2. Windows 10 – the safest and most secure version of Windows
Chris Riggs
Principal Program Manager

3. Agenda Windows 10 Security Journey Creators Update New Features
Calls to Action

4. Nations, Terror Groups, Activists
4/27/2018
Evolution of attacks
Mischief
Fraud and Theft
Damage and Disruption
Script Kiddies
Organized Crime
Nations, Terror Groups, Activists
Unsophisticated
More sophisticated
Very sophisticated and well resourced
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

5. Anatomy of an attack ENTER ESTABLISH EXPAND ENDGAME
4/27/2018
Anatomy of an attack
ATTACK
Browser or Doc Exploit Delivery
USER
Malicious Attachment Delivery
ENTER
Phishing Attacks
Internet Service Compromise
DEVICE
Browser or Doc Exploit Execution
ESTABLISH
Malicious Attachment Execution
Stolen Credential Use
Kernel Exploits
NETWORK
EXPAND
Kernel-mode Malware
Pass-the-Hash
ENDGAME
BUSINESS DISRUPTION
LOST PRODUCTIVITY
DATA THEFT
ESPIONAGE, LOSS OF IP
RANSOM
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

6. Threat protection over time
Attackers take advantage of periods between releases
Game change with Windows and Software as a Services
Disrupt and out innovate our adversaries by design
Capability
Protection Gap
Time
Product Release
Threat sophistication

7. Windows 10 Security Journey

8. closing the gap between discovery and action
4/27/2018 3:44 PM
PROTECT
across all endpoints, from sensors to the datacenter
DETECT
using targeted signals, behavioral monitoring, and machine learning
YOUR
YOUR SECURITY POSTURE
IT ENVIRONMENT !
RESPOND
closing the gap between discovery and action
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9. OUR APPROACH OUR SECURITY PLATFORM PLATFORM 4/27/2018 3:44 PM Identity
Device
Apps & Data
Infrastructure
OUR APPROACH
OUR SECURITY PLATFORM
Advanced Threat Protection
Anti-Spam / Anti-Malware
Message Encryption
Customer Lockbox
Data Loss Prevention
Windows Trusted Boot
Device Encryption
Device Guard
Credential Guard
Microsoft Edge
Windows Hello
Windows Defender Application Guard
Windows Defender ATP
Windows Update for Business
Windows Information Protection
Azure Active Directory
Azure Security Center
Azure Storage Service Encryption
Azure Key Vault
Advanced Threat Analytics
Cloud App Security
Intune
Windows Server 2016
SQL Server 2016
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10. INTELLIGENCE PLATFORM INTELLIGENCE PARTNERS
Multi-factor authentication
Data encryption
User accounts
Device log-ins
Malware
Unauthorized data access
PLATFORM
INTELLIGENCE
PARTNERS
Attacks
INTELLIGENCE
User log-ins
Phishing
Denial of service
Spam
System updates
Enterprise security

11. OUR UNIQUE INTELLIGENCE
4/27/2018 3:44 PM
OUR UNIQUE INTELLIGENCE
300B user authentications each month
1B Windows devices updated
200B s analyzed for spam and malware
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

12. Protect Detect Respond Windows Trusted Boot Microsoft Edge
4/27/2018
Protect
Detect
Respond
Windows Trusted Boot
Microsoft Edge
Windows Defender
Companion Device Framework
Windows Information Protection
Windows Defender Advanced Threat Protection
Legacy Devices
(Upgraded from Win 7 or 32-bit Win 8.x)
Virtualization based security
UEFI Secure Boot
Device Guard
Credential Guard
Windows Defender Application Guard
Windows Hello
Device Encryption
Security management
Conditional Access
Modern Devices
(Fresh install or upgrade from 64-bit Win 8.x )
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

13. Windows 10 empowers
people of action to
do great things.

14. 4/27/2018
What we’ve heard…
“I don’t pay any attention to those things anymore…People get weary from being bombarded by watch out messages.”
“Years ago, you had 1 password to keep up with at work,” she said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to end users.”
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

15. Consumers need security too…
TPM 2.0 on every device – helping protect your credentials and other key data Windows Hello , fingerprint or face authentication – helping solve the ever confusing world of passwords Device encryption – helping protect your local data if it is accessed or if your device is stolen Smart Screen filter in Edge – helping protect you against malicious web sites
Consumers need security too…

16. 4/27/2018 3:44 PM
You can see & control your security and device health features in one unified experience 
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

17. Windows & Partners Protect my Digital Life
* User interface and category names subject to change.

18. Microsoft Enablement Docs#
Area
Description & URL 1
Overall Windows 10 security
High level details on all our great security features 2
TPM 2.0
This walks through the great benefits of TPM 3
Windows Hello
Getting a Windows Hello enabled device 4
Device Encryption
This walks through device encryption enablement 5
Smart Screen for Edge
Protect your family and friends from unwanted malware in Edge

19. Virtualization Based Security (VBS)

20. Windows 7 platform stack
4/27/2018
Windows 7 platform stack
Device Hardware
Kernel
Windows Platform Services
Apps
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

21. Microsoft Edge Protected by Windows Defender Application Guard
4/27/2018
Microsoft Edge Protected by Windows Defender Application Guard
Kernel
Windows Platform Services
Apps
Windows
Operating System
Microsoft Edge
Windows Defender Application Guard
System Container
Device Guard
Credential Guard
Trustlet #3
Hyper-V
Hyper-V
Device Hardware
Hypervisor
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

22. Creators Update: Preparing for Device Guard, Credential Guard
WinHEC 2016
4/27/2018 3:44 PM
Creators Update: Preparing for Device Guard, Credential Guard
ACPI Standard Header
Field
Byte Length
Byte Offset
Description
Signature 4
Signature for the WSMT
Length
Length, in bytes, of the WSMT. Must be 40 for Revision 1.
Revision 1 8
Checksum 9
Entire table, which must sum to zero
OEMID 6 10
Original equipment manufacturer (OEM) identifier (ID)
OEM Table ID 16
Manufacturer model ID
OEM Revision 24
OEM revision for supplied OEM table ID
Creator ID 28
Vendor ID of the ASL compiler utility that created the table
Creator Revision 32
Revision of the ASL compiler utility that created the table
Protection Flags 36
Container of a bitmask of the system implemented WSMT protections. Bits in this field represent that certain protections/enforcements are enabled and active for firmware executing in SMM context after ExitBootServices(). See Table 2 for a detailed description of this field.
Table 1. Windows SMM Security Mitigations Table
Virtualization Based Security (VBS)
Create a static Windows Security Mitigation Table (WSMT) in the ACPI namespace of the platform to help secure BIOS configurations and protect against SMM attacks
Length
Bit offset
Description 1
FIXED_COMM_BUFFERS
If set, expresses that for all synchronous SMM entries, SMM will validate that input and output buffers lie entirely within the expected fixed memory regions.
COMM_BUFFER_NESTED_PTR_PROTECTION
If set, expresses that for all synchronous SMM entries, SMM will validate that input and output pointers embedded within the fixed communication buffer only refer to address ranges that lie entirely within the expected fixed memory regions. 2
SYSTEM_RESOURCE_PROTECTION
Firmware setting this bit is an indication that it will not allow reconfiguration of system resources via non-architectural mechanisms.
31:3
Reserved; must return 0 when read.
Table 2.
Protection Flags Field
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23. Creators update: preparing for Device Guard, Credential Guard
Virtualization Based Security (VBS)
To help mitigate vulnerabilities that happen at UEFI runtime such as updating the capsule or setting variables, we are requiring the following:
Implement key UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE for EFI_MEMORY_RO and EFI_MEMORY_XP
No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable

24. Microsoft Enablement Docs#
Area
Description & URL 1
HVCI Compliant Drivers
Since Anniversary update, all kernel drivers must be Hypervisor Code Integrity Compliant and pass the HLK test: 2
Pass the Hardware Security Interface Spec Test (ver. 1.1.a)
HSTI protects against misconfiguration of security features on Windows devices 3
PC OEM Device / Credential Guard Requirements
This walks through end to end requirements against each Windows release 4
Device Guard / Credential Guard Readiness Tool
A tool that helps OEMs, ODMs, or enterprise customers to check if their systems are DG/CG ready:
New for Creators Update partner requirements for Device Guard, Credential Guard 5
UEFI NX Protections
This outlines the security requirements:
Must implement UEFI 2.6 specification’s EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
No entries must be left with neither of the above attribute, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable. 6
Firmware Support for SMM Protection (WSMT table)
This table helps secure UEFI runtime functions to protect VBS, firmware and attacks against SMM

25. Microsoft Edge Security
4/27/2018 3:44 PM
Microsoft Edge Security
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

26. Increasingly effective vulnerability discovery
4/27/2018
Increasingly effective vulnerability discovery
Researchers and attackers have become increasingly effective at finding web browser vulnerabilities
# of Microsoft Remote Code Execution (RCE) CVEs addressed by product area and patch year
# of Microsoft web browser Remote Code Execution (RCE) CVEs addressed by patch year
We experienced a 3.5x y/y increase in 2013 and ~2x y/y in 2014
Web browser vulnerabilities have accounted for more than 50% of Microsoft’s RCEs each year since 2013
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

27. Measuring Microsoft Edge Security improvements
4/27/2018
Measuring Microsoft Edge Security improvements
Number of exploited
web browser CVEs
Number of days with known zero day exploit in the wild
Number of Vulnerabilities
(CVEs) by web browser
Source: Microsoft,
as of August 22, 2016
Source: Microsoft,
as of August 22, 2016
Source: US National Vulnerability Database,
November, 2015 – October, 2016
No known exploits
for Microsoft Edge CVEs
No known exploits in-the-wild
that target Microsoft Edge
30% reduction in Microsoft Edge
CVEs in the last 12 servicing months
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

28. SHA1 – Are you ready? Today February 14, 2017
Our goal: Match the industry, and balance customer experience and adjust as warranted by changes in technology.
Today
Internet Explorer and Microsoft Edge no longer show the lock icon for SHA1-TLS sites
February 14, 2017
Internet Explorer and Microsoft Edge Warn for SHA1 TLS Sites Mixed-content doesn’t load; no user-facing error Other Windows functionality unaffected More info at

29. Windows Defender Application Guard
4/27/2018 3:44 PM
Windows Defender Application Guard
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

30. Windows Defender Application Guard
4/27/2018
Windows Defender Application Guard
Uses virtualization-based security to isolate Microsoft Edge, protecting Windows 10 against advanced attacks
Malware and vulnerability exploits targeting the browser, including zero-day exploits, are unable to impact the operating system, apps, data and network
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

31. Application Guard Video queue up

32. Windows 10 Deployment 4/27/2018 3:44 PM
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

33. As a partner for Microsoft, are you running Windows 10 today
As a partner for Microsoft, are you running Windows 10 today? If not, join the club now!

34. 3K 2K 600 99% Millions 20K Windows Compat Promise
WPC 2015
4/27/2018 3:44 PM 3K
Top apps being tested with every release across consumers, gamers and information worker categories 2K
Number of devices and peripherals tested
600
Engagement with hardware and software partners to detect and resolve compat issues
Windows Compat Promise
99%
%age of millions of apps inferred as compatible from Windows telemetry
Millions
Windows Insiders validating early Windows builds
20K
Number of user feedback processed for detecting compat issues
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

35. http://www.microsoft.com/en- us/WindowsForBusiness/upgrade-analytics
Sign up via
us/WindowsForBusiness/upgrade-analytics
Windows
upgrade analytics
Opt-in feedback from Windows 7 and 8.1
Track upgrade readiness
Identify app and driver issues
Remediate
Drive deployment

36. “Ready for Windows”
Ready for Windows makes it easy for ISVs to list their software solutions that support Windows 10 and generate market visibility. It also give access to the Windows as a Service compatible logo program.
The Microsoft Ready for Windows program helps IT decision makers search and source business applications that are compatible and supported on Windows 10.

37. Ready for Windows portal
Microsoft Worldwide Partner Conference 2016
4/27/2018 3:44 PM
Ready for Windows portal
Global reach and exposure
App data from commercial Windows 10 installs
ISV support declaration for WaaS
Windows 10 compatible logo for Windows as a Service
App Status
Guidance
Adopted
This application has been installed on at least 10,000 commercial Windows 10 devices.
Highly adopted
This application has been installed on at least 100,000 commercial Windows 10 devices.
Supported version available
The ISV has declared support for a version of this application on Windows 10.
Contact software provider
There may be compatibility issues with this solution, and thus Microsoft recommends contacting the software provider to learn more.
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

38. Run Upgrade Analytics internally as a partner, sign up here:
us/WindowsForBusiness/upgrade-analytics
Getting Started Guide:
ge-windows-upgrades-with-upgrade-analytics
Getting your app ready for Windows 10:
windows#/
What can you do?

39. Wrap up

40. Recap – Windows 10 is the most secure OS we’ve ever shipped
4/27/2018 3:44 PM
Recap –
Windows 10 is the most secure OS we’ve ever shipped
Be prepared to deliver on:
Consumer security features and positioning (TPM 2.0, Windows Hello, Device Encryption, Smart Screen with Edge)
Commercial security features such as Device Guard, Credential Guard, and Windows Defender Application Guard
Get on Windows 10:
Windows Upgrade Analytics helps you get to Windows 10 faster than ever, along with certifying your apps on Ready for Windows 10
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

41. Thank You 谢谢 Please follow WinHEC @ WinHEC.com 4/27/2018 3:44 PM
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.