Comprehensive look at Windows 10 security features

Microsoft has made an effort to bolster security in Windows 10 with features such as Device Guard and multifactor authentication.

There are lots of new, headline-grabbing features in Windows 10, but what about security? Is Microsoft's newest operating system safe to use in the enterprise?

With Windows 10, Microsoft is doing away with the separate operating system for Windows Phone, so there is just one OS for every type of Microsoft device. As a result, there is less surface area for attackers to exploit, and IT administrators only have to develop security measures to protect one OS.

There are also some new Windows 10 security features, such as tools to combat malware, plus multifactor authentication and data loss prevention (DLP) that's ratcheted up a notch.

How does Windows 10 combat malware?

Device Guard, the primary tool for fighting malware in Windows 10, only allows users to download trusted applications that have been approved by the Windows Store or specific, trusted vendors. The tool also grants IT admins the power to sign and approve any apps Microsoft or a software vendor did not. It is essentially a form of app whitelisting, where IT determines which apps are safe for the business.

If a user tries to download an app that isn't on the list, Device Guard will stop them and admins can let the user know it's not approved. To bolster their defense even more, IT admins can limit which apps can access the corporate virtual private network (VPN) based on the port or IP address.

The major limitation of Device Guard is its tamper-proof design, which might not leave admins with as much control and flexibility to make adjustments as they would like.
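
One way to check whether Device Guard's code integrity policy is actually enforced on a machine, as an added example that is not from the article: it reads the `Win32_DeviceGuard` CIM class, assumed to be present with these properties on the Windows 10 build in use, and interprets its status codes. The function name `Get-DeviceGuardSummary` and the sample object are constructed for illustration.

```powershell
# Added example (not from the article): summarize Device Guard / VBS state.
function Get-DeviceGuardSummary {
    param(
        # Defaults to the local machine; pass a constructed object to test offline.
        $State = (Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                                  -ClassName 'Win32_DeviceGuard' -ErrorAction Stop)
    )
    # Status code meanings for the Win32_DeviceGuard properties used below.
    $vbsMap = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $ciMap  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $svcMap = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-protected code integrity' }

    # Translate running service codes; 0 means "none" and is skipped.
    $running = @($State.SecurityServicesRunning |
        Where-Object { $null -ne $_ -and $_ -ne 0 } |
        ForEach-Object { $k = [int]$_; if ($svcMap.ContainsKey($k)) { $svcMap[$k] } else { "Unknown ($k)" } })

    # Audit mode only logs unapproved code; it does not block it.
    $findings = @()
    if ([int]$State.VirtualizationBasedSecurityStatus -ne 2) {
        $findings += 'Virtualization-based security is not running.'
    }
    if ([int]$State.CodeIntegrityPolicyEnforcementStatus -ne 2) {
        $findings += 'Kernel-mode code integrity policy is not enforced.'
    }
    if ([int]$State.UsermodeCodeIntegrityPolicyEnforcementStatus -ne 2) {
        $findings += 'User-mode code integrity policy is not enforced.'
    }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsMap[[int]$State.VirtualizationBasedSecurityStatus]
        KernelModeCodeIntegrity     = $ciMap[[int]$State.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity       = $ciMap[[int]$State.UsermodeCodeIntegrityPolicyEnforcementStatus]
        SecurityServicesRunning     = $running
        Findings                    = $findings
    }
}

# Constructed sample: VBS running, policies deployed in audit mode only.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus            = 2
    CodeIntegrityPolicyEnforcementStatus         = 1
    UsermodeCodeIntegrityPolicyEnforcementStatus = 1
    SecurityServicesRunning                      = @(1)
}
Get-DeviceGuardSummary -State $sample | Format-List
```

For the constructed sample, both code integrity entries read `Audit` and two findings are listed, which is the state where unapproved apps are logged but still allowed to run.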

What’s the story with multifactor authentication?

Multifactor authentication bolsters security by requiring at least two forms of identification to log in to a computer or profile. One form of authentication could be a password, but the user also has to enter a PIN or use biometric technology to log in. Windows Hello is Microsoft's biometric hardware and can recognize a user's face, iris or fingerprint. Microsoft Passport, which features asymmetric cryptography, adds biometric authentication to Microsoft Edge.

In Windows 10, a mobile device can work as one of the forms of authentication with a key pair from Microsoft or a PKI certificate provisioned in-house. Both can authenticate the device and associate a security token with it. The token is stored using Hyper-V technology in a secure container. Hackers cannot impersonate the user with a pass-the-ticket attack and access the token. And even if a hacker has a user's password, he would still need the user's actual mobile device to gain access to the network.

How does Windows 10 tackle data loss prevention?

Windows operating systems have used BitLocker encryption for DLP as far back as Vista. Windows 10 security features take DLP up a notch to address concerns associated with users who are constantly moving data from device to device. If a user does not have the correct security profile, IT admins can use containers to limit which apps can access corporate data. They can also put restrictions on what information can be copied while data is being transferred from one device to another.

The containers keep corporate and personal information separate at the app and file level, and even encrypt data automatically when it goes onto a device. And users don't have to switch modes or apps to keep data safe. In fact, they don't have to do anything, so IT admins don't have to worry about users ignoring security policies.

How does Microsoft Edge address security?

Internet Explorer's (IE) security holes -- from the most basic browser vulnerabilities to common attacks such as distributed denial of service and bypass -- are well documented. Microsoft is trying to plug the gaps by focusing on stopping phishing and browser hacking in Edge, its new Web browser on Windows 10. For example, EdgeHTML fights against phishing by stopping cross-site scripting attacks with the World Wide Web Consortium standard. HTTP Strict Transport Security provides secure connections to each website. Other antiphishing features include Microsoft SmartScreen, which blocks access to malicious sites, and Microsoft Certificate Reputation, which prevents access to sites with fraudulent certificates.

Microsoft has also taken steps to stop browser hacking, completely redesigning its document object model to make the code more resistant to attacks. Vulnerable extensions such as VML, VBScript and Toolbars are out in favor of HTML5. Edge also runs as a 64-bit process on 64-bit systems. As a result, the address space is much larger than in IE, so address randomization is much better, which makes it harder for attackers to pinpoint where to strike.

What other Windows 10 security features come with the OS?

In Windows 10, IT admins can use Azure Active Directory instead of Microsoft Accounts to handle their Active Directory and still access the Universal apps platform without sacrificing any internal policies. Windows 10 also extends the managed VPN policies from Windows 8.1 to any third-party VPN vendor and includes individual desktops and Universal apps. The policies can all be managed by a mobile device management platform. Microsoft Advanced Threat Analytics detects anomalies with an internal view of the Active Directory.
