these major feature updates. Since its release earlier this year, we’ve been working to update our EUD guidance to include details of the new features and changes it introduces. That work is now complete, so today, we’ve published our new Windows 10 guidance.
This is an update to the alpha guidance we published for the 1607 “Anniversary Update” earlier this spring. It’s worth noting that this is different to the guidance we published last month explaining how to manage Windows devices via an MDM. We’ll continue to maintain both guides separately.
Firmware update
One of the biggest additions to the guidance this time is the topic of device firmware management. We’ve been working for a while on different approaches for managing firmware, and we’re really pleased to be including the results of this research in our Windows 10 guidance. We’ve outlined ways you can manage UEFI settings, automate updates and some possible solutions to monitor the integrity and recovery of firmware. There’s also an example set of recommended settings for you to examine.
Managing and keeping firmware up to date across your organisation is important for many reasons, not least that a great many system stability issues come from out-of-date firmware. But what makes this so crucial for us is that the security of your entire end user device can be undermined by incorrectly configured or out-of-date firmware.
As we’ve seen just this month, with the Infineon ‘ROCA’ vulnerability, important security patches can come along at any moment. We therefore believe this to be an important security aspect for administrators to be able to manage at scale, and we’ve issued some guidance to help reduce the impact of this vulnerability.
Other changes
Firmware has kept us occupied recently, but there are other changes to note in this new guidance:
- We’ve included new NCSC & Microsoft group policy enterprise baselines. These are like a starter pack of group policies: they help administrators configure devices in a convenient and easy-to-manage way.
- The Security Compliance Manager (SCM) has been retired. Instead we now advise using “Microsoft Security Compliance Toolkit 1.0” to help assess the differences between group policy settings and baselines from different versions of Windows 10.
- Updates to our guidance around the use of the Enhanced Mitigation for Exploits Toolkit (EMET). Windows 10 1703 will be the last version of Windows 10 that is supported by EMET before its features become integrated into the platform, and using EMET still currently offers additional protection over not using it. Therefore, we are still recommending EMET in Windows 10 1703.
Get in touch
If you have any feedback regarding the firmware additions, or any thoughts on how we could improve the guidance, please get in touch below, or here. We’re about to start work on the Fall Creators’ Update of Windows 10.
Stuart G
EUD Security Research
P.S. – If you are still using Windows 10 1511, it’s time to upgrade! Microsoft has stopped supporting this version, so it will not get any more security or quality updates.
Source: National Cyber Security Centre